Crew Survival Office’s Position on the Acceptability of the Proposed Inline RSRB Launch Vehicle for Crewed Launches
July 15, 2005
Leo Langston, Paul Porter, Clint Thornton
JSC Crew Survival

Agenda
• Objective
• Lessons Learned?
• Crew Survival Office Position
• Applicable HRR Requirements
• Crew Survival’s Response to SRB Reliability and Survivability Claims
• Launch Failures by Subsystem Root Cause of US-Built Expendable Vehicles 1984-2004
• Demonstrated Reliability In Other Solid Based Systems
• Reliability and Crew Safety Assessment for Solid Rocket Booster / J-2S Based Launch Vehicle (SAICNY05-04-1F) - Specific Issues
• CSO Comments on ESAS Integrated SRB Abort Assessment
• Conclusion
• Recommendations
• Backup

Objective
• Given the limited time to select launch vehicles that will meet the Agency’s exploration goals, the Crew Survival Office (CSO) is concerned that cost and schedule and perhaps other outside/political pressures may be forcing the agency to make a decision to use a launch vehicle configuration that will not meet current human rating requirements.
• The Crew Survival Office would like to present a set of arguments questioning the basis for selection of the current proposed crewed launch vehicle (13.1) that can be used to allow agency management to pause and reconsider the current selection before making a commitment to a possibly inappropriate design solution.

Lessons Learned?
Words of wisdom from past accident investigations and other NASA advisory groups should be providing some important lessons learned to help guide our selection of the next human launch vehicle.
• “We need to make sure that the next generation vehicle is not based on probability but on ‘assurability’. We need to use the best technology we can to assure that the crew survives. If we cannot do it in the Shuttle then we need to have it in next vehicle. If we do not do this now – and do some soul searching – we will be in the same place 20-30 years from now.”
  Bernard Harris, Aerospace Safety Advisory Panel, March 26, 2003
• “Future crewed-vehicle requirements should incorporate the knowledge gained from the Challenger and Columbia accidents in assessing the feasibility of vehicles that could ensure crew survival even if the vehicle is destroyed.”
  Columbia Accident Investigation Board Report Vol I, August 2003

Crew Survival Office Position
• It is the position of the Crew Survival Office that the use of SRBs (large or small) in any crewed launch vehicle presents booster catastrophic failure modes that make compliance with the HRR 8705.2 very unlikely due to the inability to successfully abort if those failures occur.
  • Inability to abort occurs primarily due to the lack of sufficient warning time to detect the imminent booster catastrophic failure, initiate the abort and achieve a safe separation distance prior to LV catastrophic breakup or explosion.
• The current ATK/SAIC reliability estimates for the RSRB inline crew launch vehicle are over-optimistic compared to historical evidence from solid propellant launch vehicles.

Applicable HRR Requirements
The following are excerpts of the applicable requirements from the latest NPR 8705.2
• 3.1.7 Space systems shall not use abort as the first leg of failure tolerance
• 3.9.3 The space system shall provide crew and passenger survival modes throughout the ascent and on-orbit profile (from hatch closure until atmosphere entry interface) in the following order of precedence:
  a. Abort.
  b. Escape by retaining the crew and passengers encapsulated in a portion of the vehicle that can reenter without crew or passenger fatality or permanent disability.
  c. Escape by removing the crew and passengers from the vehicle.
  Note: The requirement is for survival modes to cover 100 percent of the ascent trajectory. The preferred method is for abort to cover 100 percent of the trajectory, thus returning the crew to the Earth in the spacecraft. Some architecture options that do not lend themselves to the 100 percent abort coverage will need to use the other methods to meet the intent of this requirement.
• 3.9.4 The program shall ensure that ascent survival modes can be successfully accomplished during any ascent failure mode including, but not limited to, complete loss of thrust, complete loss of control, and catastrophic booster failure at any point during ascent
• Tailoring of HRR requirements is allowed with the following caveat
  Note: Tailoring is for requirements that are not applicable (e.g., ascent escape requirements do not apply to a surface rover). Tailoring is not for requirements that are considered programmatically undesirable, expensive, or technically complicated.
Underlining provided for emphasis only

