SAFETY GUIDED DESIGN OF CREW RETURN VEHICLE IN CONCEPT DESIGN PHASE USING STAMP/STPA

Similar documents
Successful Demonstration for Upper Stage Controlled Re-entry Experiment by H-IIB Launch Vehicle

SELENE TRANSLUNAR TRAJECTORY AND LUNAR ORBIT INJECTION

Parametric Design MARYLAND. The Design Process Level I Design Example: Low-Cost Lunar Exploration U N I V E R S I T Y O F

MARYLAND. The Design Process Regression Analysis Level I Design Example: UMd Exploration Initiative U N I V E R S I T Y O F.

DESIGN STANDARD. Micro-debris Impact Survivability Assessment Procedure

Space Debris Reentry Hazards

Parametric Design MARYLAND. The Design Process Regression Analysis Level I Design Example: Project Diana U N I V E R S I T Y O F.

Human Spaceflight Value Study Was the Shuttle a Good Deal?

The Design Process Level I Design Example: Low-Cost Lunar Exploration Amplification on Initial Concept Review

Challenging Decisions from a Career in Aerospace. AIAA Huntsville Section Michael D. Griffin 8 August 2017

Mars Sample Return Mission

LRO Lunar Reconnaissance Orbiter

21 JSTS Vol. 27, No. 2

The Inter-Agency Space Debris Coordination Committee (IADC)

USA Space Debris Environment, Operations, and Policy Updates

USA Space Debris Environment and Operational Updates

Mission to Mars. MAE 598: Design Optimization Final Project. By: Trevor Slawson, Jenna Lynch, Adrian Maranon, and Matt Catlett

The Inter-Agency Space Debris Coordination Committee (IADC)

2024 Mars Sample Return Design Overview

Whether a Soyuz Spacecraft really needs a parachute or is there an alternative?

Overview of JAXA Activities on Sustainable Space Development and Space Situational Awareness

Feedback Control of Spacecraft Rendezvous Maneuvers using Differential Drag

The Inter-Agency Space Debris Coordination Committee (IADC)

Achievements of Space Debris Observation

IMPACT OF SPACE DEBRIS MITIGATION REQUIREMENTS ON THE MISSION DESIGN OF ESA SPACECRAFT

Orbit Plan and Mission Design for Mars EDL and Surface Exploration Technologies Demonstrator

Predicting Long-Term Telemetry Behavior for Lunar Orbiting, Deep Space, Planetary and Earth Orbiting Satellites

Modular Low Earth Orbital-Hub DLR Vision 2025

ETS-Ⅷ Ion Engine and its Operation on Orbit

Reliability, Redundancy, and Resiliency

Evaluating the Safety of Digital Instrumentation and Control Systems in Nuclear Power Plants

TESTIMONY BEFORE. HOUSE CO1MfITTEE ON SCIENCE AND ASTRONAUTICS SUBCOWITTEE ON SPACE SCIENCES AND APPLICATIONS. Dr. John W.

CIVIL PROTECTION AND SAFE SKY

New Worlds Observer Final Report Appendix J. Appendix J: Trajectory Design and Orbit Determination Lead Author: Karen Richon

Launch Vehicle Family Album

The Kerbal Space Program

Marlene H. Dortch Secretary, Federal Communications Commission th Street, S.W. Washington, D.C

Congreve Rockets This rockets were invented by Englishman, Sir William Congreve. Congreve successfully demonstrated a solid fuel rocket in 1805, and

To the Moon and Back

Space Debris Assessment for USA-193

Robotic Lunar Exploration Scenario JAXA Plan

MAE 180A: Spacecraft Guidance I, Summer 2009 Homework 4 Due Thursday, July 30.

Formation Flying and Rendezvous and Docking Simulator for Exploration Missions (FAMOS-V2)

Implementation of the Outer Space Treaties in view of Small Satellites

Solid Propellant Autonomous DE-Orbit System [SPADES] Co-authors: T. Soares J. Huesing A. Cotuna I. Carnelli L. Innocenti

The time period while the spacecraft is in transit to lunar orbit shall be used to verify the functionality of the spacecraft.

TEACHER PAGE CELEBRATING SPACE: A QUICK HISTORY

The Interstellar Boundary Explorer (IBEX) Mission Design: A Pegasus Class Mission to a High Energy Orbit

Space Debris Re-entries and Aviation Safety

B.H. Far

Autonomous Vision Based Detection of Non-stellar Objects Flying in Formation with Camera Point of View

LAB 2 HOMEWORK: ENTRY, DESCENT AND LANDING

ADVANCED NAVIGATION STRATEGIES FOR AN ASTEROID SAMPLE RETURN MISSION

Operation status for the asteroid explorer, Hayabusa2

Space Exploration Earth and Space. Project Mercury Courtesy of NASA Images

Why Do We Explore Space?

