This Briefing is UNCLASSIFIED
September 23, 2008
A Common Language for a Generic Range Safety Tool appropriate for Manned and Unmanned Ballistic, Aerodynamic, and Buoyant Risk Generating Flying Machines
The Rosetta Stone
Why do we Need a FSS Rosetta Stone?
• The CSWG team, the RLV community, and the ranges must be communicating together to be responsive in this growing thought process
• Therefore we need a common language for our mutual understanding
• Perceptions are most critical!
• Our requirements must address all phases of flight
  • Take-off - Launch, Climbout - Orbital insertion, Cruise, Re-entry - landings
  • Atmospheric, Exo-atmospheric, Trans-atmospheric, Near-Space
• Our requirements must address all types of flying machines
  • Ballistic, Aerodynamic, Buoyant
  • Manned, Unmanned
  • Reliable/operational, Unreliable/experimental, and everything in between
• Our requirements must be adaptable to recognize Pilots, MFCOs, RSOs, and Autonomous Types
• Our requirements must effectively address the hazards and fulfill the safety concerns for all of the above
  • All flying machines, regardless of type, can and do fail
  • All flying machines generate risk, although to varying degrees depending on type and flight mode
  • Effective solutions vary significantly and need not be singular
• Let there be no doubt - Failure to effectively mitigate risk can be highly catastrophic!!!
At the dawn of the first aerospace millennium
We have only just begun to evolve!
Seeking Common Flight Safety System Terminology
We come from different organizations and aerospace cultures, seeking a common set of standards, but historically have had differing terminology, requirements processes, and concerns.
• Now we need such a lingual instrument for the entire Flight Safety Community
• Generically applicable for launches and re-entries of ELVs and RLVs that can also be understood and used by UAS, PGM, and any other manned or unmanned flying range operation
• It’s all about perception – targeting to inform the least comprehending reader
My Flight Safety System Mindset
I disagree with the concept that a FSS must contain FTS. Unlike our typical ER/WR spacelift launch scenario applications of FSS with FTS, there are many situations and ways to protect public lives using FSS without using FTS as not all aerospace vehicles require flight to be terminated in order to be rendered safe. I believe all parties agree with the fact “that a vehicle returning from space has the potential to kill many people here on the earth”. The difference is on the approach of how to define broader requirements that can accommodate alternative, and likely yet to be foreseen, reentry flight safety system options and yet be fully effective for protecting public safety. The “calming function” must be getting everyone to open their minds, establish mutually understood terms, and realize there are routine Flight Safety System alternatives in use throughout the aerospace industry – manned air flight, UAS, PGMs, manned spaceflight, small sounding rockets, re-entry payloads,…
This needs to be kept simple so all of us can easily understand!
A Proposed FSS General Paradigm
A Flight Safety System (FSS) is a range safety tool that may be used to:
• Reduce risk to an acceptable level
• Record and document event outcome
• Execute emergency response protocols
FSS may include any or all of the following subsystems:
• Range Tracking System (RTS) – a method to track the flight vehicle
• A method to receive safety critical status data from the vehicle
• A method to compare tracking and critical status data to established criteria, either manually, autonomously, or by a combination of both
• A method to effect change to assure safety criteria are fulfilled
FSS reliability may most likely be a critical requirement
• For any or all subsystems and their components of the FSS
• Scalable: Depends on the specific risks and the specific solution to mitigate these risks
• Residual risks and consequences, with and without FSS successful execution, with respect to established criteria
• May impact any or all phases: policy development, design, testing, analysis, documentation
FSS Range Safety Tool Applications
Flight Safety System
A tool that may be used to fulfill various range requirements
• Risk Management - Reduce risk to an acceptable level
  • Destructively terminate flight
  • Terminate thrust
  • Alter unacceptable vectors or momentum (occasional nudge or flight mode change)
  • No action – Let it be (Not enough risk potential to warrant a separate control function)
• Liability Management - Record and document event outcome
• Emergency Management - Execute emergency response protocols
Tool application may vary depending on:
• Unmitigated risks involved
• Particular flight phase(s) of concern
• Consequence of any catastrophe that may occur
• Potential for liability and defensive documentation
  • EPCRA – Emergency Planning and Community Right-to-know Act
  • Department of State related matters
  • Vulnerability to impede continued access to space
Requirements should accommodate diverse solutions, but fulfill the bottom line:
• Operational Risk Management per Range Commander direction shall be employed
• Fundamental Equivalent Level of Safety range requirements shall not be compromised
• No unnecessary risk shall ever be taken
FSS Components
FSS may include any or all of the following subsystems:
• Range Tracking System (RTS) – a method to track the flight vehicle
• A method to receive safety critical status data from the vehicle
• Command - A method to compare tracking and critical status data to established criteria, either manually, autonomously, or by a combination of both
  • Decide when and if corrective action is required to assure the criteria are not violated
  • Timely execute the appropriate actions based on the data received or not.
