SPACE STUDIES INSTITUTE
P.O. BOX 82
PRINCETON, NEW JERSEY 08542
[[librarian note: This address is here, as it was in the original printed newsletter, for historical reasons. It is no longer the physical address of SSI. For contributions, please see this page]]
THE HIGH FRONTIER® NEWSLETTER
VOLUME XVI ISSUE 4 JULY/AUGUST 1990
VICE PRESIDENT’S COLUMN
International Asteroid Mission
I’m writing this column from the Institute for Space and Terrestrial Science (ISTS) near Toronto, Ontario ISTS (along with York University) is hosting this year’s Summer session of the International Space University. (ISU) Through ISU’s history, it has engaged in design projects of considerable interest to the Space Studies Institute. For example in 1988, the inaugural session of ISU held at MIT designed a lunar base to supply construction materials for solar power satellites. In 1989 one design team developed a Variable Gravity Research Facility for low Earth orbit while another team at the Universite Louis Pasteur (in Strasbourg, France) designed a lunar polar orbiter for resource prospecting.
One of this year’s two design projects is a two-part investigation into asteroid resources. The International Asteroid Mission project, as it is known to the students, is looking at ways to learn more about possible candidate asteroids and to eventually mount a resource recovery mission. For the purposes of this endeavor, SSI is playing the role of a customer which has engaged the ISU design team to do two major tasks. The first task is to learn how best to find and characterize new asteroids. To accomplish this task, the students are looking into how asteroids are presently being discovered. For example, during this project, noted asteroid astronomer Eleanor ‘Glo’ Helin, discovered 1990 MF, a near-Earth asteroid which passed within approximately 3 million miles of our planet several weeks ago. One could make a strong case that the most cost-effective way to find new asteroids would be to provide Glo Helin with several more graduate student assistants. Others believe that setting up a network of automated groundbased telescopes at several different locations on the planet would be the best way to proceed.
In addition to looking at fairly conventional methods for asteroid detection and characterization, they are also investigating the use of ground-based systems which were not developed specifically for asteroid search but which take high-resolution pictures of the sky for other reasons. Data from past, present and planned space equipment such as IRAS and Space Telescope are being considered as are low-cost dedicated search spacecraft.
The other major component of the International Asteroid Mission project is a feasibility study of the resource recovery system that could be used to return useful asteroid materials to near-Earth space. In addition to the engineering and process design work that one would obviously expect, the team includes a group from the department of policy and law, (They have concluded that existing treaty law does permit nonterrestrial resources to be harvested.) and a business and management team which is tasked with writing the business plan for the project. In addition, architects, life scientists (including cosmonaut-cardiologist Dr. Oleg Atkov who spent 237 days in space) and space physical scientists are working together on the mission.
SSI is supporting ISU and the project in several ways. James D. Burke, of SSI’s Board of Directors, is serving as the IAM Design Project faculty director. Jim received ISU design project experience by leading the Lunar Polar Orbiter project last summer. Dr. Gay Canough is also playing a key role on the design project faculty. Gay is returning to Toronto in a few days following a short absence for personal reasons – she went home to have a baby! Alexander Maxwell was born on July 17. Congratulations to Gay and Larry and we welcome your little one to the SSI family!
In addition to playing the role of the customer representative to the IAM project, I am serving as the Managing Director for this ISU summer session. As you can imagine, this is a very busy place with leaders from the space community from all over the world converging on Toronto for the summer. We’ll provide further information on the project’s progress in a future issue of Update.
Mr. Chris Faranetta of SSI’s Headquarter’s staff has just returned from a three week long visit to the Soviet Union and Bulgaria. He was a guest of Energia Center which is a semiprivate manufacturing, education, and spacecraft design organization. NPO Energia, a major scientific, industrial concern that designed Sputnik and supervises the manufacture of the Energia/Buran Launch Vehicle, also co-hosted Chris’s visit.
Chris significantly furthered the progress of discussions on a wide range of topics including the possible launch of Lunar Prospector. He also had the privilege of being the first foreigner in history of NPO Energia to give a lecture to their employees. The subject of this lecture was SSI’s role in the development of utilizing non-terrestrial resources and the need for greater international cooperation in space.
Chris met with several other organizations that are looking to market unique Soviet space spin-off technologies internationally. We will have further details as this and other related subjects unfold in coming weeks and months.
One immediate result of these discussions is that SSI is now serving as a conduit for technology transfer from the Soviet space program to the U.S. We have been presented with very interesting information on automatic docking systems and procedures and other topics in which the Soviet program has developed special expertise. Key Soviet personnel have signed literary agreements allowing SSI to publish their work in the West. This issue of Update features an excerpt from a monograph that summarizes the Soviet approach to rocket safety.
ROCKET-SPACE TECHNOLOGY SAFETY
By V.M. Filin
Candidate of Sciences (Engineering),
Deputy Chief Designer of the Energia VRSS
[VRSS – Universal Rocket-Space System]
Dr. Filin is a graduate of the Moscow Aviation Institute. During the 1960s and early 1970s Dr. Filin was part of the Soviet Union’s Lunar program. Dr. Filin’s role in this project was to design the manned Lunar lander for the mission.
The Soviet lander was ready for launch several months before the U.S. Lunar Module. However, development problems with the N1 booster designed to place the lander in orbit caused the cancellation of the program in 1974.
Since the late 1950s Dr. Filin has worked for the space organization NPO Energia. Dr. Filin became the Deputy Chief Designer of the successful versatile rocketspace transportation system, Energia. This launch vehicle is presently the world’s largest and has the potential of playing a major role in future large scale international space missions.
