AI AA-89-2281 HERMES Propulsion Design Optimisation With RAMS Implementation R. Pitt and E. Winkler MBB Space Communications and Propulsion Systems Division, Munich, FRG.

AI AA/ASM E/SAE/ASE E 25th Joint Propulsion Conference

Monterey, CA / July 10-12, 1989

For permission to copy or republish, contact the American Institute of Aeronautics and Astronautics 370 L’Enfant Promenade, S.W., Washington, D.C. 20024

HERMES PROPULSION DESIGN OPTIMISATION WITH RAMS IMPLEMENTATION

R. Pitt and E. Winkler MBB Space Communications and Propulsion Systems Division

Munich, FRG

Abstract

The European HERMES concept for manned transportation has evolved from a reusable Spaceplane to the current version of a reusable Spaceplane together with an expendable Resource Module and an expendable Propulsion Module. After a description of the main reference mission of the HERMES, this paper defines the Propulsion System requirements and the resulting design. In particular, the impact of the qualitative (Fail Operational/Fail Safe) and quantitative (Failure Condition objectives) safety and reliability requirements on the system design is explained. The application of the Failure Condition approach is performed for the first time in a space programme and the advantages and disadvantages of this new application are discussed.

1.0 Introduction

/ The HERMES Space Vehicle (Fig. 1) is currently under study by European industry under the leadership of the European Space Agency (ESA) and Centre National d'Etudes Spatiales (CNES).

Fig. 1: HERMES Space Vehicle

A6rospatiale is the nominated industrial Prime Contractor and MBB has been nominated as Contractor for the HERMES Propulsion System with SEP as main Subcontractor.

The first phase in the development of HERMES began with the Phase C1 in January 1988 and will end in December 1990. The intentions of this phase are to conduct the necessary studies and technological work in order to provide a ' sound basis for the future development programme and to prove the feasibility of the project.

Published the American Institute a f 1 Copyr ight PI989 by MBB.

Aeronautics A i t i o n w t i c s , I n c . w i t h OermiP110".

Once the go-ahead has been given at the end Of 1990, the second development phase shall begin. This will involve the actual building of two HERMES Space Vehicles and will terminate after the first HERMES automatic unmanned flight (flight HOO1) scheduled for 1998 and the first HERMES manned flight (flight H02) in 1999.

The configuration of the HERMES is continually evolving with the latest update being in April 1989.

This paper presents the definition of the Propulsion System and the application of new RAMS methods to this man-rated reusable system comprising:

a) initial design optimisation by application of qualitative (Fail Operat ional/Fai 1 Safe) principles

Failure Condition objectives. b ) final design optimisation through use of

2.0 The HERMES Missions

The HERMES Space Vehicle is intended to carry out a wide spectrum of missions to meet Europe's needs for in-orbit human intervention.

The basic reference mission is to service the European COLUMBUS Free Flying LaboratoryJig. 2

Fig. 2: HERMES docked to Laboratory

The HERMES crew will implement the scientific experiments and perform maintenance on the

Laboratory every six months. Each mission will last up to 12 days, during which HERMES will be docked to the Laboratory for 7 days. A prolonged mission of four weeks for this Laboratorv is also envisioned. The other missions *foreseen for the HERMES include visits to the International Space Station ( I S S ) , to the Soviet Space Station MIR, and to the Eurooean Platform EURECA. These other missions ~~ ~ ~

may ' require supplementary kits (for additional propellant or oxygen etc. depending on the exact nature of the mission).

The HERMES Space Vehicle comprises

0 the IHERMES Propulsion Module (HPM), jettisoned by the HERMES after the orbit injection is performed

o the HERMES Resource Module (HRM), adaptable to the various missions and jettisoned by the Spaceplane prior to atmospheric reentry

o the reusable HERMES Spaceplane (HSP), a delta-wing tailless vehicle which incorporates an ejectable capsule to ensure crew safety in the event of mission abort

The characteristics of the HERMES Space Vehicle are given in Table 1

I HSP HRM HPM - - I L L - . _

/Length (in) 1 13 1 6 I 1

/Wingspan ( in) / 9 I - I -

;Max. ladei /15,non j8,ooo j -

~ (kg) ! ! !