  • Such individuals performing such manual functions may be referred to as Mission Flight Control Officers (MFCOs), Range Safety Officers (RSOs), or Pilots
• A method to effect change to assure safety criteria are fulfilled. Either:
  • Flight Termination System (FTS) – all components that provide the ability to terminate a launch vehicle’s flight in a controlled manner; the flight termination system consists of all command terminate subsystems, inadvertent separation destruct subsystems, or other subsystems and their components that are used to terminate flight.
  • Contingency Management System (CMS) – a method to execute commands to either place the vehicle in a safe or recovery mode or effect realtime corrective actions to resume safer flight
• Include all components of the subsystems required - Each of the required subsystems must include all components that are required in the solution to execute the Range Safety requirement
  • Ground based assets
  • Aboard the risk-generating flight vehicle
  • Aboard any other mobile or fixed relay or sensing platforms
  • Inertial, GPS, or any other positional or state-vector determining inputs
  • Software
  • Decision making process
A More Generic FSS Definition
The FAA definition in 14 CFR § 417.3: Flight safety system means the system that provides a means of control during flight for preventing a hazard from a launch vehicle, including any payload hazard, from reaching any populated or other protected area in the event of a launch vehicle failure. A flight safety system includes: (1) All hardware and software used to protect the public in the event of a launch vehicle failure; and (2) the functions of any flight safety crew.
The AF definition in AFSPCMAN 91-710 V7 1 JULY 2004: Flight Safety System — the system consisting of the airborne and ground flight termination systems, airborne and ground tracking system, and the airborne and ground telemetry data transmission systems.
A Proposed More Generic Definition: Flight Safety System is a system that provides a means of control during flight for preventing a hazard from a flight vehicle, including any payload hazard, from reaching any populated or other protected area in the event of a flight vehicle failure. A Flight Safety System includes all airborne and ground hardware, software, and any human-in-the-loop controls used to protect the public. Such human-in-the-loop controls include associated human-systems interfaces and may involve ground-based Mission Flight Control Officers or Range Safety Officers, flight vehicle-based pilots or Flight Safety Officers, or any combination of such.
An RLV FSS Example
Let’s hypothetically say we have a reentering vehicle crossing the California shoreline heading towards Edwards AFB.
On one of the final set of energy management turns, an aerodynamic control surface has apparently failed, causing anomalous yaw motions. The current vector is towards lightly populated areas, but the potential for continued yaw could endanger more densely populated areas. Do you terminate now, causing some potentially fewer but higher probability casualties? Any hesitation in the decision could be catastrophic, but on the other hand, any premature termination action may needlessly cause casualties.
Would one much rather have an FSS that, either autonomously or by RSO command, ejects wingtip drag chutes to try to offset the yaw, while allowing continued flight to either open desert or a possibly successful touchdown?
One could say we should terminate prior to getting near the shoreline and placing population at risk. But what happens if the first anomaly indication happens after that threshold has passed? Do we just say no landings at Edwards as risk cannot be controlled by FTS?
Or do we employ a tiered approach using various forms of FSS, some with Contingency Management Systems in lieu of FTS, and specific criteria before each tier gate may be crossed?
Potential Impact to AFSPCM 91-710/91-711
Currently Proposed Impact
Presumes ground elements are GFE and onboard elements are Range User furnished
Accommodate options for RU or GFE of any/all FSS elements (AFSS, SBRSS, User furnished ground or mobile assets, network centric links,…)
91-710 Vol 2 Para 3.7 FTS Determination Analysis
Para 3.7.2: Minor edits to assess FSS type determination and any need for a scaled set of requirements
91-710 Vol 4 Airborne FSS Requirements Change To: Requirements upon Range User furnished FSS elements in order to fulfill top-level requirements
Paras 1.2.5.3.2, 1.3.2.5, 1.5, 6, 9: Minor edits
Para 1.4.1: Rewrite
Chap 3: Requires careful thought
Chaps 4, 5, 7: May be OK as is
91-711 Chap 6 FSS Ground Elements Change To: Requirements upon GFE furnished FSS elements in order to fulfill top-level requirements
Para 3.8.9-13, 6, 7: Requires careful thought
Potential Impact to RCC-319
Currently Proposed Impact
Presumes FSS includes FTS
An FSS may include an FTS, a CMS, both, or neither
Chap 1: Introduction
The need for and the technical content of RCC-319 basically remains intact.