Space Flight Safety Assurance
The achievement of any space flight is based on fulfillment of the program objectives and tasks with a high degree of safety.
In other words, flight safety assurance means attainment and maintenance of the planned functional reliability of both standard and special facilities forming the space complex. Flight safety is in an inverse relationship to contingencies, i.e. the fewer contingencies met during the flight, the greater the assurance of a successful program.
Emergencies in flight can be divided into three categories: catastrophic, critical and controlled.
Catastrophic emergencies are characterized by lack of means and time to eliminate problems and to rescue crew members.
Critical emergencies lead to dangerous consequences to the crew or to serious damage to the spacecraft or launch vehicle unless countermeasures are taken immediately when the emergencies arise.
Controlled emergencies do not do any harm to the crew or space complex equipment. They are “parried” by appropriate structural means, safety devices and cautionary warnings, which initiate the automatic failure elimination routines. The crew can perform failure elimination operations at any opportune time.
Table 1 presents the general scheme of spacecraft safety assurance, from which it follows that failures, disasters and incidents are caused as a rule by:
– engineering system failures;
– environmental effects or unforeseen external circumstances;
– crew and operator errors.
These situations can lead to:
– a fire in compartments;
– an explosion or sudden destruction;
– contamination of living and working compartments with toxic and/or nontoxic substances;
– collisions with meteors, spacecraft debris, etc.;
– accumulation of undesirable electrostatic charges;
– losses of food, air and water supplies;
– diseases or injuries of crew members;
– temperature deviations;
– destruction of crew quarters, etc.;
I will now consider the scheme of safety assurance in some detail.
The Influencing Factors Engineering System Failures
The main causes of engineering system failures are:
– use of underdeveloped designs;
– insufficient working capacity margins for all systems’ parameters;
– inadequate integration of separate assemblies and units;
– use of a great quantity of components and units without sufficient substantiation;
– infringement of service instructions;
– integration of electrical, hydraulic and pneumatic communications within the same zones;
– insufficient protection of working areas from penetration of particles and dirt;
– failure of monitoring devices;
– use of combustible and toxic material;
– insufficient protection of electric equipment from sparking, etc.
The engineering systems of the space complex affect an emergency situation differently. Therefore, they are often divided into vital systems and supporting ones.
It is vital system failures that lead to catastrophic and critical emergency situations. Such a differentiation, though it is characteristic of the majority of situations which have occurred during the period of space exploration, is not absolute. Situations which will cause a catastrophy can arise from servicing system failures and will lead only to a controlled situation on the failing of vital systems. Undoubtedly everything depends on a system failure character and its effect on the adjacent systems.
What systems should we classify as vital ones? First of all, the failure of the propulsion system of the rocket spacecraft will inevitably lead to deplorable consequences. Other analogous systems include control, power supply, stabilization and altitude control, and life-support systems.
The rise of any adverse situation depends on a failure point in a system. Therefore, from designing to testing, the designers of all the systems take care to localize any failure in a system so this failure could be limited within a separate component and would not lead to serviceability loss of a system or unit as a whole. These principles will be considered later on when describing ways and means of safety assurance.
The concept of environmental effect will be used for operating conditions of rocketspace systems.
The environmental factors having a direct influence on space flight safety are:
– acoustics loads with a significant sound pressure level occurring during the launch vehicle start, ascending and descending stages, as well as noises of a lower level occurring in the course of orbital flight;
– vibrations during manned spacecraft injection into orbit;
– g-loads during manned spacecraft injection into orbit, on starting the escape system of the propulsion system, in case of ejection, on passing through the atmosphere when descending, during parachute deployment, soft landing engine starting, hard landing, descent module dragging by the parachute after the landing;
– space radiation, radiation from onboard nuclear power and propulsion systems, radiation from the Earth’s natural radiation belts;
– sporadic meteors and particles;
– artificial space objects: spacecraft, last stages of launch vehicles, payload separation devices, debris produced from explosions and collisions of the mentioned objects;
– thermal balance deterioration in orbit, in case of a fire, during manned spacecraft passage through the atmosphere, at descent and landing in areas with hot and cold climate;
– manned spacecraft pressurization loss in space or in case of unsealing pressure gas vessels;
– weightlessness in the course of orbital flight;
– air composition inside the manned spacecraft cabin;
– toxic substances, metabolic products, releases from structural materials, harmful wastes of technological processes on board the manned spacecraft; combustion products in case of a fire, vapors and aerosols of rocket fuels and hydraulic fluids seeping through faulty seals;
– high voltages in electrical circuits;
– water at water landing of the manned spacecraft;
– weather conditions in the areas of launch, normal and emergency landing (wind, rain, hail, storm, icing, vertical wind gradient, visibility).
One should point out operational conditions which cannot be ignored. They cover radiation danger and collisions in space orbits.
Radiation danger for cosmonauts
During long-term flights the radiation dose resulting from galactic space radiation can exceed the permissible annual dose a hundred times. According to foreign press dispatches, the given radiation dose will increase cancer predisposition of cosmonauts. Solar phenomena (solar flares), though rare, can expose cosmonauts to radiation of highenergy particles and provide a fatal radiation dosage (up to 100 rem/day).