LOW-COST LUNAR COMMUNICATION AND NAVIGATION

LOW EARTH ORBIT RENDEZVOUS STRATEGY FOR LUNAR MISSIONS. William M. Cirillo

PRELIMINARY HARDWARE DESIGN OF ATTITUDE CONTROL SUBSYSTEM OF LEONIDAS SPACECRAFT

Mars Sample Return Mission Design Proposal

Mission Analysis of Sample Return from Jovian Trojan Asteroid by Solar Power Sail

Joint work with Marie-Aude Esteve, Joost-Pieter Katoen, Bart Postma and Yuri Yushtein.

LUMINARY Memo #214 Revision 1

STUDY THE SPACE DEBRIS IMPACT IN THE EARLY STAGES OF THE NANO-SATELLITE DESIGN

Space Debris. New Mexico. Supercomputing Challenge. Final Report. Team 78. Mesa Middle School. Team Members. Justice Armijo.

INNOVATIVE STRATEGY FOR Z9 REENTRY

New Worlds Observer Operations Concept NEW WORLDS OBSERVER OPERATIONS CONCEPT (OPSCON)

Mars Sample Return (MSR) Mission BY: ABHISHEK KUMAR SINHA

Opportunities for Small Satellites and Space Research Using the K-1 Vehicle

MIKE HAWES VICE PRESIDENT & ORION PROGRAM MANAGER

The story of NASA. Presented by William Markham

Guidance Strategy for Hyperbolic Rendezvous

Initial Trajectory and Atmospheric Effects

Safety analysis and standards Analyse de sécurité et normes Sicherheitsanalyse und Normen

COMPREHENSIVE GIS-BASED SOLUTION FOR ROAD BLOCKAGE DUE TO SEISMIC BUILDING COLLAPSE IN TEHRAN

Solid Propellant Autonomous DE-Orbit System [SPADES]

Nov 30, 2012 China s Ambitious Space Program

THE DLR ORBITAL HUB: A CONCURRENT ENGINEERED POST-ISS APPROACH

USA Space Debris Environment, Operations, and Modeling Updates

SOLVING THE INTERNATIONAL SPACE STATION (ISS) MOTION CONTROL LONG-TERM PLANNING PROBLEM

Circular vs. Elliptical Orbits for Persistent Communications

Orbital Debris Mitigation

THE TRAJECTORY CONTROL STRATEGIES FOR AKATSUKI RE-INSERTION INTO THE VENUS ORBIT

Thank you for your purchase!

Orbital Debris Challenges for Space Operations J.-C. Liou, PhD NASA Chief Scientist for Orbital Debris

SELENE (KAGUYA) ORBIT DETERMINATION RESULTS AND LUNAR GRAVITY FIELD ESTIMATION BY USING 4-WAY DOPPLER MEASUREMENTS

MISSION ENGINEERING SPACECRAFT DESIGN

HERA MISSION & CM16 lessons learned

Design of "KIBO" structure and verification

ASTRIUM. Interplanetary Path Early Design Tools at ASTRIUM Space Transportation. Nathalie DELATTRE ASTRIUM Space Transportation.

from Phased Missions to Software Intensive Systems Use of the Dynamic Flowgraph Methodology (DFM) in Advanced PSA/PRA Applications:

Remembrances of Apollo. Dr. Ralph P. Pass

CASE STUDY. Keeping the James Webb Space Telescope on Track

Definition and verification of functional safety concepts for the definition of safe logical architectures

Current Status of Hayabusa2. Makoto Yoshikawa, Yuichi Tsuda, Hayabusa2 Project Japan Aerospace Exploration Agency

12.3 Exploring Space: Past, Present and Future

Pulsed Plasma Thruster Propulsion System

Implementation of Real-Time Monitoring and Warning of Near-Earth Space Dangerous Events by Roscosmos. I. Oleynikov, V. Ivanov, and M.