I - . _ _ _ _ _ _ _ _ L - - I - - _ _ L _ _ _ _ -

I-_- I

;weight in t ;transfer orbit / ,

/Max. laden ;15,000 I ;weight at ;landing (kg) ~

I I

;Crew 1 3 perkons / -

;Max. payload 11,500 11,500 1 - ;on orbit ( k g ) ;

4

I

;Max. payload /1,500 I - I -

;at landing (kg);

;Pressurised I 33 i 2 8 : - ;volume (013) ; 1

Table 1: HERMES Characteristics

The HERMES Space Vehicle, Fig. 3, shall be launched by the ARIANE 5 launch vehicle and after separation from the launcher, the HPM shall perform the orbit insertion manoeuvre (110 km x 450 km).The HPM is then jettisoned ~

and the HRM shall perform the orbit manoeuvres including circularisation (450 km x 450 krn) and transfer (463 km x 463 km). The attitude control, translation, docking, and dedocking manoeuvres are carried out by a combination of thrusters on the spaceplane and HRM. After the deorbit burn, performed by HRM, the HRM is jettisoned and the HSP reenters the earth's atmosphere using its own thrusters to assist the atmospheric flight controls.

M >? "

O(I.87 , * l l , , i l < l N

Fig. 3: HERMES Space Vehicle Propulsion

The main operational phases of the basic reference mission to the Free Flying Laboratory are listed in Table 2.

W

3.0 Specified Requirements

__ Technical Requirements

c o m p r i s e e following major assemblies:

0 Propellant storage and distribution 0 Pressurisation 0 Main propulsion system (MPS) o Orbital control system ( O C S ) 0 Attitude control system (ACS) o Electronics

The Prooulsion Svstem has to oerform various

General The Propulsion System shall

mission manoeuv&s and these are accomplished using three types of systems:

(i) The main propulsion system (MPS) comprises two 27.5 kN gimballed bipropellant engines located in the HERMES Propulsion Module (HPM). These engines provide the required impulse for orbit injection to a 1101450 kin orbit.

( i i ) The orbital control system ( O C S ) comprises six 400 N biorooellant thrusters located in the HERMES Resource Module (HRM). These provide the impulse for

- - Transfer to the Free Flying Laboratory L,

- Rendezvous - Deorbit

Orbit circularisation (450 x 450 kni)

orbit (463 x 463 kni)

,

I I I

I lo. ; Flight Phase Events ; Duration Propulsion

!HPM "on" immediately ; Iflight phases ;separation from ARIANE 5 ; 9min 2sec ;after launch I

I 1 ;Launch, composite ;Lift-off until

I I

; 2 ;Launch trim flightjlnjection into orbit ; 5min 5sec [HPM

I jphases j (trimming) ! !

i ; ; 3 ;Orbiting !Orbit circularisation. j 29hr 45min [HRM

! Homing. 4 /Arrival at waiting point

I !Attitude control. ; 13sec [ HSP

I

I I I I I

i I

I 4 ;Approach and ;Soft docking ; 17hr ; HRM

iHSP ! I ! ;docking

i i I

I /HSP I !

5 ;Orbital operationsiManoeuvres of HERMESI I 116hr 30min IHRM !Laboratory composite

i

I ! 6 lDedocking lOedocking j 4hr I HRM

! HSP ! i

! ! 7 ;Reentry phasing :Separation

c ; 18hr 30min !HRM

; HSP !

i i i 8 ;Reentry con- /Reentry conf. setting ! Ihr 25min ;HRM

I ; HSP ! ! ;figuration

i i i 9 Deorbi t ing reentry! Braking impulse. ~ lhr 55min jHRM

;HRM separation jHSP I !Start of aerod. fliqht I I

.O ;Blackout ;Continuation of aerod. j 5min !HSP Iflight

___I I I

. I ;Post-blackout /Final aerodynamic flight. j 50min ! ! land landing 1 Landing

Table 2: HERMES Main Mission Phases for Reference Mission to the Free Flying Laboratory

(iii)The attitude control system (ACS) comprises

Eight 20 N bipropellant thrusters located in HRM Eight 20 N cold gas thrusters located in HRM Eight 400 N bipropellant thrusters located in HSP Eight 20 N bipropellant thrusters located in HSP

These thrusters are used for

/ - Attitude control - - Close rendezvous - Docking and dedocking

n3trogen thrusters (in HRM) shall'be used for the docking and dedocking manoeuvres. The nitrogen shall be supplied by the Environmental Control and Life Support System (ECLSS) of HERMES.

