Safety in Space Missions. 9th AEETS Scientific Meeting, A Coruña, 11 November 2010. Felipe Martín Crespo, Taitus Software. E-mail: [email protected]

Safety in Space Missions

9th AEETS Scientific Meeting, A Coruña, 11 November 2010

Felipe Martín Crespo, Taitus Software

e-mail: [email protected]

Agenda: Safety in Space Missions

1. Space and its industry

2. General aspects of space activity

3. Safety principles in space
• General principles
• Space debris, meteoroids
• Materials safety
• Avionics
• Software

The space sector
• A worldwide industry of 100,000 M$ per year.

• Main areas of activity:

• Manned missions

• Microgravity

• Earth observation and meteorology

• Telecommunications

• Science and astronomy

• Navigation

• Launchers

• Main promoters:
• Public sector (national agencies, military)
• Private sector (telecommunications operators, launchers)

Space flight mechanics

Earth escape velocity

11 km/s

Orbital insertion velocity (Space Shuttle)

7.7 km/s

Orbit types: LEO

Low Earth Orbit, 160 – 1000 km

Orbit types: MEO

Medium Earth Orbit, 20000 km

Orbit types: GEO

Geostationary orbit

36000 km

Orbit types

Elliptical, high eccentricity

Space is a hostile environment

Micrometeoroids

Cosmic rays

Debris

Vacuum

Temperature (isothermal/cycling)

Radiation

Space Debris

Micrometeoroids

Atomic Oxygen

(Manned Volumes)

Space radiation

Basic safety principles in space

Main causes of accidents:

• Manufacturing errors

• Design errors

- Wrongly assumed or underestimated environmental conditions, such as limit loads or worst cases.

- Deficient control of intrinsic hazardous characteristics, such as flammable materials or stored energy.

- Incorrect or inaccurate detailed design

e.g. Apollo 1, Soyuz 11, Apollo 13, Challenger 1986

Apollo 1 (1967)

Fire in command module during on-ground test

Soyuz 11 (1971)

Cabin depressurization during descent

Apollo 13 (1970)

Explosion of oxygen tank during moon transfer

Gemini VI (12/12/65)

Launch engine did not start. Astronauts did not fire the ejection seats.

Principles and methods

Hazard elimination and limitation
- Air atmosphere / pure oxygen
- Manufacturing procedures (soldering)
- Clean rooms

Barriers and interlocks
- Shielding, isolation

Fail-safe design
- Fail passive (de-energize, fuses, circuit breakers)
- Fail active (standby redundancy)
- Fail operational (safe mode)

Failure risk minimization
- Fault-tolerant design (redundancy, fault detection, response capability)
- Design for minimum risk (overdesign, fault avoidance)

Monitoring, recovery and escape
- Timely identification of contingencies

Standards and procedures

ECSS standards

Probabilistic Risk Assessment

RAM analysis: Reliability, Availability and Maintainability

Helpful in:
- carrying out design modifications to achieve minimum failures or increase mean time between failures (MTBF)
- planning maintainability requirements
- optimizing reliability
- maximizing equipment availability
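The fault-tolerant design principle above (redundancy plus fault detection and a response) and the RAM figures are easier to reason about with a concrete voter in hand. The following is an added example, not code from the talk or from any flight project: a three-channel majority voter that reports the outvoted channel, together with the 2-of-3 reliability formula and the MTBF/MTTR availability ratio that a RAM analysis would use. The three-channel layout, the tolerance band and the status names are assumptions made for this example.

```c
/* Added example, not code from the talk: a triple-modular-redundancy (TMR)
 * majority voter with fault detection, plus the reliability and availability
 * arithmetic a RAM analysis uses to decide whether the redundancy pays off.
 * The three-channel layout, tolerance band and status names are assumptions
 * made for this example. */
#include <math.h>
#include <stdio.h>

enum vote_status { VOTE_AGREE, VOTE_ONE_FAULT, VOTE_NO_MAJORITY };

struct vote_result {
    double value;              /* voted output (only valid if status != VOTE_NO_MAJORITY) */
    int faulty_channel;        /* index of the outvoted channel, or -1 */
    enum vote_status status;
};

/* Two channels agree if their readings differ by at most tol (the noise band). */
static int agree(double a, double b, double tol) { return fabs(a - b) <= tol; }

/* 2-of-3 majority vote. With a single disagreeing channel the agreeing pair is
 * averaged and the odd one out is reported (fault detection + response).
 * With no agreeing pair nothing is trusted: the caller must drop to safe mode. */
struct vote_result tmr_vote(const double ch[3], double tol) {
    struct vote_result r = { 0.0, -1, VOTE_NO_MAJORITY };
    int ab = agree(ch[0], ch[1], tol);
    int bc = agree(ch[1], ch[2], tol);
    int ac = agree(ch[0], ch[2], tol);
    int pairs = ab + bc + ac;
    if (pairs >= 2) {                    /* all three consistent */
        r.value = (ch[0] + ch[1] + ch[2]) / 3.0;
        r.status = VOTE_AGREE;
    } else if (pairs == 1) {             /* exactly one channel is the odd one out */
        r.faulty_channel = ab ? 2 : (bc ? 0 : 1);
        r.value = (ch[0] + ch[1] + ch[2] - ch[r.faulty_channel]) / 2.0;
        r.status = VOTE_ONE_FAULT;
    }
    return r;
}

/* Mission reliability of a 2-of-3 system built from channels of reliability r:
 * R = 3r^2 - 2r^3. For r < 0.5 this is worse than one channel alone, so
 * redundancy only helps when the individual parts are already reliable. */
double tmr_reliability(double r) { return 3.0 * r * r - 2.0 * r * r * r; }

/* Steady-state availability from mean time between failures and mean time to
 * repair; raising MTBF or cutting MTTR both improve it. */
double availability(double mtbf_h, double mttr_h) { return mtbf_h / (mtbf_h + mttr_h); }

int main(void) {
    double healthy[3] = { 100.0, 100.1, 99.9 };
    double one_bad[3] = { 100.0, 100.1, 250.0 };   /* channel 2 has failed high */
    struct vote_result a = tmr_vote(healthy, 0.5), b = tmr_vote(one_bad, 0.5);
    printf("healthy: status=%d value=%.3f\n", a.status, a.value);
    printf("one bad: status=%d value=%.3f faulty=%d\n", b.status, b.value, b.faulty_channel);
    printf("R(0.9): TMR=%.4f single=%.4f; R(0.4): TMR=%.4f single=%.4f\n",
           tmr_reliability(0.9), 0.9, tmr_reliability(0.4), 0.4);
    printf("availability (MTBF=1000 h, MTTR=10 h): %.6f\n", availability(1000.0, 10.0));
    return 0;
}
```

The reliability function is the check to run before adding channels: a voter built from parts with r below 0.5 lowers mission reliability, which is why the deck pairs redundancy with "design for minimum risk" rather than treating it as a substitute.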

Space debris

Operational spacecraft - 7%

Obsolete spacecraft - 22%

Rocket remnants - 17%

Mission-related objects - 13%

Other fragments - 41%

19000 catalogued objects

Estimate: more than 600000 objects over 1 cm

Danger of “Kessler syndrome” (chain reaction)

Cosmos - Iridium collision


NORAD: North American Aerospace Defense Command

• Space Debris Surveillance and Warning

Space debris: safety measures (against collision)

• Early warning and surveillance (NORAD, ESA SSA, China?)

• Collision avoidance manoeuvres

• Shielding: International Space Station design requirements call for a probability of critical impacts of less than 0.5 % per year

Preservation measures (against debris proliferation)

• Deorbiting

• Parking orbit

• Garbage collection

Acoustics and noise

Materials Safety

Fire safety

Toxic offgassing

Crew safety

Propellant compatibility

Oxygen compatibility

Stress corrosion cracking

The first documented case of stress-corrosion cracking failure in propulsion components can be traced back to 1965, with the failure of a pressurized Ti-6Al-4V tank containing liquid N2O4.

Propulsion systems, in particular tanks, are exposed to extremely reactive and aggressive fluids, such as fuels, oxidizers and cleaning agents, which can promote SCC.

Significant residual stresses due to welding or machining processes could still be present in the tank even after stress-relief heat treatment.

Significant stresses due to tank pressurization are present in service.

Testing against Stress Corrosion

Maximize Determinism

Minimize Probabilistics

Avionics Safety

Avionics

Electrical and electronic systems on space missions

Safety Critical Computer Control

Circuit protection (fusing)

Electrostatic Discharge control

Electromagnetic Interference and Compatibility Control

Design, Manufacturing & Testing of Safety Critical Circuits

Component Selection

Electromagnetic Compatibility Testing

Software safety

Software is an increasing risk factor in space missions.

• Inherently unreliable, e.g. Space Shuttle: 5 identical cross-checking computers

• Best practices, Software Standards

• Very conservative:
- “If it works, don’t fix it!”
- 20-year-old software still operational
- Shuttle computers have 1 MByte of RAM only!

• Extensive testing -> substantial cost increase
- Stimulated debugging (get more $ for bugs found)
- Separate development / quality / testing teams and companies
- Duplicated / triplicated teams

Big advantage: it can be replaced/repaired in flight

Software safety

Several disasters attributed to software faults

NASA Mars Polar Lander (1999) & NASA Mars Climate Orbiter (1998)

ESA Ariane 5 / Cluster mission (1996)

USSR Phobos 1 & 2 mission to Mars (1989)

Success stories

Voyager 2 Uranus flyby (1986)

NASA Mars Polar Lander

• Last telemetry received just prior to atmospheric entry on December 3, 1999.

• The cause of the communication loss is not known.

• Investigation concluded that the most likely cause of the failure of the mission was a software error that mis-identified vibrations caused by the deployment of the lander's legs as vehicle touch-down on the Martian surface.

• The resulting action was the shut-down of the vehicle's descent engines while still 40 meters aloft.
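The failure mode just described is a filtering problem: a transient from the leg sensors during deployment was treated as a real touchdown indication. What follows is an added example written for this page, not code from the talk or from the Mars Polar Lander project. It contrasts a detector that latches the first contact reading with one that discards readings taken while the legs are deploying, requires several consecutive contact readings, and cross-checks them against radar altitude. The cycle count, altitude threshold, struct layout and the two descent traces are all assumptions constructed for the example.

```c
/* Added example, not code from the talk or from NASA: a touchdown-detection
 * filter illustrating the failure mode described above. Thresholds, cycle
 * counts, the struct layout and the sample traces are invented for the example. */
#include <stdbool.h>
#include <stdio.h>

#define CONTACT_CYCLES_REQUIRED 3   /* consecutive contact readings needed (assumed) */
#define MAX_TOUCHDOWN_ALT_M     2.0 /* radar altitude above which contact is implausible (assumed) */

struct sample {
    bool   leg_deploying;   /* leg deployment in progress during this control cycle */
    bool   leg_contact;     /* leg sensor reports ground contact */
    double radar_alt_m;     /* radar altimeter reading */
};

struct td_filter { int consecutive_contact; };

void td_reset(struct td_filter *f) { f->consecutive_contact = 0; }

/* True only when contact has persisted for CONTACT_CYCLES_REQUIRED cycles, after
 * deployment has finished, at a plausible altitude. A reading taken while the
 * legs are deploying is discarded and clears the counter, so a deployment
 * transient can never be carried forward as a touchdown. */
bool td_update(struct td_filter *f, const struct sample *s) {
    if (s->leg_deploying || s->radar_alt_m > MAX_TOUCHDOWN_ALT_M) {
        f->consecutive_contact = 0;
        return false;
    }
    f->consecutive_contact = s->leg_contact ? f->consecutive_contact + 1 : 0;
    return f->consecutive_contact >= CONTACT_CYCLES_REQUIRED;
}

/* Runs a descent trace through the filter; returns the cycle at which touchdown
 * is declared (engine cutoff would be commanded there), or -1 if never. */
int first_touchdown_cycle(const struct sample *trace, int n) {
    struct td_filter f;
    td_reset(&f);
    for (int i = 0; i < n; i++)
        if (td_update(&f, &trace[i])) return i;
    return -1;
}

/* The behaviour the investigation describes: the first contact reading is
 * latched even during deployment, and acted on once deployment ends. */
int latched_touchdown_cycle(const struct sample *trace, int n) {
    bool latched = false;
    for (int i = 0; i < n; i++) {
        if (trace[i].leg_contact) latched = true;
        if (!trace[i].leg_deploying && latched) return i;
    }
    return -1;
}

/* Constructed trace: a contact transient while the legs deploy at ~40 m,
 * then genuine sustained contact at ground level. */
const struct sample DESCENT_TRACE[] = {
    { true,  false, 45.0 },
    { true,  true,  42.0 },   /* transient during deployment */
    { true,  false, 40.0 },
    { false, false, 38.0 },   /* a latching detector cuts the engines here */
    { false, false, 20.0 },
    { false, false,  5.0 },
    { false, true,   1.5 },
    { false, true,   0.5 },
    { false, true,   0.1 },   /* third consecutive contact: touchdown */
    { false, true,   0.0 },
};
const int DESCENT_TRACE_LEN = sizeof DESCENT_TRACE / sizeof DESCENT_TRACE[0];

/* Constructed trace: a two-cycle contact blip at low altitude that goes away. */
const struct sample BLIP_TRACE[] = {
    { false, false, 3.0 }, { false, true, 1.8 }, { false, true, 1.7 },
    { false, false, 1.6 }, { false, false, 1.5 },
};
const int BLIP_TRACE_LEN = sizeof BLIP_TRACE / sizeof BLIP_TRACE[0];

int main(void) {
    int k = latched_touchdown_cycle(DESCENT_TRACE, DESCENT_TRACE_LEN);
    printf("latched detector: touchdown at cycle %d, altitude %.1f m\n", k, DESCENT_TRACE[k].radar_alt_m);
    k = first_touchdown_cycle(DESCENT_TRACE, DESCENT_TRACE_LEN);
    printf("filtered detector: touchdown at cycle %d, altitude %.1f m\n", k, DESCENT_TRACE[k].radar_alt_m);
    printf("filtered detector on blip trace: %d (no touchdown)\n", first_touchdown_cycle(BLIP_TRACE, BLIP_TRACE_LEN));
    return 0;
}
```

The altitude cross-check is the second independent source the deck's "fault detect" principle asks for: a contact signal that the altimeter contradicts is treated as a sensor fault, not as an event.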

NASA Mars Climate Orbiter

• The loss of the craft was the result of several factors, including:
• a design flaw that resulted in asymmetric torque,
• software errors in the small forces model, and
• management inattention.

• A metric/US customary units mix-up caused by a human error in the software development.

• The thrusters on the spacecraft, which were intended to control its rate of rotation, were controlled by a computer that underestimated the effect of the thrusters by a factor of 4.45. This is the ratio between a pound force (the standard unit of force in the United States customary units system) and a newton (the standard unit in the metric system). The software was working in pounds force, while the spacecraft expected figures in newtons; 1 pound force equals approximately 4.45 newtons.

• The software had been adapted from use on the earlier Mars Global Surveyor, and was not adequately tested before launch.

• The navigation data provided by this software was also not cross-checked while in flight. The Mars Climate Orbiter thus drifted off course during its voyage and entered a much lower orbit than planned, and was destroyed by atmospheric friction.
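The unit mix-up is an interface-contract failure: a number left the ground software as pound-force-seconds and was consumed as newton-seconds, and nothing in flight cross-checked it. The following is an added example, not code from the talk or from the Mars Climate Orbiter project: it gives the two units distinct C types so the compiler rejects an unconverted value at the interface, and it reproduces the 4.45 underestimation factor from three constructed file entries. The function names and sample entries are assumptions made for the example.

```c
/* Added example, not code from the talk or from the Mars Climate Orbiter
 * project: distinct C types for newton-seconds and pound-force-seconds, so a
 * thruster impulse cannot cross the ground-to-navigation interface without an
 * explicit conversion. Function names and the sample entries are invented. */
#include <math.h>
#include <stdio.h>

typedef struct { double v; } newton_seconds;   /* SI impulse */
typedef struct { double v; } lbf_seconds;      /* US customary impulse */

/* Exact definition of the pound-force in newtons. */
#define NEWTONS_PER_LBF 4.4482216152605

newton_seconds lbfs_to_newton_s(lbf_seconds x) {
    newton_seconds r = { x.v * NEWTONS_PER_LBF };
    return r;
}

/* Ground-software side: the "small forces" file is written in lbf·s, and the
 * type records that fact instead of leaving it to a comment. */
lbf_seconds small_forces_entry(double raw_lbf_s) {
    lbf_seconds r = { raw_lbf_s };
    return r;
}

/* Navigation side: accepts SI only. Passing an lbf_seconds here is rejected by
 * the compiler (incompatible struct types), which is the whole point. */
double accumulate_impulse(double total_newton_s, newton_seconds impulse) {
    return total_newton_s + impulse.v;
}

/* Shows the size of the error the text describes: the same entries ingested
 * with and without the conversion differ by the factor 4.45. */
double underestimation_factor(void) {
    const double raw_lbf_s[3] = { 0.25, 0.40, 0.10 };   /* constructed entries */
    double correct = 0.0, as_if_newtons = 0.0;
    for (int i = 0; i < 3; i++) {
        lbf_seconds e = small_forces_entry(raw_lbf_s[i]);
        correct = accumulate_impulse(correct, lbfs_to_newton_s(e));
        as_if_newtons += e.v;   /* the raw number used as though it were N·s */
    }
    return correct / as_if_newtons;
}

int main(void) {
    lbf_seconds one = small_forces_entry(1.0);
    printf("1 lbf·s = %.6f N·s\n", lbfs_to_newton_s(one).v);
    printf("thruster effect underestimated by a factor of %.2f\n", underestimation_factor());
    return 0;
}
```

Type-level units only close the gap at the software boundary; the deck's point that the navigation data was never cross-checked in flight is the second, independent control that was also missing.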

ESA Ariane 5 Flight 501 failure

• Flight 501 took place on June 4, 1996.

• First, and unsuccessful, test flight of the European Ariane 5 expendable launch system.

• Due to an error in the software design (inadequate protection from integer overflow), the rocket veered off its flight path 37 seconds after launch and was destroyed by its automated self-destruct system when high aerodynamic forces caused the core of the vehicle to disintegrate.
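The "inadequate protection from integer overflow" above is, at the code level, a conversion from a wide floating-point value to a narrow integer with no range check. The block below is an added example, not the Ariane flight software: it shows a range-checked double-to-int16 conversion, a saturating variant, and a channel policy that keeps the last good value and counts the event instead of halting on one bad sample. Names, the channel struct and the sample values are assumptions made for the example.

```c
/* Added example, not the Ariane 5 inertial reference software: a range-checked
 * conversion from a 64-bit floating-point value to a 16-bit signed integer,
 * beside a saturating variant and a policy that survives a bad sample.
 * In C a cast of an out-of-range double to an integer is undefined behaviour,
 * so the check must run before the cast. Names and the struct are invented. */
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum conv_status { CONV_OK, CONV_OVERFLOW, CONV_NAN };

/* The unchecked form this replaces would be:  int16_t v = (int16_t)x;
 * which is undefined for |x| beyond the int16 range and, on a target that
 * traps on the conversion, raises the kind of exception the text describes. */
enum conv_status to_int16_checked(double x, int16_t *out) {
    if (isnan(x)) return CONV_NAN;
    /* truncation toward zero fits iff x lies strictly inside (INT16_MIN-1, INT16_MAX+1) */
    if (x >= (double)INT16_MAX + 1.0 || x <= (double)INT16_MIN - 1.0) return CONV_OVERFLOW;
    *out = (int16_t)x;
    return CONV_OK;
}

/* Saturating variant: clamps instead of failing. Whether clipping is safer
 * than rejecting is a per-variable decision for the safety analysis; mapping
 * NaN to 0 here is an assumption of the example, not a recommendation. */
int16_t to_int16_saturating(double x) {
    if (isnan(x)) return 0;
    if (x >= (double)INT16_MAX) return INT16_MAX;
    if (x <= (double)INT16_MIN) return INT16_MIN;
    return (int16_t)x;
}

struct channel {
    int16_t  last_good;
    unsigned overflow_count;
};

/* Policy example: keep the last good value and count the event, so one
 * out-of-range sample degrades the channel instead of halting the processor. */
int16_t channel_update(struct channel *c, double x) {
    int16_t v;
    if (to_int16_checked(x, &v) == CONV_OK) c->last_good = v;
    else c->overflow_count++;
    return c->last_good;
}

int main(void) {
    struct channel horizontal_bias = { 0, 0 };
    const double samples[] = { 120.7, 31000.0, 70000.0, -70000.0, 150.2 };   /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %9.1f -> %6d (overflows so far: %u)\n", samples[i],
               channel_update(&horizontal_bias, samples[i]), horizontal_bias.overflow_count);
    printf("saturating(70000.0) = %d\n", to_int16_saturating(70000.0));
    return 0;
}
```

The overflow counter is what makes the event visible to monitoring (the "timely identification of contingencies" principle earlier in the deck): the bad sample is neither silently clipped nor allowed to stop the unit.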

USSR Phobos 1 & 2 mission to Mars

• Phobos 1

Operated nominally until an expected communications session on September 2, 1988 failed to occur.

The failure traced to an error in the software uploaded on August 29/August 30, which had deactivated the attitude thrusters.

By losing its lock on the Sun, the spacecraft could no longer properly orient its solar arrays, thus depleting its batteries.

• Phobos 2

Operated nominally throughout its cruise and Mars orbital insertion phases on January 29, 1989, gathering data on the Sun, interplanetary medium, Mars, and Phobos.

Shortly before the final phase of the mission, during which the spacecraft was to approach within 50 m of Phobos' surface and release two landers, one a mobile "hopper", the other a stationary platform, contact with Phobos 2 was lost.

The mission ended when the spacecraft signal failed to be successfully reacquired on March 27, 1989. The cause of the failure was determined to be a malfunction of the on-board computer.

Voyager 2 Uranus flyby (1986)

In-flight software upload to:

• Overcome a memory fault (cosmic rays).

• Reprogram the spacecraft to produce quality imaging, given the need for long exposures due to the larger distance from the Sun.

• Resulted in the highest-resolution and highest-quality images of the mission (Miranda satellite).

Conclusions

Space missions are very risky

Chances of failure are high

One failure frequently means total failure

Almost no possibility of repair in flight

Design for faults (overdesign, redundancy)

Proven solutions preferred to innovations

Follow Engineering Standards and Procedures

Testing, Testing, Testing
• Maximize determinism
• Minimize probabilistics