The criticality for reliable FSS, not using FTS but rather CMS, may likely be just as critical as for those FSS applications that do require FTS-based solutions.
Minor FSS semantics editing.
RCC-319-07 format was overhauled to accommodate innovative Range User solutions to fulfill performance-based requirements.
Chap 2: Tailoring
Chap 3: Common FTS System and Component Performance Requirements
Chap 4: FTS Component Test and Analysis Requirements
Chap 5: FTS Component, Subsystem, and System Prelaunch Test and Launch Requirements
Chap 6: FTS Ground Support and Monitoring Equipment Design Requirements
Chap 7: Flight Termination System Analysis
Chap 8: Documentation
References
Appendix A: Software/Firmware Independent Verification and Validation
Appendix B: Electronic Piece-Part Upscreening Requirements
Appendix C: Electronic Piece-Part Derating Requirements
Glossary
Backup Slides
The Rosetta Stone
• An ancient Egyptian artifact instrumental in advancing modern understanding of hieroglyphic writing
• Text is three translations of a single passage
  • Egyptian hieroglyphic script
  • Egyptian Demotic script
  • Classical Greek
• Created in 196 BC
• Discovered by the French in 1799 at Rashid (a Mediterranean harbor in Egypt then referred to as Rosetta by the French)
• Contributed greatly to the decipherment of the principles of hieroglyphic writing in 1822 by Thomas Young and Jean-François Champollion
• Assisted in understanding many previously undecipherable examples of hieroglyphic writing.
AFSPC Terms
AFSPCMAN 91-710 V7 1 JULY 2004
flight safety system — the system consisting of the airborne and ground flight termination systems, airborne and ground tracking system, and the airborne and ground telemetry data transmission systems.
flight termination action - the transmission of thrust termination and/or destruct commands to a launched launch vehicle and/or payload.
flight termination system - all components, onboard a launch vehicle, that provide the ability to terminate a launch vehicle’s flight in a controlled manner; the flight termination system consists of all command terminate systems, inadvertent separation destruct systems, or other systems or components that are onboard a launch vehicle and used to terminate flight.
RCC Terms
RCC-319 version of August 2007
RCC Terms
RCC-321 version of June 2007
FAA FSS Terms
14 CFR § 417.3 Flight safety system means the system that provides a means of control during flight for preventing a hazard from a launch vehicle, including any payload hazard, from reaching any populated or other protected area in the event of a launch vehicle failure. A flight safety system includes:
• All hardware and software used to protect the public in the event of a launch vehicle failure; and
• The functions of any flight safety crew.
Below is from the FAA Advisory Circular AC 431.35-2A July 20, 2005
FAA RLV Approach
Newer FAA Approach
CSWG Language
The telemetry and tracking requirements for a reentry vehicle are intended to serve at least three purposes: (1) to facilitate activation of the FSS when necessary to protect public safety, (2) to provide input to the Post-Flight Vehicle Performance Analysis required by Volume 2 paragraph 3.8, and (3) to assist in recovery of the vehicle or vehicle debris, particularly in support of a mishap or accident investigation. Therefore, continuous tracking is generally required for a reentry vehicle in any phase of flight that exhibits a capability to hazard any protected area. The need for tracking of a particular reentry vehicle during a given phase of flight can be determined with an analysis acceptable to Range Safety that is similar to the FTS Determination Analysis required by Volume 2 paragraph 3.7. This analysis may show that tracking may not be required for a vehicle in the final phase of flight that can hazard only unpopulated or sparsely populated areas. For example, telemetry and tracking may not be required for a phase of reentry vehicle flight that poses a debris hazard only to broad ocean areas that are sparsely populated or unpopulated with vessel or air traffic.