P1.1 THE NATIONAL AVIATION WEATHER PROGRAM: AN UPDATE ON IMPLEMENTATION

Cancellation of the Fifth (SM-4) Hubble Servicing Mission

Transcription:

SAFETY GUIDED DESIGN OF CREW RETURN VEHICLE IN CONCEPT DESIGN PHASE USING STAMP/STPA Haruka Nakao (1), Masa Katahira (2), Yuko Miyamoto (2), Nancy Leveson (3), (1) Japan Manned Space Systems Corporation, Urban Bldg., 1-1-26, Kawaguchi, Tsuchiura, Ibaraki 300-0033, Japan Email: nakao.haruka@jamss.co.jp, (2) Japan Aerospace Exploration Agency, 2-1-1 Sengen, Tsukuba-shi, Ibaraki 305-8505, Japan Email: miyamoto.yuko@jaxa.jp, katahira.masafumi@jaxa.jp, (3) Massachusetts Institute of Technology, 77 Massachusetts Avenue, Cambridge, MA 02139-4307, USA Email: leveson@mit.edu ABSTRACT In the concept development and design phase of a new space system, such as a Crew Vehicle, designers tend to focus on how to implement new technology. Designers also consider the difficulty of using the new technology and trade off several system design candidates. Then they choose an optimal design from the candidates. Safety should be a key aspect driving optimal concept design. However, in past concept design activities, safety analysis such as FTA has not used to drive the design because such analysis techniques focus on component failure and component failure cannot be considered in the concept design phase. The solution to these problems is to apply a new hazard analysis technique, called STAMP/STPA. STAMP/STPA defines safety as a control problem rather than a failure problem and identifies hazardous scenarios and their causes. Defining control flow is the essential in concept design phase. Therefore STAMP/STPA could be a useful tool to assess the safety of system candidates and to be part of the rationale for choosing a design as the baseline of the system. In this paper, we explain our case study of safety guided concept design using STPA, the new hazard analysis technique, and model-based specification technique on Crew Return Vehicle design and evaluate benefits of using STAMP/STPA in concept development phase. 1. INTRODUCTION Japan Aerospace Exploration Agency (JAXA) develops various types of space systems such as satellites, rockets, and manned systems including the International Space Station (ISS). Needless to say, safety is one of the essential characteristics to be achieved for these space systems. A hazard analysis is one of the most important elements in developing safe space systems. During system design, component failure based analyses, such as FTA and FMEA, are commonly used as hazard analysis methods. However, it is difficult to identify hazard causes that are not related to component failures using FTA/FMEA, which can lead to inadequate investigation for hazards. Although JAXA has not experienced any critical accidents caused by factors other than component failures so far, JAXA is considering introducing a new hazard analysis methodology, called STAMP/STPA, to avoid future accidents. STAMP/STPA focuses on control problems, not component failures, and it is able to identify hazards that arise due to unsafe and unintended interactions among the system components without component failures. JAXA is also considering to use STPA in very early mission or system design to support safety design of a system. To design system safe, it is important to perform system design and safety design in parallel and optimize functional design and safety design from the beginning of development. In the early study and mission design phase, engineers design many different systems to find out optimal system design. Safety analysis provides safety related risk information of each design candidate which has to be considered in design trade-off. In this phase there are no concrete system configuration items nor system components that mean it is difficult to apply traditional fault based safety analysis like FTA. SPTA is focus on control problems that occur in system and it can analyze control related hazards based on function design of the system without tangible system components. Then the analysis results are organized as safety constraints or

