1 shuttle derived launch vehicle dynamic abort risk evaluator (dare) gaspare maggio chris everett...

1

Shuttle Derived Launch Vehicle Dynamic Abort Risk Evaluator

(DARE)Gaspare Maggio

Chris EverettTony Hall

– Section Manager– Project Manager– Development Lead

2

Topics to be Discussed

• DARE Background– DARE Purpose & Scope– Space Shuttle DARE– DARE Methodology– Example Trade Studies

(SSME Throttle Up, Nz Pullout)

• DARE Model– Abort Initiators– Pivotal Events– Module Examples– Probabilistic Framework

• Application to Constellation– CLV Application– Expansion for Lunar Mission

3

• DARE dynamically evaluates abort effectiveness– Conditional analysis

• Given an abort, what is the subsequent probability of abort success/failure

• Aborts are defined by a failure initiator and failure time– Dynamic evaluation

• The risk evaluation in DARE is determined both probabilistically & parametrically, accommodating a broad range of initial conditions (vehicle configurations, abort initial conditions)

• The DARE model accommodates random uncertainties, such as the time of subsequent system failures

• The current scope of DARE is ascent abort (expandable to other mission phases)– Space Shuttle (heritage capability)– Shuttle-derived Launch Vehicles (new capability)

DARE Purpose

4

Background - Shuttle DARE

• Space Shuttle PRA 1995– First quantitative probabilistic risk model

created for the Space Shuttle– Addressed nominal mission

• DARE 1997-present– Model to determine abort risks and perform risk trade

studies(1995 PRA did not consider abort risks)

– Address the need to include abort risk assessment as part of the overall Space Shuttle risk management process

– Compliment, and eventually integrate into, nominal-mission Space Shuttle ascent risk analysis

• Inclusion of Shuttle-Derived Launch Vehicles– New capability: initial development completed May 2005– DARE Shuttle & SDLV

5

FutronBarney Roberts

NASA JSC/SAICFeng HsuMark BiglerMichael StewartJohn Pruitt

BoeingDavid AlmonzaEd DigonGregory Manich

USAKevin ButlerDouglas LufkinMishawn MielkeStacy Sklarczyk

NASA MSFCPhilip Benefield Joseph HastingsRandy Humphries, Jr.Michael KynardFayssal Safie Len Worland

RocketdyneRobert Biggs

Core DARE Team:Edward M. Henderson

**Richard Heydorn**Dennis Bentley Roger BoyerAngela Braun Leroy Cain Carlisle Campbell, JrBarbara Conte John Craft Steve DawsonDaniel Deger Gary DuncanRobert Ess William (Andy) Foster Stephen N. Frick, LCDR Mark HammerschmidtJim HarderJoshua Hardy Scott HartmanMack HimelNorman Knight

**Jan Railsback **Catherine KoernerHoward Law Robert LawAlice LeeSteve LindseyRobert Navarro-LightholderGregory OliverMunish Patel J. Ken PattersonWilliam PowersHenk Roelant John ShannonCarson SparksCindy SwitzerDavid Thelen David Whittle Jeff Williams Philip Wilson Karon Woods

NASA JSC

UHCLKevin ButlerTom English

NASA HQMichael StamatelatosWilliam Vesely

Independent Peer Review TeamAli Mosleh, Univ. of MarylandNathan Siu, NRC







Core DARE Team:

Gaspare Maggio, Chris Everett, Sabrina Yazdpour, Frank Hark, Tony Hall



NASA JSC


**Individuals listed were instrumental in getting the DARE project started









Core DARE Team:Edward M. Henderson



NASA JSC










Core DARE Team:

Gaspare Maggio, Chris Everett, Sabrina Yazdpour, Frank Hark, Tony Hall



NASA JSC


**Individuals listed were instrumental in getting the DARE project started



DARE Contributors

Gaspare Maggio, Chris Everett, Sabrina Yazdpour,Tony Hall

John Turner

6

DARE Technical Validation• Ascent GN&C Abort Panel Review in September 2001

– Monte Carlo simulations for ET separation success rates were incorporated into DARE model and reviewed