A FSS as defined in Volume 1 paragraph 3.2.2 is generally required during launch/reentry unless the vehicle operator demonstrates that (1) no hazard from a launch/reentry vehicle, vehicle component, or payload can reach any protected area at any time during flight; (2) no failure of the vehicle would have a high consequence to the public; and (3) the absence of a flight safety system would not significantly increase the risk posed by vehicle hazards. The need for FSS capability during a given phase of flight of a particular reentry vehicle can be determined with an analysis acceptable to Range Safety that is similar to the FTS Determination Analysis required by Volume 2 paragraph 3.7. This analysis may show that the objectives of a positive, range-approved method of controlling errant vehicle flight may be met without a FSS as defined in Volume 1. For example, command FTS capability, or at least an explosive destruct system, may not be required for a vehicle in the final phase of flight that can hazard only broad ocean areas that are sparsely populated or unpopulated with vessel or air traffic.
Tracking a vehicle during any phase of flight that can threaten public safety (e.g. ascent or re-entry) is considered a safety critical function. The following guidance information will be included as a “bordered paragraph” near Volume 2 paragraph 1.6.9.1.1 to clarify “the requirement for continuous tracking and telemetry during reentry” you alluded to.
Similar comments about the FTS requirements were made. The following bordered paragraph will be included near Volume 1 paragraph 3.2.3.1 to clarify the requirement for a “positive, range-approved method of controlling errant vehicle.”
NASA Terms
NASA Terms
Range Safety Systems
FTS CMS
Aerospace Industry Terms
From the AIAA: ISO Standard 14620-3
From the COMSTAC RLV Working Group:
• COMSTAC – Commercial Space Transportation Advisory Committee
• Provides industry input to FAA
• Assessed FSS technology and applications on ELVs, RLVs, RPVs, and UAVs
• Examined range containment, vehicle destruct, flight safing, thrust termination, and vehicle recovery methodologies
• Found GPS Metric Tracking based methods sufficiently mature
• Assessed maturities of Autonomous FSS, traditional man in the loop FSS, and hybrids
• Found Integrated Vehicle Health Management (IVHM) based methods not yet mature
• Pilots can be part of the risk mitigation solution
• Considered that not all manned RLVs would have onboard pilots – autonomous control but carrying passengers!
• ELVs have no abort strategy beyond activation of the FTS
• Alternative solutions to FTS require “regulatory personnel” to have a “more thorough understanding of the design and performance aspects of a particular concept”.
UAS Lingo
Understanding and standardizing nomenclature:
FTS – The Flight Termination System consists of all components, onboard a launch vehicle, that provide the ability to terminate a launch vehicle’s flight in a controlled manner; the flight termination system consists of all command terminate systems, inadvertent separation destruct systems, or other systems or components that are onboard a launch vehicle and used to terminate flight.
  - (UAS Lingo) A system which ends the flight of a vehicle by imposing a condition of zero lift and zero thrust when termination is effected.
FSS - The Flight Safety System consists of the airborne and ground flight termination systems, airborne and ground tracking system, and the airborne and ground telemetry data transmission systems.
RSS – The Range Safety System (slang?) consists of those assets and attributes in a network-centric system that are performing functions that would be equivalent to a Flight Safety System.
CMS – The Contingency Management System is a system that may be aboard a UAV in order to fulfill risk mitigation necessary to bring risks to within acceptable thresholds. As such, it may be a key factor in the Range Safety approved risk management solution for a particular UAS operation. A CMS may use a set of elements within the vehicle, including but not limited to manual control, autonomous control, and recovery capability. Depending on the approved CMS solution, the CMS may be, but is not necessarily, a Flight Termination System (FTS) involving mechanisms, such as explosive charges, to abruptly terminate flight. Activation of a CMS shall not increase the risk to people or property.
Are you hep to the jive?
Terms from Academia
• Range-Centric and Vehicle-Centric FSS
  • Range-Centric: Most components of the decision making activity and source of decision data originates at a ground station
  • Vehicle-Centric: Most of these components are functioning onboard using the vehicle’s systems
• FTS and Vehicle Recovery System (VRS)
  • FTS – Flight or thrust termination either range or vehicle centric
  • VRS – A type of FTS highlighting its nondestructive nature featuring soft landing options using airbags, parachutes, throttle and aerodynamic control surface settings generating hopefully only minor maintenance afterwards
• Flight Safing
  • Do no harm if you do not know what to do
  • Default flight programming for lost links
• Autonomous Collision Avoidance
• IVHM – Integrated Vehicle Health Management
Human Systems Integration
The systematic Integration of nine human elements:
SMC/SE Contacts:
Dr Louis Huang: 310-653-1543
Chief, Space System Safety Engineering
Mr Francis McDougall: 310-653-1309
Space System Safety Engineer
Equivalent Level of Safety
Equivalent Level of Safety