It is necessary to study possible radiation conditions for future long-term space flights so that appropriate steps decreasing the risk for cosmonauts can be taken. On board the space station in an orbit with an inclination of 28.5°-51°, the cosmonauts are protected from high-energy particles of solar and galactic origin by the Earth’s magnetic field. In such an orbit protons captured by the Earth’s radiation belts form the main portion of the radiation dose. However, the Earth’s magnetic field will not protect cosmonauts in polar and geostationary orbits during flights to the Moon, Mars and libration points.
Danger of collisions with space objects in orbit
Orbiting space objects are classified conditionally into three categories: particles, debris and modules.
Particles have masses less than lg, sizes less than 1cm, and are not observed by radar. Among the particles are pieces of alumina present in solid propellant combustion products of rocket engines, peeled paint pieces, or debris formed by an accidental or intentional explosion of space objects. Meteor particles can be attributed to this category as well though they do not circulate in orbit but promote nearEarth space.
Debris are metallic as a rule, have masses from 1g to 199g, sizes from lcm to 1m. Large debris can be observed by radar. Among debris are various components separated from space objects: fairings, structures for mounting payloads (e.g. “Sylda” and “Spelda” structures of the Ariane launch vehicle) and other things. Debris is formed for the most part by explosions of the last stages of launch vehicles put into orbit.
Modules are metallic as a rule, have masses from 10 to 1000 kg, sizes more than 10 cm and can be observed by radar. Among such modules are out-of-operation spacecraft, spent launch vehicle stages, and undestroyed support structures for payload mounting.
According to some calculations, from 1977 to 1987 the collision probability in orbits has increased by 41% at altitudes of 800-850 km, by 128% at altitudes of 950-1000 km, and more than by two orders of magnitutde in geostationary orbit. At present, the collision probability for two spacecraft in geostationary orbit over one year is estimated at 0.0020.003% and this figure will increase.
Several methods are available to decrease the amount of fragments and modules in orbits and hence to lower the collision probability. They are:
1. Jettisoning of launch vehicle fairings in such a manner that they are not orbited but follow a ballistic trajectory to burn up in the atmosphere.
2. Residual fuel venting from tanks of launch vehicles put into orbit.
3. Diversion of satellites from geostationary orbit on completion of their operation. To reduce the satellite’s stay at geostationary orbit altitude, the American National Ocean and Atmosphere Research Agency transfers its satellites into a higher orbit (by about 300 km) on completion of their operation in geostationary orbit; the ESA uses an orbit differing from the geostationary one by 150 km in height; the USSR transfers its satellites into elliptical orbits. All these measures however cover a small portion of satellites put into geostationary orbit.
NASA has been developing screens for protection from damage by collisions and increasing the efficiency of fragment tracking aids. In July 1988, NASA completed experiments on bombardment of pressurized vessels by hypersonic projectiles simulating orbital particles. The experiments were carried out at White Sands. Projectiles of 800 mkm size were used, they were accelerated up to 4-6 km/s. Metal and composite containers similar to those which are assumed to be used for compressed gas storage on board the orbital stations were employed.
Crew and Operator Errors
Crew and operator errors can result from the following factors:
1. Design and development deficiencies in the vehicle and its ground systems because of: inadequate automation of operation; insufficient measuring and warning instrumentation;
– insufficient and/or suitable tools and devices adapted for use in standard operational conditions (including weightlessness, vacuum, etc.);
– imperfection of urgent communication aids “board-ground,” “board-board,” “ground-ground;”
– unreliable functioning of the life-support and thermal control systems, which can lead to abnormal working conditions for the crew (temperature, humidity, etc.); insufficient lighting of the work places; disregard of the requirements of engineering psychology and ergonomics; lack of equipment for actions in extreme and abnormal situations;
2. Deficiencies in training of the crew and operators as a result of:
– insufficient knowledge of the structure and operational modes of the systems;
– insufficient training of procedure in abnor
– lack of readiness for action in extreme
– inadequate knowledge of operational procedures.
3. Shortcomings in the work and registration of operational documentation (including onboard records):
– errors of documentation developers;
– omissions in texts;
– inaccuracies of formulations;
– careless registration;
– computer operation failures (when using computers for operational documentation preparation).
4. Shortcomings in methods of performing and organizing work because of:
– lack of specialists or consultants for communication with the crew and assistance to control operators in their work;
– inadequate medical health monitoring and insufficient measures of its support when operating;
– abnormal organization of operational checklists for the crew and operators, which can lead to increased fatigue, diversion, etc.;
– adoption of hasty, insufficiently substantiated decisions on flight control, crew and operator work (unjustified interference in their actions);
– lack of complex facilities and instrumentation for ground simulation and development of the crew and operator actions in case of abnormal situations;
– lack of steps taken to eliminate possible stress situations;
5. Shortcomings in selection and physical and psychological training of crews and operators as a result of:
– disregarding psychological compatibility of crew members and/or operators;
– inadequate medical monitoring when selecting the crew and operators;
– drawbacks or inaccuracies of physical and psychological training procedures for the crew and operators.
Safety Measures/Main Design Parameters The Flight Profile
Reasonable selection of the flight profile is a factor defining the safety basis determined in the initial design stage. The flight profile means in this case a combination of parameters essentially characterizing all the phases of both the active and passive flight of the rocket-space vehicle, a state vector at the end of work of each stage of the launch vehicle, orbital flight parameters in their evolution, and the main features of flight trajectories to other planets.
Powered flight leg parameters are generally defined by considerations of ensuring the maximum payload mass put into orbit, as well as descents of expended stages, nose fairings and other launch vehicle debris in prescribed areas. A number of requirements and limitations is taken into account as well, e.g. non-exceeding of the velocity limits at first stage separation, limitations on g-loads at the end of powered flight, a possibility of forming a return trajectory (for reusable spacecraft) or a rescue trajectory for the descent module with the crew at any point of the powered flight leg.