• MFSC SSME Project office, SSME Reliability Estimates Review in July 2002 – SSME Project provided new SSME mean and median estimates for catastrophic

and benign shutdown failures

• Independent assessment of the RTLS risk modeling was performed in October 2001 (Barney B. Roberts, Futron Corp.)– Continue to pursue DARE modeling -- Good decision-support tool for studying

mission options to reduce risk

• Flight Techniques Panel Review in July 2002– Presented DARE model and overview

• Integrated Control Board Review in October 2002– Presented DARE model and overview as well as discussed DARE/SPRA

integration

• Independent Peer Review Report, NASA Office of Safety and Mission Assurance– DARE was independently reviewed by NASA OSMA as a pathfinder

7

Comments of Note from Reviews

“The general methodological framework underlying DARE is, as a whole, technically

valid”-Independent Peer Review Report, NASA Office of Safety and Mission

Assurance, July 2003

“Good decision-support tool for studying mission options to reduce risk”

-Barney Roberts, Independent Reviewer, Sept 2001

“This is great stuff!”-Wayne Hale, Integration Control Board Review, October 2002

8

DARE Methodology

Identify AbortInitiators

Determine Abort Modes / Regions

Identify Events that Dominate

Abort Risk

ProduceResults

DevelopModels / Modules

for SignificantEvents

Integrate into ProbabilisticFramework

ShuttlePRA

SDVPRA

CustomerNeeds

Flight Rulesfor Abort

Operations

DataGathering

UncertaintyAnalysis

ModelDevelopment

• Identify important abort initiators• Characterize abort operations• Identify significant abort events• Model events within dynamic,

probabilistic framework

Step 6

Step 5

Step 4

Step 3

Step 2

Step 1

9

Example Shuttle Results

10

DARE Ver. 3.00STS-111

SSME Throttle-Up Risk Trade

TAL (ZZA) @ 104.5%/104.5%

104.5%/106%104.5%/109%

148 s

136 s 12 124 s 24

A risk trade was performed using DARE to consider the possibility of throttling up the two remaining SSMEs after a first engine shutdown to transition to a TAL abort rather than having to conduct an RTLS

11

1 in 33

RTLS risk dominated by ET separation risk

Qbar at separation reduced by increasing load limits

during Nz Pullout

Risk reduction potential quantified

~ 1 in 70

ET Separation

Percentage Risk Distribution (RTLS)STS # 114 / First Engine Shutdown = 30 sec

Mean Estimates

All Estimates Conditional on First Engine Shutdown* Other Systems Not Shown above such as Failures due to HYD, ECLSS, EPD, ET Debris HIt, Mechanical, MMOD, Orbiter Structure, SSME-MECO, TPS, and Loss of Control Due to Failure to Control C.G. are either ~0% or not applicable

ET Separation

Nz Pullout Risk Trade

0

20

40

60

80

100

120

140

160

7.5 6.6 5.6 4.6Dynamic Pressure at ET Sep (psf)Nz Target (g)

Altitude at ET Sep (kft)Max Dynamic Pressure at Pullout (psf)

To

tal a

nd

ET

Se

pa

rati

on

Ris

k (

1 in

X)

0

2000

4000

6000

8000

10000

12000

14000

16000

18000

Nz

Pu

llou

t (1

in X

)

TOTAL LOV RISK

LOV due to ET Separation Risk

LOV due to Nz Pullout Risk

2.0 2.1 2.1 2.3 210.1 212.2 216.2 221.4 319 336 357 320

Inc

rea

sin

g R

eli

ab

ilit

yIn

cre

as

ing

Re

lia

bil

ity

Total RTLS

Nz Pullout ET Sep

0

20

40

60

80

100

120

140

160

7.5 6.6 5.6 4.6Dynamic Pressure at ET Sep (psf)Nz Target (g)

Altitude at ET Sep (kft)Max Dynamic Pressure at Pullout (psf)

To

tal a

nd

ET

Se

pa

rati

on

Ris

k (

1 in

X)

0

2000

4000

6000

8000

10000

12000

14000

16000

18000

Nz

Pu

llou

t (1

in X

)