Crew Survival’s Response to SRB Reliability and Survivability Claims
• Reality does not seem to correspond to the predicted “paper reliability” of SRBs as presented by ATK/SAIC
“It appears that there are enormous differences of opinion as to the probability of a failure with loss of vehicle and of human life. The estimates range from roughly 1 in 100 to 1 in 100,000. The higher figures come from the working engineers, and the very low figures from management. What are the causes and consequences of this lack of agreement? Since 1 part in 100,000 would imply that one could put a Shuttle up each day for 300 years expecting to lose only one, we could properly ask "What is the cause of management's fantastic faith in the machinery?"”
R. P. Feynman, Personal observations on the reliability of the Shuttle, Report of the Presidential Commission on the Space Shuttle Challenger Accident, Appendix F

Crew Survival’s Response to SRB Reliability and Survivability Claims
• In 44 years of human space flight no flight crew has been lost during ascent as the result of a totally liquid based launch vehicle
  • Anticipated failures and robust ascent abort system
  • Two loss of vehicle events in the manned Soyuz program ended in successful launch aborts
    • Soyuz 18-1 – 2nd/3rd staging separation failure
    • Soyuz T 10-1 – GSE failure; pad fire
• However, in 24 years of flight on SRB based systems one flight crew has been lost as the result of an SRB failure during ascent
  • Unexpected and unanticipated failures, and no valid abort system
  • STS 51L
“For a successful technology, reality must take precedence over public relations, for nature cannot be fooled.”
R. P. Feynman, Personal observations on the reliability of the Shuttle, Report of the Presidential Commission on the Space Shuttle Challenger Accident, Appendix F

Launch Failures by Subsystem Root Cause of US-Built Expendable Vehicles 1984-2004
• In the past 20 years there have been more SRB failures than Liquid Propulsion failures
• The four SRB shell failures were probably not survivable
• All of the Liquid Propulsion failures were probably survivable
Failure Details
Source: Futron Design Reliability Comparison for SpaceX Falcon Vehicles November 2004

Launch Failures by Subsystem Root Cause of US-Built Expendable Vehicles 1984-2004
• Four of the six liquid failures in the previous table were associated with the upper stage and none led to a vehicle explosion
• Of the two 1st stage failures
  • Atlas I (AC-74) - Inappropriate power down to 65% - Propellant pressure regulator misconfiguration
  • Titan 34D (34D-7) - Premature engine shutdown - Propellant feed system failure
• Of the seven SRB failures in the previous table
  • Four resulted in vehicle destruction with little or no warning
    • STS 51L
    • Titan 34D-9
    • Titan 403A K-11 (45F-9)
    • Delta 2 7925-10
  • The three TVC failures were caused by loss of hydraulic fluid

Launch Failures by Subsystem Root Cause of US-Built Expendable Vehicles 1984-2004
Titan 34D-9 – 18 April 1986
SRB Case Burst at MET of 8.5 seconds

Demonstrated Reliability In Other Solid Based Systems
• Since the 60’s the nation’s defense has relied on solid propulsion ICBM systems
• Minuteman family
  • Minuteman I - Launches: 380. Failures: 27. Success Rate: 92.9% (1/14 failure rate)
  • Minuteman II - Launches: 194. Failures: 2. Success Rate: 99.0% (1/100 failure rate)
  • Minuteman III - Launches: 263. Failures: 5. Success Rate: 98.1% (1/53 failure rate)
  • Total - Launches: 837. Failures: 34. Success Rate: 95.9% (1/24 failure rate)
• Peacekeeper
  • Launches: 51. Failures: 1. Success Rate: 98.0% (1/50 failure rate)
• Polaris family
  • Polaris A1 - Launches: 122. Failures: 33. Success Rate: 73.0% (1/4 failure rate)
  • Polaris A2 - Launches: 227. Failures: 15. Success Rate: 93.4% (1/15 failure rate)
  • Polaris A3 - Launches: 271. Failures: 8. Success Rate: 97.1% (1/34 failure rate)
  • Trident C-4 - Launches: 165. Failures: 7. Success Rate: 95.8% (1/24 failure rate)
  • Trident D-5 - Launches: 122. Failures: 5. Success Rate: 95.9% (1/24 failure rate)
  • Total - Launches: 907. Failures: 68. Success Rate: 92.5% (1/13 failure rate)
• These failure rates demonstrate that very high total system reliabilities are quite unlikely