For modern multi-stage rockets the requirement of their omni-directional capability is rather typical. Greatly complicating this fairly difficult task of search for and selection of safe landing regions for separated launch vehicle elements. These regions should meet a number of rigid requirements, such as thinly populated areas, distant location from main gas and oil pipelines, power lines, etc. The problem is solved by a dynamic correction of the powered flight leg of the trajectory and by controlling separated stage (module) flight. The situation is complicated many times if the rescue of a payload or manned module must be ensured; then, the same problem will have to be solved for any feasible return or rescue trajectory.
The problem might be much more simple should the powered flight leg pass through the world oceans. But considering the geographical coordinates of the Soviet launch complexes, it is evident that our specialists have to solve ever so much more complex problems than the American specialists confront.
For manned spacecraft and stations the correct selection of such ascent orbit parameters as inclination to the equatorial plane, minimum and maximum height above the Earth’s surface, the location of the line of apsides (the line containing apogee and perigee), is primary as far as safety is concerned. We have to consider the existence of radiation belts around the Earth, a possibility of recovery from orbit through natural braking in the upper atmosphere in case of altitude control or propulsion system failures and the capability of launching a rescue vehicle.
Considerations used as the basis of selecting the orbit parameters for the first launch of the Vostok spacecraft with cosmonaut Yuri Gagarin on board can be presented as an example. Even in the case of retro-rocket failure the descent module would have landed in ten days. Such a capability is provided in the spacecraft life-support system design.
When calculating manned flight trajectories to the Moon (and such calculations were conducted both in the USA and USSR), a capability of return to Earth from any point of the trajectory with the use of redundant systems was also accommodated. The Apollo 13 spacecraft flight can serve as an example.
All these features and principles put into the flight profile affect the launch vehicle and spacecraft configuration, their layout, the number of stages and rocket modules used, and power distribution between stages and modules.
Redundancy levels present the second most significant design parameter. The system’s survivability, i.e. safety, depends on their definition and correct assignment. This is specifically characteristic of large systems, when a launch vehicle is equipped with a great number of engines, units and apparatus. Undoubtedly, redundancy of rocket tankage is impossible, but with separate units, concepts of control systems, and power supply systems, redundancy becomes a critical reality; and its original concepts subsequently determine the total system safety. The most widely used concept of redundancy for large systems is: one failure: the flight program can still be fulfilled; two failures: crew or crew cabin safety is still ensured (a controlled situation); three failures: a catastrophic situation.
Such an approach to the design of all the rocket-space complex systems was used when creating the Energia-Buran system. It makes it possible to apply redundancy not only for electronic systems, but for the main engines as well, which in turn ensures the launch vehicle flight even in case of a failure of one of the strap-on modules.
Spacecraft Operating Life Margins
We have a good proverb: “A chain is no stronger than its weakest link.” It is true for rocket-space technology as well. Therefore, one of the most important tasks in the design stage is development and introduction of requirements of the power-to-weight ratio and operating life of the systems and units. When a unit operates far from its maximum capabilities, we may say with confidence that its operation is more stable, reliable and safe. Reckoning on the unit operating below its capabilities requires additional expenditures, but, nevertheless, it is justified for such highloaded units as rocket engines. Engines are being developed for thrust characteristics which are 10-15% higher than required for the flight, but confidence in the success increases.
For reliable and safe functioning of the systems and units, the requirements of the system operation life are of significant importance. For rocket-space systems this means double life in flight. This suggests that requirements on the operational life are defined with due regard for double flying life and !ife consumption for ground development.
Propellant component selection is one of the difficult problems creating rocket-space technology products. As a rule, toxic, explosion-proof, power characteristics contradict ecological characteristics. Under such conditions the designers understand that the use of high-energy components requires introduction of additional protective measures. These include measures providing an optimal configuration, as well as introduction of special systems for stabilizing dangerous concentrations.
The main characteristics of the auxilliary systems and propulsion system propellant components governing safety include:
– explosion hazard;
– corrosion of structural materials;
– thermal action.
Launch vehicle or spacecraft configuration plays a dominant role in safety assurance problems. A list of configuration measures on the launch vehicle safety assurance includes the relative position of modules in the vehicle, laying of hydropneumatic service lines, running of an onboard cable system, localization of dangerous elements in special bays, installation of systems which counteract emergency situations. All these measures can be easily observed by the Energia launch vehicle example. The allocated power supply units and hydraulic systems are in the tail compartment where temperature control is ensured. In this case utilization of their working power unit wastes is designed structurally in such a way that decomposition products do not get into the compartment. The control system instrumentation and measurement systems are also mounted for the most part within the intertank module, where their operating conditions are more favorable than in other places.
Hydraulic pipelines for propellant components are laid on opposite boards of the launch vehicle; thus isolation of one propellant component from the other is provided in case of a contigency. Special routes for laying the cable system are provided.
These configuration concepts are typical of manned spacecraft as well. Besides considering ergonomics requirements, when designing manned spacecraft configuration and living compartment configuration in particular, there are a number of requirements which are strictly fulfilled by the designers. Among these requirements are an additional protective case of living compartments; pressurization loop redundancy; arrangement of living compartments far from power-loaded units, if possible; location of components releasing harmful substances outside the living compartments; location of outlet hatches near the work places to ensure rapid escape of the crew from the cabin; introduction of special protective living compartments in case of an emergency; providing individual survival aids; introduction of components ensuring quick separation of the living compartment from the spacecraft, etc.