TOTAL LOV RISK

LOV due to ET Separation Risk

LOV due to Nz Pullout Risk

2.0 2.1 2.1 2.3 210.1 212.2 216.2 221.4 319 336 357 320

Inc

rea

sin

g R

eli

ab

ilit

yIn

cre

as

ing

Re

lia

bil

ity

Total RTLS

Nz Pullout ET SepET separation risk

sensitive to Qbar at separation

13

• Current SDLV configurations modeled in DARE– In-line crew (ILC)

• 3 CLV configurations– 4 segment SRB, J-2 upper stage– 5 segment SRB, J-2 upper stage– 4 segment SRB, SSME upper stage

• CEV parametric model

– Side-mount crew (SMC)• Shuttle derived external tank, dual

SRBs, 3 SSME main propulsion• Same CEV model as for ILC

SDLV Scope

14

SDLV Abort Initiators

Functional Failure/Shutdown (US) Catastrophic Fire/Explosion (US) OMS Failure to Function (CV SEP) TVC Catastrophic Failure (SRB) Booster Separation Motor Failure (SRB SEP) Interstage Separation Motor Failure (SRB SEP) Booster Separation Bolts Failure (SRB SEP) CV Separation Motor Failure (CV SEP) RSRM Propellant Failure RSRM Flex Bearing Joint Failure RSRM Nozzle Joint 1 Failure RSRM Nozzle Joint 5 Failure RSRM Other Joint Failure RSRM Structural Failure RSRM Thermal Failure RSRM Nozzle Failure

SSME Shutdown SSME Turbopump Failure SSME Nozzle Failure SSME Main Combustion Chamber Failure SSME Other Catastrophic Failure MPS Functional Failure MPS Catastrophic Failure FCS Functional Failure APU Catastrophic Failure SSME Failure to MECO SRB Functional Failure SRB Catastrophic Failure SRB Separation Functional Failure SRB Separation Catastrophic Failure RSRM Functional Failure RSRM Motor Propellant Failure RSRM Nozzle Failure RSRM Nozzle Phenolics Failure RSRM Other Insulation Failure RSRM Structural Failure RSRM OPT Joint Failure RSRM Flex Bearing Joint Failure RSRM Other Joint Failure RSRM Nozzle Joint 1 Failure RSRM Nozzle Joint 5 Failure RSRM Other Nozzle Joint Failure

Side-Mount Vehicle*In-Line Vehicle*

*Abort initiator identification and consolidation is subject to the fidelity of the PRA used to identify the failure modes. In the case of the SDLV PRA, In-Line upper-stage failures have all been grouped into a common failure mode. Additionally, some abort initiators they may be consolidated due to commonalities on one vehicle, may not necessarily share those commonalities on another vehicle.

Relevant abort initiators were transferred and modified from Space Shuttle PRA

15

Pivotal EventsAscent abort pivotal events are identified in a master abort event tree and evaluated in event-specific modules

Event Descr:

Abort Initiating Failure Detected

CEV successfully separates from LV

CEV successfully stabilizes after separation

CEV abort mode is abort to orbit

Abort to orbit successful

CEV successfully performs de-orbit burn and re-entry

CEV successfully deploys landing system

CEV lands safely

Crew is safely recovered Prob_Path Description

Event Name: PEM 1 PEM 2 PEM 3 SWITCH - 4 PEM 5 PEM 6 PEM 7 PEM 8 PEM 9Event Prob: 0.999995 0.999726 0.999984 0.000000 0.999874 0.999736 0.999986 0.999000 0.999999

1 0.999994867 0.999720608 0.999704144 0 0 0 0 0 0Abort Initiating Failure Y 0.999994867 Y 0.99972574 Y 0.999983531 Y 0 Y 0.999874288 Y 0.999735677 Y 0.999986364 Y 0.999 Y 0.999999 0 OK

