A Brief Look at NASA's Safety Requirements for SpaceX

Source: WeChat official account "RAMS工程师"
2020-06-08

1. Background


At 3:22 PM US Eastern Time on May 30, 2020, SpaceX's first crewed spacecraft (Falcon 9 rocket plus Dragon 2 spacecraft) launched successfully from NASA's Kennedy Space Center, making SpaceX the first private commercial company in the world to achieve human spaceflight. About 19 hours later, at 10:16 AM Eastern Time on May 31, Dragon 2 docked successfully with the International Space Station, and the two astronauts arrived safely on board.


This writer, a lay spectator, watched the livestream. While marvelling at SpaceX's huge success, I was also curious about what safety requirements NASA imposes on SpaceX. After a rough search and collation of the material, this article took shape.

As is well known, human spaceflight is an enormous systems-engineering undertaking involving many intersecting disciplines. Based on publicly searchable material, this article looks only at NASA's safety requirements for SpaceX.

Given that little public material can be found, and given the writer's limited perspective and ability, omissions and one-sidedness are unavoidable; additions, criticism and corrections are welcome.

P.S. Many parts of this article quote the original English sources directly, without further translation.


2. Commercial Crew Program

In 2014, SpaceX joined the Commercial Crew Transportation Capability (CCtCap) phase of NASA's Commercial Crew Program as a provider, competing alongside Boeing as a candidate crew transportation provider for NASA.

[Image; source: [1]]


It was only with the successful launch and docking at the end of May this year that SpaceX formally passed NASA's certification requirements to become an official provider. (Editor's note: under NASA's certification requirements, a provider must successfully dock a crewed spacecraft with the International Space Station.)

According to NASA's description of the Commercial Crew Program [1], NASA requires its providers to satisfy a contract called the "Commercial Crew Transportation Capability (CCtCap) contracts", as shown in the figure below.

[Image; source: [1]]

NASA has published part of the "Commercial Crew Transportation Capability (CCtCap) contracts" on its website. Given the sensitivity of space technology, many parts of the public version (such as prices) have been redacted by NASA, so many specific details are unknown to us. But it at least offers a glimpse of roughly what safety-related contractual requirements NASA places on SpaceX in a programme of this size.



3. Safety Metrics

NASA's safety metric requirements for its commercial crew transportation system can be found in Commercial Crew Transportation System Certification Requirements for NASA Low Earth Orbit Missions [2]. There are 14 basic requirements in total, roughly covering:

  • A safe working environment must be provided for the crew.

  • The system must meet the Loss of Crew (LOC) metric computed from NASA's Design Reference Mission (DRM).

  • The system shall provide failure tolerance to catastrophic events without the use of emergency equipment and systems.

  • The system shall be designed to tolerate inadvertent operator action (at least one such action) without causing a catastrophic event.

  • The system shall tolerate inadvertent operator action in the presence of any single system failure.

  • The system shall be able to mitigate the hazardous consequences of safety-critical software.

  • The system shall be able to detect fault states in critical systems, subsystems and/or the crew.

  • The system must provide fault isolation and/or fault recovery.

  • The system must be able to use health and status data of critical systems and subsystems to resolve anomalies during and after the mission.

  • The system must provide autonomous operation of system and subsystem functions.



The full 14 requirements are given in [2]. The original English text is as follows:

  • 5.2.1 The CCTS shall provide the capability to sustain a safe, habitable environment for the crew.

  • 5.2.2 The CCTS shall safely execute the Loss of Crew (LOC) requirements specific to the NASA Design Reference Mission (DRM). The Programs shall determine and document the LOC risk when DRMs are specified. 

  • 5.2.3 The CCTS shall limit the Loss of Mission (LOM) risk for the specified NASA DRMs. The Programs shall determine and document the LOM risk when DRMs are specified. 

  • 5.2.4 The CCTS shall provide failure tolerance to catastrophic events, with the specific level of failure tolerance (one, two, or more) and implementation (similar or dissimilar redundancy) derived from an integrated design and safety analysis.

  • 5.2.5 The CCTS shall provide the appropriate failure tolerance capability defined in 5.2.4 without the use of emergency equipment and systems.

  • 5.2.6 For an ISS DRM, the CCTS shall comply with requirements for failure tolerance during ISS proximity operations and the ISS docked phase as defined in SSP 50808 Section 3.3.11.1.

  • 5.2.7 The CCTS shall be designed to tolerate inadvertent operator action (minimum of one inadvertent action), as identified by a human error analysis, without causing a catastrophic event.

  • 5.2.8 The CCTS shall tolerate inadvertent operator action in the presence of any single system failure.

  • 5.2.9 The CCTS shall provide the capability to mitigate the hazardous behavior of critical software where the hazardous behavior would result in a catastrophic event.

  • 5.2.10 The CCTS shall provide the capability to detect and annunciate faults that affect critical systems, subsystems, and/or crew health.

  • 5.2.11 The CCTS shall provide the capability to isolate and/or recover from faults identified during system development that would result in a catastrophic event.