Main Ways and Means of Space Program Safety Assurance
A. Experimental Development of Spacecraft
Experimental ground development of both the spacecraft as a whole and its components is the main technique for attainment of high reliability safety.
The main principles of such development are the following:
– carrying out the main scope of development on the ground, etc., prior to flight tests;
– orientation of experimental development program to the solution of key scientific and technological problems in creating the vehicle;
– detailed substantiation of the experimental development program on its creation, coordination and appraisal by experts pro
ceeding from the necessity of complete solution of ground development problems;
– maximum use of the vehicle analogue as prototype development experience, as well as the bench base created for them;
– orientation of tests to discover causes of likely failures, maximum possible simulation of standard and abnormal conditions, performing intensive rapid and heavy-load
– consistent increase of hardware capability and maturity, as well as increased complexity of development problems being solved, observance of development stages;
– use of unified components of the vehicle for their parallel and outpacing development within launch vehicles of another class;
– manufacture of test objects strictly according to the appropriate design and engineering documentation approved by the chief designer;
– application of reusable components for multiple development tests with a limited number of specimens;
– rational combination of means and methods of physical and mathematical modeling;
– maximum development of vehicle components including their autonomous development with subsequent output to
– providing maximum test information at all stages;
– punctual allocation of responsibility between organizations and departments/coexecutors for performing all kinds of development;
– use of different systems and units, the most efficient methods when planning tests with due regard to their structural features.
Thus, creation of a well-developed, reliable spacecraft, as well as its high safety assurance, are not simple tasks, and their solution requires great efforts from development engineers to overcome organizational, financial and production difficulties.
B. Spacecraft Equipment with Emergency Survival Aids
No matter what principles are realized at the design stage, no matter how the spacecraft has been developed, the question remains: What would happen if… Undoubtedly, pilotcosmonaut rescue is the main safety problem. All the methods envisage this issue. Therefore, all the manned spacecraft are equipped with emergency rescue systems. In so doing, spacecraft are equipped with additional separation engines, catapult-type seats, etc. Let us consider this system in detail.
The emergency rescue system includes:
1. Vital system failure detection and output of a signal for the crew or a command to initiate of one of the abort complex means.
2. Emergency protection of the crew from dangerous factors (flame, smoke, decreased or increased pressures, etc.).
3. Emergency evacuation allowing the crew to leave the spacecraft in case of a failure.
4. Crew protection from unfavorable factors in the process of emergency rescue (lack of oxygen, decreased barometric pressure, accelerations, low and high temperatures, weightlessness, solar radiation, other radiations, etc.), which include personal high altitude and protective equipment.
5. Life-support system and marking of the crew location after the spacecraft escape and landing in case of emergency.
The first group – failure detection, identification and output of the signal “Failure” unites instrumentation of the onboard system state and parameter control; information processing and analysis device which processes the information from sensors and compares the sensor readings with the designed parameter values defining the spacecraft motion and onboard system operation; warning-command devices and automatics of the ERS.
The second group includes crash helmets, breathing masks, etc.
Parachutes, catapult-type seats and capsules, escape modules, means of opening emergency exits, docking units, transfer modules, etc., form the third group of aids.
The fourth group unites oxygen units, partial-pressure suits, spacesuits, air-ventilated suits, anti-G devices, as well as preventive devices (suits) from disorders caused by weightlessness effects and various radiation shields.
The fifth group of aids includes a seat kit containing a food reserve, water, camping equipment, first-aid outfit, signalling means and communication facilities, as well as sea rescue suits, pneumatic life-boats (floats) and other equipment depending on features and purposes.
Extreme actions presuppose use of protection aids and the analysis and selection of ways of emergency rescue and survival are being performed.
For this purpose, appropriate emergency aids must be provided on board the vehicle to protect the crew while eliminating the failure occurring. Individual face-masks protect lungs and maintain working ability despite contamination of the living compartment atmosphere with toxic gases. Spacesuits on board the spacecraft reliably protect the crew in case of cabin depressurization or environmental contamination and provide for crew transfer to a rescue spacecraft.
Crew member protection activities include donning emergency spacesuits or facemasks, as well as isolating compartments from one another. Upon donning personal survival equipment, the crew assesses and analyses the situation and acts accordingly. Situation assessment includes ensuring that all crew members are adequately protected.
Failure analysis performed by the crew members includes determination of the source, causes and location of the failure in order to correct it. Repair work aimed at recovering serviceability of failed or defective systems is an important way of coping with the emergency situation and fulfilling the flight program.
Carrying out emergency-rescue work is an extreme way of resolving the emergency when the situation does not allow the use of protective measures to perform repair-recovery operations, and when the standard aids do not allow performance of descent from orbit and safe landing. Under these conditions it is important to ensure the crew survival when carrying out emergency-rescue operations.
In case of a failure situation on board the Skylab orbital station, the Skylab program envisaged the use of another rescue spacecraft if the emergency situation excluded using the Apollo spacecraft docked to the orbital station.
To perform a prompt descent of the orbital station crew from Earth orbit, as well as to deliver materials and equipment to the ground, a series of ballistic descent modules are supposed to be used.
Flight safety assurance within the program was based on the principles which required pursuance of a series of technical and organizational measures. The greater part of these measures was directed to minimize risk through selection of efficient design decisions, forecasting and comprehensive analysis of failures and emergencies, and development of a series of measures for timely elimination of failures, malfunctions or taking measures for crew rescue.