Reliability and Crew Safety Assessment for Solid Rocket Booster / J-2S Based Launch Vehicle (SAICNY05-04-1F) Specific Issues
• SAIC, p. 7: “The simplest designs of the EELVs, which offer the greatest potential for inherent reliability, are the single core variants. These single core EELVs with an effective crew escape system should provide the greatest crew safety.”
  • CSO: Crew Survival agrees with this statement. Any all liquid launch vehicle with an effective crew abort/escape system should provide the greatest crew safety. Mercury, Gemini, Soyuz and Apollo programs demonstrate this.
• SAIC, p. 8: “Simple Inherently Safe Design – A single human-rated SRB first stage matured through years of experience with over 176 flights of the current design for launching crew”
  • CSO: This statement, while true of the current shuttle RSRB, is not necessarily applicable to the proposed new 5 segment RSRB or RSRB inline configuration. Also, is the shuttle RSRB human rated because it truly meets human rating requirements or because there were no viable alternatives to it for the shuttle system? Is it truly human rated or human rated because humans ride on it?

Reliability and Crew Safety Assessment for Solid Rocket Booster / J-2S Based Launch Vehicle (SAICNY05-04-1F) Specific Issues
• SAIC, p. 8: “Historically Low Rates of Failure – In the space shuttle system only the 51-L event (a non-catastrophic failure of the SRB) has marred a perfect record in 226 SRBs, with 176 consecutive successful uses of the redesigned SRBs. This 1 in 226 history, or 0.996 launch success rate is perhaps the best of the best in launcher history.”
  • CSO: Non-catastrophic? Did the vehicle break up before the SRB could have had a catastrophic event? The JSC Greenbook lists 17 additional significant gas sealing problems, most recently STS-79, making the demonstrated failure rate 18/226 or a success rate of 92% (Greenbook extract)
• SAIC, p. 8: “Non-Catastrophic Failure Mode Propensity – Solid rocket booster history, and specific design features of the SRB suggest a propensity for gradual thrust augmentation failures which present less of a challenge for crew survival in the inline configuration, should they occur.”
  • CSO: This historical record from 1985-2004 shows this to not be the case: only 1 out of 6 SRB failures demonstrated thrust augmentation
  • CSO: “suggest a propensity” is wishful thinking, not a valid engineering conclusion

Reliability and Crew Safety Assessment for Solid Rocket Booster / J-2S Based Launch Vehicle (SAICNY05-04-1F) Specific Issues
• SAIC, p. 8: “Process Control – The proposed design offers the benefits of using propulsion suppliers with mature in-plant process control systems to minimize human error, which has proven to be a significant contributor to risk.”
  • CSO: Current 4 segment RSRB processes may not be applicable to the new proposed 5 segment design. RSRB refurbishment, segment pouring, testing, hazardous shipping and storage, and KSC stacking still require substantial human labor and inspection with corresponding potential for human error
• SAIC, p. 8: “Failure Precursor Identification and Correction – The design capitalizes on the significant failure precursor identification and elimination benefit from recovery, and post flight inspection of the recovered SRBs.”
  • CSO: Post flight failure examination is of little use to the crew on the flight with the problem
  • CSO: The data may be used incorrectly as in the Challenger and Columbia accidents.
  • CSO: Not all precursors are recognized

Reliability and Crew Safety Assessment for Solid Rocket Booster / J-2S Based Launch Vehicle (SAICNY05-04-1F) Specific Issues
• SAIC, p. 10: 1. The proposed design has a significant potential of meeting, and even exceeding, the 1 in 1000 mission astronaut office risk goal proposed by the crew even when conservative accident failure criteria have been applied (see Figure 1.1 indicating worst case condition), and even with significant further conservative variation in key risk driving parameters.
  • CSO: Paper rockets are well known for having “significant potential” in whatever aspect is important. In reality, the actual vehicle most often never achieves its “significant potential.”
• SAIC, p. 10: “SAIC assumed that all worse case accidents, that is, case burst events, would not be survivable. The SAIC physical models indicate that some at least, if not all, of the accidents would allow for the possibility of crew escape and recovery”
  • CSO: HRR compliance requires more than “some at least, if not all, of the accidents would allow for the possibility of crew escape and recovery.”
  • CSO: The unknowable accident environment renders analysis somewhat less than reliable.

