Federal Aviation Administration
FAA Approach to Human Space Flight Regulations for Occupant Safety on Orbital Missions
Jim Van Laak, Deputy Associate Administrator, FAA Office of Commercial Space Transportation (FAA/AST)
Date: May 26, 2011
Agenda
• Introduction
• Mission Perspective
• Resulting Approach
• Proposed Approach for Occupant Safety
• Process-Based Approach
• Human Capabilities
• Human Limitations
• Core System Requirements
• Conclusion
Introduction
• NASA’s pursuit of commercial crew transportation is jumpstarting the commercial orbital human space flight sector
• Expected growth requires a review of the applicable FAA regulations
• The historical accident/incident rate is significant
• FAA licensing of NASA launches is likely
• FAA licensing of all non-governmental launches is certain
• It is highly desirable that systems be designed for both NASA missions and commercial customers
• Industry has requested that NASA and FAA work together to ensure compatibility between their requirements
• This briefing outlines a tentative approach to FAA licensing of commercial orbital human space flight
• Content is preliminary but maturing daily
• Extensive coordination with NASA will continue
Mission Perspective
• NASA and FAA approaches to human safety are based on their respective missions
• Different missions lead to different approaches
• NASA:
  • Is a customer with a system-level need (support ISS)
  • This translates to detailed system requirements
  • NASA has its own requirements for the safety of its crews
  • Is willing and able to pay for top quality systems
• FAA:
  • Is the regulator for a new, broad and varied industry
  • Is charged with allowing the industry to develop
  • Is focused only on the safety of the public and spacecraft occupants
  • Mission success is the launch customer’s requirement
  • Results in regulations that are more general and performance based
Resulting Approach
• FAA approach to regulation must:
  • Use a phased implementation as the industry matures
  • Be flexible to enable multiple customers
  • Be performance based to support innovation
  • Implement critical safety lessons learned from past programs
  • Reward success without penalizing benign failure
  • Apply enforcement as required for violations
• FAA and NASA together should:
  • Identify system elements and operations critical to safety
  • Agree on characteristics of satisfactory design solutions
  • Clearly distinguish safety from mission assurance
General
• This briefing describes the FAA’s planned approach to regulating orbital human space flight
  • Seeks a balance between process and design requirements
  • Offers minimum core requirements for the safety of occupants
• Note: Current FAA regulations use the terms crew and space flight participant
  • This document will use occupants to include all humans on board
  • Those with mission execution roles will be called crew
• Proposed FAA requirements (regulations) are intended to be:
  • Technically sound and attainable
  • Focused on occupant safety and not mission assurance
  • Verifiable
  • Compatible with more prescriptive NASA requirements
• They apply to the human space flight system: launch vehicle, crewed element and portions of the ground segment
Dual Approach
• Two parts: process requirements and core requirements
• Process requirements require applicants to:
  • Use a system safety process for hazard analysis and risk assessment
  • Use human integration processes to manage capabilities and limitations
  • Validate and verify requirements
  • Maintain a “spaceworthy” system
• Core safety requirements are minimum credible values for:
  • Cabin environment for human safety
  • Space system reliability
  • Human capabilities, which must match the tasks they are to perform
FIGURE 1: FAA PROPOSED REGULATORY APPROACH FOR OCCUPANT SAFETY
Process-Based Requirements (Note 1):
• Implement a System Safety Process: conduct hazard analyses and risk assessment
• Human Integration Process: assess human capabilities and limitations and apply that information (anthropometric, biomechanical, and ergonomics data) in space system design, development, and operations
• Validate and verify requirements (e.g., testing, analysis)
• Ensure “Spaceworthiness”: maintain/refurbish the space system; implement a Quality Management System; establish a Configuration Management System; establish a Sustaining Engineering Process
Human Capability Requirements (Note 2): occupants must be capable of performing safety-critical functions
• Operations planning, training, and execution
• Occupant (flight crew and non-crew member) training
• Manual vs. automated control? (Note 3)
• Ground command and control support (Note 3)
• Operating procedures
Human Limitation Requirements (Note 2): occupants must be able to survive natural and man-made environments
• Environmental control (pressure, thermal)
• Acceleration, shock, vibration
• Acoustic
• Radiation
• Sustenance (food and water)
• Hygiene and waste
• Occupant health and rest
Space System Requirements: the launch or reentry vehicle must provide a safe, habitable environment for occupants
• Failure tolerance
• Anomaly detection and response
• Contingency capabilities and/or escape
• Emergency equipment, including a pressure suit? (Note 3)
• Structures (including crashworthiness)
• Standards (e.g., M&P, design, manufacturing)
• Infrastructure (pads, control centers, networks)
FIGURE 1: FAA PROPOSED REGULATORY APPROACH FOR OCCUPANT SAFETY (CONT.)
Notes:
1. These processes should drive design and operation of the system without FAA prescriptive requirements. In a few cases FAA will specify minimum acceptable requirements, such as failure tolerance.
2. Most of these core safety requirements arise from combining well established standards with system design. Human capabilities and limitations (such as those defined in NASA Std 3000 and other documents) combine with system design to produce a safe operation.
3. The applicant’s human factors and system safety analyses will determine requirements for some design features: manual or automated control; ground command and control; need for a pressure suit.
FAA will be evaluating the applicant’s processes as well as the results of analyses and tests.
Detailed Examples
Note: The following charts capture the current FAA approach to significant requirements. These requirements are in addition to requirements to protect public safety. The language does not reflect final regulatory text.
System Safety Process
The applicant must document and implement a System Safety Process which includes conducting hazard analyses and risk assessments for occupant safety.
System Safety – Hazard Analysis
• The applicant must identify and characterize each hazard and assess the risk to occupant health and safety:
  a. Identify and describe hazards
  b. Characterize the risk for each hazard before risk elimination or mitigation
  c. Define measures of risk acceptability
  d. Identify the risk mitigation measures required to satisfy paragraph (c)
  e. Verify design performance through test, inspection or analysis
• The applicant must ensure the continued accuracy and validity of its hazard analyses throughout the system’s operational life
System Safety – Risk Assessment
• Applicants must perform and document an integrated risk assessment describing the total risk of the mission
• The results of this assessment will be used to:
  • Identify dominant sources of risk to target mitigation
  • Guide test and verification efforts
  • Inform occupants of the risks they are accepting
• Quantitative and/or qualitative methods may be used
• Input data and assumptions must be documented
System Safety – Sustaining Engineering
• Maintain surveillance of system performance relative to design requirements and ensure continuing compliance
• Perform an updated risk assessment when there are safety-critical changes to the vehicle design, operation, or maintenance
• Record each significant system anomaly and report those that affect a safety-critical element
• Identify the root causes of each significant anomaly and inform the FAA of any corrective actions
Human Integration Process
Document and implement a process for assessing human capabilities and limitations and apply that information to the space system design, development, and operations to ensure occupant safety.
Human Integration Process
• Environmental Analysis Process
  • Ensure the anticipated environment permits the planned activity
  • Ergonomic considerations must be accommodated
  • Evaluate the expected vibration/load environment and assess human performance capability
  • Identify when an unsurvivable environment can occur in the vehicle and implement controls to minimize the probability of occurrence
• Task Allocation Process
  • Tasks allocated to humans must be suitable for humans functioning in the anticipated environment
• Human/Machine Interface Requirements
  • Design all human/machine interfaces to control the risk of inadvertent, inaccurate, or mistaken command inputs
  • Assess how the vehicle and its systems allow consistent and effective control throughout the flight environment
Validation and Verification
Implement a process for validating and verifying safety-critical requirements.
Validation and Verification (V&V)
• Use systems engineering processes for requirement definition and control
• Show traceability from each safety-critical requirement to its verification, from the component to the system level
• Submit a master test plan including: scope, methods, environments, ground rules and assumptions, predicted results, and data requirements
• Provide a final test report that summarizes the test results for safety-critical system elements
• Document verification that safety-critical requirements have been met
• Demonstrate that software has been verified prior to beginning hazardous operations
Verification and Validation (V&V)
• Successfully verify the system’s integrated performance in an operational flight environment before flying a space flight participant. Verification must include flight testing. [§ 460.17]
• *The operator must specify the objectives, procedures, type and number of tests, and success criteria for the flight test program. Flight test objectives must:
  • Verify the integrated performance of the launch/reentry vehicle system hardware, software, and the human, in the operational flight environment;
  • Define and validate the boundaries for acceptable operation; and
  • Verify the analytical models used to predict the system performance across the operating envelopes.
• *The operator must demonstrate the safety-critical nominal functions in an operational flight environment before flying non-crewmembers.
• Safety-related flight parameters must be recorded to enable correlation between predictions and actual flight test data.
* This adds more specificity to § 460.17
Ensure “Spaceworthiness”
• Document and implement processes to ensure system “spaceworthiness”, to include:
  • Maintaining/refurbishing elements of the flight system
  • Implementing a quality management system
  • Implementing a configuration management system
Maintenance/Refurbishment/Quality
• Prior to each flight the operator must:
  • Ensure the system is safe for the planned flight
  • Ensure that the system meets the performance characteristics defined in its license application
  • Repair defects in accordance with applicable regulations and the license holder’s spaceworthiness program
• Third parties may be employed for refurbishment, maintenance, preventive maintenance and alteration
  • The operator remains responsible for ensuring that the work complies with the spaceworthiness program
Configuration Management
• The operator must have Quality and Configuration Management Systems commensurate with the complexity of the mission and system to ensure that the system remains in a known, tested configuration
• Must cover the system and its operations from design through operation and refurbishment (if applicable)
• Hardware and software requirements, designs, “as built” configurations, and associated operations must remain controlled and traceable
Human Capability Requirements
Occupants must be capable of performing safety-critical functions.
Note: The operator must take into consideration the capabilities of occupants to safely perform critical functions under nominal and non-nominal conditions.
Human Factors [§ 460.15]
• The operator must account for human factors in safety-critical activities, including:
  • Design and layout of displays and controls
  • Thermal, acoustic, acceleration and vibratory environment
  • Type and degree of automation
  • Restraint of all individuals and objects in the vehicle
Task Analysis and Allocation
The applicant must analyze the system characteristics and the detailed system hazard and performance assessment to determine the appropriate levels of:
• Automated vs. human-in-the-loop operations
• Manual override capability
• Ground support (capability to remotely monitor, operate, and control the space system)
Operations Planning and Products
• Operators must implement an effective operations program to:
  • Develop plans, procedures, training and oversight
  • Control hazards
  • Respond to contingencies
  • Comply with system limitations through mission design
• Products include:
  • Training requirements and products
  • Mission planning products, including procedures and checklists
  • Mission rules
  • Contingency plans
Crew Qualifications and Training [§ 460.5]
• Each crew member must successfully complete training on ground and flight responsibilities
• Training must include nominal and off-nominal conditions, including:
  • Abort scenarios
  • Emergency egress
  • In-flight emergency operations
• Flight crew must demonstrate an ability to function under the stresses of space flight:
  • Acceleration or deceleration, microgravity, and vibration
  • Function while wearing appropriate safety equipment (oxygen mask, pressure suit, etc.)
Crew Qualifications and Training [§ 460.5] (cont.)
Pilots must:
• Hold an FAA pilot certificate with instrument rating
• Receive vehicle- and mission-specific training for each phase of flight using one or more of the following:
  • A simulator;
  • An aircraft whose characteristics are similar to the vehicle or that has similar phases of flight to the vehicle;
  • Flight testing; or
  • An equivalent method of training approved by the FAA
• Train in procedures that direct the vehicle away from the public in the event the occupants abandon the vehicle during flight; and
• Train for each mode of control or propulsion, including any transition between modes, such that the pilot is able to control the vehicle
Security [§ 460.53]
An operator must implement security requirements to prevent any space flight participant from jeopardizing the safety of other occupants (flight crew and non-crew members) or the public.
Human Limitation Requirements
The spacecraft environment must be verified as suitable for human occupancy, including low risk of injury and compatibility with required functions.
ECLSS [§ 460.11]
• The operator must provide atmospheric conditions adequate to sustain life and consciousness for all inhabited areas within a vehicle
• The operator must provide a means to monitor and control the following environmental conditions in the inhabited areas, or demonstrate an equivalent level of safety:
  • Composition of the atmosphere
  • Pressure, temperature and humidity
  • Contaminants, including particulates and any harmful or hazardous concentrations of gases or vapors; and
  • Ventilation and circulation
Occupant Health
For occupant health and safety, the space system must:
• Provide sufficient consumables and sustenance (food and potable water) for the mission, with consideration of contingency scenarios (e.g., delays associated with deorbit, emergency recovery associated with non-nominal landings)
• Provide for personal hygiene activities/supplies and waste management, if applicable
Medical Standard for Crew [§ 460.5(b) and (e)]
• Each crew member on an orbital mission with a safety-critical role must possess and carry an FAA first-class airman medical certificate
• Additional requirement: demonstrate an ability to withstand the stresses of space flight, which may include high acceleration or deceleration, microgravity, and vibration, in sufficient condition to safely carry out his or her duties so that the vehicle will not harm the public or those on board
Health – Medical
• Operators must develop a Medical Screening Program for non-crew occupants
• The operator must implement a radiation occupational exposure program to ensure that its orbital flight crew do not individually exceed accumulated radiation doses per OSHA standards
• Orbital flight crew must wear personal radiation dosimeters
Space System Core Requirements
The launch or reentry vehicle must provide a safe, habitable environment for occupants and provide, to the extent practical, the capability to safely recover from hazardous situations.
Failure Tolerance
Minimum Level of Failure Tolerance
• The space system must control hazards that can lead to serious injury or loss of life with no less than single failure tolerance, except for areas approved to use Design for Minimum Risk (DFMR) criteria
• Design for Minimum Risk controls risk through approved standards, margins, test and verification to enhance reliability to the maximum extent practicable
• The minimum failure tolerance may not depend on the use of in-flight maintenance (including EVA), emergency equipment, abort systems (including launch escape systems), or other emergency operations
Failure Tolerance (cont.)
Potential Additional Levels of Failure Tolerance
• Integrated analysis of the design and operations must ensure the validity of the claimed failure tolerance
• In some cases additional levels of failure tolerance may be required, based on limited system reliability or other hazard characteristics
Operator Error
• The space system must be designed to tolerate a minimum of one inadvertent operator action, as identified by a human error analysis, without causing a casualty
Failure Tolerance (cont.)
Verification of Failure Tolerance
• Failure tolerance for safety-critical hazards must be verified by an integrated analysis, using a system-level Hazard Analysis and a Failure Modes and Effects Analysis, to show compliance with the approved level of failure tolerance
• The failure tolerance requirement does not apply to primary structure, pressure vessel walls, and pressurized lines
• Catastrophic failures in those areas must be controlled through approved standards and margins
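Showing compliance with the failure tolerance level on the three slides above comes down to one question per catastrophic hazard: is there any single credible failure, or any single inadvertent operator action, that reaches the hazard on its own? The usual way to answer it from the hazard analysis and FMEA is a fault-tree cut-set analysis. The following is an added illustration, not FAA material and not any applicant's analysis: it computes the minimal cut sets of a small fault tree and reports the tolerance level, any single-point failures, and whether a single operator action is a single point. The oxygen-supply hazard, the event names and the "dfmr" and "operator" event kinds are constructed for the example. A cut set made up only of DFMR-exempt events (here a pressurized line) is excluded from the tolerance count, following the slide's DFMR exception, but is still listed for the analyst. The model treats basic events as independent, so a common-cause item must be entered as one shared event, which is exactly what makes design A fail.

```python
"""Fault-tree cut-set check for the single-failure-tolerance requirement.

Added example, not FAA or applicant material. Event names, the two oxygen
supply designs and the "dfmr" / "operator" event kinds are constructed here.
"""
from dataclasses import dataclass
from itertools import product
from typing import Union


@dataclass(frozen=True)
class Event:
    """Basic event in the fault tree.

    kind: "hardware" (independent failure), "operator" (inadvertent action
    from the human error analysis) or "dfmr" (failure in an area approved
    for Design for Minimum Risk, e.g. a pressurized line)."""
    name: str
    kind: str = "hardware"


@dataclass(frozen=True)
class Gate:
    op: str          # "AND": all inputs must occur; "OR": any input suffices
    inputs: tuple    # child Events and/or Gates


Node = Union[Event, Gate]


def _minimize(cuts):
    """Keep only cut sets that contain no other cut set (minimal cut sets)."""
    return frozenset(c for c in cuts if not any(o < c for o in cuts))


def minimal_cut_sets(node: Node) -> frozenset:
    """Return the minimal cut sets of `node`: the smallest combinations of
    basic events whose joint occurrence causes the top event."""
    if isinstance(node, Event):
        return frozenset([frozenset([node])])
    children = [minimal_cut_sets(c) for c in node.inputs]
    if node.op == "OR":
        combined = set().union(*children)
    elif node.op == "AND":
        combined = {frozenset().union(*combo) for combo in product(*children)}
    else:
        raise ValueError(f"unknown gate type {node.op!r}")
    return _minimize(combined)


def assess(hazard: Node) -> dict:
    """Failure-tolerance assessment of one catastrophic hazard.

    Tolerance is (size of the smallest non-exempt cut set) - 1; single
    failure tolerance requires tolerance >= 1. A cut set consisting only of
    DFMR events is exempt from the count but is still reported."""
    cuts = minimal_cut_sets(hazard)
    singles = [next(iter(c)) for c in cuts if len(c) == 1]
    counted = [c for c in cuts if not all(e.kind == "dfmr" for e in c)]
    tolerance = min(len(c) for c in counted) - 1 if counted else None
    operator_singles = sorted(e.name for e in singles if e.kind == "operator")
    return {
        "tolerance": tolerance,
        "single_point_failures": sorted(e.name for e in singles if e.kind != "dfmr"),
        "dfmr_single_points": sorted(e.name for e in singles if e.kind == "dfmr"),
        "operator_single_points": operator_singles,
        "single_failure_tolerant": tolerance is None or tolerance >= 1,
        "one_operator_error_tolerant": not operator_singles,
    }


def oxygen_supply(shared_manifold: bool) -> Gate:
    """Constructed hazard: crew hypoxia, which requires BOTH the primary and
    the secondary O2 supply to be lost. The shared manifold in design A is a
    common-cause failure; design B gives each supply its own manifold."""
    fill_line = Event("fill_line_rupture", "dfmr")      # pressurized line: DFMR area
    primary = [Event("tank_1_leak"), Event("regulator_1_fails"),
               Event("crew_closes_valve_1", "operator"), fill_line]
    secondary = [Event("tank_2_leak"), Event("regulator_2_fails"), fill_line]
    if shared_manifold:
        manifold = Event("manifold_rupture")            # one event feeding both legs
        primary.append(manifold)
        secondary.append(manifold)
    else:
        primary.append(Event("manifold_1_rupture"))
        secondary.append(Event("manifold_2_rupture"))
    return Gate("AND", (Gate("OR", tuple(primary)), Gate("OR", tuple(secondary))))


if __name__ == "__main__":
    for label, shared in (("design A (shared manifold)", True),
                          ("design B (separate manifolds)", False)):
        print(label, assess(oxygen_supply(shared)))
```

Design A reports tolerance 0 with manifold_rupture as a single-point failure, so it does not meet the minimum; design B reports tolerance 1 and is single-failure tolerant, with the fill-line rupture listed separately as a DFMR single point to be covered by standards and margins rather than redundancy. The crew valve action appears only in the primary leg and therefore never forms a one-event cut set, which is what the operator-error requirement asks for.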
ECLSS [§ 460.11]
• The operator must provide an adequate redundant or secondary oxygen supply for the flight crew
• The operator must:
  • Provide a redundant means of preventing cabin depressurization*; or
  • Prevent incapacitation of any of the flight crew in the event of loss of cabin pressure
*A full pressure suit is an acceptable means of meeting this; however, the requirement for a pressure suit depends on the specific vehicle design, based on the system safety and human factors analyses.
Structures – Factors of Safety
• Structures must withstand all design loads and thermal environments without yield or detrimental deformation
• Primary structure must be designed with an adequate factor of safety to:
  • Survive a limit-load scenario, at design temperature, after being subjected to the design fatigue life
  • Survive the design life without failure
  • Maintain a positive margin of safety under combined loads, pressures, and accompanying environments
• Specifications for materials, fabrication processes, and material testing techniques must ensure compliance with the engineering requirements
  • Processes must assure that production parts conform to the design
  • Materials inspection processes must verify that materials meet performance requirements
• Potential specification of minimum factors of safety is TBD
Anomaly Detection and Response
• The space system must provide the following capability to detect and annunciate significant anomalies that affect critical systems, subsystems, and/or occupant health:
  • Identify and annunciate catastrophic events
  • Provide real-time monitoring of safety-critical measurements
  • Detect a pre-determined set of failure or degraded conditions
  • Control hazards and risks for which system response is used to mitigate the hazard
• If the design life includes multiple missions, appropriate means must be provided to ensure compliance with the minimum performance requirements
Isolation and Recovery
• The space system must maximize the capability to isolate and/or recover from faults capable of causing a catastrophic event
• The Anomaly Detection System must identify incipient failures within the time constraints for system response, including human response if applicable
Contingency Response or Escape System
• The operator must have contingency responses, including abort and/or an escape system, across the mission profile:
  • Vehicle abort systems must automatically detect incipient failures and determine the need for a time-critical abort, such as during ascent
  • If a Range Safety System is installed, the system must initiate the abort sequence prior to destruction of the launch vehicle to ensure occupant survival
  • The space system should allow contingency reentry with minimum lead time
Emergency Equipment
• The operator or crew must have the ability to detect smoke and suppress a cabin fire
• The space system must provide the capability for occupants to respond to emergency situations. This includes the following:
  • Contingency breathing apparatus for protection from fire/smoke, toxic atmosphere, or reduced cabin pressure
  • First aid kit
  • Pressure suit or personal protective equipment (if applicable)
  • Emergency lighting
  • Fire suppression system
  • Search and rescue/recovery aids
  • Occupant survival kit to support occupants following an off-nominal landing
Support Systems
• The operator must provide the support systems necessary for occupant safety. These support systems may include:
  • Communications facilities
  • Weather reporting facilities
  • Mission control centers
  • Landing and alternate landing facilities, including appropriate rescue, emergency medical, and firefighting services
Conclusion
• The proposed regulatory approach relies upon:
  • Process-based requirements that provide flexibility to design, develop, and operate efficiently
  • A minimal set of core safety requirements pertaining to Human Capabilities, Human Limitations, and the Space System
  • Robust abort and crew escape provisions to enable relaxed system reliability
• FAA/AST looks forward to inputs from industry:
  • Lessons learned
  • Innovative techniques
  • Experience-based recommendations