National Academies Press: OpenBook

Streamlining Space Launch Range Safety (2000)

Chapter: Appendix E: Safety Modeling and Analysis

« Previous: Appendix D: Studies Related to Space Launch Range Safety
Suggested Citation:"Appendix E: Safety Modeling and Analysis." National Research Council. 2000. Streamlining Space Launch Range Safety. Washington, DC: The National Academies Press. doi: 10.17226/9790.
×

Appendix E
Safety Modeling and Analysis

The primary hazards from launch accidents are associated with debris, toxic effects, and blast overpressure. Debris is created by aerodynamic forces that break up the vehicle, by explosions caused by system malfunctions, or, in many cases, as the intended result of initiating flight termination. Toxic effects may be caused by effluents from launches or catastrophic accidents. Vehicle explosions may also create blast overpressure, which can break windows and cause injuries from glass fragments miles from an accident site. Modeling of these effects is needed for launch safety.

PRELAUNCH MODELING

Nominal trajectory and expected variations from nominal. The launch customer generally provides mission data describing the nominal vehicle trajectory and states (e.g., velocity, thrust, staging events). Uncertainties in vehicle and control system characteristics and wind variability are used to define three-sigma limits to the trajectory profile. The nominal and three-sigma limits are used as references during launch and are depicted on the Range Safety Display System. These data, which define the baseline path for the vehicle, are essential to any safety study. The data are also necessary during launch because deviation from the nominal trajectory may indicate a dangerous failure.

Vehicle component reliability. The launch customer provides estimates of component and subcomponent reliability to range safety personnel. These reliabilities are generally computed using fault tree analyses. If operational experience is available, component reliabilities may be adjusted based on observed failure rates. The adjustment process uses conventional filtering theory for estimating the confidence level for operational and estimated reliability but also includes a degree of subjectivity and technical judgment.

The use of fault trees to estimate system reliability is quite common in risk management. Fault tree analysis is most effective when subcomponent reliabilities are well known (e.g., through repeated laboratory tests) but may be less accurate in estimating reliabilities when failure modes are dependent or unexpected. Adding complexity to a fault tree (e.g., adding nodes) does not necessarily result in a more accurate estimate of reliability because the uncertainties in each component propagate throughout the tree.

Vehicle failure modes, probabilities, and effects. Probable failure modes are identified by the launch customer using event trees and component reliabilities. This process includes describing each failure type (including the results of command destruct), its likelihood as a function of time, its effect on the vehicle's trajectory (e.g., a change in thrust direction), and the quantity, type, and energy of debris that would be generated. These data may also be adjusted by range safety personnel based on previous experience.

Wind modeling and debris-dispersion modeling. Statistics on monthly or seasonal winds are developed at each range to determine the likely trajectories of expended stages or debris. These data include the average wind magnitude and direction as a function of altitude, as well as the statistical variability of these parameters. Wind speed or direction shifts downrange are not considered.

At the time of launch, the actual measured winds from aerial soundings may be used to improve prelaunch estimates. The wind data are used with the data on ballistic coefficient and energy to determine debris trajectories. During launch, wind and aerodynamic effects are omitted when computing the instantaneous impact point (IIP), but measured winds are used to depict probable debris impact points on the Range Safety Display System.

Population modeling. Simplified models of population density are developed by the ranges to determine the likelihood of casualties if debris lands in a given region. These models generally break the landmasses into regions in which the population is assumed to be equally distributed. Dense population centers and cities are separated from rural areas. Population data are available in the models for much of the word, although data for some regions, including Europe, are missing. Different population distributions and shelter

Suggested Citation:"Appendix E: Safety Modeling and Analysis." National Research Council. 2000. Streamlining Space Launch Range Safety. Washington, DC: The National Academies Press. doi: 10.17226/9790.
×

probabilities are assigned depending on the time of launch (day, evening, or night).

Debris-effect modeling. Data relating object energy and the likelihood that an object will cause injuries or deaths are used to determine the smallest objects that should be included in subsequent analyses. This modeling considers the type of shelter available and the probability that a fragment of a given energy would penetrate the shelter. This analysis is also used to determine the minimum size of debris that could endanger aircraft and ships.

Computation and application of safety metrics. Safety metrics, such as casualty expectation (Ec) and the individual hit probability for aircraft or ships (Pi,) are calculated throughout the launch trajectory by computing the probability of failure at any given time; determining the potential failure modes, debris types, and energies; propagating the debris using wind and aerodynamic models; and estimating casualties for the debris type and energy, the affected area, shelter types, and population densities.