0N 1E-06 0 LOC

0N 0.001 0 LOC

0N 1.36358E-05 0 LOC

0N 0.000264323 0 LOC

0N 0.000125712 0 LOC

0.999704144 0.999690513 0.998690822 0.998689823N 1 Y 0.999986364 Y 0.999 Y 0.999999 0.99869 OK

9.98691E-07N 1E-06 9.99E-07 LOC

0.000999691N 0.001 0.001 LOC

1.36317E-05N 1.36358E-05 1.36E-05 LOC

1.64639E-05N 1.64685E-05 1.65E-05 LOC

0.000274259N 0.00027426 0.000274 LOC

5.13313E-06N 5.13313E-06 5.13E-06 LOC

16

Example Module: Separation Failure

• Separation failure occurs if any of the following failures occurs:– Failure of separation mechanisms– Failure of the CEV to survive increased dynamic pressure

associated with abort velocity– Failure of the CEV to survive the accident environment existing in

the vicinity of the LV

SEP-FAIL

4

ACCIDENT-ENV-FAIL

5

DYNAMIC-PRESS-FAIL

6

SEP-MECH-FAIL

Faiure to surviveabort dynamic

pressure

Failure to surviveaccident environment

stresses

Failure of separationmechanisms

CEV fails todepart launch

vehicle vicinity

SEP-FAIL - CEV fails to depart launch vehicle vicinity 2006/01/25 Page 7

SEP-FAIL

4

ACCIDENT-ENV-FAIL

5

DYNAMIC-PRESS-FAIL

6

SEP-MECH-FAIL

Faiure to surviveabort dynamic

pressure

Failure to surviveaccident environment

stresses

Failure of separationmechanisms

CEV fails todepart launch

vehicle vicinity

SEP-FAIL - CEV fails to depart launch vehicle vicinity 2006/01/25 Page 7

17

Event Description:

SRB EXPLOSION

SRB EXPLOSION CAUSES

EXTERNAL TANK EXPLOSION

HOT GAS PLUME CAUSES


Event Probability: 0% - 20% 100% 35% - 65%

RSRM Joint Failure Y Y SRB and ET Explode

N Only SRB Explodes

N Y Only ET Explodes

N Nominal Abort

Example: RSRM Joint Failure

Separation Failure ExampleFailure to survive accident environment stresses

• The event, “Failure to survive accident environment stresses” considers the various ways that each initiating event might unfold, producing a spectrum of possible environments

Accident Characteristi

cs

180

50

100

150

200

250

300

350

400

450

500

0 50 100 150 200 250 300 350 400 450 500

Time of Abort (s)

Dis

tan

ce (

ft)

Separation Distance

0

50

100

150

200

250

300

350

400

450

500

0 50 100 150 200 250 300 350 400 450 500

Time of Abort (s)

Dis

tan

ce (

ft)

Critical Distance

Separation Failure Example Failure to survive accident stresses (continued)

• The CEV survives the accident stresses if it reaches a critical distance from the exploding launch vehicle.

19

DARE Probabilistic Framework

• Dynamic abort risk evaluation is accomplished by developing the abort model within a fully probabilistic framework– Uncertainties can be associated with any modeling parameter– Statistics can be obtained on any calculated result

• DARE handles both modeling uncertainty and random uncertainty– Modeling uncertainty describes lack of knowledge about the

events being modeled, e.g.:• IVHM reliability• LES reliability• Landing system reliability

– Random uncertainty describes variability in the events being modeled, e.g.:

• CEV/LV separation distance• Accident propagation paths

• Abort effectiveness is expressed as a probability and an associated confidence:

P(successful abort) @ confidence level

21

DARE Example ResultsPivotal Event Breakdown

SDLV DARE Example Results

CEV Stabilization FailureRecovery Failure

Landing Failure

Landing Sys. FailureFailure Detection Failure

CEV Separation Failure

Abort Pivotal Events

P (

Ab

ort

Fa

ilure

)

Ascent Time = 80 secondsRSRM Propellant Failure4 Segment SRB, Sinlge J-2

1

1/100,0000

1/10,000

1/1,000

1/1001/100

1/10

1/1,000,000

Mean Value

5th Percentile

95th Percentile

Key

Mean Value

5th Percentile

95th Percentile

Key

Landing and recovery modules currently contain static placeholder values

Separation failure is the event with the greatest expected risk… …and the greatest

uncertainty

22

Integrated Abort Effectiveness

Overall 85% Crew Escape Effectiveness

LOM

LOC

• DARE was applied to the ILC SDLV Top-Level PRA to estimate overall CEV abort effectiveness for this configuration– Rough analysis

• For each failure mode, abort effectiveness was assessed at the midpoint of the exposure duration• 5th, 50th & 95th percentiles were used to estimate failure-mode-specific abort effectiveness densities• A few failure modes are assessed conservatively due to lack of detection lead time data

• Result: 85% mean abort effectiveness for ILC J-2S

24

DARE as a Living Tool

• DARE has been designed to maximize “plug and play” capability, allowing the most current data and models to be integrated into the analysis framework

Evolving Architectures Event Descr:

Abort Initiating Failure Detected

CEV successfully separates from LV

CEV successfully stabilizes after separation

CEV abort mode is abort to orbit

Abort to orbit successful

CEV successfully performs de-orbit burn and re-entry

CEV successfully deploys landing system

CEV lands safely

Crew is safely recovered Prob_Path Description

Event Name: PEM 1 PEM 2 PEM 3 SWITCH - 4 PEM 5 PEM 6 PEM 7 PEM 8 PEM 9Event Prob: 0.999995 0.999726 0.999984 0.000000 0.999874 0.999736 0.999986 0.999000 0.999999

1 0.999994867 0.999720608 0.999704144 0 0 0 0 0 0Abort Initiating Failure Y 0.999994867 Y 0.99972574 Y 0.999983531 Y 0 Y 0.999874288 Y 0.999735677 Y 0.999986364 Y 0.999 Y 0.999999 0 OK

0N 1E-06 0 LOC

0N 0.001 0 LOC

0N 1.36358E-05 0 LOC

0N 0.000264323 0 LOC

0N 0.000125712 0 LOC

0.999704144 0.999690513 0.998690822 0.998689823N 1 Y 0.999986364 Y 0.999 Y 0.999999 0.99869 OK

9.98691E-07N 1E-06 9.99E-07 LOC

0.000999691N 0.001 0.001 LOC

1.36317E-05N 1.36358E-05 1.36E-05 LOC

1.64639E-05N 1.64685E-05 1.65E-05 LOC

0.000274259N 0.00027426 0.000274 LOC

5.13313E-06N 5.13313E-06 5.13E-06 LOC

Master Abort Event Tree

Pivotal EventsVehic

le /

Ele

ment

Set

Ris

ks &

U

nce

rtain

ties

228

32 34 37 39 40

419

1090

36 37 38 40 40

571

0

200

400

600

800

1000

1200

1400

A B C D E F G

Case Designation and FES time

MF

BF

(1

in

X M

iss

ion

s)

Block IIA

Block II

RTLSTAL

0.1 sec 40 sec 90 sec 150 sec 234 sec146.9 sec 279.4 sec

BkII/BkIIA Risk Reduction:Case A - 1- 228/419 = 46%Case B - 1- 571/1090 = 48%

BkII/BkIIA Risk Reduction:Case C - 1- 32/36 = 11%Case D - 1- 34/37 = 8%Case E - 1- 37/38 = 2.6%Case F- 1- 39/40 = 2.5%Case G- 1- 40/40 = 0%

Results

SDV DARE Example Results

CV Stabilization FailureRecovery Failure

Landing Failure

Landing Sys. Failure

Failure Detection Failure

CV Separation Failure


LOC

Ascent Time = 80 secondsRSRM Propellant FailureSide-Mount Vehicle

1

1/100,000

1/10,000

1/1,000

1/1001/100

1/10

1/1,000,000

Mean Value

5th Percentile

95th Percentile

Key

Mean Value

5th Percentile

95th Percentile

Key




Landing Failure





LOC


1

1/100,000

1/10,000

1/1,000

1/1001/100

1/10

1/1,000,000

Mean Value

5th Percentile

95th Percentile

Key

Mean Value

5th Percentile

95th Percentile

KeySDV DARE Example Results


Landing Failure





LOC


1

1/100,000

1/10,000

1/1,000

1/1001/100

1/10

1/1,000,000

Mean Value

5th Percentile

95th Percentile

Key

Mean Value

5th Percentile

95th Percentile

Key


DARE

0

50

100

150

200

250

300

350

400

450

500

0 50 100 150 200 250 300 350 400 450 500

Time of Abort (s)

Dis

tan

ce (

ft)

Pf=95%

Pf=50%

Critical Distance: CEV survival / failure interface

Separation Distance: CES Capability

5th Percentile

50th Percentile

95th Percentile

Pf=5%

0

50

100

150

200

250

300

350

400

450

500

0 50 100 150 200 250 300 350 400 450 500

Time of Abort (s)