Radiation protection should be considered especially.
The kinds of manned spacecraft crew protection from ionizing radiations can be classified as follows:
1. passive physical protection – radiation attenuation through increase of the spacecraft skin thickness, equipment integration, creation of shelters or shadow shielding;
2. active protection – creation of methods of charged particle shielding through the use of magnetic and electric fields;
3. local protection of vital organs of the crew members and spacecraft systems;
4. pharmaco-chemical radiation protection.
All these kinds of protection are chosen depending on the flight track, exposure time and orbit inclination.
C. Introduction of Diagnostic Systems
Timeliness and accuracy of diagnosis of abnormal and emergency situations is of great importance for safety assurance.
It is essential to have methods which monitor initiation and development of dangerous defects to catch the slightest changes in the system modes, which can signify the beginning of an abnormal or emergency situation.
The earlier the beginning of a dangerous defects can be diagnosed, the greater number of possibilities for its prevention or compensation will exist, and the less possible damage from its consequences.
In complex systems operating under extreme conditions, the probability of dangerous situations arising is rather high, while time and aids for adoption and realization of decisions on counteracting failures are very limited. Therefore, diagnosis and forecasting of emergency conditions acquire the greatest importance for safety assurance.
Diagnosis and forecasting are based on both technical aids to detect defects and methods of processing data received.
All this must be taken into account in the design and use of space systems in keeping with the following principles:
– design and development of a vehicle and its systems with regard to requirements on maximum controllability of their state throughout the period of normal operation, as well as the whole life cycle of the vehicle; obligatory introduction of appropriate aids into the structure, substantiation and selection of the most efficient methods of control and diagnosis with regard to the character of physical processes in the system monitored;
– keeping to the requirements standard engineering documents on engineering diagnosis (GOST 23564-79, GOST 26656-85 and others) in the process of design and operation;
– isolation of particular critical elements and zones within the vehicle where dangerous failures and other contingencies can arise (radiation, thermal, chemical and other effects), and introduction of the control and diagnosis system into these elements and zones;
– providing efficient interaction between onboard and ground facilities of concerning control and diagnosis;
– maximum use of computer diagnostic capabilities through application of advanced software which makes it possible to define and forecast development of dangerous situations exactly;
– use of efficient redundancy including a functional and informational one in the diagnosis and control systems, use of the “voting” principle (voted redundancy) in redundancy, etc.;
– concurrent with the main systems of exact control and diagnosis, use of operative diagnostic aids including personal dosimeters, indicators, measuring devices for the crew members and operators;
– use of principles of control and diagnosis system construction excluding output of false and corrupted information (which influence safety in particular).
Let us consider these principles.
Though the control and diagnosis systems do not perform basic functions in the course of normal operation of the vehicle, they are of the most significant importance for reliability and safety assurance of the main systems and vehicle as a whole. It is impossible to provide normal and essentially safe operation of the vehicle in case of different failures; i.e. the control and diagnosis systems allow for increased survivability and extend the capability of solving at least some of the problems under different abnormal situations. Thus, these systems are required to provide fulfilment of the main functions of the vehicle in actual flight conditions. It should also be kept in mind that survival, preserving health and working ability of the crew and operators are among principal tasks of the flight as well.
Along with the main built-in control and diagnosis systems for high safety assurance of the crew and operators, it is expedient to use so-called individual and portable aids. Among them are various indicators, signalling devices, e.g. personal dosimeters to determine radiation doses, gas analyzers, devices for measuring electromagnetic radiation, etc. These aids also provide redundancy of main built-in systems of control and diagnosis, perform specific functions of individual use, and allow for making measurements in different zones of the vehicle. When using personal radiation dosimeters, for example, to measure accumulated radiation dose, these aids are of particular importance.
Vehicle safety is determined to a large extent by reliability, which in turn depends on the number and character of different latent defects in appropriate units and systems. These latent defect developments can already begin in the manufacturing, storage, transportation and preparation of the vehicle. Early detection of such latent defects at these stages is of great importance for vehicle reliability and safety assurance. This is performed by using standard (onboard and ground) diagnosis systems during preparation and check-out tests and in the manufacturing process by using technological diagnotic aids (nondestructive check aids acoustical and electromagnetic flaw detectors, helium leak detectors, etc.).
D. Use of Failure Localization Aids
Control and diagnosis systems are of great importance in detection and determination of a dangerous situation. They provide the first stage in preventing emergency and catastrophic consequences.
These systems are classified into preventive, neutralizing and localizing ones. In general these aids can function both on signals from the diagnosis systems and without them.
Systems preventing damages do not allow dangerous failure development by eliminating the cause of its origin before the failure emerges. Among them are standard systems of automatic control which tum off the appropriate system or unit where a failure is developing or change its operational mode to a safe one without interfering with the main functions of the vehicle.
In specific cases these operations are performed by the crew or operators from onboard or ground control stations, respectively. As a rule, however, an automatic mode is foreseen for all such situations with the possibility of performing appropriate “manual” operations in some instances.
By their functions the failure neutralization and localization aids can be divided as follows:
– fire-explosion prevention aids;
– pressurization assurance aids;
– electromagnetic shields;
– electrostatic shields;
– radiation shields;
– acoustical protection aids;
– medical aids;
– thermal insulation and heat protection aids;
– mechanical impact protection;
– chemical and toxic effect protection;
The fire-explosion prevention aids have already been mentioned above, but here we should point out the significance of the passive aids and measures in addition to the active fire-extinguishing and inert-gas purging aids. Among them are use of non-combustible, thermally stable materials and coatings in the structures, isolation of sparking electrical elements (plugs, etc.) in sealed housings, and adoption of a variety of structural measures to exclude contacting combustible materials and gases with hightemperature structural elements.
