hazard control & crew...

© Copyright QinetiQ Limited 2012 QinetiQ Proprietary

1

Hazard Control & Crew Interaction

Herwig Hellinckx, P. Rosiers

A presentation to: 6th IAASS Conference – Safety is Not an Option, session 30 System and Payload Safety

22.05.2013

QinetiQ Space nv© Copyright QinetiQ Limited 2010

Ground

Operations

Satellites &

PlatformsSubsystems

Scientific

PayloadsServices

QinetiQ Space nv

The leading provider of Small Space Systems

Small satellite bus

End-to-end

mission solutions

ESA

Export

Microgravity

research

Planetary

exploration

Earth observation

On-board

computers

Docking &

Berthing Systems

Space

Mechanisms

IOT Services

LEO & GEO ops

Teleport

Integrated Appl.

Institutional

Commercial

Technical

consultancy

Systems engineering

Project management

Aerospace

High-tech

Company introduction

2


QinetiQ Space nv Headquarters

Located in Kruibeke - Belgium

Offices: 3.742 m², Warehouses: 1.200 m²

2 Class 100.000 cleanrooms

QinetiQ Space nv Ground Station Operations

Located in Redu - Belgium

ESA satellite ground station

Jointly operated with SES Astra

• Former Verhaert Space (name change April 2010 to QinetiQ Space)

• Founded in 1969 as product developer

• Space activities started in 1983

• Delivered 100+ systems and sub-systems for manned space stations, satellites

and interplanetary missions

• Belgians leading space company and innovative product developer

• Acquired by the QinetiQ group (UK) in 2005

• 110 highly educated specialists employed

• Turnover over 15 MEURO (2008)

Key Data

Company introduction

3


Hazard Control & Crew Interaction

Crew interaction with hardware often requires careful design and implementation

of dedicated features to prevent hazards from occurring.

Several case studies are presented which illustrate dedicated design solutions

and verification approaches used in hazard control.

4


Case 1: Selectable Optics Diagnostics experiment (SODI) in MSG

Installing hardware in wrong configuration can result in damage to the hardware

making it inoperable in space or even creating hazards to the crew.

The basic principle of SODI is to have modular instrument for operation in

Microgravity Science Glovebox in ISS.

SODI is equipped with various optical diagnostics allowing to mount different cell

arrays for different experiments as to study the aggregation of colloidal solutions

(COLLOID), to study diffusion phenomena and Soret effects in liquids and

investigate the influence of vibration stimuli on these phenomena (DSC and

IVIDIL)

The modular approach concept allows exchanging subassemblies inside MSG

without endangering the overall functionality.

Advantage of this modularity is less hardware needs to be uploaded.

5


Case 1: Selectable Optics Diagnostics experiment (SODI) in MSG

Drawbacks:

•More complicated installation

•Possible hazards associated with incorrect configuration

6


Case 1: SODI in MSG

Mitigation of hazards using Poka-Yoke

(mistake- proofing) techniques

One example is the mitigation of hazards

related to the use of 120 V (hazard is crew

exposure to high voltage):

Protection against inadvertent mating (dedicated

connector keys)

Power carrying side female

Pins/sockets completely enclosed

1 Inhibit link through all power cables connecting

the different subsystems

7


Case 1: SODI in MSG

8


Case 1: SODI in MSG

Another example of mitigation of hazards using Poka-Yoke techniques helping

the operator to avoid mistakes is related to avoid hazards resulting from

incorrect installation

Subassembly can physically only be fitted in the correct location (assymetric

dowel pins or rails) e.g.exchangeble hard disks

Proper marking (guiding labels)

9


Case 1: SODI in MSG

10


Case 1: SODI in MSG

11


Case 2: Transparent Alloys in MSG

Handling levels of containment in space is

another common operations topic to avoid crew

exposure to hazardous substances

Transparent Alloys is another modular instrument

for MSG intended to study directional

solidification phenomena in µ-gravity

The basic principle is that the substances

contained on ground in a glass cartridge are

uploaded inside a transport container and once in

orbit are processed inside the experiment unit.

This means that in orbit the cartridges need to be

transferred from the transport container to the

experiment unit.

Although perfomed in a glovebox, could not rely

on the filters due to incompatibility with the

substances

12



Mainting required number of levels of

containment during all phases in space

THL=2, 3 LOC’s required

Substances in glass cartridge (1 LOC);

Uploaded inside double sealed transport

container

Processed in double sealed experiment unit

Transfer the cartridge by an exchange

mechanism that maintains the 2 LOC’s during

transfer

Exchange mechanism is safety critical,

developped fault tolerant acc. ECSS-E-ST-33-01

gas sensors verify intactness of cartridge

13



Main features of exchange mechanism:

• Verification of intactness of the first level

of containment prior to start of exchange

operations; this is done through

dedicated gas sensors

• Qualification towards ECSS-E-ST-33-01

• Failure tolerant design with position

detectors, assuring that the mechanism is

not activated when unsafe

• Features to avoid incorrect positioning

14

3a

6b

1a

POWER

2b

Door

Motor

4a

5a

Clamp

Motor 1

Clamp

Motor 2

4b

5b

Translation

Motor

Sensor detection function

1 Door closed (redundant)

2 Container handle locked (redundant)

3 Door open (redundant)

4 Hot clamp open (left & right)

5 Cold clamp open (left & right)

6 Hard stop position (3 positions)

7 Translation home

8 Cartridge detection

9 Illumination home (set at 0°)

10 Camera’s home (NOC & HAC)

11 Gas sensor (redundant)

CREW LED

1b

2a

Gas sensor 2

11a

11b

Gas sensor 1

Hard-stop

Motor

6a

6c

Bi-stable lock

Bi-stable lock

Ca

rtrid

ge

Exp

erim

ent I

D

Car

trid

ge d

etec

tion

3b

Illumination

0° pos9

7

NOCamera

10a

10b

HACamera

8



15


Case 3: provisions for rapid undonning

Emergency egress for crew not always easy to implement or difficult to verify

Provisions include quick buckles and zippers

Verification by on ground tests and during parabolic flight

16


Case 3: provisions for rapid undonning

17


Case 4: Subject Loading System (SLS)

The hazard potential of failure modes involved in crew

exercising equipment is often hard to analise.

On current treadmills in space, bungees are used to

keep the crew on the treadmill during running, reducing

the negative effects of microgravity on the astronauts

physiology (countermeasure).

ESA’s SLS subsystem for NASA T2 treadmill provides

an accurate pull down force on the crew running on a

treadmill, simulating the weight of the astronaut

independent of the movement.

It’s based on the resistance experienced when moving

a plunjer in a pressurised cylinder

18



The severity impact of failure modes of the SLS

affecting the running crew member could not be

estimated on ground because of the different

biomechanical behavoir in 0-G compared with the

same human movements on ground.

19



Two failure modes of the SLS were identified

which could result in crew injury :

• Loss of the connection between the exercising

crew member and the SLS (rope breakage)

causing the crew member to rotate fast and

eventually hit the T2.

• Blockage of the SLS mechanism causing the

crew member to brake his movement at one

side (brake of the running movement at one

side/leg).

After numerous analyses on forces and

movements and discussions with

biomechanical experts it remained uncertain

how credible the hazard was.

20



During parabolic flight test campaign test subjects of different size and weight

were subjected to both failure modes. The effect on running was filmed and

analysed and completed with test subject questionnaires.

21

Better understanding the real hazard and helped to convince safety

panel on adequacy of SLS controls and verifications

hazard control & crew...

Documents