EnqinesIThrusters The number, type position of the different engineslthrusters

and in - Reentry

J

the HERMES Space Vehicle is given in Table 3 below.

I I I

Engines/Thrusters j HPM ~ HRM jHSP j I MPS 1 OCS I ACS j ACS I

!7.5 k N Bipropellantj 2 I - / - \ . \ 400 N Bipropellant / - ; 6 - j 8 j 20 N Bipropellant I - / - ; 8 ; 8 I

I

1

20 N Cold Gas j - I - j 8 j - , Table 3: EngineIThruster Definition

w n e and Thruster Mixture Ratios The nominal mixture ratios for the biorooellant thrusters are specified below.

27.5 kN engine 2.05 400 N thruster 1.645 20 N thruster 1.645

Propellant Budget The propellant budget for the basic reference mission to t h e Free Flying Laboratory is given in Table 4

/Mission Phases

/Orbit Injection

;Orbit Correction and jcircularisation

:Attitude Control ;(complete mission jincl. docked phase)

;Homing and Rendez- ! vous

:Docking, Dedocking

I Deorbit

!Reentry

;System Margins

8 ! Total

Table 5: Tankage Definition

The propellants shall be stored in spherical tanks. Each propellant tank s h a l l be equipped with a propellant management device capable of delivering gas free propellants to the downstream engines/thrusters during all mission phases and under the acceleration conditions given in Table 5 above.

Mass The dry mass o f the Propulsion System shall be less than 1150 kg.

L if et ime HSP: 30 inissions within 15 years HRM: 1 mission ( = 70 days from tank filling) HPM: 1 mission ( = GO days from tank filling)

Propellant Budget ( k g ) ____ HPM

MPS mkN i-prop

6000

-

-

-

6000

HRM

ocs j ACS 10 N !20 N !20 N i-propjbi-prop/cold gar ..-A-

_ / _ ; -

875 I - ; -

850 j - ! - . I _ / -

) . ! 150 j -

1910 50 / 1960 I 54

- HSP

Table 4: Propellant Budget for Mission to the Free Flying Laboratory

4

System Monitoring The monitoring methods However, the compliance with the qualitative FO shall detect as a minimum the following criterion is (initially) not mandatory for conditions: single failures which belong to a Major Failure

Condition which meets the ouantitative 0 0 0 0

enginelthruster fails on or off combustion chamber starts to burn throuqh engine gimbal position pneumaticlhydraul ic component leaks valve fails on or off propellant mass in tanks

o pressurant mass in tanks

I n particular, the monitoring methods shall be able to detect (and draw attention to) any critical fault so that an abort decision can be made when only one path remains for any function critical to crewlvehicle survival.

RAMS Requirements The Reliability, Avai labi 1 ity, Maintainabi 1 ity, and Safety (RAMS) requirements for the HERMES Propulsion System are mainly focused on qualitative and quantitative demands for reliability and safety.

The qualitative requirements refer to the compliance with the Fail Operational (FO) and Fail Safe (FS) criteria.

- The FO requirement means that the system shall maintain its operational capability after a failure of anv comoonent. The FS demand mean; that the system shall remain safe after a failure of any component.

The FO principle is used to prevent single failures from inducing an interruption of the HERMES mission. The FS criteria is aDDlied to avoid HERMES destruction, injury to personnel, or loss of life.

The definition of the quantitative reliability and safety requirements i s based upon a new failure condition methodology 1.

objective of (Neverthel&s, these particular single failure types will be included in the RAMS critical items list.) No deviation from the aualitative FS criterion is acccpranle. i.e. sinjlr f3ilurcs ledoinq t o darardous or Carastro9hic conseq.tence; m!z be - avoided.