requirements that indicate hazard related items to be eliminated or controlled in further system design. As a pilot case study, we perform safety analysis using STPA in parallel with mission design and provide feedback between them iteratively as a trial of safety guided design. 2. RESEACH OVERVIEW 2.1. Early Study of Crew return Vehicle JAXA has started early study of a manned space vehicle to obtain technical capabilities that are able to develop and operate a manned space vehicle. The vehicle is a visiting vehicle launched by the H-IIB rocket to carry crews and necessary components to the ISS and return to the earth. Figure 1 depicts operation overview of the Crew return Vehicle (CV). We are involved in a working group of Control System of the CV, which is one the most important target technology area. The objective of this WG is to design optimal vehicle control system and to establish a design methodology which is suitable for designing safety critical and human-centric complex system. One of the most difficult topics of the WG is to realize human-centric space system that provides seamless control between system and human and establish design method. The CV system needs to have many high autonomous functions considering appropriate autonomy level and control authority. For this purpose we start study of safety guided system design using STPA to enhance safety and optimization of control system design of the CV. Figure 1. Operation overview of the Crew return Vehicle 2.2. STAMP/STPA Current hazard analysis techniques start from a completed design and assume that accidents are caused by component failures. Because the primary cause of accidents in the old systems was component failure, the hazard analysis techniques and safety design techniques focused on identifying critical components and either preventing their failure (increasing component integrity) or providing redundancy to mitigate the effects of their failure. There are several limitations of these approaches. One of the major problems is that most common hazard analysis techniques such as FTA or FMEA, work on an existing design. Therefore, much of the effort goes into proving that existing designs are safe rather than building designs that are safe from the beginning. But system designs have become so complex that waiting until a design is mature enough to perform a safety analysis on it is impractical. The only practical and cost-effective safe design approach in these systems is to design safety in from the beginning. In safety-driven design, the information needed by the designers to make good decisions is provided to them before they create the design and the analyses are performed in parallel with the design process rather than after it. Because software errors and flawed human decision making do not involve random failures, hazard analysis techniques that only identify such failures will not be effective for them. A new approach to hazard analysis is required, which in turn must rest on an expanded model of accident causality. Against this background, Leveson developed a new accident model called STAMP (Systems-Theoretic Accident Model and Processes), which has been described in detail elsewhere [2]. The rest of this section describes a new hazard analysis technique, based on STAMP, which is called STPA (STAMP-Based Process Analysis) [3]. An important advantage of this technique is that it can be used to drive the earliest design decisions and then proceed in parallel with ensuring design decisions and design refinement. In STPA, the system is viewed as a collection of interacting loops of control. The assessment begins with identifying hazards for the system and translating them into top-level system safety constraints. Next, a basic control structure is defined. A control structure diagram depicts the components of the system and the paths of control and feedback. Using the control structure diagram as a guide for conducting the analysis, each control action is assessed for potential contribution to hazards. Identified inadequate control actions are used to refine system safety constraints. Finally, the analyst determines how the potentially hazardous control actions could occur. If the controls in place are inadequate, recommendations should be developed for additional mitigations.

3. CASE STUDY ON SYSTEM CONCEPT DESIGN PHASE of CREW RETURN VEHICLE 3.1. System Overview We are conducting a case study of safety guided concept design of CV using STPA. One of the important advantages of STPA is that it can identify hazardous scenarios or their causal factors with regard to interaction between controller and controlled process. In this section we explain a scope and conditions to perform STPA at first. CV is a capsule type re-entry module. Figure.2 shows the reference model of CV. As Figure 1 shows, the CV is launched by Japanese rocket and rendezvous with ISS and dock to ISS. After departure from ISS, CV performs deorbit maneuver and detaches the re-entry capsule before arriving reentry point. Then the capsule return to the earth. Figure 2. Reference model of CV In this CV study, we focused on de-orbit flight phase, from completion of un-dock to passing through re-entry point. Figure 3 shows de-orbit flight phase. Figure.3 De-orbit flight phase Figure 4 shows the state chart of de-orbit phase. The state chart shows nominal sequence of de-orbit procedure. Last two gray colored states that are 4.Guidance flight and 5.Landing are out of scope of this analysis. Figure 4. State chart of de-orbit flight phase In table 1, we defined states that are 1.Preparation of Deorbit, Execution of de-orbit maneuver and 3.Nonguidance flight. Table 1. Definition of States 1. Preparation of De-orbit Maneuver Maneuver preparation Activation and Health check of H/W component that is used for De-orbit Maneuver. For example activation of engines. Maneuver start State of CV System transit to De-orbit Maneuver Execution. Triggering condition: Maneuver preparations shown below is completed. CV time become planned Maneuver time. Health check of H/W components is successful. Confirmation of dispersion of touch down point is successful. Next state: 2. Execution of De-orbit maneuver 2. De-orbit Maneuver Execution Maneuver execution -Inject engines until predefined generation of predefined V. -Maintain maneuver attitude. Maneuver end State of CV System transit to Descent without Lifting Guidance.