The pressurization assurance aids are of great importance in rocket-space systems considering specific features of their structures and operating conditions (vacuum, toxic and cryogenic components). Therefore, great attention is paid to airtightness when designing vehicles. Among the depressurization prevention aids are various structural measures on selection and application of appropriate materials for compartments, manifolds, sealings, gaskets, etc. The active aids of safety assurance on depressurization (neutralization and localization of a depressurization-type failure) include use of selfsealing polymer coatings or special compartments – shelters. Compartments hermetically isolated from one another, double pressurization loops, etc. can be referred to as passive aids.
Safety assurance from electromagnetic effects is essential. For the aids preventing mutual electromagnetic influence of the vehicle systems, one should refer to the matching of the system operation modes, use of special structural element shielding from electromagnetic induction, etc. The same aids are used for protection from electromagnetic radiation of external sources. In addition, the importance of introducing digital electronic information systems instead of analog optical information ones, which makes it possible to increase significantly resistance to appropriate effects. To protect the crew from electromagnetic radiation, it is essential that the radiating instruments be located far from the working zones of the crew; appropriate shielding of the compartments should be used. Medical aids are provided on board the vehicle to neutralize the electromagnetic radiation effects on the crew members’ health.
For neutralization and localization of electrostatic charges, materials and coatings should be used which are unable to accumulate dangerous electrostatic charges; this refers to both the vehicle structure components and the dangerous electrostatic charges; this refers to both the vehicle structure components and the crew clothes, instrumentation and equipment. When the charge accumulation cannot be eliminated completely, current-carrying coatings and other means to remove the accumulating electrostatic charge should be used.
Radiation protection both from internal and external sources are essentially analogous to the aids for depressurization and electromagnetic radiation protection, as described above.
Considering the specific character of the rocket-space system operation and the propulsion system operation in particular, great attention should be paid to the protection of the crew and vital systems from acoustical effects, which are very significant. The main methods for protection and neutralization of dangerous effects use noise-absorbing materials (including composites) for compartments and cases, and arrangements of sensitive devices far from the sources of increased acoustical effects.
Considering the rocket-space systems operating conditions proper and efficient use of different thermal protection and thermal insulation means, as well as other structural means of protection and neutralization of possible temperature effects, are of great importance for safety assurance. A reliable and light thermal protection system for all compartments, units and instrumentation should be provided on board the spacecraft to protect the crew.
Various means are used to protect the crew from mechanical impacts and their neutralization. These means include overload protection aids (special seats and spacesuits), impact and injury protection aids inside the compartments (elimination of sharp edges inside compartments and covering extending elements with special coatings and decorative materials).
For protection from toxic chemical effects, all the mainfolds and vessels with toxic and other components should be isolated; they should be located beyond the reach of the crew. Materials and components which can release toxic substances should not be stored in living compartments. Reliable operation of the ventilation system and gas composition support system as a whole are important for neutralization of toxic effects. Spacesuits and isolated compartments represent universal protection means in case of depressurization and radiation effects.
Medical aids such as medicines, medical tools, etc., are very useful for neutralizing unfavorable effects on the crew (radiation, weightlessness, g-loads, electromagnetic irradiation, etc.). The kit and characteristics of its use are a subject of special research.
E. Redundancy of Systems and Modules
To provide reliability and safety, redundancy is of great importance. It should be based on the following principles:
– redundancy of all vital systems, if possible, in accordance with the principles of component redundancy and other practices;
– use of the most efficient kinds of redundancy, depending on particular system features (loaded, unloaded, temporary, information, constant, dynamic, functional and compounded);
– provision for the optimal degree of redundancy to maximize the reliability and safety levels at designed mass constraints, dimensions, manufacture and development costs, etc.;
– when choosing redundancy kind and rate, account for a possibility of different kinds of failures within the system (a “break,” explosion, etc.) and availability and capabilities of aids for localization and neutralization of dangerous failures.
We consider in detail the redundancy principles mentioned above and their impact on vehicle reliability and safety assurance.
Among vital systems which failure can lead to a catastrophy even without an explosion, fire or other dangerous “secondary” phenomena are such systems as:
– a propulsion system;
– a control system;
– a power supply system;
– a life-support system;
– systems and aids of monitoring and ensuring pressurization, plus a number of other systems and aids.
Such a list is of course an approximate one, and an appropriate list should be made for every particular vehicle. Therefore, still at the design stage the compiling of the so-called “List of critical components” is required. The list includes systems, units, instrumentation, assemblies and components of different levels depending on possibilities of localization and elimination of failure consequencies in various components of large systems and units.
Following the list compilation, certain procedures are developed and implemeted to decrease the criticality factor of these components as systems. Determination of the necessity and ways of critical component or system redundanacy is the primary measure in this case.
When the analysis shows that redundancy is not only necessary but also feasible and can give a great positive effect the next step of analysis begins – selection of rational (the most efficient for this particular case) ways and a degree of redundancy proceeding from basic principles.
In this case, kinds of failures characteristic of the particular systems or units, their development speed, capability of the failure diagnosis and neutralization or localization system to operate efficiently in case of emergency should be taken into consideration.