Examples for HERMES Failure Conditions with the corresponding classification and attributed objective (PJ are:

- Loss of reentry Catastrophic P 5 10-6

- Pressurised tank CatastroDhic P < 10-6 capability

- exolosion

- ExLessive MMH Catastrophic P 5 10-6 leakage

- Nondetected loss Hazardous P < 10-5 of propulsion capability during launch

for docking with Free Flying Laboratory

- Loss of capability Major P 5

- Loss of 400 N thruster Major P < . redundancv

The specified Failure Condition probabilities indicated in the criticality inatrix above have been deduced from overall targets (per mission) on HERMES level. The following Fig. 4 shows the apportionment.

P < 10-2 P 10-3 P r: 10-4

P e I * 0 "ne I ,

A Failure Condition (FC) is defined as a scenario - initiated by HERMES component failures, crew errors, o r external conditions, considered alone or in combination - which leads to the defined effects on HERMES, Failure Conditions Failure Conditions Failure Conditions classified as Catastrophic, Hazardous, Major or with Major Enects with Hazerdous Enecls with Calaslrophic Enocts

Minor. The definition of the effect classification and the quantitative objectives Fig. 4: Partition of HERMES Reliability and of the Failure Conditions are indicated in the following criticality matrix Table 6 .

Safety Objectives

.- -_ 4.0 System Design and Definition /FC Probability per ~

System Desiqn Based upon the specified I--.. ~ requirements, the design of the HERMES Space I M i M ; Minor I . ~ Vehicle Propulsion System has been established:

[Fdilule Condition E f f e c t j F C Effect :Clalsific.tion ;n,rrion

[ 5 10-4

I -

I

I o HPM: Fig. 5 ;lnferr"ption Of .i*liO" I Major

1 o HRM bipropellant system: Fig. 6 ! o HRM cold gas system: Fig. 7

!ground facil i t ies, serious; ;i"j"Ti.% \Death of c ~ e w member or / Catastrophic < 10-6 j o HSP: Fig. 8 !perron on ground t - : o Explanation of symbols: Fiq. 9

/ D e s t r u c t i o n o f HERMES or / Haraidour I < 10-5

Taking the HSP design as an example, the main features may be summarised as follows: 'fable 6: Failure Condition Classification

/

and Probability objectives - Electric pressure regulation system using

pulsed latch valves located downstream of a coarse accuracy mechanical pressure

5

W

,=@ (* 27.5 kN - ENGINE

mz, 27.5 kN - ENGINE

Fig. 5: HPM Propulsion Design

regulator. Fine pressure regulation is achieved bv usina a nulsed latch valve

- Additional isolation valves for each thruster against leakage.

Propellant volume gauging (not shown) will be performed using a modified pressure-voluine- temperature method.

System Budqets

controlled 'via pFopellent tank pressure transducers. This system not only provides accurate control of Dronellant tank pressures throughout the' imission, but the pressure in the propellant tanks may also be varied in flight to increase thrust, to facilitate propellant dumping and as part o f the propellant volume gauging process.

Mdnual valves used to isolate pressurant and propellant tanks during ground testing and during transport of the tanked HERMES to the launch site.

Mass Budget The dry mass of the propulsion system as given i n Table 7 is 1128 kg.

-

j HPM j HRM HSP j Total 1 /Dry Mass (kg) I 726 I 306 I 96 ~ 1128 I

, I

Table I : Propulsion System Dry Mass

Common pressurisation of the propellant tank pairs.

Check valves to prevent migration o f propellant vapours from the propellant tanks to upstream components.

6

_ Qui I w L A L __..- ~ ........... ...................................... l S V l S

TO ECLSS The mass of the currently selected volume gauging equipment is an additional 5 kg. Hence if this method is finally selected, then the dry mass of the HERMES propulsion system would be increased to 1133 kg. The mass of items such as external harness, and mountings arc not included.

Power Budget The power budget is made up o f continuous power requirements and peak power requirements e.g. when valves arc operated. It is assumed that latching valves are switched sequentially in order to reduce the peak power demand and that a maximum of 4 thrusters arc fired simultaneously. Based upon the designs shown in Fig. 5 to 8 the following power budget f o r the propulsion system is defined, Table 8.

HPM ~ HRM HSP I I

!Continuous, eat IContinuouriPeak !COntinUoUs~Peak ~ ; p I

NT 1 NT 2 NT 3 NT4 NT 5 NT 6 NT7 NT8 /- !Power (Wl j 51 ,! 501' 48 ! 288 30 j 270 ; f f

* Only 2 engine actudton operated rioultaneourly. i f a l l 4 actuators ape required to operate iii"ltaneously then peak PDWeP is increased to 951 W .

am ,

Fig. 7: HRM Cold Gas Propulsion Design Table 8: Power Budget for Propulsion System

7

. . . , I ..............

Hencp the maximum continuous power requirement is 129 I.1 with a peak power requireinent o f 501 W.

Data BudgsJ The inaximum data budget for the Propulsion System is given in Table 9 below.

~ HPM I HRM ~ HSP I

/Data Budget ( k bitsis) / 81 I 121 I 7 7 I - -.L_

I

Table 9: Data Budget for Propulsion System

FO/FS Impleinentation The FO/FS principles have been used as a t o o l for the development of a deterministic design of the Propulsion Svstem. The FO/FS criteria determine - toaether with the severe mass constraint - the ininiinuni degree of redundancies, back-ups, or alternatives for the system components.

The Propulsion System architecture as shown in F i g . 5 to 8 illustrates firstly the muliiplicity of true redundancies, chosen in particular for valves, regulators and thrusters. In addition, quasi-redundancies inherent in the item design have been selected

.... .....". ...... ". Fig. 9: Design Symbols

for some components to comply with the FO/FS requirements in a convenient manner, such a s oversized (double stage) meshes for the filters or double latching pins for the manual valves. Finally, the damage tolerance concept has been utilised using fracture control (safe life 4 feature) for structural single point failure items. These include primarily the inetallic pressurant and propellant tanks and secondly

8

the welding zones and bending regions of The assessment of the probabilities for the pressurant and propellant pipes. A damage HERMES Failure Condition which will be tolerance design must also be applied to the performed by the HERMES Prime Contractor later HPH 27.5 kN engine if it is shown that the two in the design phase may result, in increased engines are not in true redundancy and levels of component redundancies, 1.e. possibly

ensure crew safety during all stages of the HPM , additionally if the Escape Capsule cannot result in many late deslgn changes.

engine usage. Failure Condition Impact The occurence

probmlity of the identified Failure Conditions with Major, Hazardous or Catastrophic conseauences will be estimated - in the 'conventional manner - by means of mission duty cycles, failure (rate) data, and mission environmental factors. The failure data may originate from tests, flights and/or analvses. Potential failure (rate) data sources are manufacturers' sheets; catalogues, handbooks (e.g. MIL-HDBK-217 E ) 2 and data banks. All data which will be applied for the quantitative demonstrations will .be submitted for approval to the HERMES Prime Contractor.

As the Failure Conditions are defined at HERMES level and the contributions from the systems outside the Propulsion System cannot be known in the early design phase the initial probability estimations have to be restricted to the Failure Condition projection on the Propulsion System only. This correlation is illustrated in Fig. 10. Consequently, the specified objectives for the HERMES Failure Condition represent no effective design requirements for the Propulsion System in this phase.

Example: Catastrophic Failure Condition: "Loss of Reentry Capability".

The probability for this HERMES Failure Condition is composed of the failure probabilities of diverse sources inside and outside the HERMES.

10-6 2 P(FC) = P(Propulsion) + ... 4.P (Power)+P ( E lectron ics) t P (Therma 1

+P(External Events) Control ) CP (Ai rf rame) + . . .

Fig. 10: Failure Condition Objective

The difficulty is increased by the lack Of failure data of new components which have to be developed for the HERMES programme.