Reliability and Crew Safety Assessment for Solid Rocket Booster / J-2S Based Launch Vehicle (SAICNY05-04-1F) Specific Issues
• SAIC, p. 11: “The proposed design offers significant, as much as an order of magnitude, improvement in crew survival during ascent as compared to the current shuttle system.”
  • CSO: Since the shuttle has no ascent crew survival capability during a first stage SRB failure this statement means “something is better than nothing.”
• SAIC, p. 11: The primary risk-driving elements of the design are forecasted to be contained in the second stage J-2S based system because it is a new development of a system without flight experience.
  • CSO: The lack of flight experience would also be true of the 5 segment design or the inline 4 segment design.

Reliability and Crew Safety Assessment for Solid Rocket Booster / J-2S Based Launch Vehicle (SAICNY05-04-1F) Specific Issues
SAIC assumptions:
• SAIC, p. 24: 2. The 1995 Shuttle PRA [5], specifically the portions of that document that relate to the participation of the solid rockets in the shuttle risk, is representative.
  • CSO: Failure rates from other large SRB programs, at a minimum, should be included as well as the other failures in the STS SRB program
• SAIC, p. 24: 4. The SRB/J-2S developed integrated design will be fully qualified for its launch environment. Specifically any additional launch vibrational loads or other environments will either be demonstrated to have fallen within the existing shuttle qualification envelope or will undergo delta qualifications for those environments that are not contained.
  • CSO: It is not apparent that the shuttle qualification envelope is appropriate to the new design.
  • CSO: Delta qualification could encounter unforeseen challenges or show stoppers

Reliability and Crew Safety Assessment for Solid Rocket Booster / J-2S Based Launch Vehicle (SAICNY05-04-1F) Specific Issues
SAIC assumptions:
• SAIC, p. 24: 4 The SRB/J-2S design will be fully tested with an integrated test program including full scale flight tests to demonstrate flight readiness before crewed flights.
  • CSO: Full envelope qualification of the launch abort system in the presence of catastrophic SRB failures is likely to be difficult and expensive.
• SAIC, p. 25: 11. There is sufficient warning time, and signals for 80% of the loss of control (thrust augmentation) failures.
  • CSO: There is no analysis that supports the 80% claim.
• SAIC, p. 25: 12. An escape system can be designed for the CEV that will provide escape capability after loss of control.
  • CSO: The Titan IV-A LOC (8/12/98) suggests that this may be difficult.
    • 1.7 seconds elapsed between the full pitch command and vehicle breakup at an alpha of ~13 degrees. The time between a reasonable launch abort redline (5 degrees) and breakup was much smaller.

Reliability and Crew Safety Assessment for Solid Rocket Booster / J-2S Based Launch Vehicle (SAICNY05-04-1F) Specific Issues
• SAIC, p. 96: “SRB failure rates were developed:
  • By combining component failure rate data in an “assessment tree” a bottom-up approach was used to estimate a failure rate of approximately one in 7000 motor-flights,
  • Through Bayesian update of U.S. solid rocket booster experience as recommended by a NASA-commissioned Independent Peer Review Panel (approximately one in 1500 motor-flights)
  • Through an expert elicitation using Thiokol managers as experts, combined with a Bayesian update to estimate a failure rate of one in 3058 motor-flights.”
• CSO: The differences in these three estimates are troubling given that the demonstrated shuttle SRB failure rate is, optimistically, 1/266 or realistically 1/15 (18/266).
  • These discrepancies suggest something is askew in the world of reliability estimates.
  • The current industry team LOV estimate for the inline RSRB configuration is 1/438

Reliability and Crew Safety Assessment for Solid Rocket Booster / J-2S Based Launch Vehicle (SAICNY05-04-1F) Specific Issues
Including other large SRB failures changes the picture considerably

Reliability and Crew Safety Assessment for Solid Rocket Booster / J-2S Based Launch Vehicle (SAICNY05-04-1F) Specific Issues
• Arbitrarily assuming all SRB failures are non-survivable yields a Loss of Crew Probability of 1/1750
• Since this LOC exceeds the desired 1/1000, CEV weight growth and decreasing launch vehicle performance margins could lead to pressure to delete the ~10,000 lb ascent abort system.