The Western Range (WR) uses the Launch Risk Analysis (LARA) computer program, along with several other analysis tools, to calculate safety metrics. Thrust termination, ontrajectory breakup, and malfunction turns are the primary failure modes considered in the LARA analysis. The Eastern Range (ER) uses a different computer program, DAMP (facility DAMage and Personnel injury), along with other packages, such as RAFIP (Random Attitude Failure Impact Predictions), RSTT (Range Safety Tumble Turns), and DISP (impact DISPersions). DAMP considers six failure modes: explosion on the launch pad, loss of control at liftoff, straight-up flight, on-trajectory failure, malfunction turn, and planned jettison of components.

The overall approaches used by the WR and ER are similar in terms of failure modeling, debris propagation, and casualty estimation. The assumptions and implementation of these methods, however, are different. RAFIP assumes that an instantaneous turn to any attitude is possible, whereas LARA uses physical limitations on turn rates. Both approaches are conservative. Conservatism is further increased by RAFIP, which assumes that no debris is consumed by heat during reentry and that no populations are sheltered. The conservatism of safety metrics computed by LARA is increased by the use of unrealistically high failure rates.

Some sensitivity analyses have been performed to determine how Ec varies with changes in input parameters, such as overall probability of failure, residual thrust, or roof protection. These sensitivity analyses identify parameters with the largest impact on the value of Ec and, therefore, show where accuracy is most important. This information can be useful for improving risk analysis methods.

Flight hazard and flight caution area. The sizes of flight hazard and caution areas are based on estimates of risk to unsheltered personnel. These areas are conservatively defined using worst-case wind conditions and a probability of vehicle failure of 1.

Blast-effect modeling. Blast risks are estimated using two tools, GLASSC, which relates blast overpressure to window breakage and casualties, and BLASTC (at the WR) or BLASTX (at the ER), which use wind and temperature profiles to determine the risk of casualties.1 The models produce series of predicted overpressure contours and risk profiles (plots of the probability of varying numbers of casualties), assuming that the probability of vehicle failure is 1.

Toxic-effect modeling. The risks from toxic gases are estimated using two software packages. The Rocket Exhaust Effluent Diffusion Model (REEDM) predicts the toxic chemical concentration in the event of a vehicle failure and produces contours showing the predicted concentrations of toxic chemicals near the ground. The Launch Area Toxic Risk Assessment (LATRA) program is used at the WR (and will be used at the ER in the near future) to determine the likelihood of an accident, estimate individual and collective risk (Pc and Ec),and develop risk profiles based on current weather conditions, models of population density and sheltering, and the amount, type, and toxicity of the substances that could be released. Both blast and toxic risk evaluations are performed well before each launch using statistical wind conditions, and they are repeated on launch day using measured winds.

Impact limit lines. Impact limit lines (ILLs), which are defined using geographic references, define boundaries beyond which significant pieces of debris should not penetrate. The definition of ILLs does not explicitly take safety metrics into consideration; rather, it is based on preventing the overflight of inhabited landmasses whenever possible.

Instantaneous impact point. To monitor the vehicle's progress relative to the nominal trajectory and the ILLs, the vehicle's current position and instantaneous impact point (liP) are computed and displayed in real time during flight. For computational efficiency, the vacuum lip is used (i.e., calculations do not include aerodynamic effects).

Destruct lines. Destruct lines, located inside the ILLs, are used to ensure that significant amounts of debris will not cross the ILL. The lip position relative to the destruct line is a primary element of information in destruct decisions during launch. Small debris will propagate farther than large debris but is generally less dangerous upon impact. Ignoring small pieces of debris results in a wider launch corridor and reduces the probability that a mission will be aborted unnecessarily.

Collision avoidance. The intended launch trajectory is compared with the trajectories of satellites in orbit that are manned or capable of being manned. If a vehicle is projected to pass within 200 km of a satellite, the launch window is adjusted. A buffer of two to eight minutes is added to the window to account for uncertainties in the accuracy

1  

GLASSC, BLASTC, and BLASTX are descriptive nicknames, not acronyms.

Suggested Citation:"Appendix E: Safety Modeling and Analysis." National Research Council. 2000. Streamlining Space Launch Range Safety. Washington, DC: The National Academies Press. doi: 10.17226/9790.
×

and timing of the trajectory. Because the spatial buffer is so large, this safety requirement may be quite conservative.

ACTIVITIES DURING LAUNCH

Some of the information displayed and used to make safety-related decisions during launch is different at the ER and WR. The primary tools and procedures that are common to both ranges are described below, followed by a description of methods used by just one.

Methods Common to the Western and Eastern Ranges

Both the WR and ER use a range safety display system that provides a real-time depiction of the vehicle's current position relative to the nominal trajectory. The display also shows the three-sigma dispersions around the nominal trajectory, the liP, destruct lines, ILLs, and geographic features, such as coastlines. The map may be manually or automatically scaled as the vehicle progresses along its trajectory. The mission flight control officer (MFCO) also has a vertical display (specific to each range, as described below) and flight termination system (FTS) arm and destruct buttons on a console.