Triggering condition: Pre-defined delta-v is generated. Next state: 3. Non-guidance flight 3. Non-guidance flight Descent without guidance -Perform attitude control -Health check for Lifting Guidance flight Guidance start State of CV System transit to Lifting Guided flight Triggering condition: Dynamic pressure by atmosphere is greater than TBD [MPa] Next state: 4. Guidance flight 3.2. System-Level Hazards During this de-orbit phase, one of the most catastrophic accident is a fail of de-orbit maneuver. It is not only a result in damage of the CV itself, but could also lead to loss of crews and the vehicle. In this study, we focused on the De-orbit maneuver fail such as over burn or under burn as a system hazard. 3.3. Hazard analysis using STAMP/STPA As a preparation of STPA, we defined a control structure of CV system. Figure 5 shows a top level-control structure diagram for the CV system. There are 5 major parts: CV (CV crew and CV system), ISS, NASA ground station, JAXA ground station, and Tracking and Data Relay Satellite (TDRS) as data relay communication. Connecting lines between those parts show control actions, information, and acknowledgments (feedback) between each part. There is also a voice loop connection between the ISS crew, NASA ground station and JAXA ground station. Figure 5. Top level Control structure 3.4. STPA Step.1 and Step.2 i. STPA Step.1 Identification of Hazardous control behaviours The first step in STPA is to assess the safety controls provided in the system design to determine the potential for inadequate control, leading to hazard. The assessment of the hazard controls uses the fact that control actions can be hazardous in four ways [3]. 1. A control action required for safety is not provided or is not followed. 2. An unsafe control action is provided that leads to a hazard. 3. A potentially safe control action is provided too late, too early, or out of sequence. 4. A safe control action is stopped too soon (for a continuous or non-discrete control action) For convenience, a table can be used to record the results of this part of the analysis like Table 2. Control Action Table 2. Identifying Hazardous System Behaviour Maneuver start Not Given or Not followed Katahira, M., > Miyamoto, Given incorrectly Wrong timing order To be analyzed. Guidance start Etc... --- --- --- --- or Stopped too soon ii. SPTA Step.2 Determining How Unsafe Control Actions Could Occur Performing the first step of STPA provides the safety requirements, which may be sufficient for CV system. A second step can be performed, however, to identify the scenarios leading to the hazardous control actions that violate the safety constraints. Starting with each hazardous control action identified in Step 1, the analysis in Step 2 involves identifying how it could happen. To gather information about how the hazard could occur, the parts of the control loop for each of the hazardous control actions identified in Step 1 are examined to determine if they could cause or contribute to it. Once the potential causes are identified, design controls and mitigation measures can be designed if they do not already exist or evaluate existing measures if the analysis is being performed on an existing design. Figure 6 shows example of Step 2 STPA analysis on CV.

STPA is used for identification of hazardous control behaviour and their causal factors. In addition to that, SpecTRM analysis [4] is used for checking the existence of concrete hazardous conditions in the design. Using the results of STPA and SpecTRM analysis, we investigate how to eliminate or how to control the hazards and causal factors. The safety constraints against the causal factors are used as Guide for Design detailing such as adding design controls and mitigation measures in next control structure level i.e. From Control Structure Level 0 to Control Structure Level 1. In such way the design is refined. This refinement using STPA and SpecTRM analysis is repeated in the safety guided design process. In this CV case study, we are studying how to apply this safety guided design process from the concept design phase. Figure 6. The causal factors to be considered to create scenarios in Step 2 (It is to be analyzed on CV case) 3.5. Safety guided design process Figure 7 shows our idea of safety guided design process. We are trying to apply the safety guided design to CV. Safety guided design process is compared to JAXA s traditional Safety analysis process in Figure 7. As Figure 7 shows, in JAXA s traditional safety analysis process, JAXA identifies system hazards in Preliminary Hazard Analysis. On the other hand, the control structure of space system and functions are designed in the design process. The control structure is refined based on identified system hazards. 4. SUMMARY AND FUTURE WORK Since we are now in early study phase, there is no concrete system configuration nor architecture. Therefore we defined states of de-orbit phase using state chart. Currently we are performing STPA Step1 and Step2 analysis. After we identify hazardous control behaviours and causal factors, we will investigate safety constraint, design control or mitigation together with system design team of CV. Based on the safety guided design process we defined, we will perform second iteration of hazard analysis on the refined system design. 5. ACKNOWLEDGMENTS The authors would like to thank system design studying team, Dr. Ueno, Mr. Wakabayashi and Mr. Kawano of Manned spacecraft research working group of JAXA. 6. REFERENCES 1. Leveson, Nancy G., A New Accident Model for Engineering Safer Systems, Safety Science, Vol. 42, No. 4, pp. 237-270, April 2004. 2. Leveson, Nancy G., Software Challenges in Achieving Space Safety, Journal of the British Interplanetary Society (JBIS), Volume 62, 2009. 3. Leveson, Nancy G., Engineering a Safer World, 2009. 4. Masa Katahira, Leveson, Nancy G., Use of SpecTRM in Space Applications, 2001. Figure 7 Safety guided design process with STPA and SpecTRM analysis

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback