
RISK ASSESSMENT APPLICATIONS TO SCIENCE AND EXPLORATION MISSIONS

Dr. Todd Paulos

Risk Analysis of Aerospace Missions II: Mission Success Starts with Safety Workshop

Key Bridge Marriott, Arlington, Virginia, October 29, 2002

Introduction

- Brief PRA Review
- Exploration Missions
  - ’03
  - Mars ’07
  - Mars ’09
  - MSR (Mars ’13? Or Mars ‘not in my lifetime’)
- Science Missions
  - CloudSAT
  - GRACE
  - Herschel Planck
- Summary

SRA, October 29, 2002 T. Paulos 2

Brief PRA Review

[Figure: PRA process overview, reconstructed from the extracted diagram text]

Inputs to Decision Making Process: Master Logic Diagram (Hierarchical Logic), Event Sequence Diagram (Logic), Event Tree (Inductive Logic), Fault Tree (Logic). There is a one-to-many mapping from an ET-defined scenario to the fault trees that model it.

Event tree: an initiating event (IE) followed by top events A, B, C, D, E; each sequence ends in an end state (OK, ES1, ES2).

Fault tree structure and logic modeling:
- Logic gates: AND (all of these events), OR (one or more of these elementary events)
- Basic events; link to another fault tree
- Events modeled: internal initiating events, external initiating events, hardware components, human error, software error, common cause, environmental conditions, other

Probabilistic treatment of basic events: the uncertainty in occurrence of an event is characterized by a probability distribution. Examples (from left to right in the figure): probability that the hardware x fails when needed; probability that the crew fail to perform a task; probability that there would be a windy condition at the time of landing.

Model integration and quantification of risk scenarios: integration and quantification of logic structures (ETs and FTs) and propagation of epistemic uncertainties to obtain
- minimal cutsets (risk scenarios in terms of basic events)
- likelihood of risk scenarios
- uncertainty in the likelihood estimates

Risk results and insights:
- Displaying the results in tabular and graphical forms
- Ranking of risk scenarios
- Ranking of individual events (e.g., hardware failure, human errors, etc.)
- Insights into how various systems interact
- Tabulation of all the assumptions
- Identification of key parameters that greatly influence the results
- Presenting results of sensitivity studies

Small Event Tree vs. Large Event Tree Approaches

- Small Event Trees
  - Systems with repair
  - Steady-state systems dealing with perturbations
  - Mutually exclusive set of initiating events develops into set of event trees
- Large Event Tree
  - Systems without repair
  - Dynamic missions dealing with mission objectives and performance
  - One initiating event develops into a single, large event tree

Three Important Things

- Do NOT emphasize the “P” in PRA
- The first benefit of doing a PRA is in doing the process
  - Scenario approach
  - Systems analysis
- The second benefit of doing a PRA is that it identifies and prioritizes risks
  - Helps with risk management efforts
  - Cost-benefit analyses

(’03)

MER Assembly

Mission Requirements

- Key Requirements
  - Level 1: Provide a surface mission lifetime of ≥ 90 sols
  - Level 1: Provide a UHF communications capability on the surface of Mars compatible with the Orbiter and/or a compatible orbiting asset
  - Level 1: Accommodate science payload
    - Panoramic Camera (PanCam)
    - Miniature Thermal Emission Spectrometer (mini-TES)
    - Mössbauer Spectrometer (MS)
    - Alpha Particle X-Ray Spectrometer (APXS)
    - Microscopic Imager (MI)
    - Rock Abrasion Tool (RAT)
- Mission Constraints
  - Each Mission Duration = 90 sols
  - Two Concurrent Landed Missions: prime missions overlap from 2/25/04 to 4/6/04

MER Cruise Stage and Lander

MER EDL and Deployment

MER Rover

Rover “Arm”

- Arm has three joints, similar to a human arm
- Four tools are located on the arm
  - The Microscopic Imager
  - The Mössbauer Spectrometer
  - The Alpha Particle X-Ray Spectrometer
  - The Rock Abrasion Tool

Cameras

- Each Rover has nine cameras
  - Four Hazcams
  - Two Navcams
  - Two Panoramic Cameras
  - One Microscopic Imager

Miniature Thermal Emission Spectrometer

- Infrared spectrometer
- Studies mineralogy of rocks and soils
- Detects patterns of thermal radiation
- Only 5 pounds

Mössbauer Spectrometer

- Instrument designed specifically to study iron-bearing materials
- Very sensitive
- Very small (fits in the palm of a hand)
- Instrument head in contact with object for 12 hours

Alpha Particle X-Ray Spectrometer

- The APXS is designed to study the alpha particles and x-rays emitted by rocks and soils in order to determine their elemental chemistry
- Alpha particles are emitted during radioactive decay and X-rays are a type of electromagnetic radiation
- Most APXS measurements will be taken at night and will require at least 10 hours of accumulation time, although x-ray alone will only require a few hours

Flight Schedule

Phase | Definition | MER-A Open Phase Start | MER-B Open Phase Start
Launch | Launch to thermally stable, positive energy balance state, launch telemetry played back | May 30, 2003 | June 25, 2003
Cruise | End of Launch phase to Entry-45 days | May 31, 2003 | June 26, 2003
Approach | Entry-45 days to Entry | November 20, 2003 | December 11, 2003
EDL | Entry to end of critical deployments on Sol 1 | January 4, 2004 | January 25, 2004
Egress | End of EDL to receipt of DTE on Sol 4 | January 4, 2004 | January 25, 2004
Surface Mission | End of Egress to EOM | January 8, 2004 | January 29, 2004
EOM | Successful receipt of last scheduled UHF data return the night of Sol 91 | April 6, 2004 | April 27, 2004

EDL Sequence

[Figure: EDL sequence diagram with nominal times and states; only these labels are recoverable: Launch = 6/27/03, Arrival = 2/8/04, Landing at 10N]

MER PRA Tasks

- Form PRA team
  - JPL engineers
  - PRA consultants
- Weekly meetings
- Training
- Definition of PRA goals
- Schedule
- Analysis
- Programmatic reviews

JPL Personnel

- Fault Protection
- Flight System Engineering
- Reliability
- Engineering Economics, Cost & Risk Analysis

PRA Task Objectives

- Participate in the Risk Management process
  - Risk awareness
  - Looking at things from a sequence/scenario perspective
  - Hardware and operational aspects
  - Interfaces, human interaction, external events and common cause failures
- How to use PRA results
  - Identify the largest contributors to risk
  - Identify ways to mitigate or prevent risks
  - Perform cost-benefit trade studies
- Train participants in PRA
  - Give JPL a better understanding of what PRA is and what it can do
- Focus on EDL portion of MER mission
  - Approach
  - Deployment

Example Event List

- Deployment Phase
  - remove lander batteries from bus
  - isolate lander bus from rover bus
  - extend lander petals
  - retract airbags
  - release middle wheel
  - cut rover/lander cable 3
  - cut rover/lander cable 2
  - deploy rocker suspension (rover lift/rocker suspension deploy)
  - rocker deploy
  - disconnect lift mechanism
  - release rear wheels
  - bogie deploy (rear wheel drives back)
  - shutdown
  - survive night 2
  - morning wake
  - deploy PMA
  - shutdown
  - survive night 1
  - morning wake
  - turn in-place
  - acquire surface image for egress
  - drive off lander deck
  - vehicle survives deploy phase
  - find sun
  - Subsystem survival

EDL Event Sequence

- Event tree includes functions that need to occur for:
  - Vehicle survival
  - Mission success
  - Failures that could end mission
- Event tree development is an iterative process
  - Changes made periodically to reflect changes to hardware or operations
  - Simplifications can be made once the model is felt to be complete or for computational purposes
- Event tree development tried to incorporate as much as possible from the mission level fault tree

Example Event Tree

[Figure: EDL event tree. Top events, left to right, with their codes:]

- terminal descent phase (TERM-DES-PH)
- enable RAS (EDL-RAS)
- ground acquisition (EDL-GND-ACQ)
- RAD firing solution (EDL-RAD-FIR-SOL)
- airbag retainer release (EDL-ARBG-REL)
- inflate airbags (EDL-ARBG-INF)
- backshell IMU, approach (APR-BS-IMU)
- backshell IMU, EDL (EDL-BS-IMU)
- TIRS not needed (EDL-TIRS-N)
- TIRS (EDL-TIRS)
- three sigma surface wind (EDL-3S-HOR-V)
- rocket assisted deceleration (EDL-RAD)
- bridle release (EDL-BRID-REL)
- disable pyro buses (EDL-D-PBUS-E22)
- no unintentional firing of pyro bus (EDL-UPF-E23)
- ground impact survival (EDL-IMPACT-SUR)

End states: the tree has 38 sequences. Sequences 1, 3, 9, 11, 18, 20, 26 and 28 transfer (T) to BASE-PET-DWN; the remaining 30 sequences end in LOV.

Fault Trees

- Events from event sequence are modeled using fault trees
- Developed hardware list (from MEL)
- Developed naming convention (for bookkeeping)
- Used Mission FTA where possible
- Inclusion of common cause failures
- Support functions
- Need to convert “qualitative” fault trees to “quantitative” fault trees

Example of Mission FTA

[Figure: mission-level fault tree, reconstructed below as an outline; gate types are not recoverable from the extracted figure]

Failure to open petals
- Failure to command petal retraction
  - Avionics Hardware Failure
    - Failure of Flight Computer
    - Failure of Telecom Board
    - Failure of LREU
    - Failure of LSID
    - Failure of LPDU
    - Failure of LPA Electronics
  - Sequence Error
    - grd seq or config err
  - Flight Software Error
- Failure of petal actuator mechanism
  - too cold
    - Both A and B side heater strings fail
    - Failure of thermal env (Go To Thermal PI Failure)
  - Insufficient power (Go To Power Failure, then Failure during EDL after CSS)
  - motor stall before fully deployed
    - physical unexpected obstruction
      - Landed nose-down in a crevasse
  - Failure of motor h/w
    - hinge failure

Example PRA Fault Tree

[Figure: PRA fault tree E-PET-OPEN, dated 2001/05/10, reconstructed as an outline of gates and basic events]

E-PET-OPEN: failure to open petals (petal gates ST-E-SPNXX-FD, ST-E-SPPXX-FD, ST-E-SPPYX-FD; the SPPYX branch is expanded)
- AV-E-SPPYX-CF: failure to command petal retraction
  - AV-E-PETRT-SW: flight software failure to command petal retraction
  - AV-E-HW-FAIL: avionics hardware failure
    - AV-E-RAD6K-FF: failure of flt computer
    - AV-E-TELCM-FF: failure of telecom board
    - AV-E-LREUX-FF: failure of LREU
    - AV-E-LSIDX-FF: failure of LSID
    - AV-X-LPDUA-FF: failure of LPDU
    - AV-E-LPE3X-FF: failure of LPA electronics
  - TH-E-SYS-FF: thermal system failure
  - PW-E-SYS-FF: power system failure
- ST-E-SPPYX-MF: failure of petal actuator mechanism
  - MD-E-LPA3-FF: failure of motor hardware
    - MD-E-HING3-FF: hinge failure
  - MD-E-SPPYX-PO: physical obstruction
    - MER-LND-CRVS: landed nose down in a crevasse

PRA Naming Convention

SS-PHA-XXXXX-FF
  SS = Subsystem, PHA = Mission Phase or Event, XXXXX = Component Name, FF = Failure Mode

Subsystems
- AV: Avionics
- CM: Camera
- ED: Entry/Descent
- MD: Mechanical Devices
- PL: Payload
- PP: Propulsion
- PW: Power
- PY: Pyro
- ST: Structure
- TC: Telecommunications
- TH: Thermal Control

Mission Phases or Events
- LAU: Launch
- CRZ: Cruise
- EDL: EDL
- DPL: Deployments & Egress
- SUR: Surface Ops
- EP1: Enable Pyro System (one specific time)

Data Development

- Obvious difficulty obtaining data
  - NPRD
  - EPRD
  - FMD
  - JPL History
  - Judgment
  - Vendors
  - Battery Handbook

MER Risk Insights: Loss of Vehicle

- Major Risk Contributors
  - Lander batteries
  - Solar panel obscuration on planet surface
  - RAD rockets
  - TIR rockets if used
  - Motor control board
- Insights
  - Deployment phase more risky than EDL
  - Deployment phase compounded by the fact that many environmental effects and conditions are unknown
- Unknowns
  - Landing impact risk
  - Phenomenological type risks
  - Cold welding issues

MER Risk Insights: Loss of Mission

- Major Risk Contributors
  - Cold weld event
  - Deployment actions
    - Airbag retraction
    - Lander petal obstructions
    - Wheel retractions
- Unknowns
  - Mars Orbiting assets
    - These compound comm failures
  - Excessively Cold Nights
  - Environmental unknowns

Sensitivity Candidates

- Phenomenological events
  - Winds, turbulence
  - Landing event
- External events
  - MMOD, contamination
- Command type events
- Software type events
- Lots of items where we assumed failure rates or probabilities

Potential Risk Reduction Strategies

- Increase battery capacity
- Develop operational work around for decreased power supply (detection, autonomous control, manual control)
- Backup motor control board
- Re-examine use of TIRS. As currently modeled, it is difficult to determine the benefits versus the risk introduced by a system malfunction.

Potential Risk Reduction Strategies (Con’t)

- Need to characterize environmental effects in better detail to determine how they truly affect mission risk
- Need to characterize phenomenological events better, such as landing risk
- May not want to rely on Mars orbiting assets for mission support
- Consider a simplified deployment sequence
- Protect against cold welds

MER PRA Shortcomings

- Included only a few phases of the flight
  - Launch, cruise and surface mission are not included
  - Dictates many end states leading into surface mission
- Project preconception of EDL risk drove analysis
  - Tug of war with JPL personnel

MER PRA Summary

- PRA focused mostly on mission risk
  - Management misconception about risk areas
- Determined a few scenarios which contribute the most to risk
- Determined that the PRA was sensitive to the many single point failures, and that those unknowns could drive the true risk value
- Software failure modes currently being assessed
- PRA methodology and results are still being used in reliability models, in developing fault protection scenarios, and to better organize mission level fault trees
- Risk contributors are supported by data

MER PRA Highlights

- Limited mission scope focusing mostly on system operational risk
- Trained JPL personnel
  - Technology transfer
- System nearing design completion, but some room for changes in operations
- Lessons learned for other Mars missions

Mars ’07 Netlander

Mission Overview

- CNES is planning to develop and launch a science and technology demonstration orbiter, part of a Program called Premier, in 2007. This orbiter will be a prototype of a future MSR orbiter.
- The orbiter will deploy soft-landing NetLanders to the Martian surface from approach trajectory.
- CNES plans to return science from the NetLanders for 1 Martian year.
- To feed forward to MSR, the orbiter aims at validating:
  - Aerocapture technology to low Martian orbit (deemed too risky and removed)
  - Rendezvous and capture system
- CNES is also considering an extended TBD science mission following the completion of the above objectives (one of the following):
  - Orbital science including a phase at low periapsis (> 150 km)
  - Orbital science and escape from Mars orbit and fly-by
  - Mars atmosphere sample return
  - Phobos sample return

CNES ’07 Orbiter Overview

[Figure: configuration versus mission phase: Launch, Cruise to Mars, Aerocapture, Mars orbit]

Working Groups

Joint working groups from CNES and various NASA centers (JPL, JSC, LaRC)

- Mission Design & Navigation
- Spacecraft System Design
- Aero-Capture Design
- Rendezvous and Capture Validation Concept
- Mission Risk Assessment
- MOS Design
- Mission Architecture
- Project Management

Risk Assessment Approach

- Used fault tree based quantitative probabilistic method
  - To identify major driving risks
  - To make risk mitigation recommendations
  - To compare risk levels with other missions
- Preliminary values to be updated as design progresses
- Several analyses already performed by CNES for MSR'05 and CNES'07 Orbiter missions
- NASA review and semi-independent analysis

List of Perceived Risks

Perceived risk: NAV is too hard
Response: We've added DVLBI, Optical Nav; Approach Nav + less stringent NAV relative to the old MSR baseline. Lehman recommends that NASA be the lead in this area. This item is open.

Perceived risk: Too much Mission Operations: Release NetLanders; Do Aerocapture; Do autonomous Periapsis Raise; and then Rendezvous/Capture Demo
Response: Mission Ops is less complicated than Cassini/Galileo; and is similar in complexity to MGS/M'98/M'01

Perceived risk: Aerocapture never been done before
Response:
- Qualified and man-rated on Apollo
- Controlled entry done on Apollo
- Studied in detail for 30 years
- Atmospheric re-entry demonstration conducted by CNES flight in 1998 (guided re-entry)
- Joint CNES/NASA Aerocapture Team planned for CNES '07

Perceived risk: Autonomous periapsis raise is high risk
Response:
- Baseline is to use a "canned" periapsis raise vs. autonomous burn.
- INS on-board, standard technology for U.S. & French missions
- Redundancy used in a hot backup mode (this is more reliable than MCO and Mars Odyssey)
- Big propellant margins
- Canned burn option

Perceived risk: Three challenging objectives in one mission, with interactions between them that reduce flexibility in mission operations and contingency planning. For example, Netlander must be delivered before aerocapture demo, and orbital insertion must be complete b
Response: The team evaluated the risk in these areas and compared to other NASA Mars missions. The results are as follows:
- Mission Operations: Mission is less complex than Cassini/Galileo and comparable in complexity/risk to MGS & M'01. Netlander release does not impact aerocapture entry and vice versa.
- Netlander Science Return: A backup Telecom capability with MRO is planned.
- Aerocapture Insertion: Comparable in risk to insertion via propulsive entry/aerobraking.

CNES Risk Analysis Summary

- Preliminary Risk Analysis Method
  - Breakdown in sub-phases (slices) for mission critical phases
    - Aerocapture
    - Netlander separation
    - Etc.
  - Identification of failure scenario for each sub-phase
    - Top-down approach (Fault Tree)
    - Failures of operations or pieces of equipment taken into account
  - Feared event classification according to consequences at mission and orbiter levels
  - Coarse assessment of feared event occurrence
- Actions and recommendations proposed to project team
  - Taken into account as soon as start of Orbiter or NetL phase B
  - Induce requirements in subsystem definition doc
  - Induce requirements for operation and definition of activities for System validation

CNES Aerocapture PRA Summary (con’t)

- Key assumptions
  - Single failures only taken into account
  - Conservative failure rates based on lessons learned from previous programs and engineering judgement for new techniques
  - Simple roll up of numbers through fault tree

NASA Probabilistic Assessment

- Approach
  - Used information from CNES on mission phases and elements
  - Developed event trees, fault trees and supporting probabilities
- Assumptions
  - Fully redundant Orbiter
  - NASA experience for cruise phase and CNES information for aerocapture, Netlander jettison phase, and rendezvous phase
  - Ability to detect and recover from certain failures
- Conclusions
  - Mission probability of success similar to CNES assessment
  - NASA assessment of the CNES aerocapture analysis:
    - A thorough and early assessment of the aerocapture phase
    - Approach is well thought out and conservative
    - Very good approach to risk management early in the program

Example Summary of Key Risks

- Navigation
  - Inaccurate entry corridor
  - Risks mitigated by
    - Different navigation techniques
    - Highly integrated JPL/CNES navigation teams
    - Limitation of maneuver magnitudes in the last days
    - Contingency scenarios in case of trouble

Risk Assessment Conclusions

- Major risk drivers have been identified and risk management efforts have begun
- Overall mission risk is similar compared to a NASA Mission to Mars
- MCO lessons learned are being incorporated into mission design
- Mitigating activities have been defined and appear to be acceptable without major impact on schedule and budget of project development

Risk Management Recommendations

- Complete the evaluation of actions/recommendations resulting from the risk assessments
- Track the status of each risk during development
- Assign one of the CNES project team to supervise progress of actions/recommendations and overall risk management
- Assign actions to the proper organization
  - Have a point of contact at each organization responsible for risk management
- Apply similar risk assessment approach to all components of the system (Orbiter, Netlander, operations, etc.)
- Establish integrated teams between CNES and NASA for
  - Navigation
  - Aerocapture
  - Rendezvous and Sample Capture
  - Operations
  - System validation

What not to do

Mission Phase | MGS | Mars Odyssey | MSR | CNES'07 Orbiter | CNES'07 Orbiter | CNES'07 Orbiter
Launch | 0.xxxxxx | 0.xxxxxx
Cruise | 0.xxxxxx | 0.xxxxxx | 0.xxxxxx | 0.xxxxxx
Netlander Release | N/A | N/A | N/A | 0.xxxxxx
MOI | 0.xxxxxx | 0.xxxxxx | 0.xxxxxx | 0.xxxxxx | 0.xxxxxx
Aerobraking - 65 days | 0.xxxxxx | 0.xxxxxx | N/A | N/A | N/A | N/A
Aerobraking - 87 days | N/A | 0.xxxxxx | N/A | N/A | N/A | N/A
Science | 0.xxxxxx | 0.xxxxxx | N/A
Rendezvous & Capture | N/A | N/A | 0.xxxxxx

Mars ’07 PRA Highlights

- Difference in Preliminary Risk Analysis and Probabilistic Risk Assessment
- Very early in design
  - Gives NASA options about cost risk
  - Gives NASA and CNES options about design trades
- On-going activity
  - French have considerable on-going effort

Mars Science Lander (Mars ’09)

PRA Status

- A Probabilistic Risk Assessment based upon the MSL sequence and configuration, and MER detailed design, has been performed to determine the significant risks for the mission
- Current project goal is to identify all potentially significant risks; not concerned with quantification
  - Design not mature enough to focus on a quantification with fidelity
  - Large uncertainty values detract from the real goal of the PRA
- Incorporate lessons learned from previous missions (MPL, , MER, etc.)

Mission Phases

- Approach
- Entry, Descent, Landing
- Powered Descent
- Surface Deployment (model ends with deployment of thermal subsystem)

Powered Descent Phase

- Powered Descent Elements
  - Hazard detection and avoidance
  - Powered descent
- Significant Powered Descent Phase Risks
  - Control authority
  - Engine start
  - Landing
  - Engine shut-off
  - Pyro events

Risk Management

- PRA is being used to identify, assess and prioritize risks for RM efforts
- Defect Detection & Prevention (DDP) is a risk management tool that can track and evaluate risks, and track mitigation options
- DDP & PRA in constant reiteration cycle
- List will be constantly updated as design and mission evolve

MSL PRA Highlights

- Very quick look at the EDL portion of the MSL mission
  - Based on previous PRAs of Mars missions
- No arm twisting for PRA
- Use of results being incorporated into DDP for risk management activities
- System engineering group use of sequences, state tracking

Mars Sample Return (’13)

One MSR Concept

Mission Overview

- Desire for more exhaustive studies of Martian soil and rocks
- Requires the use of a lander
  - Possible rover
  - Drill
  - Protected containment
- Mars Ascent Vehicle
- Orbiter to capture sample in Mars orbit
- Sample return to Earth

MSR PRA

- JPL has required contractors to perform a “PRA” on their missions
- JPL wanted a PRA baseline for comparison purposes

Contractors’ “PRA”

- Probability estimates are not PRAs
  - Difficult to compare mission to mission
  - No logic or thinking supplied
  - No common set of data or judgment values
- P requirement?

What not to do

Mission Phase | MGS (Ref. 1) | Mars Odyssey (Ref. 1) | MSR (Ref. 2) | CNES'07 Orbiter (Ref. 3) | CNES'07 Orbiter (Ref. 4) | CNES'07 Orbiter (Ref. 5)
Launch | 0.xxxxxx | 0.xxxxxx
Cruise | 0.xxxxxx | 0.xxxxxx | 0.xxxxxx | 0.xxxxxx
Netlander Release | N/A | N/A | N/A | 0.xxxxxx
MOI | 0.xxxxxx | 0.xxxxxx | 0.xxxxxx | 0.xxxxxx | 0.xxxxxx
Aerobraking - 65 days | 0.xxxxxx | 0.xxxxxx | N/A | N/A | N/A | N/A
Aerobraking - 87 days | N/A | 0.xxxxxx | N/A | N/A | N/A | N/A
Science | 0.xxxxxx | 0.xxxxxx | N/A
Rendezvous & Capture | N/A | N/A | 0.xxxxxx

MSR PRA Team

- Team consisted of three people who worked on MER PRA
- MER model expanded to include additional elements of MSR mission
  - MER architecture used as a baseline
  - Some data available for things like MAV and MER components

MSR PRA Work

- Developed a PRA based on the MER PRA
  - New phases had to be included
  - New elements
- Lots of assumptions, but at least they were documented
- Management still insisted on seeing the “numbers by phase” chart
  - Many caveats, all forgotten
  - Needed to instruct management on the abilities and limitations of PRA

MSR PRA Results

- Results are difficult to interpret
  - Some architectures require the use of two launches, but comparing similar missions is difficult
  - Uncertainty
  - Incomplete design
- Multiple launch configurations can help reduce the financial risk at the expense of slightly increased mission risk

MSR PRA Highlights

- Quick study analyzing several different mission configurations, and to keep contractors' work in check
- PRA training of management will probably overflow to contractors next fiscal year
- Program management has a better understanding of PRA limitations
- Management has found PRA useful and will continue to force contractors to use it in the future

Science Missions

CloudSAT

CloudSAT

- CloudSat is an experimental satellite that will use radar to measure the vertical structure of clouds and cloud properties from space
- CloudSat will fly a millimeter wave (94 GHz) radar that is capable of seeing practically all clouds and precipitation (JPL contribution)
- CloudSat will fly in orbital formation as part of a constellation of satellites including Aqua, CALIPSO, PARASOL, and Aura
- The CloudSat Mission is a partnership between Colorado State University, NASA's Jet Propulsion Laboratory, the Canadian Space Agency, the U.S. Air Force, and the U.S. Department of Energy. Ball Aerospace, the industrial partner, is building the spacecraft

CloudSAT PRA

- Preliminary Design and Implementation Review and Mission Design Review (PDIR/MDR) Request For Action (RFA) requested a risk assessment of the CPR design approach
  - Requirement or not?
- Design close to completion but vehicle not completely built
- High level help from project
  - Cog engineers and system engineers very helpful in the analysis
- No technology transfer

CloudSAT PRA

- Which approach?
  - Large event tree vs. small event tree
  - Steady state versus dynamic mission
  - Repair or not
- Training of 1 contractor
  - No technology transfer to JPL
- Interface with contractor's fault tree of satellite

Mission Events

- Lift-Off
- Launch
- Initialization
- Transmit (Cat IV)
- Receive (Cat IV)
- Operations (Cat III)

Event Tree

Top events (left to right): Lift Off (LO), Launch (LF), Initialization (DF), Transmit (CT), Receive (CR), Operations (OP) (M6)

Sequence | End state
1 | OK
2 | DEG--LEVEL-III
3 | CAT--LEVEL-IV
4 | CAT--LEVEL-IV
5 | CAT--LEVEL-IV
6 | CAT--LEVEL-IV

Launch

- Delta II launch vehicle
- No fault tree, use of statistical data
- Includes separation event

Initialization

- The Initialization event addresses the rotation of the Quasi-Optical Transmission Line Mirror into the proper operating position
- Fault tree models this event
- The proper operating position is dependent upon the two High Power Amplifiers being active
- Failure to rotate into the proper operating position would result in the CPR being unable to transmit and mission loss

Transmit and Receive

- Fault trees
- Catastrophic mission events in these events
- Once radar is “up” it has no moving parts, it simply turns on and off

Operations

- Fault trees
- Events that cause a science degradation
- Calibration is difficult to define success criteria for
  - Periodic calibration, but unknown science loss if unsuccessful
- Most of these faults were due to satellite, and not experiment

CloudSAT PRA Results

- PRA identified several large contributors to risk
- Design changes to several areas to remove single point failures
- Qual testing plan updated to reflect concern

CloudSAT PRA Highlights

- Trained 1 contractor
- Used early enough in design to make changes
- Awareness of operational issues that could cause degradation
- Use of elicited data did not drive results

GRACE

GRACE

- GRACE (Gravity Recovery And Climate Experiment) will unravel global climate issues by providing a new model of Earth's gravity field every 12 to 25 days over five years
- GRACE's data will help decipher changes in key climate components
  - Long-wavelength ocean circulation
  - Fluctuations in the mass of our oceans
  - Transport of heat by the oceans from Earth's equatorial to polar regions
  - Waxing and waning of ice sheets and glaciers
  - Changes in soil moisture and major aquifers
- In addition, GRACE will improve gravity field models for satellite altimetry data sets such as TOPEX/Poseidon and its follow-on, Jason-1

GRACE

- GRACE's twin, polar-orbiting satellites will be linked by a microwave tracking system
- Their high-accuracy microwave link will be integrated with Global Positioning System (GPS) receivers
- Their orbits will be loosely controlled, 100 to 400 kilometers apart
- Variations in the Earth's gravity field will cause the distance between the two satellites to vary; this is GRACE's basic measurement
- Non-gravitational variations in the distance between the two satellites will be corrected by electrostatic accelerometers located at each satellite's center of gravity

Slide 83: International Effort
- International U.S.-German team led by
  - Principal Investigator from the University of Texas at Austin, Center for Space Research
  - Co-Principal Investigator from GeoForschungsZentrum-Potsdam (GFZ)
- Mission design and instrumentation
  - Jet Propulsion Laboratory
- Satellite development and test
  - Space Systems/Loral with support from Dornier Satellite Systems
- Launch vehicle and mission operations
  - GeoForschungsZentrum-Potsdam (GFZ)
  - Deutsche Forschungsanstalt für Luft- und Raumfahrt e.V. (DLR)
  - OHB System GmbH

Slide 84: GRACE Elements
- The GRACE project is divided into five systems:
  - Launch Vehicle System (LVS): a converted Soviet ICBM (Rockot, derived from the silo-based SS-19)
  - Satellite System (SAT): two flight satellites based on the CHAMP design
  - Science Instrument System (SIS)
  - Mission Operations System (MOS)
  - Science Data System (SDS)

Slide 85: Satellite Systems
- The satellite system basically comprises the following subsystems:
  - Power Subsystem
  - Communications Subsystem
  - Attitude & Orbit Control Subsystem
  - On-Board Data Handling Subsystem

Slide 86: Mission Phases
- Pre-launch
- Launch & Early Operations Phase (LEOP)
- Commissioning Phase
- Validation Phase
- Observational Phase

Slide 87: GRACE PRA Characteristics
- Both satellites are needed for the minimum mission
- Certain failures lead to the minimum mission only; certain failures lead to loss of mission
- 5-year maximum life
  - Minimum mission: 1 year
  - Maximum mission: 5 years
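As an added worked example of how characteristics like these are quantified (this is not from the presentation and not GRACE project data): each satellite is modelled as a series system of the four subsystems listed on slide 85 with constant failure rates, both satellites are required for any science, and the end state follows from when the first mission-ending failure occurs: before 1 year is loss of mission, between 1 and 5 years is minimum mission only, after 5 years is the maximum mission. The subsystem rates, the lognormal error factor used to propagate epistemic uncertainty, and the risk-reduction-worth ranking are placeholder assumptions chosen to illustrate the method, not elicited values.

```python
"""GRACE-style end-state quantification over mission length.

Added example, not from the presentation and not GRACE project data.
Each satellite is a series system of the four subsystems listed on slide 85
with constant (exponential) failure rates; both satellites are required for
any science, so the pair is also a series system. End states follow when the
first mission-ending failure occurs: before 1 year is loss of mission, between
1 and 5 years is minimum mission only, after 5 years is the maximum mission.
All rates and the error factor are placeholders.
"""
import math
import random

MIN_MISSION_YEARS = 1.0
MAX_MISSION_YEARS = 5.0

# Placeholder point estimates, failures per satellite-year (not elicited data).
SUBSYSTEM_RATES = {
    "power": 0.020,
    "communications": 0.015,
    "attitude_orbit_control": 0.030,
    "on_board_data_handling": 0.010,
}
ERROR_FACTOR = 3.0  # placeholder lognormal 95th/50th percentile ratio on each rate


def satellite_survival(t, rates):
    """Series logic: every subsystem must work, P = exp(-sum(rate) * t)."""
    return math.exp(-sum(rates.values()) * t)


def pair_survival(t, rates):
    """Both satellites are needed for the range measurement."""
    return satellite_survival(t, rates) ** 2


def end_state_probabilities(rates=SUBSYSTEM_RATES):
    """Probability of each end state for a launched pair."""
    p_min = pair_survival(MIN_MISSION_YEARS, rates)
    p_max = pair_survival(MAX_MISSION_YEARS, rates)
    return {
        "loss_of_mission": 1.0 - p_min,
        "minimum_mission_only": p_min - p_max,
        "maximum_mission": p_max,
    }


def risk_reduction_ranking(t, rates=SUBSYSTEM_RATES):
    """Rank subsystems by how much P(mission lost by t) would drop if that
    subsystem were perfect: the 'ranking of individual events' a PRA reports."""
    base = 1.0 - pair_survival(t, rates)
    ranking = []
    for name in rates:
        perfect = dict(rates, **{name: 0.0})
        ranking.append((name, base - (1.0 - pair_survival(t, perfect))))
    ranking.sort(key=lambda item: item[1], reverse=True)
    return ranking


def epistemic_percentiles(samples=2000, seed=1, rates=SUBSYSTEM_RATES):
    """Propagate rate uncertainty (lognormal, ERROR_FACTOR) through the model
    by Monte Carlo and return the 5th/50th/95th percentiles of P(max mission)."""
    rng = random.Random(seed)
    sigma = math.log(ERROR_FACTOR) / 1.645  # ERROR_FACTOR sits at the 95th pct
    values = []
    for _ in range(samples):
        sampled = {k: rng.lognormvariate(math.log(v), sigma) for k, v in rates.items()}
        values.append(pair_survival(MAX_MISSION_YEARS, sampled))
    values.sort()

    def percentile(q):
        return values[int(q * (samples - 1))]

    return {"p05": percentile(0.05), "p50": percentile(0.50), "p95": percentile(0.95)}


if __name__ == "__main__":
    for state, prob in end_state_probabilities().items():
        print(f"{state:22s} {prob:.3f}")
    for name, worth in risk_reduction_ranking(MAX_MISSION_YEARS):
        print(f"  {name:24s} risk reduction worth {worth:.3f}")
    print("P(max mission) epistemic spread:", epistemic_percentiles())
```

Run it directly to print the three end-state probabilities, the subsystem ranking at the 5-year point, and the epistemic spread on the maximum-mission probability; swapping the placeholder rates for elicited distributions is the only change needed to turn it into a real screening model, and the spread is what tells you whether the elicited data is driving the answer.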

Slide 88: GRACE PRA Results
- PRA identified seven areas of concern, with no single major contributor
- Use of data elicitation and its effect on the results
- Team response
- Realistic attitude from the project

Slide 89: GRACE PRA Highlights
- Realistic expectations from program management
- Identified approximately 7 risk items, but no big drivers
- Extensive use of elicited data
- Looked at variable mission lengths for the minimum and maximum missions
- Pre-launch issue awareness

Slide 90: Herschel Planck

Slide 91: Herschel Planck
- Planck will be launched in 2007, together with ESA's next infrared and submillimeter space observatory, the Herschel Space Observatory (formerly called FIRST)
- Herschel will perform imaging photometry and spectroscopy in the far-infrared and submillimeter part of the spectrum, covering approximately the 60-670 µm range
- The two satellites will separate after launch and operate independently at a distance of 1.5 million kilometers from Earth, at the L2 point

Slide 92: Herschel Planck Trajectory
[Figure: Herschel/Planck launch-to-L2 trajectory; not reproduced]

Slide 93: Planck
- Planck will carry a telescope with a 1.5 meter primary mirror
- The telescope will focus radiation from the sky onto the payload, two arrays of highly sensitive detectors called the Low Frequency Instrument (LFI) and the High Frequency Instrument (HFI)
- The HFI and LFI will measure the temperature of the Cosmic Microwave Background radiation over the whole sky, searching for regions slightly warmer or colder than the average
- More than 40 European institutes will participate in the construction of the instruments

Slide 94: Planck 19K/22.5K Sorption Cryocoolers
[Figure: sorption cooler layout on the Planck S/C, showing the cold end at the HFI and LFI and the compressor element assembly; not reproduced]

Slide 95: Sorption Cooler Risk Studies (slide dated May 4, 2001)
- FMECA
  - IOM release very soon
- Interface FMECA
  - Initial review with Patrick Stassi
- Risk assessment (qualitative)
- Risk assessment with human interactions
  - Case 1: both coolers sealed
  - Case 2: both coolers with field joints
  - Case 3: one cooler sealed, second cooler with field joints

Slide 96: Cooler Risk Assessment
- Models begin with the cooler passing QA testing at JPL, then continue through the following actions:
  - Disassembly
  - Pack
  - Shipping
  - Unpack
  - QA/Test
  - Buildup
  - Satellite buildup
  - Payload processing
  - Launch
  - Mission

Slide 97: Cooler Risk Assessment (cont'd)
- Event trees model the difference between the handling scenarios with field joints and without field joints
- Fault trees incorporate human failures as well
- No quantification

Slide 98: Risk Model
- End states:
  - Cooler damage (pre-launch)
  - Loss of mission (loss of the satellite or loss of both coolers)
  - Mission delay (pre-launch)
  - Shortened mission (on-orbit)
- Literally millions of combinations can lead to these end states
- Without quantification, it is very difficult to prioritize and make decisions based on these models

Slide 99: Human Interactions
- HRA (human reliability analysis) is very difficult to model
- Current lack of information:
  - No buildup, assembly, or test procedures for either the sorption cooler or the satellite
  - Unknown access issues
  - No QA tests or checks specified
  - No data on previous human interactions and how they affected missions
- Had to use aircraft-type procedures, experience, and lessons learned from aircraft manufacturing

Slide 100: Risk Scenarios
- Processing failures could dominate the risk of either scenario
- Human risks are typically significant in the aerospace industry:
  - Aircraft
  - Launch vehicle processing
  - Maintenance
- Risk tradeoffs among assembly, test, buildup and handling are very complex

Slide 101: Human Interaction Threats
- Contamination issues
- Degradation issues
  - Slow leaks
  - Scratches
  - Dents
  - Seals
- Errors of omission
- Errors of commission
- Other failures that could get by QA

Slide 102: Sorption Cooler Risk Model
- Currently an on-going effort
- Quantify?
- Qualitative aspects have been very helpful:
  - Helping program management understand and prioritize risks
  - Helping program management understand ways to reduce and mitigate risks
  - Risk communication

Slide 103: Cooler PRA Recommendations
- Priorities: robbing Peter to pay Paul (reducing one handling risk raises another)
- Recommendations based on priorities
- Need to better understand the GSE (ground support equipment) and the satellite buildup
- When dealing with a qualitative model, it becomes imperative to understand the risk trades

Slide 104: Herschel Planck PRA Highlights
- PRA studied various configurations for shipping two cryogenic sorption coolers, including hardware and handling risks
- Huge effort on Human Reliability Analysis
- Currently only qualitative
- Emotional issues
- Priorities
- Programmatic issues examined for various alternatives
- Team meetings to communicate and resolve issues, questions and concerns, and hopefully arrive at a consensus solution
- Investigate ways to mitigate the risks of human handling:
  - Awareness
  - Training
  - Safeguards
  - Design
  - Etc.
- Early in design

Slide 105: Questions?
