Streamlining Space Launch Range Safety

3
Risk Management Approaches to Safety

All ventures entail some risk. With space launches, this risk applies to the loss of the mission, property damage, or casualties for mission personnel or the public at large. A strict risk avoidance stance—reducing risk to the lowest possible level regardless of cost—would preclude space launch by making it unaffordable. Risk management, however, is designed to meet standards of acceptable risk based on overall costs and benefits. Risk standards then can be used to derive safety requirements, and old requirements not needed to satisfy risk standards can be eliminated.

This chapter describes a risk management approach to space launch range safety. The starting point is EWR 127-1, the primary range safety document at the ER and WR. Although risk standards specified in EWR 127-1 are consistent with a risk management approach to safety, many of the specific guidelines in EWR 127-1 apply the standards in a way that avoids risk. Shifting the operational implementation of EWR 127-1 from risk avoidance to risk management requires a cultural change.

The focus of the chapter then shifts to the division of roles and responsibilities for range safety between AFSPC and AFMC. The last part of this chapter examines risk criteria, risk management, and analysis methods, including the potential for eliminating downrange safety-related assets at the ER.

PHILOSOPHY OF EWR 127-1

EWR 127-1, which was most recently updated on October 31, 1997, is based on earlier range safety manuals developed independently at the ER and WR. Rather than requiring that each user develop its own methods of compliance, the ranges defined many design solutions and included them in EWR 127-1 as requirements. Also, to reduce the need to refer to regulations and instructions issued by other government organizations, many of their requirements were quoted, expanded, or paraphrased and inserted into EWR 127-1. As a result, EWR 127-1 is a huge document that is focused much more on methods and solutions than on basic, performance-based safety requirements. Also, EWR 127-1 has two sets of requirements in many areas, one for the WR and another for the ER.

EWR 127-1 is issued under the authority of the 30th and 45th wing commanders. The Air Force plans to issue the next revision of EWR 127-1 under the authority of AFSPC, which also will be involved in developing future updates. The committee supports this plan, which should enhance the ongoing convergence of documents issued by and requirements established by the WR and ER.

The fundamental safety standard in EWR 127-1 is the collective risk criteria, Ec, of 30 × 10⁻⁶. However, the safety philosophy and practices codified in EWR 127-1 often go beyond what is necessary to meet that standard. For example, risk management becomes risk avoidance when EWR 127-1 speaks of “risk minimized to the greatest extent possible.” Also, Chapter 4 of EWR 127-1 laboriously lays out hardware, construction, and test requirements for vehicle safety systems. Detailed, often step-by-step procedures and processes are dictated in annexes. Although EWR 127-1 is based on limiting collective risk to the general public, Ec, to less than 30 × 10⁻⁶ for each launch, no allowable component- or system-level risk assessment is provided, and the “highest achievable system reliability” has become the de facto guiding principle.

EWR 127-1 does not describe the source of most of its requirements. In parallel with this study, SMC, which is part of AFMC, initiated a study to document the sources of requirements, determine which requirements are design solutions, and identify the actual standards represented by design solutions. The committee endorses this and other efforts to determine the validity of specific requirements in light of industry standards and existing laws and regulations.

Another complicating factor is the process of “tailoring,” which allows alternate means of complying with the requirements of EWR 127-1. The tailoring process has evolved to the point that, in essence, a unique version of EWR 127-1 is created for each new launch system. Tailoring provides range users with great flexibility, but it also reveals a serious shortcoming in the usability of EWR 127-1: range safety requirements are defined on an ad hoc basis by the safety offices (during the tailoring process) rather than in published regulations. In addition, inconsistencies in the tailoring process may mean that different users incur different costs to certify the same equipment depending, in part, on the negotiating skills and expertise of the engineers working with range safety personnel. A C-band radar beacon may cost $60,000 on one certified vehicle and less than $20,000 on another because different requirements for parts quality and acceptance testing are established during the tailoring process. Users may continue to use more expensive components because the cost of certifying lower cost components and recertifying other related hardware on the vehicle would wipe out the savings of using the lower cost components.

Reformulating EWR 127-1 as a performance-based requirements document would have several benefits. The need for tailoring, as it is currently practiced, could be greatly reduced or eliminated. The number of individual requirements in EWR 127-1, which add to the costs borne by both the Air Force and the launch customer, would be greatly reduced. A clear distinction would be made between non-negotiable performance-based requirements and approved methods of compliance that can be waived if an equally effective alternative is available. Users would have the option of (1) implementing the approved method of compliance to streamline the review process, or (2) using an alternate means of compliance, for which users would accept the responsibility for getting approval.

Primary Recommendation on EWR 127-1.
AFSPC should simplify EWR 127-1 so that all requirements are performance based and consistent with both established risk standards for space launch (e.g., Ec of 30 × 10⁻⁶) and objective industry standards. The process of revising EWR 127-1 should include the following steps:

- Eliminate requirements that cannot be validated.
- Remove all design solutions from EWR 127-1.
- Establish a range user’s handbook or other controlled document to capture lessons learned and design solutions recognized by the ranges as acceptable means of compliance. (Requirements should be retained in EWR 127-1.)
- Form a joint government/industry team to establish procedures for periodically updating EWR 127-1 and ensuring that future requirements are performance based.
- Converge the modeling and analysis approaches, tools, assumptions, and operational procedures used at the Western and Eastern Ranges.

ROLES AND RESPONSIBILITIES OF THE AIR FORCE SPACE COMMAND AND AIR FORCE MATERIEL COMMAND

EWR 127-1 includes a great deal of detailed information on organizational roles and responsibilities. Briefings and documents provided to the committee also included significant amounts of information on these subjects, and the committee reviewed two versions of an AFSPC/AFMC memorandum of agreement (MOA) to understand the division of spacelift roles and responsibilities. One of the agreements was signed in 1997 and is currently in effect (AFSPC/AFMC, 1997). The second was an unsigned draft of an updated MOA dated May 1999 (AFSPC/AFMC, 1999).¹ The purpose of the review was to determine if changes in roles and responsibilities might improve the efficiency of range safety operations. The review focused on two alternatives: maintaining the status quo and adopting the approach defined in the MOAs.

Both MOAs confirm the intent that AFMC assume responsibility for the acquisition, developmental testing, sustainment, and improvement of launch vehicles, spacecraft, and launch range systems.
The process of transferring related functions from AFSPC to AFMC began in earnest with the range modernization program. Nonetheless, developmental engineering continues to be performed by AFSPC in the area of safety systems for launch vehicles and spacecraft. AFSPC has performed these tasks since it was established more than a decade ago, even though they overlap existing AFMC functional responsibilities. The transfer of the development and engineering functions related to range safety from AFSPC to AFMC would be consistent with the intent of the MOAs and with normal Air Force practices. If properly executed, this transfer would reduce costs and workload for both the Air Force and range users by eliminating duplicative efforts and standardizing procedures and systems.

Air Force Memorandum of Agreement on Spacelift

The MOA on spacelift between AFSPC and AFMC delineates in great detail the roles and responsibilities of each organization. The basic concept of operation states that AFMC will develop and acquire space systems based on approved AFSPC requirements and that AFSPC will conduct spacelift operations to meet its war-fighting requirements. Each command is expected to manage the hardware, software, and support necessary to meet its mission requirements. AFMC’s role is to “perform all functions required to acquire, conduct developmental testing, sustain, and improve the operational performance of launch vehicles, satellites, and launch range systems” (AFSPC/AFMC, 1997). AFMC is also responsible for contracting for these items as required and for the full life cycle of the acquisition process with support from AFSPC. AFMC is responsible for development, qualification, and acceptance tests of new or modified systems to show that systems comply with all specifications and requirements provided by the operational organization at the component, subsystem, and system levels. AFMC is also responsible for the provision of sustaining engineering and depot-level maintenance for launch vehicles, upper stages, range systems, and associated ground equipment.

¹ Instead of issuing a new MOA based on the 1999 revision, the Air Force may decide to issue an Air Force Instruction.

In support of the acquisition process, AFSPC is responsible for defining and prioritizing operational requirements for existing and new launch vehicles and systems and for communicating those requirements to AFMC. AFSPC is responsible for developing, planning, and conducting operational testing and evaluation to demonstrate systems’ operational effectiveness and suitability under realistic conditions. AFSPC’s primary role (in terms of space launch) is to conduct prelaunch and launch operations with AFMC support as necessary to resolve anomalies.

FIGURE 3-1 Air Force roles and responsibilities for space launch. Source: AFSPC/AFMC, 1999.

It is noteworthy that the 1997 MOA does not delegate to AFSPC a special role in the development of safety systems. The MOA makes AFMC responsible for providing a complete launch vehicle, including safety systems, that meet AFSPC requirements. AFMC is the office of primary responsibility until “space system asset availability,” which is the program milestone when hardware is turned over to AFSPC. At that time, the 1997 MOA specifies that hardware should be ready for flight except for prelaunch processing. The May 1999 draft of the new MOA does not indicate any changes in the division of responsibilities described above (see Figure 3-1).

Both MOAs are also consistent with the normal roles and responsibilities assigned to a system program director in AFMC and other DoD acquisition commands. System program directors are responsible for all aspects of new system acquisition, including developmental testing, sustainment, and overall cost effectiveness. Before systems are turned over to operational commands, AFMC must certify that all systems have been designed to meet operational requirements and check out at the component, subsystem, and system levels. System program directors’ responsibilities extend to all subsystems and include safety, including safety of flight where applicable (AFMC, 1998).

Development and Engineering Functions at the Ranges

The ranges, which have a long history of development and developmental testing, for many years were part of an Air Force acquisition command. Over the years, research and development related to ICBMs, SLBMs, and other space launch systems have been reduced, and operations have become increasingly important. In 1982 a space operations command (i.e., AFSPC) was created, and in 1990 it assumed command of the ranges. Soon thereafter responsibilities for development and sustaining engineering of range instrumentation were transferred back to an acquisition command (i.e., AFMC), which is managing the ongoing range modernization program. In accordance with the 1997 MOA, AFSPC sets programmatic requirements for the modernization effort and supports the acquisition.

In contrast, personnel from launch vehicle manufacturers and the ranges indicated to the committee that the safety offices at both ranges (which are part of AFSPC) have assumed essentially full responsibility for analysis and testing of safety systems to certify compliance with requirements in EWR 127-1. Areas of particular interest include onboard safety systems, such as FTSs, receivers, batteries, and tracking devices.
As described earlier in this chapter, obtaining authorization from either range safety office to use new or modified systems can be labor-intensive for both users and the range safety offices, can significantly increase user costs, and can take months or years to complete, even if the “new” system has been previously authorized for use at the other range. The range’s heavy involvement in analysis, testing, and certification results in duplication of effort, because AFMC and the individual system program directors already have responsibility for approving flight safety systems along with other vehicle subsystems. Current practices are also at odds with normal Air Force acquisition practices and with specific guidance in both versions of the MOA on spacelift roles and responsibilities.

Transfer of Acquisition Functions to an Acquisition Command

Analyzing, testing, and certifying the design of new and modified systems involves staff assigned to many different elements of the range safety offices at the WR and ER. The committee recommends that the Air Force transfer acquisition-like functions related to range safety from AFSPC (i.e., from the ranges) to AFMC. (See Primary Recommendation on Roles and Responsibilities, below.) The committee recognizes that determining which functions are involved in the development phase and where to draw the line organizationally between operations and development will be difficult because these functions have been closely linked for many years. The Air Force will have to decide where in AFMC range safety functions should reside and what changes should be made in the size of the workforces and budgets of AFMC and AFSPC. It will be important to establish a concept of operations that ensures safety decisions are objective and provides for effective communications between acquisition and operational commands involved in range safety.
Although quick action is needed, the committee believes that the Air Force should carefully review implementation issues such as these before moving forward with the recommended transfer of responsibilities. Also, it should be emphasized that the recommended transfer is about functions—not existing organizations or individuals.

In addition to a transfer of safety system functions, the committee concluded that responsibilities for developing detailed safety models to support flight operations should also be transferred. The range safety staff must, of course, be very knowledgeable about the content of the models and how to use them during prelaunch and launch operations. Also, close working relationships between operational staff (at the ranges) and acquisition staff (within AFMC) must be maintained to ensure that new systems and system modifications are consistent with operational needs and can be efficiently implemented in an operational setting.

The basic responsibility of the range safety offices—the protection of human life and property—should not be changed. The basic responsibility of the newly established AFMC safety office would be to support the system program offices (and AFSPC, as appropriate) during the acquisition, developmental testing, sustainment, and improvement of space systems. The AFMC safety office would also be responsible for certifying safety readiness for other government, civil, and commercial launch operations at the WR and ER, as outlined below. Requirements for design, qualification, and acceptance testing processes would be removed from EWR 127-1 and documented in an AFMC handbook describing acceptable means of compliance and lessons learned, in a manner consistent with the Primary Recommendation on EWR 127-1. AFMC would certify to AFSPC that new and modified systems have met specified requirements.
Systems would then be handed over to AFSPC for prelaunch and launch operations, including operational testing, in accordance with the current MOA.

Existing and planned independent functional organizations in AFMC and SMC could be used as a model for establishing a safety office. To ensure that safety decisions are objective, the safety office must be independent. This could be achieved by allowing safety managers to report unresolved safety concerns directly to a high level within the chain of command without putting their jobs on the line. In addition to supporting system program offices and the ranges, the safety office should be responsible for centralizing and simplifying the development of safety policy, procedures, and systems; maintaining a strong engineering, analysis, modeling, and simulation staff through training and career advancement; and reducing costs for the range operators and users.

Other Users

The discussion above is focused on satisfying the safety needs of space launches by the Air Force on the WR and ER. However, the AFMC safety office described above would also have to certify the safety of flight and ground systems for commercial space launches and other activities at the ER and WR (e.g., launches of the NASA spacecraft, ballistic missile tests by the U.S. Navy and Air Force, and aircraft flight tests). Certification of these systems would be based on FAA space launch regulations (for commercial launches),² EWR 127-1, other pertinent documents, and the results of design reviews, analyses, developmental tests, and/or operational performance records. Close coordination between operational staffs at the ranges, system operators or developers, and the AFMC safety office would be necessary to evaluate risks, generate new safety tools, establish appropriate risk standards, and manage risk for these missions.

In addition, the safety office could also develop, procure, and certify standard flight safety systems and make them available to users. Working with other involved parties, the Air Force should prepare an instruction or other appropriate document describing the safety group’s role in the development and certification of Air Force, government, and commercial safety systems and interfaces with other organizations in AFMC, AFSPC, FAA, NASA, and industry.
The specification of design, qualification, and acceptance testing processes, as well as lessons learned, should be incorporated in the new documentation and removed from EWR 127-1.

Findings and Recommendations on Roles and Responsibilities

Finding 3-1. AFSPC has transferred responsibility to AFMC for development, developmental testing and evaluation, and sustaining engineering of range safety ground systems. Organizational responsibilities for many other range safety processes and procedures, however, are inconsistent with the current memorandum of agreement between AFSPC and AFMC on spacelift roles and responsibilities. In addition to the operational workforce, each AFSPC range safety office also has an engineering workforce that establishes flight safety system design and testing requirements and certifies that flight safety systems meet safety requirements at the component, subsystem, and system levels. These acquisition-like functions overlap the responsibilities of AFMC.

Finding 3-2. The complete transfer of range safety development, developmental testing and evaluation, and sustaining engineering to AFMC would, if properly implemented, increase efficiency and reduce costs without compromising safety by eliminating overlapping responsibilities between the ranges and AFMC, by minimizing differences in range safety policies and procedures applicable to the Western and Eastern Ranges, and by enabling users to deal with a single office when seeking approval to use new or modified systems on both ranges.

Primary Recommendation on Roles and Responsibilities. The Air Force should fully implement the memorandum of agreement between AFSPC and AFMC on spacelift roles and responsibilities. This would consolidate in AFMC the acquisition-like functions related to safety that are now performed by AFSPC organizations at the Eastern and Western Ranges.
These functions include developmental testing and evaluation, sustaining engineering, and certifying that system designs meet safety requirements. To manage the safety aspects of the acquisition-like functions specified in the memorandum of agreement, AFMC should establish an independent safety office. Operational responsibilities, such as generating safety requirements, operational testing and evaluation, and all prelaunch and launch safety operational functions, would be retained by AFSPC.

Recommendation 3-1. AFSPC should issue an Air Force Instruction addressing the certification of flight safety systems for commercial, civil, and military launches at the Western or Eastern Range. The instruction should include a description of interfaces among responsible organizations, such as AFSPC, AFMC, FAA, NASA, and commercial contractors.

RISK CRITERIA, RISK MANAGEMENT, AND ANALYSIS METHODS

This section discusses several key issues affecting public safety during launch. First, the current risk criteria used by the Air Force are discussed. Next, certain inconsistencies between these accepted risk-management criteria and operational methods based on risk avoidance are described. These inconsistencies are examined in light of the risk posed by vehicles as they approach orbit to show that downrange safety-related assets can be eliminated while safety is maintained within accepted limits. Finally, general safety assessment and modeling issues are presented, followed by an outline of the major differences in modeling and analysis methods at WR and ER.

² Information on the FAA licensing process, including relevant statutes, regulations, and policies, is available on line (http://ast.faa.gov/licensing/).

TABLE 3-1 Comparison of Maximum Acceptable Collective Risks

| Activity | Annualized Collective Risk (number of expected fatalities per year) |
|---|---|
| Space launch (ER and WR) | 1 × 10⁻³ |
| Commercial nuclear power plants (United States) | 2 × 10⁻⁶ |
| Hazardous material storage (Hong Kong) | 7 × 10⁻³ |
| Nuclear and chemical industry (Netherlands) | 1.1 × 10⁻³ |
| British Ministry of Defense | 6 × 10⁻³ |
| Petrochemicals (Santa Barbara County) | 1 × 10⁻³ |

Source: RCC, 1997b.

In the course of its study of the risk criteria used at the WR and ER, the committee reviewed a number of documents. Central among them was Chapter 3, “Risk Criteria Rationale,” in the Supplement to Range Commanders Council (RCC) Standard 321-97 (RCC, 1997b).³ This document contains an extensive treatment of the principles and logic behind the use of common risk criteria.

Risk Criteria

According to Air Force Instruction 91-202, “risk should be quantified and acceptable limits established” (USAF, 1991). EWR 127-1 describes the principal risk criterion for space launches at the WR and ER: a casualty expectation, Ec, “of 30 × 10⁻⁶ shall be used by both ranges as a level defining ‘acceptable launch risk without high management (Range Commander) review.’ Based on national need and the approval of the Range Commander/Wing Commanders, launches may be permitted using a predicted risk above 30 × 10⁻⁶” (Paragraph 1.4.1). Previous versions of EWR 127-1 indicated that the upper limit of risk that a commander might approve locally was an Ec of 300 × 10⁻⁶.

The ranges also use an individual risk criteria, Pc, to describe the probability of an individual in any particular place being killed or severely injured during a launch. Pc can be used to determine whether specific personnel are at high risk in a given area. EWR 127-1 prohibits exposing members of the general public to a Pc greater than 1 × 10⁻⁶; the limit for mission-essential personnel is 1 × 10⁻⁵.
(See Chapter 5 for a discussion of limits on individual hit probabilities, Pi, for ships and aircraft.) These collective and individual risk criteria are consistent with RCC Standard 321-97, which recommends their use on all DoD ranges (RCC, 1997a).

The supplement to RCC Standard 321-97 also describes acceptable levels of risk in other domains. The supplement cites regulatory procedures promulgated by the U.S. Department of Labor, Environmental Protection Agency, Occupational Safety and Health Administration, and the Food and Drug Administration that pertain to individual and collective risks of industrial, occupational, public, and in-the-home accidents, as well as risk levels related to carcinogens (RCC, 1997b).

The RCC analysis uses annualized risks when comparing space launch range safety to safety in other fields. An Ec of 30 × 10⁻⁶ is equivalent to a rate of one casualty every 1,000 years, or 1 × 10⁻³ casualties per year, given an average launch rate of 33 per year. Table 3-1 compares this risk level with the annualized collective risk limits for other fields and shows that annualized risks on the order of 10⁻³ are commonly accepted, both in the United States and internationally. The significantly lower risk standard established by the Nuclear Regulatory Commission for the operation of nuclear power plants reflects concerns about a major catastrophe that could affect tens or hundreds of thousands of people near a nuclear power plant and the potential long-term consequences of a nuclear accident.

An Ec of 30 × 10⁻⁶ is also comparable to the risk accepted by the public for commercial air travel. From 1982 through 1998, U.S. air carriers had 131 million departures, and accidents resulted in 2,868 casualties (354 serious injuries and 2,514 fatalities), which is equivalent to an Ec of 22 × 10⁻⁶ per departure (NTSB, 2000, Tables 3 and 5).

Finding 3-3.
A collective risk standard (i.e., a casualty expectation, or Ec) of 30 × 10⁻⁶ per launch for members of the general public is consistent with the risk standards of many other fields in which the public is involuntarily exposed to risk, both domestically and internationally.

Application of Risk Management

To ensure safety, range safety tracks each launch vehicle and predicts its instantaneous impact point (IIP), which is a real-time estimate of where the vehicle would land if the flight were terminated. Because of the high speed of the vehicle, the IIP may be several thousand miles downrange of the vehicle’s current position. The nominal flight path, the actual course of the vehicle, and the computed IIP change during flight. If for any reason the range safety personnel cannot verify that a vehicle is and will remain within specified boundaries (e.g., if tracking systems fail), they will terminate the flight.

³ The membership of the Range Commanders Council includes the commanders of the ER, the WR, and 19 other test, training, and operational ranges operated by the DoD.

Background on Destruct Lines and the Africa Gates

A key element of current range safety procedures involves defining the thresholds used during launch to determine when a flight should be terminated. These thresholds are ultimately based on impact limit lines (ILLs), which extend downrange from the launch site and define the area in which debris (from planned stage drops, vehicle explosions, or thrust termination) may land. Flight trajectories and ILLs are calculated and approved prior to launch to protect people and property. The ILLs are not explicitly defined by safety metrics (such as Ec). Instead, they are based on risk avoidance: “Whenever possible, the overflight of any inhabited landmasses is discouraged and is approved only if operational requirements make overflight necessary, and risk studies indicate probability of impact and casualty expectancy are acceptable” (EWR 127-1, paragraph 2.3.6).

To account for delays in operator response, uncertainties about vehicle breakup, winds, and other aerodynamic effects, destruct lines are defined inside of the ILLs. If a vehicle’s IIP reaches a destruct line, the flight is terminated. Wherever the vehicle passes over inhabited landmasses before orbital insertion, “gates” (i.e., exits) in the ILLs and destruct lines are defined. The vehicle must pass through the gate or the flight will be terminated. The gates are perpendicular to the nominal trajectory, and the width of the gates accounts for tracking uncertainties and acceptable variations in trajectory.
The use of gates and their locations are defined by EWR 127-1 and related Air Force documents—the committee knows of no international agreements that require their use. Even though orbital insertion typically occurs over the horizon, gates and downrange tracking, telemetry, and FTS capability are not needed to satisfy the Ec risk standard (30 × 10^-6) for orbital launches from the WR. Allowable azimuths are constrained during the uprange portion of flight to avoid overflight of inhabited landmasses during the boost phase. Orbital vehicles are tracked and FTS commands are issued only to the horizon (i.e., only as long as uprange systems have direct contact with the vehicle).

DoD Directive 3200.11 requires ranges to prevent launch vehicles from “violating established limits through impact for vehicles with suborbital trajectories and through orbital insertion or escape velocity for space vehicles” (Paragraph 4.2.9.8). The 45th Space Wing made the following statement in response to a query from the committee:

Our interpretation is that DoD Directive 3200.11 drives a definite requirement for downrange assets at the ER to support command destruct . . . and metric tracking . . . . Even interpreting 3200.11 liberally and employing risk management techniques, metric tracking would be required to support notification in cases of accident or errant trajectories. The responsibility for safety from launch to orbital insertion (for space vehicles) and from launch to impact (for ballistic vehicles) is consistent with knowing the vehicle’s position and its predicted impact point at all times during these periods of flight. This information would also be necessary for the settlement of international claims or disputes in the event that a malfunction occurs beyond the destruct capabilities of the ranges (45th SW, 1999).
Neither DoD nor AFSPC instructions establish different risk standards for citizens of the United States and citizens of foreign nations, and the ER allows vehicles to proceed over Europe and Africa without further intervention if the vehicles have successfully navigated the appropriate gates. The location of the Africa gate typically corresponds to the position of the IIP at approximately 500 to 700 seconds after launch (see Figure 3-2). Depending upon the launch vehicle and flight azimuth, Africa gates may be as far downrange as 10° west longitude. Downrange radar assets at Antigua and Ascension Islands are required to provide the vehicle position data used to compute the IIP beyond approximately 480 seconds (Figure 3-3). Maintaining, staffing, and operating downrange facilities and providing reliable, real-time communications between the downrange facilities and the Range Operations Control Center (ROCC) at the ER is expensive. Coordinating launch operations with remote facilities also complicates range safety operations and increases the risk of holds and delays (if problems occur at the remote facilities or in the communications links).

Moving the Africa Gates

Several factors suggest that the collective risk standard, Ec, could still be met if the Africa gates were moved uprange. First, most major vehicle events (staging and engine starts) occur within approximately 300 seconds of launch while the vehicle is well within the area covered by uprange assets. Following these events, vehicles have historically been quite reliable. After 300 seconds, for example, the probability of an Atlas failure is estimated at 25.7 × 10^-6 per second until the end of the vehicle’s mission at 670 sec (see Table 3-2 and Figure 3-4).
Vehicles that successfully complete uprange staging events are highly reliable, and their IIPs are travelling very fast—much faster even than the vehicles themselves as they approach orbital velocity; the IIP disappears as soon as the vehicle reaches orbital velocity. The IIPs of Atlas vehicles, for example, are over Africa for only 0.3 to 8.08 seconds before the vehicle reaches orbital velocity or the IIP enters the Indian Ocean. Based on the vehicle reliability data in Table 3-2, the probability of debris from an Atlas hitting Africa is less than 210 × 10^-6 per launch.4 This is equivalent to one event in more than 4,800 launches and is consistent with the probability of land impact for Titan launches on similar trajectories, which has been estimated to be approximately 300 × 10^-6 per launch after 400 seconds. When combined with the subsequent probabilities of impacting a populated area and causing casualties,5 the risks from flying over Africa appear to be well within the standard acceptable for the U.S. population, 30 × 10^-6 (Ward, 1997). In fact, for an Atlas II/IIAS launch vehicle that successfully reaches the existing Africa gates, Ec for the remainder of flight is 8 × 10^-8 (LMA, 1999), and the remaining Ec for an Atlas IIIB when uprange facilities lose contact with the launch vehicle is 4.9 × 10^-8.

FIGURE 3-2 Instantaneous impact point trace and Africa gate location for Titan IV-B25. Numbers indicate time after launch in seconds. The IIP encounters the Africa gate 543 seconds after launch. NLE = no longer endanger (if a vehicle somehow reversed course at this time, it would not have enough propulsive energy to return to the continent from which it was launched). Source: 45th SW, 1999.

Even if a failure were to occur more than 400 seconds after launch, the vehicle is travelling very fast and it would break up from dynamic forces upon reentering the atmosphere. At this stage of flight, fuel cutoff often is used for flight termination instead of explosive charges. Cutting off fuel helps prevent the vehicle from veering off course and minimizes the size of the debris pattern by keeping the vehicle largely intact until it breaks up at lower altitudes. For failure modes in which thrust ends prematurely, a thrust-termination type of FTS would have no added benefit.
Therefore, the absence of FTS capability beyond the coverage area of uprange assets would not reduce safety for malfunctions that terminate thrust prematurely. This would not be true if a malfunction occurred downrange that unexpectedly reduced vehicle thrust or directed a vehicle off the intended trajectory while maintaining stable, powered flight. The committee concludes, however, that the vehicle’s design characteristics and its high speed at this point in the flight make it highly unlikely that a significant change in IIP would occur before the vehicle breaks up even without intervention by an FTS. This conclusion is supported by calculations of Ec during the downrange portion of flight, as noted above.

The current placement of Africa gates derived from ILLs and destruct lines is based on risk avoidance. From a risk-management perspective, it appears that the Africa gates could be moved safely uprange. The combination of vehicle reliability, short time over land, and high speed make it unlikely that moving the Africa gates to within the coverage of uprange assets (i.e., terminating vehicle tracking, telemetry, and FTS coverage beyond approximately 480 seconds) would violate Ec limits or significantly increase Ec. This conclusion should be validated by more detailed analyses covering current and future launch vehicles of interest. If downrange tracking is needed for reasons other than risk management, those requirements should be documented. However, as already noted, the WR has demonstrated that the collective risk standard can be met without tracking, telemetry, or FTS during the later stages of flight.

4 Calculated as follows: 1 - (1 - 0.0000257)^8.08.

5 Population modeling is described in Appendix E.

FIGURE 3-3 Ground track and elevation angle for an Atlas IIA launched from Pad 36A at the Eastern Range on an initial flight azimuth of 104 degrees. BECO = booster engine cutoff; CCAS = Cape Canaveral Air Station; JET PLF = jettison payload fairing; MECO-1 = (upper stage) main engine cutoff (first cutoff); MES-1 = (upper stage) main engine start (first start); SECO = sustainer engine cut off. Source: 45th SW, 1999.

Primary Recommendation on Risk Management. AFSPC should define objective, consistent risk standards (e.g., casualty expectation, Ec, of 30 × 10^-6 and individual risk, Pc, of 1 × 10^-6) and use them as the basis for range safety decisions. Safety procedures based on risk avoidance should be replaced with procedures consistent with the risk management philosophy specified by EWR 127-1. Destruct lines and flight termination system requirements should be defined and implemented in a way that is directly traceable to accepted risk standards.

Finding 3-4. At the Eastern Range, the downrange location of gates and destruct lines and current requirements for downrange coverage by flight termination, telemetry, and tracking systems are not directly related to accepted risk standards (e.g., Ec of 30 × 10^-6 or Pc of 1 × 10^-6) but to a risk-avoidance policy that discourages the overflight of inhabited landmasses whenever possible. The Western Range implements this policy by constraining the azimuth of orbital launches.

TABLE 3-2 Probability of Failure vs. Phase for the Atlas IIAS

| Phase | Start Time (seconds) | End Time (seconds) | Probability of Failure (per second) |
|---|---|---|---|
| Liftoff | 0.00 | 5.00 | 0.000884 |
| GLSRB burn | 5.00 | 59.00 | 0.0000855 |
| ALSRB ignition | 59.00 | 64.00 | 0.000106 |
| ALSRB burn | 64.00 | 103.40 | 0.000106 |
| GLSRB jettison | 103.40 | 104.40 | 0.0000943 |
| ALSRB burn continue | 104.40 | 117.30 | 0.0000943 |
| ALSRB jettison | 117.30 | 118.30 | 0.0000741 |
| Booster flight | 118.30 | 164.80 | 0.0000740 |
| Booster engine cutoff | 164.80 | 165.80 | 0.00398 |
| Booster engine cutoff to booster package jettison | 165.80 | 168.90 | 0.0000514 |
| Booster package jettison | 168.90 | 169.90 | 0.00182 |
| Sustainer flight | 169.90 | 190.90 | 0.0000514 |
| Payload fairing jettison | 190.90 | 191.90 | 0.0000507 |
| Sustainer flight (continued) | 191.90 | 282.90 | 0.0000507 |
| Sustainer engine cutoff | 282.90 | 283.90 | 0.00000121 |
| Atlas/Centaur separation | 283.90 | 284.90 | 0.00161 |
| Coast | 284.90 | 301.50 | 0.000000454 |
| Main engine start (upper stage) | 301.50 | 306.50 | 0.00153 |
| First Centaur burn | 306.50 | 670.00 | 0.0000257 |

GLSRB = ground-lit solid rocket booster; ALSRB = air-lit solid rocket booster. Source: 45th SW, 1999.

FIGURE 3-4 Probability of failure vs. phase for the Atlas IIAS. Source: 45th SW, 1999.

Finding 3-5. Moving the Africa gates uprange has the potential to reduce the cost of safety-related downrange assets, decrease the complexity of range safety operations, and reduce launch holds and delays. Moving the Africa gates to within the reach of uprange flight termination, telemetry, and tracking systems is not likely to increase Ec significantly or violate established limits. No known international agreements would preclude moving the gates. Thus, in terms of range safety there is no clear justification for retaining downrange assets at Antigua and Ascension. It may also be feasible to move other gates uprange and further reduce the need for downrange facilities.
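The arithmetic behind footnote 4 and the annualized and air-travel comparisons, generalized to any time window of Table 3-2, is sketched below as an added example (it is not part of the original report). It assumes each per-second failure probability is constant and independent within its phase; placing the 8.08-second overflight window at the end of the first Centaur burn is an assumption made for illustration, and all function names are hypothetical.

```python
"""Added example: piecewise-constant failure model over Table 3-2 (Atlas IIAS)."""

# (phase, start_s, end_s, probability of failure per second), copied from Table 3-2.
TABLE_3_2 = [
    ("Liftoff", 0.00, 5.00, 0.000884),
    ("GLSRB burn", 5.00, 59.00, 0.0000855),
    ("ALSRB ignition", 59.00, 64.00, 0.000106),
    ("ALSRB burn", 64.00, 103.40, 0.000106),
    ("GLSRB jettison", 103.40, 104.40, 0.0000943),
    ("ALSRB burn continue", 104.40, 117.30, 0.0000943),
    ("ALSRB jettison", 117.30, 118.30, 0.0000741),
    ("Booster flight", 118.30, 164.80, 0.0000740),
    ("Booster engine cutoff", 164.80, 165.80, 0.00398),
    ("BECO to booster package jettison", 165.80, 168.90, 0.0000514),
    ("Booster package jettison", 168.90, 169.90, 0.00182),
    ("Sustainer flight", 169.90, 190.90, 0.0000514),
    ("Payload fairing jettison", 190.90, 191.90, 0.0000507),
    ("Sustainer flight (continued)", 191.90, 282.90, 0.0000507),
    ("Sustainer engine cutoff", 282.90, 283.90, 0.00000121),
    ("Atlas/Centaur separation", 283.90, 284.90, 0.00161),
    ("Coast", 284.90, 301.50, 0.000000454),
    ("Main engine start (upper stage)", 301.50, 306.50, 0.00153),
    ("First Centaur burn", 306.50, 670.00, 0.0000257),
]

EC_LIMIT = 30e-6        # collective risk standard per launch, from the text
LAUNCHES_PER_YEAR = 33  # average launch rate used in the text


def window_failure_probability(t0, t1, table=TABLE_3_2):
    """Probability of at least one failure between t0 and t1 (seconds after launch).

    Same form as footnote 4, 1 - (1 - p)^duration, applied phase by phase
    to the part of each phase that overlaps the window.
    """
    if t1 < t0:
        raise ValueError("window end precedes window start")
    survive = 1.0
    for _phase, start, end, p in table:
        overlap = min(end, t1) - max(start, t0)
        if overlap > 0:
            survive *= (1.0 - p) ** overlap
    return 1.0 - survive


def annualized_casualties(ec_per_launch=EC_LIMIT, launches_per_year=LAUNCHES_PER_YEAR):
    """Expected casualties per year implied by a per-launch Ec."""
    return ec_per_launch * launches_per_year


def casualties_per_departure(casualties=2868, departures=131_000_000):
    """Air-carrier comparison from the text (1982 through 1998 totals)."""
    return casualties / departures


if __name__ == "__main__":
    # Assumed window: the longest Africa dwell (8.08 s) ending at 670 s. The rate is
    # constant throughout the first Centaur burn, so its position there does not matter.
    overflight = window_failure_probability(670.0 - 8.08, 670.0)
    beyond_uprange = window_failure_probability(480.0, 670.0)
    print(f"failure during 8.08 s overflight: {overflight:.3e} (1 in {1 / overflight:,.0f})")
    print(f"failure anywhere beyond 480 s:    {beyond_uprange:.3e}")
    print(f"failure anywhere in 0-670 s:      {window_failure_probability(0.0, 670.0):.3e}")
    print(f"annualized casualties at Ec limit: {annualized_casualties():.2e}")
    print(f"air-carrier casualties/departure:  {casualties_per_departure():.2e}")
```

The gap between the whole downrange window and the 8.08-second overflight window shows why dwell time over land, not total time beyond uprange coverage, drives the land-impact probability quoted in the text.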

Primary Recommendation on Africa Gates. While other requirements may exist, from the perspective of launch range safety the Air Force should move the Africa gates to within the limits of uprange flight termination and tracking systems; eliminate the use of assets in Antigua and Ascension for range safety support; and conduct a detailed technical assessment to validate the feasibility of moving other gates uprange. If other requirements for downrange tracking exist, AFSPC should validate those requirements and reexamine this recommendation in light of the additional requirements.

Modeling and Analysis Issues

A number of analytical processes and modeling tools are used before, during, and after launch to predict and monitor the safe operation of launch vehicles. The basic prelaunch safety assessment methodology used at both the WR and ER is based on Monte Carlo simulation tools, which is consistent with methods used in other fields. These tools can compute the likelihood of vehicle failure at a given time during launch, the resulting likelihood of debris impacting a given location, and in some cases the risk of casualties caused by debris impact, explosion, blast, or toxic effects. The final outputs of the assessment are used prior to launch (with statistical wind profiles) to determine whether the launch meets safety criteria and where evacuations are required. Continued evolution and assessment of these modeling and analysis techniques is critical, especially for new types of launch vehicles such as RLVs.

Because of inherent uncertainties in input parameters and modeling assumptions, safety assessments can provide only approximate results, even though range safety personnel are constantly improving their analytical models based on actual range experience.
Because the launch rate is quite low compared to the rate at which new technologies are developed, however, it can be difficult to predict the performance of new vehicles or systems using historical data.

Safety procedures and rules should be clearly linked to accepted risk standards, but demonstrating this linkage is difficult because of inherent uncertainties. Therefore, the computation of safety metrics tends to be conservative. For example, models may assume that all debris survives to impact or use worst-case wind profiles. The effect of this conservatism is that actual operations are likely to be safer than predicted. However, conservatism may also overly restrict operations and should be carefully limited. The goal should be to obtain the most accurate answer, not the most conservative one. Safety assessments should be conducted to the level of detail appropriate to the scale and accuracy of the assumptions used in the models, and making the models more detailed is not always warranted. In fact, the additional complexity may have no effect—or even a negative effect—on accuracy.

The results of safety assessments should not be subjectively altered when making decisions regarding launch, evacuation, or flight termination. This issue has been identified and discussed by the RCC:

Answers obtained by applying these analytical methods . . . are not the “absolute truth” but are the product of a rational process to establish objective safety recommendations. Therefore, the answers should not be subjectively altered at the end of the process. Such changes could render invalid the informed decision process which helps protect the government from liability (RCC, 1997a).
This issue has been further developed in the Flight Safety Analyst Handbook:

While the validity of the calculation process (the “math”) is not often questioned, numerical results at the end of the process are sometimes called “ballpark”, or thought to contain “margins” as the result of “conservatism built into models.” This intuition fosters a belief that numbers indicating high risk (especially borderline high risk) can somehow be discounted. . . . If the Commander exceeds the criteria it can be argued that the criteria does not exist, or was in fact, never a valid criteria. For credibility and liability protection, it is better to change the criteria before initiating a launch operation, than to establish one and then violate it (30th SW, 1999).

As indicated above and in Appendix E, the committee noted that conservatism is, in fact, built into many range safety analytical models and procedures. Ensuring that safety analyses are accurate and free of unnecessary conservatism will help minimize the temptation to discount their results.

Recommendation 3-2. AFSPC should identify and correct unwarranted conservatism in analytical models and verify that modeling and analytical methods are properly implemented. Periodic, independent reviews should be conducted to ensure that the level of modeling detail is appropriate given the accuracy of model inputs and assumptions.

Differences between WR and ER Analysis Methods

The overall modeling and analysis approaches at ER and WR are similar, but some significant differences exist. For example, the ranges use different assumptions and models in computing safety metrics, such as Ec, and they use analytical results differently. At the WR, safety analyses are rerun on launch days using measured wind data to reevaluate the safety metrics and verify that the launch meets the accepted safety criteria. At the ER, the measured winds are compared against predefined worst-case winds to determine if the launch may proceed.
Because of the potential risk to the launch area it is necessary to detect and terminate the flight of a vehicle that fails to pitch over and head downrange. Both ranges compute how long it would take for a vehicle to present an unacceptable risk if it flew straight up. If a vehicle fails to turn downrange by the specified time the flight is terminated. Also, at the ER, a “chevron display” is used to track the IIP immediately after launch. If the IIP fails to move downrange at the proper rate as shown on the chevron display, destruct commands are sent. At WR, a dedicated pitch-program display is used to track the vehicle’s position relative to the nominal programming trajectory. Prior to launch, the WR also computes how long after launch it takes a vehicle to generate enough kinetic energy to impact a region outside the ILLs. If tracking of the vehicle is not available by that time, the flight is terminated.

Differences in the assumptions and methods used at the ER and WR to determine ship and aircraft exclusion zones are discussed further in Chapter 5.

Finding 3-6. The overall modeling and analysis approaches at the Eastern and Western Ranges are similar, but there are some significant differences in analytical tools, assumptions, and operational procedures. These include differences in analysis software packages, methods of defining ship exclusion zones, and displays for monitoring the launch vehicle trajectory. The differences may increase costs because of overlap or duplication of effort in developing models, software, and hardware for the two ranges. Although differences in geography and other factors may make it impractical for the ER and WR to use identical modeling and analysis approaches, an effort should be made to increase the degree of commonality in accordance with the Primary Recommendation on EWR 127-1.

REFERENCES

30th SW (30th Space Wing). 1999. 30th SW/SE Flight Safety Analyst Handbook. Vandenberg Air Force Base, Calif.: 30th Space Wing.

45th SW (45th Space Wing). 1999. Eastern Range and Western Range Collective Risk and Associated Data. August 13, 1999. Patrick Air Force Base, Fla.: 45th Space Wing.

AFSPC/AFMC (Air Force Space Command/Air Force Materiel Command). 1997. AFSPC/AFMC Memorandum of Agreement on Spacelift Roles and Responsibilities. January 31, 1997. Peterson Air Force Base, Colo.: Air Force Space Command.

AFSPC/AFMC. 1999. AFSPC/AFMC Memorandum of Agreement on Spacelift Roles and Responsibilities (Draft). Revision 2. May 1, 1999. Peterson Air Force Base, Colo.: Air Force Space Command.

AFMC (Air Force Materiel Command). 1998. Single Manager Roles and Responsibilities. AFMC Pamphlet 63-3, September 1, 1998. Wright Patterson Air Force Base, Ohio: Air Force Materiel Command.

DoD (Department of Defense). 1998. Use, Management, and Operation of DoD Major Ranges and Test Facilities. Department of Defense Directive 3200.11. January 26, 1998.

EWR 127-1 (Eastern and Western Range Safety Requirements). 1997. Available on line at: http://www.pafb.af.mil/45sw/rangesafety/ewr97.htm January 20, 2000.

LMA (Lockheed Martin Astronautics). 1999. Atlas II/IIAS Flight Data Package: GTO Class Missions Report No. LMA-AFD-98-290. May 1999. Denver, Colo.: Lockheed Martin Astronautics.

NTSB (National Transportation Safety Board). 2000. Aviation Accident Statistics. Available on line at: http://www.ntsb.gov/aviation/Stats.htm January 5, 2000.

RCC. 1997a. Supplement to Common Risk Criteria for National Test Ranges: Inert Debris. Supplement to RCC Standard 321-97. AD-A324955. February 1997. Available on line at: http://www.jcte.jcs.mil/RCC/manuals/321/index.htm January 21, 2000.

RCC (Range Commanders Council). 1997b. Common Risk Criteria for National Test Ranges: Inert Debris. AD-A324356. February 1997. Available on line at: http://www.jcte.jcs.mil/RCC/manuals/321/index.html January 21, 2000.

USAF (U.S. Air Force). 1991. Air Force Instruction (AFI) 91-202 AFSPC Sup 1. February 1, 1991. Washington, D.C.: U.S. Air Force.

Ward, J. 1997. Estimation of Downrange Risks for Northeast Titan and Athena Launches. Memo for the Record. October 31, 1997. Research Triangle Park, N.C.: Research Triangle Institute.