Dis

tan

ce (

ft)

Pf=95%

Pf=50%

Critical Distance: CEV survival / failure interface

Separation Distance: CES Capability

5th Percentile

50th Percentile

95th Percentile

Pf=5%

Integration of the best available Data and Models

25

• Is a particular LOC requirement reasonable and achievable?– e.g. 99% abort effectiveness at 80% confidence

• System options– LES motor

• pusher/tractor– Reentry/landing systems

• Biconic/ballistic– TPS type

• Ablative/tile

• Performance characteristics– LES acceleration– Overpressure tolerance– Dynamic pressure tolerance– LES burn time

• Concept of operations– Escape tower jettison time– ATE/ATO interface

1

4

7

10 5

10

15

20

0

10

20

30

40

50

60

70

80

90

Requirements Development Support

LES A

ccele

rati

on

(m/s

2)

LES Burn Time

(sec)

Overpre

ssure

Desig

n Limit

(psi)

Requirements Surface e.g. 99% reliability @ 80%

confidenceAbove surface: Requirement met

Below surface: Requirement not met

26

• Identify and reduce the largest inhibitors of abort effectiveness

• Identify and reduce the largest uncertainties in abort effectiveness

US Cat

US Shutdown

RSRM Nozz. J-1 Fail

RSRM Prop. Fail

TVC Cat. (SRB)

0.000100

0.001000

0.010000

0.100000

1.000000

T = 80s

T = 250s

…Failure mode Y…

Event Description:

SRB EXPLOSION





Event Probability: 10% 100% 50% End State Abort Risk

Failure Mode X Y Y Pf = 94% 9.40E-02

N Pf = 5% 0.00E+00

N Y Pf = 79% 3.60E-01

N Pf = 0.1% 4.50E-02

Event Description:

SRB EXPLOSION





Event Probability: 0% - 20% 100% 35% - 65%

Failure Mode Y Y Y SRB and ET Explode

N Only SRB Explodes

N Y Only ET Explodes

N Nominal Abort

Identify the Sources of Risk & Uncertainty



Landing Failure





LOC


1

1/100,000

1/10,000

1/1,000

1/1001/100

1/10

1/1,000,000

Mean Value

5th Percentile

95th Percentile

Key

Mean Value

5th Percentile

95th Percentile

Key




Landing Failure





LOC


1

1/100,000

1/10,000

1/1,000

1/1001/100

1/10

1/1,000,000

Mean Value

5th Percentile

95th Percentile

Key

Mean Value

5th Percentile

95th Percentile

KeySDV DARE Example Results


Landing Failure





LOC


1

1/100,000

1/10,000

1/1,000

1/1001/100

1/10

1/1,000,000

Mean Value

5th Percentile

95th Percentile

Key

Mean Value

5th Percentile

95th Percentile

Key


Pivotal Event W…

…Mitigate propagatio

n to system X

…Increase detection lead time

…Focus analysis on

event Z

27

Risk Informed Abort Development

What are the significantabort-initiating failures?

Failure Mode N

Failure Mode 2

Failure Mode 1

…

Prioritized Initiators

Failure Mode 2

When can Failure Mode 1

occur?

AbortInitial Conditions

Locations

Trajectories

Damage States

Accident Progression

Phenomenological Modeling

Probabilistic Risk Assessment

What are theabort options?

Abort Design

Abort Mode 1,1

Abort Mode 1,2

Abort Mode 1,M

…

How effective is the abort?

Abort Risk Assessment

Iterate

28

Conclusions• DARE is a proven, effective tool-based process

for evaluating abort effectiveness• DARE is designed to capture the best data and

models available throughout NASA• DARE supports risk informed decision making

throughout all stages of program development– Conceptual– Preliminary design– Testing and evaluation– Operations

• The dynamic DARE framework supports rapid analysis of system and operational trades

• DARE is a living process that will remain current and productive throughout Constellation life

1 shuttle derived launch vehicle dynamic abort risk evaluator (dare) gaspare maggio chris everett...

Documents

dare modeling

mission assurance dare

nominal mission dare

dare shuttle sdlv slide

presented dare model

current scope of dare

abort risk assessment

abort risks