  • 5.2.12 The CCTS shall provide the capability to utilize health and status data (including system performance data) of critical systems and subsystems to facilitate anomaly resolution during and after the mission.

  • 5.2.13 The CCTS shall provide the capability for autonomous operation of system and subsystem functions, which, if lost, would result in a catastrophic event.

  • 5.2.14 The CCTS shall provide the capability for the crew to readily access equipment involved in the response to emergency situations and the capability to gain access to equipment needed for follow-up/recovery operations.



4. Safety Work Requirements

The Commercial Crew Transportation Capability (CCtCap) contracts consist of one main contract (112 pages) and six attachments (the public portions total about 202 pages).

[Image; source: [3]]

4.1 Top-level requirements

In the CCtCap contract, NASA's definition of safety is identical to that in the US military standard MIL-STD-882D, but the order of priority for its safety considerations is: the public, astronauts, NASA personnel, equipment.

[Image; source: [4]]

The requirements for safety work are reflected more fully in the third attachment, Appendix J-03 Contract Performance Work Statement (PWS).

[Image; source: [5]]

This part contains NASA's requirements for SpaceX in the areas of Risk Management and Safety and Mission Assurance, as follows:

  • Risk Management (Section 1.2.4 of the third attachment, Appendix J-03)


[Image; source: [5]]


  • Safety and Mission Assurance (Section 1.2.5 of the third attachment, Appendix J-03)


The work items required in this section will be familiar to most readers: FMECA, hazard analysis, probabilistic safety analysis and software safety analysis.

[Image; source: [5]]

In addition, from Appendix A of Attachment J-03, Milestone Acceptance Criteria and Payment Schedule, the relevant deliverables we can see include at least: Human Error Analysis, Integrated Probabilistic Safety Analysis, Hazard Report Status, and Fault Tolerance Assessment.

[Image; source: [6]]

4.2 Specific requirements

As noted above, under the third attachment, Appendix J-03, NASA requires SpaceX to comply with CCT-PLN-1120 in order to meet the requirements of CCT-REQ-1130 and SSP 50808. CCT-PLN-1120 is Crew Transportation Technical Management Processes, CCT-REQ-1130 is Crew Transportation and Services Requirements, and SSP 50808 is ISS Visiting Vehicle Requirements. They are NASA's requirement standards for Commercial Crew Program providers. The relationship between these standards is shown in the figure below.

[Image; source: [7]]

Next we trace the requirements further back and look at the specific Safety and Mission Assurance requirements in CCT-PLN-1120 and CCT-REQ-1130 respectively:

4.2.1 CCT-PLN-1120 Crew Transportation Technical Management Processes

[Four images; source: [8]]

4.2.2 CCT-REQ-1130 Crew Transportation and Services Requirements

  • Metric requirements: here each safety metric is quantified.

[Four images; source: [9]]

  • How they are verified:

[Three images; source: [9]]


5. Summary

From the publicly retrievable contract between NASA and SpaceX, we can roughly see that:

  • NASA's safety metrics for SpaceX include Loss of Crew (LOC), Loss of Mission (LOM) and others.

  • NASA's safety work requirements for SpaceX include at least FMECA, Hazard Analysis, Probabilistic Safety Analysis, Software Safety Analysis, Human Error Analysis, Fault Tolerance Analysis and others.


What this article discusses is only the tip of the iceberg. It does not touch on NASA's many other requirements for SpaceX, such as functional requirements, design, testing, trials and other important factors, and looks only, in isolation and partially, at some of the safety-related requirements in the public contract. Interested readers can explore further through the references at the end of this article.



References

[1] NASA Commercial Crew Program.
https://www.nasa.gov/sites/default/files/atoms/files/commercialcrew_press_kit.pdf
[2] ESMD-CCTSCR-12.10. Commercial Crew Transportation System Certification Requirements For NASA Low Earth Orbit Missions.
https://www.nasa.gov/pdf/504982main_CCTSCR_Dec-08_Basic_Web.pdf
[3] SpaceX Commercial Crew Transportation Capability Contract (CCtCap).
https://www.nasa.gov/content/electronic-library-spacex-commercial-crew-transportation-capability-contract-cctcap/
[4] Commercial Crew Transportation Capability Contract with SpaceX.
https://www.nasa.gov/sites/default/files/files/CCtCAP-contract.pdf
[5] Attachment J-03 - Performance Work Statement (PWS).
https://www.nasa.gov/sites/default/files/files/CCtCAP-Attachment-J-03.pdf
[6] Attachment J-03, Appendix A - Milestone, Acceptance Criteria and Payment Schedule.
https://www.nasa.gov/sites/default/files/files/CCtCAP-Attachment-J-03-Appendix-A.pdf
[7] Commercial Crew Program Status Brief.
https://www.nasa.gov/sites/default/files/files/Mango_CommercialCrewProgram_May2011.pdf
[8] CCT-PLN-1120. Crew Transportation Technical Management Processes.
https://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/20150010760.pdf
[9] CCT-REQ-1130. ISS Crew Transportation and Services Requirements Document.
https://ntrs.nasa.gov/archive/nasa/casi.ntrs.nasa.gov/20150010757.pdf

