Futron Corporation • 400 Virginia Avenue,SW Suite 340• Washington, DC 20024-2730Phone 202-488-2931 • Fax 202-488-7863 • http://www.futron.com
We make technology work
NASA PRA Practices and Needs for the New Millennium
International Space Station Probabilistic Risk Assessment
Stage 7A
October 25-26, 2000
October 23, 2000 - ISS PRA 00-34
Purpose of ISS PRA
• Provide a decision support tool for the ISS program that evaluates safety and mission assurance risk
• Objectives
  - Provide risk data across ISS functions/systems (useful to operations planners as well as follow-on development managers)
  - Ensure synergy with ongoing safety, reliability, and risk management activities
• Scope
  - Develop the PRA in phases (allows for strategic/tactical changes to approach)
  - Consider only the catastrophic end states of loss of station, crew, module, or mission
  - Incorporate existing safety and reliability data
PRA Products
• Risk model capable of assessing risks due to changes in ISS configuration, operations, or environmental factors
• Probability distribution functions (including median values, mean values and uncertainties) for the end states, events, and accident scenarios
• Trade and sensitivity analyses (e.g., the effects of system upgrades, risk mitigation strategies, or changes to modeling assumptions)
• Identification of any discrepancies found in existing safety and reliability analyses (provides independent check)
Phased Approach
[Figure: timeline chart, 2000 through 2005, of the PRA phases against the assembly sequence]
- Phase I: Stage 7A PRA Quick Look, keyed to Flt 7A
- Phase II: Intermediate Stage PRA, keyed to Flt 12A
- Phase III: Assembly Complete PRA, keyed to the Final Assembly Flight
- Phase IV: Use the PRA to perform trade and sensitivity analysis to support program decisions
The chart also plots the number of safety data products produced by the ISS Program against the number used by the PRA process: Hazard Analyses, FMEA/CIL, Reliability Diagrams, Fault Trees, Failure Rate Predictions, Arch. Description Docs, Flight Rules, Procedures.
Definitions
• Event Sequence Diagram (ESD) - ESDs show the progression of an initiating event to all the possible end states.
• Initiating Event - Initiating events begin the event sequences. They may be:
  - a single component failure or a combination of failures
  - the start of a procedure
  - an energetic external event
• Pivotal Event - Pivotal events are those that must occur in order to prevent the initiating event from propagating further. These may take the form of safety systems, procedural steps, crew or ground intervention, physical conditions, or time constraints.
• End States - Terminating point of an event sequence. An ESD can have multiple end states.
• Sequence - Accident scenario: a path through the ESD from the initiator to a bad end state.
• Basic Events - The lowest quantified part of the model.
Model Philosophy
• Stage 7A (including previous stages) is assembled correctly
• All equipment is operational at start of 7A
• Structural failures are not credible
• Spares noted in logistics plans are on station
• Repair actions incorporate:
  - restoration of initiating events
  - restoration of onboard spared items
• Human errors are not initiating events
  - They do contribute to pivotal events
• Russian EVA resources not available
  - Procedures do not yet show the use of these assets
• Software is perfect for this iteration of the model
Stage 7A Configuration
• Airlock is attached and functional
• Model includes:
  - 3 crew members
  - 8 months of operations
  - 3 Progress dockings
  - 3 Orbiter dockings
  - 2 Soyuz dockings
  - 1 Soyuz port change
  - 1 avoidance maneuver
  - 2 reboost burns
  - 3 EVAs
[Figure: Stage 7A configuration with these elements labeled: Joint Airlock, Service Module, Progress, Soyuz, U.S. Laboratory, Node 1, Functional Cargo Block, Z1 Truss (CMGs), PV Arrays, Radiators, Space Station Remote Manipulator System, two Pressurized Mating Adapters, P6 Truss]
End State Definitions
• Station and Crew are Functional (OK) - This end state signifies that the station is still working within the flight rule constraints
• Loss of Station and Crew (LOS/C) - Catastrophic loss of the station and crew
• Loss of Crew (LOC) - Resultant loss of a crew member. Also includes the inability to evacuate the station when an evacuation end state has been reached and neither Soyuz nor Orbiter is available to perform the evacuation
End State Definitions (continued)
• Evacuation End States (EVAC)
  - Emergency Evacuation - An emergency situation exists and warrants station evacuation. These situations are characterized by short response times and are captured in Flight Rules.
  - Flight Rule Evacuation - Evacuation once a set of conditions is met. Some Flight Rules state that certain conditions must be satisfied but do not identify further action, while others state that further discussion with the ground is required.
  - Medical Evacuation - Evacuation of the station is dictated by a medical condition of one of the crewmembers. At Stage 7A all three crewmembers must evacuate together since only one Soyuz is available.
End State Definitions (continued)
• Other Undesired End States (OUE) - A collection of end states that, while neither catastrophic nor an evacuation, still represent a "bad day". These include:
  - The shutdown of any pressurized module
    • as dictated by flight rule
    • as a result of MMOD
  - The loss of either US or RS distributed systems:
    • Electrical Power
    • Thermal Control
    • Environmental Control and Life Support
    • Attitude Control
    • Guidance & Navigation
    • Propulsion
    • Command & Data Handling
    • Communications
  - Loss of a function such as
    • ability for Orbiter, Progress, or Soyuz to dock
    • ability to reboost
    • insufficient O2 or N2 reserves
ISS PRA Approach Flow Diagram
[Figure: flow diagram of the ISS PRA approach, showing the following inputs and model elements]
- Phase I Results, FMEA/CIL, Hazard Reports, Functional Analysis and Previous Risk Assessments feed the Master Logic Diagram, which produces the List of Initiating Events
- Flight Rules, Training Manuals, System Architecture and Engineering Expertise feed the Event Sequence Diagrams
- Components, Systems and Racks feed the Fault Trees
- MADS, PRACA, industry databases and other assessments feed the Data Analysis
- SAPHIRE integrates the operational models and hardware configuration to provide results
- Results are reviewed by ISS Program organizations
Master Logic Diagram
[Figure: Master Logic Diagram. Top event: Loss of Station Function ("Bad Day"), decomposed as follows]
- Internal System Failures: Element Interface Integrity, Structural Integrity, Propulsion, Life Support, Electrical Power, C&DH, Comm., Thermal Control, Attitude Control
- Energetic Hazards: External Sources, Internal Sources
- Interaction With Other Vehicles: Soyuz Collision, Progress Collision, Orbiter Collision
- Crew Injury or Incapacitation
ISS PRA Model
[Figure: model structure. Each ESD group feeds end states that are gathered across all ESDs; the results are probabilities and dependency interactions.]
- Housekeeping ESDs (probabilities based on continuous operations): EPS, TCS, GNC, C&DH, ECLSS, ACS, Medical
- Procedural ESDs (probabilities per demand): Orbiter Docking, Soyuz Docking, Progress Docking, Reboost, EVAs
- Energetic Hazard ESDs (probabilities based on occurrence frequency): MMOD, Radiation, Fire, Toxic
PRA Stage 7A model status:
- 65 Event Sequence Diagrams
- ~450 Fault Trees
- ~1500 Basic Events
- 28 Unique Bad End States
- ~400 Sequences
- >2 million Cut-sets
ESD Example - O2 Generation
[Figure: event sequence diagram. Legend: failure path, initiator, pivotal event, end state.]
Initiator: Elektron fails (1)
The diagram walks through the backup O2 supplies in the order listed below. At each supply there are two pivotal events: whether the supply is available/functional, and whether the Elektron is repaired before that supply is consumed. A "Yes" on the repair question ends the sequence in OK; a "No" on either question moves on to the next supply. If the last supply is also consumed without a repair, the sequence ends in FR EVAC.
  1. Progress O2/Air tanks available (390 hours of supplies) - Elektron repaired before Progress supplies are consumed?
  2. O2 HPGC #1 available (1000 hours of supplies) - Elektron repaired before O2 HPGC #1 supplies are consumed?
  3. SFOGs available/functional (2) (320 hours of supplies) - Elektron repaired before SFOG supplies are consumed?
  4. EVA HPGC available/functional (3) (320 hours of supplies) - Elektron repaired before EVA HPGC supplies are consumed?
End states: OK, FR EVAC
Notes:
1) The Elektron is considered the primary oxygen source for the ISS as per Flight Rule {B17.2.10-2} ELEKTRON NOMINAL CONFIGURATION AND FAILURE RESPONSE [111699-7014A]. This flight rule states that "...upon loss of Elektron, MCC will recommend in real-time..." The sequence of use of redundant systems was then based on the ISS ECLSS Console Handbook, Volume I - Appendix: Console Flipbook (JSC-36331) Resource System Capacities (pg. 44).
2) The SFOGs and the EVA HPGC are not necessary for the 35 days (840 hrs) between 7A and 7A.1.
3) The EVA HPGC is only necessary between 7A.1 and UF-1 if the Progress stores were completely consumed prior to 7A.1 and the Elektron does not work for more than 8 days (192 hrs) of that time period.
4) 68 kg of O2 are reserved as per Flight Rule {B17.5.1-1} OXYGEN AND NITROGEN RESERVE REQUIREMENTS [062296-6596], so this HPGC can only provide 13.3 days (320 hrs) of O2 support.
5) The greatest length of time between Orbiter flights (HPGC recharge and SFOG cassette replenishment) is between 7A.1 and UF-1: 63 days (1512 hrs).
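The O2-generation ESD above can be quantified by walking each Elektron failure through the supply chain and checking whether the repair lands before the supplies run out. The following is an added example, not code from the Futron/NASA ISS PRA and not SAPHIRE: the supply durations (390, 1000, 320 and 320 hours) and the 8-month mission come from the slides, while the Elektron failure rate, the repair-time distribution and the availability of each backup are assumed values chosen for illustration.

```python
"""Monte Carlo quantification of the O2-generation ESD above.

Added worked example; this is not code from the Futron/NASA ISS PRA and not
SAPHIRE. Supply durations (390, 1000, 320, 320 hours) and the 8-month mission
come from the slides. The Elektron failure rate, the repair-time distribution
and the availability of each backup are ASSUMED values for illustration.
"""
import random

MISSION_HOURS = 8 * 30 * 24   # 8 months of operations (slide 7), approx. 5760 h

# Backup O2 supplies in the order the ESD consumes them, with hours of supply.
SUPPLIES = [
    ("Progress O2/Air tanks", 390),
    ("O2 HPGC #1", 1000),
    ("SFOGs", 320),
    ("EVA HPGC", 320),
]


def walk_esd(repair_hours, available):
    """Walk the ESD for one Elektron failure.

    repair_hours: time needed to restore the Elektron after it fails.
    available:    supply name -> bool, the 'available/functional' pivotal events.
    Returns (end_state, supply_in_use_at_repair, hours_of_backup_O2_used).
    An unavailable supply is skipped; a supply consumed before the repair hands
    over to the next one; running out of supplies is the FR EVAC end state.
    """
    consumed = 0.0
    for name, hours in SUPPLIES:
        if not available.get(name, False):
            continue                            # 'No' on the availability question
        if repair_hours <= consumed + hours:
            return "OK", name, repair_hours     # repaired before this supply runs out
        consumed += hours                       # supply exhausted, move to the next
    return "FR EVAC", None, consumed


def simulate(n, elektron_rate_per_hour, mttr_hours, availability, seed=0):
    """Estimate P(FR EVAC via this ESD per mission). All inputs are assumptions."""
    rng = random.Random(seed)
    evac = 0
    for _ in range(n):
        t_fail = rng.expovariate(elektron_rate_per_hour)    # initiating event
        if t_fail > MISSION_HOURS:
            continue                            # Elektron survives the mission
        repair = rng.expovariate(1.0 / mttr_hours)          # exponential repair time
        avail = {name: rng.random() < p for name, p in availability.items()}
        if walk_esd(repair, avail)[0] == "FR EVAC":
            evac += 1
    return evac / n


if __name__ == "__main__":
    # Assumed: Elektron fails about once per 2000 h, mean repair time 200 h,
    # each backup available/functional with the given probability.
    p_evac = simulate(20000, 1 / 2000, 200.0,
                      {"Progress O2/Air tanks": 0.95, "O2 HPGC #1": 0.98,
                       "SFOGs": 0.90, "EVA HPGC": 0.90})
    print(f"P(FR EVAC from O2 generation per mission) ~ {p_evac:.4f}")
```

The walk mirrors the diagram's pivotal events one-for-one, so a change to the flight-rule ordering of supplies or to a supply's capacity is a one-line edit to `SUPPLIES`; the sensitivity of the FR EVAC probability to the assumed repair time is the kind of trade the slides describe.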
Fault Trees - CDRA
[Figure: fault tree with top event "CDRA fails". Events shown, with intermediate events developed into their contributors:]
- CDRA HW fails
- CVV fails (CDRA):
  - CO2 Vent Valve Vacuum Line Pressure Transducer fails
  - CO2 Vent Valve Rack Isolation Valve fails closed
  - CO2 Vent Valve Bulkhead Isolation Valve fails closed
  - No power to CVV (RPCM LAAFT2B-E fails): RPCM LAAFT2B-E fails; DDCU LAAFT-2B fails; LB SEPS-N2-23 fails
- INT MDMs fail
- LA-3 MDM fails
- AR rack AAA fails
- No power to AR rack (RPCM LAF6-2B-A fails)
- ITCS LTL not at proper temperature
- Both Lab CCAAs are inactive
- Coldplate HXRM04 fails
(Transfer gates 2 and 4 continue the tree on other pages.)
Fault trees trace failures into supporting systems such as the DDCUs.
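The point of tracing a tree into the supporting systems is that a support failure such as a DDCU then shows up in the cut sets of every tree that depends on it. The following is an added example, not the ISS PRA's SAPHIRE model: it builds a small fault tree patterned on the CDRA slide, enumerates its minimal cut sets, and ranks the DDCU by Fussell-Vesely importance. The gate structure is an assumed reading of the figure (OR gates, plus one AND gate marked in the code) and the basic-event probabilities are placeholders, not ISS data.

```python
"""Minimal cut sets of a small fault tree patterned on the CDRA tree above.

Added example; this is not the ISS PRA's SAPHIRE model. The gate structure is an
ASSUMED reading of the slide (OR gates, plus one AND gate marked below) and the
basic-event probabilities are placeholders, not ISS data.
"""
import math
from itertools import product

# Gates: name -> (gate type, children). Names not in TREE are basic events.
TREE = {
    "CDRA fails": ("OR", ["CDRA HW fails", "CVV fails", "INT MDMs fail",
                          "LA-3 MDM fails", "AR rack AAA fails",
                          "No power to AR rack", "ITCS LTL not at temperature"]),
    "CVV fails": ("OR", ["CVV vacuum line pressure transducer fails",
                         "CVV rack isolation valve fails closed",
                         "CVV bulkhead isolation valve fails closed",
                         "No power to CVV"]),
    # Loss of CVV power traced into the supporting EPS: RPCM, its DDCU, the bus.
    "No power to CVV": ("OR", ["RPCM LAAFT2B-E fails", "DDCU LAAFT-2B fails",
                               "LB SEPS-N2-23 fails"]),
    "No power to AR rack": ("OR", ["RPCM LAF6-2B-A fails"]),
    # ASSUMED AND gate: loop temperature is lost only if the coldplate fails and
    # both Lab CCAAs are inactive.
    "ITCS LTL not at temperature": ("AND", ["Coldplate HXRM04 fails",
                                            "Both Lab CCAAs inactive"]),
}


def cut_sets(node):
    """All cut sets (frozensets of basic events) that fail `node`."""
    if node not in TREE:
        return {frozenset([node])}
    gate, children = TREE[node]
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":
        return set().union(*child_sets)
    # AND: one cut set from each child, combined
    return {frozenset().union(*combo) for combo in product(*child_sets)}


def minimal(sets):
    """Keep only cut sets that contain no other cut set."""
    return {s for s in sets if not any(o < s for o in sets)}


def basic_events(node):
    return {e for s in cut_sets(node) for e in s}


def top_probability(mcs, p):
    """Rare-event approximation: sum over minimal cut sets of the product of event probabilities."""
    return sum(math.prod(p[e] for e in s) for s in mcs)


def fussell_vesely(mcs, p, event):
    """Fraction of the top-event probability carried by cut sets containing `event`."""
    return sum(math.prod(p[e] for e in s) for s in mcs if event in s) / top_probability(mcs, p)


# Placeholder per-mission probabilities (ASSUMED, not ISS data).
BASIC_EVENT_P = {e: 1e-3 for e in basic_events("CDRA fails")}
BASIC_EVENT_P["DDCU LAAFT-2B fails"] = 5e-3


if __name__ == "__main__":
    mcs = minimal(cut_sets("CDRA fails"))
    print(f"{len(mcs)} minimal cut sets, P(CDRA fails) ~ {top_probability(mcs, BASIC_EVENT_P):.5f}")
    for s in sorted(mcs, key=lambda s: (len(s), sorted(s))):
        print(" ", " AND ".join(sorted(s)))
    # The DDCU is a supporting-system failure, yet it is a single-event cut set.
    print("FV importance of DDCU LAAFT-2B:",
          round(fussell_vesely(mcs, BASIC_EVENT_P, "DDCU LAAFT-2B fails"), 3))
```

With the placeholder numbers the DDCU accounts for about a third of the top-event probability even though it is three gate levels below the CDRA; that is the dependency a tree that stopped at "No power to CVV" would hide, and it is what makes cut sets across different trees share events.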
Quantification
• For each Basic Event, the probability of failure within a given time period is calculated as
  Pr = 1 - e^{-λt}
  where λ = failure rate (failures/hour) and t = mission time (hours). (e^{-λt} alone is the probability of surviving the period, so the failure probability is its complement.)
• Failure rates and probabilities are derived from a number of sources to give a mean and a distribution:
  - MADS - ISS logistics approved
  - NPRD - Nonelectronic Parts Reliability Data
  - EPRD - Electronic/Electrical Parts Reliability Data
  - Russian R&M reports RE-03, R-10-R02
• Probability distributions reflect the uncertainty in knowing the time of the next failure
  - Typically expressed as the 5th and 95th percentiles of log-normal failure rates
Basic Event Quantification
[Figure: failure-rate data points plotted on a log axis from 0.01 to 1000 fpmh (failures per million hours). Data values from NPRD; a MADS or RSA data value of 0.465 fpmh; 5th percentile = 0.166 fpmh; 95th percentile = 14.7 fpmh; distribution mean = 3.96 fpmh.]
Many data points are combined to derive the mean failure rate and its distribution.
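The two preceding slides give the pieces: a log-normal rate described by its 5th and 95th percentiles, and a failure probability 1 - e^{-λt} over the mission. The following added example (not code from the ISS PRA) reproduces the slide's mean of 3.96 fpmh from the 0.166 and 14.7 fpmh percentiles, converts the rate to a failure probability over the 8-month Stage 7A mission (taken as 8 x 30 x 24 = 5760 h, an approximation), and propagates the rate uncertainty into that probability by sampling.

```python
"""Log-normal failure-rate uncertainty and the basic-event failure probability.

Added worked example reproducing the numbers on the Basic Event Quantification
slide; this is not code from the ISS PRA. The 5th and 95th percentiles (0.166
and 14.7 fpmh) are from the slide; the 8-month mission time is from the Stage 7A
configuration slide (taken here as 8 x 30 x 24 = 5760 h, an approximation).
"""
import math
import random

Z95 = 1.6448536269514722        # standard-normal 95th percentile
MISSION_HOURS = 8 * 30 * 24


def lognormal_from_percentiles(p05, p95):
    """(mu, sigma) of ln(rate) for the log-normal with the given 5th/95th percentiles."""
    mu = (math.log(p05) + math.log(p95)) / 2.0
    sigma = (math.log(p95) - math.log(p05)) / (2.0 * Z95)
    return mu, sigma


def lognormal_stats(mu, sigma):
    """Median, mean and error factor (p95 / median) of the rate distribution."""
    return math.exp(mu), math.exp(mu + sigma ** 2 / 2.0), math.exp(Z95 * sigma)


def failure_probability(rate_fpmh, mission_hours):
    """Pr(failure within t) = 1 - exp(-lambda t), with lambda converted from fpmh to 1/h."""
    return 1.0 - math.exp(-rate_fpmh * 1e-6 * mission_hours)


def failure_probability_percentiles(mu, sigma, mission_hours, n=20000, seed=0):
    """Propagate rate uncertainty into the failure probability by sampling (5th, 50th, 95th)."""
    rng = random.Random(seed)
    probs = sorted(failure_probability(math.exp(rng.gauss(mu, sigma)), mission_hours)
                   for _ in range(n))
    return probs[int(0.05 * n)], probs[n // 2], probs[int(0.95 * n)]


if __name__ == "__main__":
    mu, sigma = lognormal_from_percentiles(0.166, 14.7)
    median, mean, ef = lognormal_stats(mu, sigma)
    print(f"median {median:.3f} fpmh, mean {mean:.2f} fpmh, error factor {ef:.1f}")
    # Point estimate at the mean rate, then the spread from the rate uncertainty.
    print(f"Pr(fail in {MISSION_HOURS} h) at mean rate: {failure_probability(mean, MISSION_HOURS):.4f}")
    lo, mid, hi = failure_probability_percentiles(mu, sigma, MISSION_HOURS)
    print(f"5th/50th/95th percentile of Pr(fail): {lo:.5f} / {mid:.5f} / {hi:.4f}")
```

The mean (3.96 fpmh) sits well above the median (about 1.56 fpmh) because the distribution is right-skewed with an error factor near 9; using the mean rate in 1 - e^{-λt} is the usual point estimate, and the sampled percentiles show how wide the band around it really is.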
Quantification (Updating)
[Figure: plot of "Probability that failure rate is greater than" (0% to 100%) versus failure rate (0.01 to 100 fpmh, log axis), showing the prior-data curve and the posterior (updated data) curve.]
Component failure rates are updated with actual failure experience on-orbit.
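The update behind the figure is Bayesian: the generic-data distribution is the prior, the on-orbit operating hours and failure count enter through a Poisson likelihood, and the posterior is what the plot shows as the "updated" exceedance curve. The following added example (not the ISS PRA's own procedure) performs that update numerically for the log-normal prior from the previous slide (5th percentile 0.166 fpmh, 95th percentile 14.7 fpmh); the observed experience, 1 failure in 200,000 pooled component-hours, is assumed.

```python
"""Bayesian update of a failure-rate distribution with on-orbit experience.

Added worked example; this is not the ISS PRA's own updating procedure. The
prior is the log-normal from the previous slide (5th pct 0.166 fpmh, 95th pct
14.7 fpmh). The observed experience, 1 failure in 200,000 pooled component-hours,
is ASSUMED. The posterior is computed numerically on a log-spaced grid with a
Poisson likelihood, and both curves are reported as P(rate > x), as in the figure.
"""
import math

Z95 = 1.6448536269514722


def log_grid(lo, hi, n):
    """n points spaced evenly in log between lo and hi (failure rate in fpmh)."""
    step = (math.log(hi) - math.log(lo)) / (n - 1)
    return [math.exp(math.log(lo) + i * step) for i in range(n)]


def lognormal_prior(p05, p95, grid):
    """Unnormalised log-normal density of the rate, evaluated on the grid."""
    mu = (math.log(p05) + math.log(p95)) / 2.0
    sigma = (math.log(p95) - math.log(p05)) / (2.0 * Z95)
    return [math.exp(-(math.log(x) - mu) ** 2 / (2.0 * sigma ** 2)) / x for x in grid]


def posterior(prior, grid, failures, hours):
    """Multiply the prior by the Poisson likelihood of `failures` in `hours` at each grid rate."""
    post = []
    for density, x in zip(prior, grid):
        expected = x * 1e-6 * hours                  # expected failures at x fpmh
        likelihood = math.exp(-expected) * expected ** failures / math.factorial(failures)
        post.append(density * likelihood)
    return post


def normalise(density, grid):
    """Convert densities on the grid into probability masses (trapezoid rule), summing to 1."""
    masses = [0.0] * len(grid)
    for i in range(1, len(grid)):
        area = 0.5 * (density[i - 1] + density[i]) * (grid[i] - grid[i - 1])
        masses[i - 1] += area / 2.0
        masses[i] += area / 2.0
    total = sum(masses)
    return [m / total for m in masses]


def exceedance(masses, grid, x):
    """P(rate > x): the quantity plotted on the slide."""
    return sum(m for m, g in zip(masses, grid) if g > x)


def mean(masses, grid):
    return sum(m * g for m, g in zip(masses, grid))


if __name__ == "__main__":
    grid = log_grid(0.001, 1000.0, 4000)
    prior_d = lognormal_prior(0.166, 14.7, grid)
    prior_m = normalise(prior_d, grid)
    post_m = normalise(posterior(prior_d, grid, failures=1, hours=200_000), grid)
    print(f"prior mean {mean(prior_m, grid):.2f} fpmh, posterior mean {mean(post_m, grid):.2f} fpmh")
    for x in (0.1, 0.166, 1.0, 5.0, 14.7, 50.0):
        print(f"P(rate > {x:>6} fpmh): prior {exceedance(prior_m, grid, x):.3f}"
              f"  posterior {exceedance(post_m, grid, x):.3f}")
```

Both tails contract: the likelihood is small at rates that would make one failure in 200,000 hours very unlikely, whether too low or too high, so the posterior exceedance curve is steeper than the prior's, which is the shape the figure shows. Zero failures in the same exposure would instead pull only the upper tail down.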
Significance of Results
• MMOD is > 90% of the risk of LOS
• The majority of risks do not lead to catastrophic end states
• The numbers overestimate the risk of non-catastrophic end states, since many options may still be available to the crew and ground once those end states are reached
  - Not meeting flight rules triggers end states
  - Ops documentation is still in development
• Several top sequences are driven by having no power jumper to the airlock
  - Failure of external US power channel 2B prevents an EVA, and therefore the power is not repairable
  - No Russian EVA (not in flight rules or procedures)
• The model lacks fidelity on the Russian segment