Streamlining Space Launch Range Safety

Appendix E
Safety Modeling and Analysis

The primary hazards from launch accidents are associated with debris, toxic effects, and blast overpressure. Debris is created by aerodynamic forces that break up the vehicle, by explosions caused by system malfunctions, or, in many cases, as the intended result of initiating flight termination. Toxic effects may be caused by effluents from launches or catastrophic accidents. Vehicle explosions may also create blast overpressure, which can break windows and cause injuries from glass fragments miles from an accident site. Modeling of these effects is needed for launch safety.

PRELAUNCH MODELING

Nominal trajectory and expected variations from nominal. The launch customer generally provides mission data describing the nominal vehicle trajectory and states (e.g., velocity, thrust, staging events). Uncertainties in vehicle and control system characteristics and wind variability are used to define three-sigma limits to the trajectory profile. The nominal and three-sigma limits are used as references during launch and are depicted on the Range Safety Display System. These data, which define the baseline path for the vehicle, are essential to any safety study. The data are also necessary during launch because deviation from the nominal trajectory may indicate a dangerous failure.

Vehicle component reliability. The launch customer provides estimates of component and subcomponent reliability to range safety personnel. These reliabilities are generally computed using fault tree analyses. If operational experience is available, component reliabilities may be adjusted based on observed failure rates. The adjustment process uses conventional filtering theory for estimating the confidence level for operational and estimated reliability but also includes a degree of subjectivity and technical judgment.

The use of fault trees to estimate system reliability is quite common in risk management. Fault tree analysis is most effective when subcomponent reliabilities are well known (e.g., through repeated laboratory tests) but may be less accurate in estimating reliabilities when failure modes are dependent or unexpected. Adding complexity to a fault tree (e.g., adding nodes) does not necessarily result in a more accurate estimate of reliability because the uncertainties in each component propagate throughout the tree.
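The two caveats above (uncertain inputs propagate through the tree, and independence-based gates miss dependent failure modes) can be made concrete with a small fault tree. The Python below is an added example, not code from the report or from either range: it evaluates a tree under the usual independence assumption, propagates the uncertainty of each basic-event estimate through the tree by Monte Carlo, and then adds a common-cause event that the independence assumption hides. The gate structure, the failure probabilities and the trial counts behind them are constructed, hypothetical values.

```python
"""Fault-tree reliability with uncertainty propagation.

Added example, not from the report. The gate structure and all failure
probabilities and trial counts are constructed (hypothetical) values.
"""
import random
from dataclasses import dataclass
from typing import List, Union


@dataclass
class Basic:
    """Basic event: estimated failure probability p backed by n trials (n = 0: untested)."""
    name: str
    p: float
    n: int = 0


@dataclass
class Gate:
    kind: str             # "AND" (all inputs must fail) or "OR" (any input fails)
    inputs: List["Node"]


Node = Union[Basic, Gate]


def failure_prob(node: Node, sample: dict = None) -> float:
    """Top-event probability assuming the basic events are independent.
    `sample` optionally maps basic-event name -> probability for one Monte Carlo draw."""
    if isinstance(node, Basic):
        return sample[node.name] if sample is not None else node.p
    ps = [failure_prob(i, sample) for i in node.inputs]
    out = 1.0
    if node.kind == "AND":
        for p in ps:
            out *= p
        return out
    if node.kind == "OR":             # 1 - P(no input fails)
        for p in ps:
            out *= 1.0 - p
        return 1.0 - out
    raise ValueError(f"unknown gate {node.kind}")


def basics(node: Node) -> List[Basic]:
    if isinstance(node, Basic):
        return [node]
    return [b for i in node.inputs for b in basics(i)]


def credible_interval(tree: Node, trials: int = 4000, seed: int = 7):
    """5th / 50th / 95th percentiles of the top event when every tested basic event's
    probability is drawn from its Beta posterior (uniform prior, k = p*n observed
    failures out of n trials). Untested events keep their point estimate."""
    rng = random.Random(seed)
    events = basics(tree)
    draws = []
    for _ in range(trials):
        s = {}
        for b in events:
            if b.n > 0:
                k = b.p * b.n
                s[b.name] = rng.betavariate(k + 1, b.n - k + 1)
            else:
                s[b.name] = b.p
        draws.append(failure_prob(tree, s))
    draws.sort()
    return draws[trials // 20], draws[trials // 2], draws[trials - trials // 20 - 1]


# Constructed trees for "loss of thrust vector control" (hypothetical numbers).
LUMPED = Basic("tvc_loss", 0.0021, n=5000)          # one well-tested estimate
DETAILED = Gate("OR", [                              # the same function, decomposed
    Basic("actuator", 2e-3, n=500),
    Gate("AND", [Basic("controller_A", 1e-2, n=200),
                 Basic("controller_B", 1e-2, n=200)]),
])
# The redundant controllers above are modeled as independent; a shared cause
# (e.g. a common power bus) is a dependent failure mode the AND gate does not see.
DETAILED_CCF = Gate("OR", DETAILED.inputs + [Basic("controller_common_cause", 1e-3)])


if __name__ == "__main__":
    for name, t in [("lumped", LUMPED), ("detailed", DETAILED), ("detailed+CCF", DETAILED_CCF)]:
        lo, med, hi = credible_interval(t)
        print(f"{name:13s} point={failure_prob(t):.5f}  90% band=[{lo:.5f}, {hi:.5f}]")
```

Decomposing the well-tested lumped estimate into poorly tested subcomponents leaves the point estimate almost unchanged but widens the 90 percent band several-fold, and the common-cause event raises the top-event probability by roughly half: more nodes add uncertainty rather than remove it, and dependent failure modes are where a tree built from independent branches is optimistic.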

Vehicle failure modes, probabilities, and effects. Probable failure modes are identified by the launch customer using event trees and component reliabilities. This process includes describing each failure type (including the results of command destruct), its likelihood as a function of time, its effect on the vehicle's trajectory (e.g., a change in thrust direction), and the quantity, type, and energy of debris that would be generated. These data may also be adjusted by range safety personnel based on previous experience.

Wind modeling and debris-dispersion modeling. Statistics on monthly or seasonal winds are developed at each range to determine the likely trajectories of expended stages or debris. These data include the average wind magnitude and direction as a function of altitude, as well as the statistical variability of these parameters. Wind speed or direction shifts downrange are not considered.

At the time of launch, the actual measured winds from aerial soundings may be used to improve prelaunch estimates. The wind data are used with the data on ballistic coefficient and energy to determine debris trajectories. During launch, wind and aerodynamic effects are omitted when computing the instantaneous impact point (IIP), but measured winds are used to depict probable debris impact points on the Range Safety Display System.
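The two computations just described, the vacuum IIP used in real time and the wind-drifted debris impact drawn from measured winds, can be illustrated with the following Python. It is an added example, not the ranges' code. It assumes a flat, non-rotating Earth, an exponential atmosphere, a fragment that falls at terminal velocity through a layered wind table after the vehicle coasts to apogee (drift during ascent is ignored), and a constructed vehicle state and wind profile; beta = m/(Cd*A) is the ballistic coefficient referred to above.

```python
"""Vacuum instantaneous impact point (IIP) and wind-drifted debris impact.

Added example, not from the report. Flat non-rotating Earth, exponential
atmosphere, terminal-velocity descent from apogee, and the constructed vehicle
state and wind table are simplifying assumptions made here for illustration.
"""
import math
from typing import Tuple

G = 9.80665        # m/s^2
RHO0 = 1.225       # sea-level air density, kg/m^3
H_SCALE = 8500.0   # density scale height, m

# Wind layers: (layer top altitude m, east wind m/s, north wind m/s). Constructed.
WIND_LAYERS = [(2000.0, 5.0, 0.0), (6000.0, 12.0, 3.0),
               (12000.0, 25.0, 8.0), (30000.0, 40.0, 10.0)]


def vacuum_iip(x: float, y: float, h: float,
               vx: float, vy: float, vh: float) -> Tuple[float, float, float]:
    """Where the vehicle lands if thrust stops now and it falls ballistically with no
    aerodynamic forces. Returns (x_impact, y_impact, time_to_impact)."""
    # Positive root of h + vh*t - 0.5*G*t^2 = 0.
    t = (vh + math.sqrt(vh * vh + 2.0 * G * h)) / G
    return x + vx * t, y + vy * t, t


def wind_for(alt: float) -> Tuple[float, float]:
    for top, we, wn in WIND_LAYERS:
        if alt <= top:
            return we, wn
    return WIND_LAYERS[-1][1], WIND_LAYERS[-1][2]


def debris_drift(h0: float, beta: float, step: float = 100.0) -> Tuple[float, float]:
    """Horizontal displacement (east, north) of a fragment that starts falling from
    altitude h0 at terminal velocity through the wind layers. beta = m/(Cd*A) [kg/m^2]
    is the ballistic coefficient: light fragments (low beta) fall slowly and drift farther."""
    dx = dy = 0.0
    alt = h0
    while alt > 0.0:
        layer = min(step, alt)
        mid = alt - layer / 2.0
        rho = RHO0 * math.exp(-mid / H_SCALE)
        v_term = math.sqrt(2.0 * beta * G / rho)   # terminal velocity in this slab
        dt = layer / v_term
        we, wn = wind_for(mid)
        dx += we * dt
        dy += wn * dt
        alt -= layer
    return dx, dy


def debris_impact(x, y, h, vx, vy, vh, beta) -> Tuple[float, float]:
    """Vacuum IIP plus the wind drift of a fragment of the given ballistic coefficient
    on its way down from apogee: a crude stand-in for the measured-wind debris point
    drawn on the display (the ranges' tools propagate debris with real aerodynamics)."""
    ix, iy, _ = vacuum_iip(x, y, h, vx, vy, vh)
    h_apex = h + max(vh, 0.0) ** 2 / (2.0 * G)
    dx, dy = debris_drift(h_apex, beta)
    return ix + dx, iy + dy


if __name__ == "__main__":
    # Constructed state about a minute into flight: 8 km up, 400 m/s east, 700 m/s vertical.
    state = (4000.0, 0.0, 8000.0, 400.0, 0.0, 700.0)
    print("vacuum IIP (x, y, t):", vacuum_iip(*state))
    for beta in (5.0, 50.0, 500.0):
        print(f"beta={beta:5.0f} kg/m^2 -> debris impact {debris_impact(*state, beta)}")
```

Drift scales as 1/sqrt(beta), so a fragment whose ballistic coefficient is 100 times smaller drifts ten times as far in the same wind; this is why small debris spreads farther than large debris and why leaving it out of the analysis narrows the predicted footprint.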

Population modeling. Simplified models of population density are developed by the ranges to determine the likelihood of casualties if debris lands in a given region. These models generally break the landmasses into regions in which the population is assumed to be equally distributed. Dense population centers and cities are separated from rural areas. Population data are available in the models for much of the world, although data for some regions, including Europe, are missing. Different population distributions and shelter probabilities are assigned depending on the time of launch (day, evening, or night).

Debris-effect modeling. Data relating object energy and the likelihood that an object will cause injuries or deaths are used to determine the smallest objects that should be included in subsequent analyses. This modeling considers the type of shelter available and the probability that a fragment of a given energy would penetrate the shelter. This analysis is also used to determine the minimum size of debris that could endanger aircraft and ships.

Computation and application of safety metrics. Safety metrics, such as casualty expectation (Ec) and the individual hit probability for aircraft or ships (Pi), are calculated throughout the launch trajectory by computing the probability of failure at any given time; determining the potential failure modes, debris types, and energies; propagating the debris using wind and aerodynamic models; and estimating casualties for the debris type and energy, the affected area, shelter types, and population densities.

The Western Range (WR) uses the Launch Risk Analysis (LARA) computer program, along with several other analysis tools, to calculate safety metrics. Thrust termination, on-trajectory breakup, and malfunction turns are the primary failure modes considered in the LARA analysis. The Eastern Range (ER) uses a different computer program, DAMP (facility DAMage and Personnel injury), along with other packages, such as RAFIP (Random Attitude Failure Impact Predictions), RSTT (Range Safety Tumble Turns), and DISP (impact DISPersions). DAMP considers six failure modes: explosion on the launch pad, loss of control at liftoff, straight-up flight, on-trajectory failure, malfunction turn, and planned jettison of components. The overall approaches used by the WR and ER are similar in terms of failure modeling, debris propagation, and casualty estimation.
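In simplified form, the Ec computation described under "Computation and application of safety metrics" is a sum over trajectory time steps and population cells of the failure probability in the step, the probability that the debris lands in the cell, and the expected casualties given a hit there. The Python below is an added example, not LARA or DAMP: it assumes a circular two-sigma Gaussian debris footprint (as the WR display draws), a single casualty area for the debris class, uniform-density population cells each with a shelter factor, and a constructed failure-probability profile along the trajectory. It also performs the kind of sensitivity sweep the report mentions, computing the elasticity of Ec to the overall failure probability, the shelter protection, and the casualty area; all numbers are constructed.

```python
"""Casualty expectation (Ec) along a trajectory, with a sensitivity sweep.

Added example, not the LARA or DAMP computation. All numbers are constructed:
the per-step failure probabilities, the circular two-sigma debris footprints,
the population cells with their shelter factors, and the casualty area.
"""
import math
from typing import Dict, Tuple

Cell = Tuple[float, float, float, float, float]
# (x_center m, y_center m, side m, people per km^2, shelter factor = fraction protected)
CELLS = [
    (5_000.0, 2_000.0, 4_000.0, 50.0, 0.6),       # launch-area industrial zone
    (20_000.0, 6_000.0, 4_000.0, 800.0, 0.8),     # town
    (60_000.0, -3_000.0, 4_000.0, 1.0, 0.0),      # boats offshore, unsheltered
    (90_000.0, 10_000.0, 4_000.0, 2_000.0, 0.9),  # city
]

# (t s, P(failure in this interval), footprint center x m, y m, two-sigma radius m).
# Early flight carries most of the failure probability; the footprint grows downrange.
TRAJECTORY = [
    (10.0, 4e-4, 1_000.0, 100.0, 1_500.0),
    (30.0, 3e-4, 6_000.0, 500.0, 3_000.0),
    (60.0, 2e-4, 22_000.0, 2_000.0, 6_000.0),
    (90.0, 1e-4, 60_000.0, 4_000.0, 10_000.0),
    (120.0, 1e-4, 140_000.0, 9_000.0, 16_000.0),
]

CASUALTY_AREA_M2 = 30.0  # ground area over which the debris class can cause a casualty


def hit_probability(cx: float, cy: float, r2sig: float, cell: Cell) -> float:
    """Probability that debris centered on (cx, cy) with a circular Gaussian footprint of
    two-sigma radius r2sig lands in the cell. Uses the density at the cell center times the
    cell area, which is adequate when cells are small relative to the footprint; a finer
    grid (or numerical integration) is needed where that does not hold."""
    x, y, side, _, _ = cell
    sigma = r2sig / 2.0
    d2 = (x - cx) ** 2 + (y - cy) ** 2
    pdf = math.exp(-d2 / (2.0 * sigma * sigma)) / (2.0 * math.pi * sigma * sigma)
    return min(1.0, pdf * side * side)


def casualty_expectation(p_fail_scale: float = 1.0, shelter_scale: float = 1.0,
                         area_m2: float = CASUALTY_AREA_M2,
                         cells=CELLS, trajectory=TRAJECTORY) -> float:
    """Ec = sum over time steps of P(fail in step) * sum over cells of
    P(hit cell) * (unsheltered people inside the casualty area)."""
    ec = 0.0
    for _t, p_fail, cx, cy, r2sig in trajectory:
        for cell in cells:
            _, _, _, density_km2, shelter = cell
            unsheltered = 1.0 - min(1.0, shelter * shelter_scale)
            people_exposed = density_km2 / 1e6 * area_m2 * unsheltered
            ec += p_fail * p_fail_scale * hit_probability(cx, cy, r2sig, cell) * people_exposed
    return ec


def sensitivity(delta: float = 0.1) -> Dict[str, float]:
    """Elasticity of Ec to each input (fractional change in Ec per fractional change in
    the input). The largest magnitudes mark the inputs whose accuracy matters most."""
    base = casualty_expectation()
    return {
        "p_fail": (casualty_expectation(p_fail_scale=1 + delta) / base - 1) / delta,
        "shelter": (casualty_expectation(shelter_scale=1 + delta) / base - 1) / delta,
        "casualty_area": (casualty_expectation(area_m2=CASUALTY_AREA_M2 * (1 + delta))
                          / base - 1) / delta,
    }


if __name__ == "__main__":
    print(f"Ec = {casualty_expectation():.3e}")
    for name, value in sensitivity().items():
        print(f"elasticity of Ec to {name:14s}: {value:+.2f}")
```

Because Ec is linear in the failure probability and in the casualty area, their elasticities are exactly 1, so an error of x percent in either input is an error of x percent in Ec; the shelter elasticity is negative and its size depends on how much of the exposed population sits under the footprint, which is exactly the kind of result the sensitivity analyses are used to find.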
The assumptions and implementation of these methods, however, are different. RAFIP assumes that an instantaneous turn to any attitude is possible, whereas LARA uses physical limitations on turn rates. Both approaches are conservative. Conservatism is further increased by RAFIP, which assumes that no debris is consumed by heat during reentry and that no populations are sheltered. The conservatism of safety metrics computed by LARA is increased by the use of unrealistically high failure rates. Some sensitivity analyses have been performed to determine how Ec varies with changes in input parameters, such as overall probability of failure, residual thrust, or roof protection. These sensitivity analyses identify parameters with the largest impact on the value of Ec and, therefore, show where accuracy is most important. This information can be useful for improving risk analysis methods.

Flight hazard and flight caution area. The sizes of flight hazard and caution areas are based on estimates of risk to unsheltered personnel. These areas are conservatively defined using worst-case wind conditions and a probability of vehicle failure of 1.

Blast-effect modeling. Blast risks are estimated using two tools: GLASSC, which relates blast overpressure to window breakage and casualties, and BLASTC (at the WR) or BLASTX (at the ER), which use wind and temperature profiles to determine the risk of casualties.¹ The models produce series of predicted overpressure contours and risk profiles (plots of the probability of varying numbers of casualties), assuming that the probability of vehicle failure is 1.

Toxic-effect modeling. The risks from toxic gases are estimated using two software packages. The Rocket Exhaust Effluent Diffusion Model (REEDM) predicts the toxic chemical concentration in the event of a vehicle failure and produces contours showing the predicted concentrations of toxic chemicals near the ground.
The Launch Area Toxic Risk Assessment (LATRA) program is used at the WR (and will be used at the ER in the near future) to determine the likelihood of an accident, estimate individual and collective risk (Pc and Ec), and develop risk profiles based on current weather conditions, models of population density and sheltering, and the amount, type, and toxicity of the substances that could be released. Both blast and toxic risk evaluations are performed well before each launch using statistical wind conditions, and they are repeated on launch day using measured winds.

Impact limit lines. Impact limit lines (ILLs), which are defined using geographic references, define boundaries beyond which significant pieces of debris should not penetrate. The definition of ILLs does not explicitly take safety metrics into consideration; rather, it is based on preventing the overflight of inhabited landmasses whenever possible.

Instantaneous impact point. To monitor the vehicle's progress relative to the nominal trajectory and the ILLs, the vehicle's current position and instantaneous impact point (IIP) are computed and displayed in real time during flight. For computational efficiency, the vacuum IIP is used (i.e., calculations do not include aerodynamic effects).

Destruct lines. Destruct lines, located inside the ILLs, are used to ensure that significant amounts of debris will not cross the ILL. The IIP position relative to the destruct line is a primary element of information in destruct decisions during launch. Small debris will propagate farther than large debris but is generally less dangerous upon impact. Ignoring small pieces of debris results in a wider launch corridor and reduces the probability that a mission will be aborted unnecessarily.

Collision avoidance. The intended launch trajectory is compared with the trajectories of satellites in orbit that are manned or capable of being manned.
If a vehicle is projected to pass within 200 km of a satellite, the launch window is adjusted. A buffer of two to eight minutes is added to the window to account for uncertainties in the accuracy and timing of the trajectory. Because the spatial buffer is so large, this safety requirement may be quite conservative.

¹ GLASSC, BLASTC, and BLASTX are descriptive nicknames, not acronyms.

ACTIVITIES DURING LAUNCH

Some of the information displayed and used to make safety-related decisions during launch is different at the ER and WR. The primary tools and procedures that are common to both ranges are described below, followed by a description of methods used by just one.

Methods Common to the Western and Eastern Ranges

Both the WR and ER use a range safety display system that provides a real-time depiction of the vehicle's current position relative to the nominal trajectory. The display also shows the three-sigma dispersions around the nominal trajectory, the IIP, destruct lines, ILLs, and geographic features, such as coastlines. The map may be manually or automatically scaled as the vehicle progresses along its trajectory. The mission flight control officer (MFCO) also has a vertical display (specific to each range, as described below) and flight termination system (FTS) arm and destruct buttons on a console.

Methods Specific to the Western Range

LARA is rerun approximately two hours before launch to identify any changes in Ec caused by current wind data. The results are briefed to the MFCO and range commander. A debris pattern footprint is displayed on the range safety display system showing the probable (two-sigma) locations of debris for several postulated failure conditions. The display is updated in real time during flight. The footprints are shown as circles rather than ellipses to simplify computation.

Two specific times of interest are computed and displayed to the MFCO. Amber time is the time at which the launch vehicle has enough energy to impact a region outside the ILLs. If tracking of the vehicle is not available by amber time, the flight is terminated.
Computations for amber time are conservative in that they do not account for aerodynamic effects on the vehicle and assume the worst-case trajectory toward the ILL. MFCO response time is not included in the calculation because the MFCO is expected to be monitoring the situation closely. Red time is the time at which a straight-up vehicle would present a danger. Red time is calculated using statistical wind conditions and MFCO reaction time. If a vehicle fails to initiate its pitch program (turn downrange) by red time, the flight is terminated.

The MFCO also has a display of two vertical planes. One is used to determine whether the vehicle is pitching correctly downrange. The other shows the vehicle's cross-track position relative to destruct lines.

Methods Specific to the Eastern Range

On launch day, the measured wind profile is compared with the previously developed maximum-wind constraints. Winds in excess of these values may result in a launch hold because Ec could be increased beyond the accepted standard. The MFCO uses two vertical profile displays to monitor the vehicle relative to the nominal trajectory, ILLs, and destruct lines. A straight-up time (analogous to red time at the WR) is also computed and displayed for reference.

At the ER, a "chevron line" display, which is designed to protect the region behind the launch site from a vehicle that does not pitch downrange successfully, is also provided. The display shows destruct lines that move downrange in real time in response to the vehicle's velocity. If the vehicle is not progressing downrange as expected, the flight is terminated before the point at which debris would pass beyond the ILLs. Generally, the chevron display is only needed for the first 100 seconds of flight.
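As an added example of the amber-time rule described above for the Western Range (not the range's implementation), the Python below integrates a constructed powered ascent, computes at each sample the greatest vacuum range the vehicle could reach in any direction from its current speed and altitude, and reports the first time that range reaches the nearest impact limit line. The ILLs are modeled as a straight line a fixed distance uprange of the pad plus a pair of lines a fixed distance to either side of the flight azimuth; like the range's computation it omits aerodynamics and MFCO reaction time and takes the worst-case heading. The ascent profile, the ILL geometry, and the flat-Earth vacuum ballistics are assumptions made here.

```python
"""Amber time: first time a vehicle has enough energy to impact beyond an ILL.

Added example, not the Western Range's implementation. Flat Earth, vacuum
ballistics, straight-line ILLs and the constructed ascent are assumptions.
"""
import math
from typing import List, Optional, Tuple

G = 9.80665  # m/s^2

State = Tuple[float, float, float, float]  # (t s, downrange x m, altitude h m, speed m/s)


def max_vacuum_range(speed: float, altitude: float) -> float:
    """Largest horizontal distance reachable in vacuum from (speed, altitude), maximized
    over every heading and flight-path angle: R_max = (v / g) * sqrt(v^2 + 2 g h)."""
    return speed / G * math.sqrt(speed * speed + 2.0 * G * altitude)


def ascent_profile(t_end: float = 150.0, dt: float = 0.5, thrust_accel: float = 20.0,
                   pitch_start: float = 10.0, pitch_rate_deg: float = 1.0,
                   pitch_max_deg: float = 80.0) -> List[State]:
    """Constructed powered ascent: constant thrust acceleration, vertical until pitch_start,
    then pitching downrange at pitch_rate_deg per second up to pitch_max_deg (Euler steps)."""
    states: List[State] = []
    t = x = h = vx = vh = 0.0
    while t <= t_end + 1e-9:
        states.append((t, x, h, math.hypot(vx, vh)))
        pitch = 0.0
        if t >= pitch_start:
            pitch = math.radians(min(pitch_rate_deg * (t - pitch_start), pitch_max_deg))
        vx += thrust_accel * math.sin(pitch) * dt
        vh += (thrust_accel * math.cos(pitch) - G) * dt
        x += vx * dt
        h += vh * dt
        t += dt
    return states


def nearest_ill_distance(x: float, d_uprange: float, d_cross: float) -> float:
    """Ground distance from the vehicle's sub-point (x, 0) to the closest ILL: a line
    d_uprange behind the pad or either line d_cross to the side of the flight azimuth."""
    return min(x + d_uprange, d_cross)


def amber_time(states: List[State], d_uprange: float, d_cross: float) -> Optional[float]:
    """First sample time at which the worst-case vacuum range reaches the nearest ILL,
    or None if it never does within the profile."""
    for t, x, h, v in states:
        if max_vacuum_range(v, h) >= nearest_ill_distance(x, d_uprange, d_cross):
            return t
    return None


def must_terminate_for_tracking(amber: Optional[float],
                                tracking_valid_at: Optional[float]) -> bool:
    """The rule in the text: no valid tracking by amber time means the flight is terminated."""
    if amber is None:
        return False
    return tracking_valid_at is None or tracking_valid_at > amber


if __name__ == "__main__":
    profile = ascent_profile()
    for d in (5_000.0, 20_000.0, 60_000.0):
        print(f"ILLs {d / 1000:.0f} km uprange and crossrange: amber time = {amber_time(profile, d, d)} s")
    print("terminate if tracking is first valid at 25 s with 5 km ILLs:",
          must_terminate_for_tracking(amber_time(profile, 5_000.0, 5_000.0), 25.0))
```

Amber time moves later as the ILLs move farther from the pad, and because the check uses speed and altitude alone it does not depend on which way the vehicle is actually pointing, which is the conservative worst-case assumption the text describes.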
Copyright © National Academy of Sciences. All rights reserved.