Reliability and Crew Safety Assessment for Solid Rocket Booster / J-2S Based Launch Vehicle (SAICNY05-04-1F) Specific Issues
• SAIC, p. 120: Launcher reliability has a large impact on crew safety. Regardless of the launcher type, assuring crew safety after a failure is uncertain. Given the limited number of test and flight opportunities it will be difficult to gain sufficient understanding of the dynamics to create an escape system that can provide high assurance of escape. Unknown-unknowns will dominate the reliability of crew escape systems. Since there undoubtedly will be significantly more launch experience than abort experience, the uncertainty in the likelihood of launch failure will be less than the uncertainty in abort reliability. Furthermore, a good design should be focused on achieving safety inherently, not by adding safety systems as a crutch. This is because the operating environment for the safety system is almost always less known (and therefore cannot be counted on to be highly reliable), therefore the safety focus of design should always be directed at achieving the highest possible reliability and recovery failure systems added only afterward.
  • CSO: This philosophy seems contradictory to the findings, recommendations, and observations of previous accident investigation boards.

CSO Comments on ESAS Integrated SRB Abort Assessment
• The comparison should be between the Single Stick SDLV and a liquid fueled vehicle.
  • Side mount SDLV has already been ruled out
• Safety Drivers – omits relevant facts from Single Stick claims
  • That thrust augmentation leads to slower single stack break-up is an assertion for which there is very little substantiating analysis.
  • Thrust Augmentation can lead to interactions between stages on the Single Stick
  • Thrust Augmentation can lead to upper stage propellant mixing/conflagration on the Single Stick

Conclusion
• It is the opinion of the CSO that the ATK/SAIC Loss of Crew prediction for the inline RSRB configuration is over-optimistic and should not be the basis for selecting the next crewed launch vehicle.
• Historical data suggests that exceeding a 99% launch success rate for solid propellant vehicles is improbable.

CSO Recommendations
• Non-selection of the inline SRB design for the crewed launch vehicle based on inability to meet the current Human Rating Requirements, NPR 8705.2.
• If the inline SRB design is pursued, establish an independent analysis and review effort to assess SRB success rates, failure modes, failure dynamics, failure detectability, and to define the catastrophic failure environments in which any launch abort system would have to successfully operate and determine the appropriate test and qualification program for that launch abort system.
• The agency perform a detailed comparison between the inline RSRB and EELV derived or other all liquid LV configurations using consistent criteria as to what counts in the reliability statistics.
The Agency is in the process of selecting a human launch vehicle that will most likely be used for the duration of the exploration program. Historical evidence and the lessons from past accidents should be applied in that selection.
“Those who cannot remember the past are condemned to repeat it.” George Santayana

BACKUP
• Crew Survival Definitions
• Launch Failures by Subsystem Root Cause of US-Built Expendable Vehicles 1984-2004
• SRB Anomalies from JSC19413 (Greenbook)
• ESAS Integrated SRB Abort Assessment

Crew Survival Definitions
• Abort: Termination of the nominal mission that allows the crew and passengers to be returned to Earth in the portion of the space system used for nominal entry and touchdown.
• Escape: Removal of crew and passengers from the portion of the space system normally used for reentry, due to rapidly deteriorating and hazardous conditions, thus placing them in a safe situation suitable for survivable return or recovery. Escape includes, but is not limited to, those modes that utilize a portion of the original space system for the removal (e.g., pods, modules, or fore bodies).
• Rescue: The process of locating the crew, proceeding to their position, providing assistance, and transporting them to a location free from danger.
• Safe Haven: A functional association of capabilities and environments that is initiated and activated in the event of a potentially life-threatening anomaly and allows human survival until rescue or repair can be effected.

Launch Failures by Subsystem Root Cause of US-Built Expendable Vehicles 1984-2004
Source: Futron Design Reliability Comparison for SpaceX Falcon Vehicles November 2004

ESAS Integrated SRB Abort Assessment***
*** MSFC Solid & Hybrid Propulsion Systems Branch, Abortability Assessment RSRM, April 2005.

ESAS Integrated SRB Abort Assessment*** (cont’d)
*** MSFC Solid & Hybrid Propulsion Systems Branch, Abortability Assessment RSRM, April 2005.

ESAS RSRB - Safety and Reliability
• Simple Inherently Safe Design
• Design Robustness
• Historically Low Rates of Failure
• Non-Catastrophic Failure Mode Propensity
• Process Control
• Failure Precursor Identification and Correction
The estimated reliability for a 4-segment SRB, based on QRAS2000 model, is 99.97%
Demonstrated Shuttle RSRB reliability is more than 3 times that of other large SRBs
Major redesign conducted after the Challenger accident significantly increased the expected reliability of the SRB

ESAS Significant Benefit for Post Flight Inspection
Number of Shuttle SRB Post Flight Issues vs. Flights