Distribution

5.0 Evaluation of RAMS Approach

The new RAMS approach applied to the HERMES Propulsion System takes into account the reliability and safety aspects in one computerised study called SARA-H (Safety and Reliability Analysis for HERMES). The approach is based upon the qualitative F O I F S and on the quantitative Failure Condition objectives. The Failure Condition methodology used to perform the reliability and safety analysis is derived from those used at European level (Joint Airworthiness Requirements Reg~lation)~ and at Amer i can level (Federal Administration Requirements Reg~lation)~ for Civil Aircraft Certification.

The conventional reliability and safety programme has also to ,comply with qualitative and quantitative requirements. The qualitative demand is defined as minimization of single point failure items with Major, Hazardous or Catastrophic effects; preferred analysis types are the Failure, Mode, Effect, and Criticality Analysis or the Faulf Tree Analysis of the system. The quantitatlve requirement is usually determined as one goal for the reliability of the entire Propulsion System. This overall probability of mission success is verified by a calculation using the pre-assessed component reliability figures and the logic block diagram derived from the Propulsion System design (Fig. 11).

System Reliability R as Function of Component Reliabilities Ri

m

U

Fig. 11: Example of a Systeln Reliability Block Diagram

The new RAMS approach is compared to the conventional RAMS methodology in the following:

Advantages of new RAMS Approach

- Comprehensiveness of the model not separating the closely correlated system parameters reliability and safety.

- Allowance of system design optimisation by unique RAMS criteria, primarily by

9

application of the qualitative FO/FS principles and secondly by use of the quantitative Failure Condition objectives.

- Clear definition of requirements for limitation of all important risks and by that means avoidance of risk underevaluation (which could result from an inadeouate amortioninent of an overall reliabiliiy goal b i the Propulsion System for examp 1 e).

Disadvantages of new RAMS Approach

- The attribution of the same objective to all Failure Conditions of the same class (e.g. with Catastrophic consequences) does not reflect the complexity of all events contributing to a Failure Condition, e.g. the "loss of reentry capability" compared to the "pressurised tank explosion".

- The (initially) unknown contributions to the HERMES Failure Conditions from systems outside the Propulsion System impede an early design optimisation.

- Quantitative reliability or safety targets on eouioinent level for manufacturers'

, /

specifications cannot be defined by a rational apport.ionment.

- No overall single reliability figure for HERMES is presently obtainable (e.g. by summing up the probabilities of a l l Failure Conditions with major effects). This is due to the fact that the Failure Conditions are not mutually independent, because come failures can lead to more than one Failure Condition. For examole a orooel lant tank exolosion reoresents a kaiiure Condition,' but it ' may a l so contribute to the Failure Condition "loss o f reentry capability".

In summary, the new RAMS approach - which focuses directly on the critical conditions of HERMES - represcnts a methodology which not only provides clear guidelines for the design but a l s o enables a transparent identification and quantitative evaluation of the residual reliability and safety risks of HCRMES as expressed by the Failure Conditions.

6.0 Conclusions

The HERMES Propulsion System design has been established on the basis of qualitative reliabilitv and safetv criteria (FOIFS) and

_____

mass and volume constraints. This has resulted in the application of

o true redundancies (valves. reoulators . . . ) o quasi-redundancies'(oversized"fi1ters .. . ) o daiiiage tolerance concept (tanks ... ) The implementation of the quantitative criteria (Failure Condition objectives) will be performed at a later stage of the programme since the Failure Conditions are defined at HERMES level, and the contributions from the systems outside the Propulsion System will only be available later i n the design phase.

The successful completion of the new RAMS approach will lead to a Propulsion System optimised for each condition of the HERMES mission.

References I/

Galland, E . , Heckmann IP. "SARAH (Safety and Reliability Analysis for HERMES) Software Package User Manual", Aerospatiale Document No. H-AS-1-20, Edition 0 Toulouse, November 1988

Department of Defense "Reliability Prediction of Electronic Equipment" MIL-HDBK-217E 27 October 1986

European Airworthiness Authorities " Joint Airworthiness Requirements Regulation" JAR-25

American Administration for Civil Airplane "Federal Administration Requirements Regulation" FAR-25 (CFR-14 Part 25)

10