Methods Specific to the Western Range

LARA is rerun approximately two hours before launch to identify any changes in Ec caused by current wind data. The results are briefed to the MFCO and range commander. A debris pattern footprint is displayed on the range safety display system showing the probable (two-sigma) locations of debris for several postulated failure conditions. The display is updated in real time during flight. The footprints are shown as circles rather than ellipses to simplify computation.

Two specific times of interest are computed and displayed to the MFCO. Amber time is the time at which the launch vehicle has enough energy to impact a region outside the ILLs. If tracking of the vehicle is not be available by amber time, the flight is terminated. Computations for amber time are conservative in that they do not account for aerodynamic effects on the vehicle and assume the worst-case trajectory toward the ILL. MFCO response time is not included in the calculation because the MFCO is expected to be monitoring the situation closely. Red time is the time at which a straightup vehicle would present a danger. Red time is calculated using statistical wind conditions and MFCO reaction time. If a vehicle fails to initiate its pitch program (turn downrange) by red time, the flight is terminated.

The MFCO also has a display of two vertical planes. One is used to determine whether the vehicle is pitching correctly downrange. The other shows the vehicle's cross-track position relative to destruct lines.

Methods Specific to the Eastern Range

On launch day, the measured wind profile is compared with the previously developed maximum-wind constraints. Winds in excess of these values may result in a launch hold because Ec could be increased beyond the accepted standard.

The MFCO uses two vertical profile displays to monitor the vehicle relative to the nominal trajectory, ILLs, and destruct lines. A straight-up time (analogous to red time at the WR) is also computed and displayed for reference.

At the ER, a "chevron line" display, which is designed to protect the region behind the launch site from a vehicle that does not pitch downrange successfully, is also provided. The display shows destruct lines that move downrange in real time in response to the vehicle's velocity. If the vehicle is not progressing downrange as expected, the flight is terminated before the point at which debris would pass beyond the ILLs. Generally, the chevron display is only needed for the first 100 seconds of flight.

Suggested Citation:"Appendix E: Safety Modeling and Analysis." National Research Council. 2000. Streamlining Space Launch Range Safety. Washington, DC: The National Academies Press. doi: 10.17226/9790.
×
This page in the original is blank.
Suggested Citation:"Appendix E: Safety Modeling and Analysis." National Research Council. 2000. Streamlining Space Launch Range Safety. Washington, DC: The National Academies Press. doi: 10.17226/9790.
×
Page 53
Suggested Citation:"Appendix E: Safety Modeling and Analysis." National Research Council. 2000. Streamlining Space Launch Range Safety. Washington, DC: The National Academies Press. doi: 10.17226/9790.
×
Page 54
Suggested Citation:"Appendix E: Safety Modeling and Analysis." National Research Council. 2000. Streamlining Space Launch Range Safety. Washington, DC: The National Academies Press. doi: 10.17226/9790.
×
Page 55
Suggested Citation:"Appendix E: Safety Modeling and Analysis." National Research Council. 2000. Streamlining Space Launch Range Safety. Washington, DC: The National Academies Press. doi: 10.17226/9790.
×
Page 56
Next: Acronyms »
Streamlining Space Launch Range Safety Get This Book
×
Buy Paperback | $36.00 Buy Ebook | $28.99
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

The U.S. space program is rapidly changing from an activity driven by federal government launches to one driven by commercial launches. In 1997, for the first time commercial launches outnumbered government launches at the Eastern Range (ER), located at Cape Canaveral Air Station, Florida. Commercial activity is also increasing at the Western Range (WR), located at Vandenberg Air Force Base, California. The government itself is emulating commercial customers, shifting from direct management of launch programs to the purchase of space launch services from U.S. commercial launch companies in an open, competitive market.

The fundamental goal of the U.S. space program is to ensure safe, reliable, and affordable access to space. Despite the inherent danger of space launches, the U.S. space program has demonstrated its ability to protect the public. No launch site worker or member of the general public has been killed or seriously injured in any of the 4,600 launches conducted at the ER and WR during the entire 50-year history of the space age.

Streamlining Space Launch Range Safety discusses whether range safety processes can be made more efficient and less costly without compromising public safety. This report presents six primary recommendations, which address risk management, Africa gates, roles and responsibilities, range safety documentation [EWR 127-1]), global positioning system (GPS) receiver tracking systems, and risk standards for aircraft and ships.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    Switch between the Original Pages, where you can read the report as it appeared in print, and Text Pages for the web version, where you can highlight and search the text.

    « Back Next »
  6. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  7. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  8. ×

    View our suggested citation for this chapter.

    « Back Next »
  9. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!