The following kinds of redundancy exist:
a. according to a degree:
full redundancy-several basic components and several redundant ones, sometimes only one redundant component is used (a propulsion system, for example);
b. according to redundant component connection type:
c. according to functioning:
functional redundancy (when a component of other structures capable of fulfilling the function of the basic component is switched
d. active-parallel redundancy (when different
kinds of redundancy are used);
e. information redundancy;
f. time redundancy;
g. passive redundancy;
h. dynamic redundancy;
I. majority (-voted) redundancy.
Thus, redundancy fulfils both mathematical (optimizational) and engineering-andtechnical tasks. Expenditures for carrying out the appropriate analysis when designing the vehicle and its systems can be compensated many times, since efficient redundancy lays down the foundations for high reliability, safety and finally efficiency of the vehicle.
F. Quality of Crew and Operator Training
The quality of selection and training of crews and operators is not the least of the factors, and sometimes (in the case of extreme situations in particular) it is decisive for safety assurance. Correct actions of the crew members and operators can exclude dangerous consequences even in case of the most unexpected failures and situations caused by external reasons.
The crew training quality depends on:
– psychological compatibility of crew members and/or operators;
– thorough medical monitoring when selecting crew members and operators;
– completeness of engineering, physical and psychological training;
– knowledge of methods and ways of using different tools and apparatus for carrying out preventive repair work, using medical instrumentation;
– development of various abnormal situations by the crew and methods of overcoming them with the use of simulators;
– coordination of actions of the crew and control operators in extreme situations;
– knowledge and skill of quick and effective use of special rescue aids;
– knowledge of onboard documentation and skill of its quick and effective use;
– comprehensive preparation of the crew including their ability to fulfil the functions of other crew members, if needed.
G. Standard Vehicle Testing
The testing of a standard vehicle intended for performing a specific program represents the final main procedure. The success of the program, confirmation of all the procedures and methods accepted before and directed to high safety assurance depend on the quality and completeness of the tests.
Undoubtedly, prior to installation on board the vehicle check-out tests of every unit, engine, apparatus, mechanism on their functioning are performed.
By way of illustration we consider the Energia launch vehicle engine processing technology prior to its integration with the vehicle.
For four strap-on modules 5 engines are manufactured. One engine is sent to tests proving its total operational life achieved. The remaining engines are sent to hot check technology tests where the engine serviceability is checked by firing for one flying life. Only on receiving positive results, these engines with two remained flying lives are used for integration with the standard vehicle.
The experience of work in the rocketspace technology shows that many questions appear at the final stages of vehicle preparation for a flight, when the vehicle is in the engineering complex of the Baikonur cosmodrome, during the check-out tests; there were even cases of vehicle return to the manufacturing plants.
The main rule for testers is “do not proceed with the technological testing cycle until defects or comments occurred on the system operation are studied well.” Modern rocketspace vehicles are the most complex electrohydropneumatic systems, and a failure in any loop can lead to irretrievable consequences in other loops.
According to service conditions, the rocket-space systems, unlike other facilities, are to work in vacuum. Therefore, all the final tests begin with the check for vehicle tightness. Many different methods are used for this purpose. Small vehicle tests are conducted in pressure chembers; for large-scale objects the method of pressure drops or measurement of helium background around the object when filling it with the helium-air mixture is used. On being convinced of the vehicle tightness or more precisely that the pressurization rates are within the designed values, one can pass on to the subsequent test steps. And indeed, a loss of sealing in tanks of the propulsion systems or thermal control loop will certainly lead to catastrophic consequences. The next step involves autonomous tests of separate systems within the vehicle for their serviceability and parameters in accordance with the designed ones.
On completing all the individual test programs, electrical check-out tests begin.
Modern rocket-space systems represent the most complex electrical machines. There are for example about 2,500 apparatus transducers and about 5,500 sensors on board the Energia launch vehicle. For the Buran orbiter these figures are 8,500 and 6,200, respectively. It is quite impossible to check such a number of parameters without the use of computer aids. Therefore, the ground complexes begin electrical tests with a check-out of every channel of the onboard computer operation. There are systems, however, which do not generate a required parameter on electrical check-outs for lack of standard components, for example. Then the required signal output is provided by testing with the use of algorithms. During tests, objects are being connected through thousands of cables with the checktest station, and any carelessness when assembling circuits can lead to failures. As a rule, by the final testing stage the objects are equipped with pyrotechnic means. Therefore, in the course of the testing permanent monitoring of actual insulation resistance of the object power lines is being performed. Two-wire electrical circuits and permanent monitoring of the insulation allow us to carry out pyrotechnical means check-outs by the flow method, i.e., supply of weak current to the pyrotechnical means ignition lines.
As mentioned above, one of the most important measures of safety assurance is redundancy on the majority principle. It makes it possible to provide a high survivability of objects. On trials, however, no failures in any channels are permissible. Therefore, on decoding of the telemetry information, even though the complex tests were carried out successfully, we often have to repeat some autonomous regimes, to eliminate defects and repeat the complex testing all over again. Only on revealing and eliminating all the defects, though minor ones at first sight, we may say that this particular object is ready for the flight.
A wide spectrum of factors affecting flight safety has been presented in this paper. None of the mentioned factors can be neglected, all are interconnected. Therefore, the flight safety can be considered a series of measures from design work to flight performance. The successful program fulfillment depends on thoroughness of development measures. Therefore, in creating new rocketspace systems, a detailed program of safety assurance is required which should cover the process of the system creation with proper monitoring of its fulfillment.
©space studies institute