© [2012] Orbital Sciences Corporation. All Rights Reserved.

A Proposed Approach to Integrating Hazard Analyses with Requirement Definition and Verification
Benjamin Herbert, Mark Arend, Charlotte Pappageorge (CSEP), G. Fitz Vernon, Darko Filipi, Kenneth J. Bocam
November 18, 2018
Agenda
- Purpose
- Role of Safety Engineering
- Hazard Analysis
- Problem Statement
- Proposed Approach
Purpose
To propose an efficient interaction between Safety and Systems Engineering that:
- Lessens the chance of documenting conflicting and incorrect information
- Ensures a single requirement source for Design Engineering, thereby lessening the chance that requirements will be missed
- Avoids duplicate effort between Systems and Safety Engineering (reducing program cost)
- Fosters interaction between Safety and Systems/Design Engineering at various levels of detail throughout the project lifecycle
- Supports having a safe system
Safety Engineering Plays a Critical Role
- Provides independent oversight
- Ensures that the priority of safety to personnel, crew, or in-space assets is achieved and reasonably maintained above cost, schedule, or other program factors
  - Especially important for human spaceflight programs
- Safety Review Panel (SRP) at NASA provides oversight
Safety Definitions
Hazard
- Definition: An occurrence that would cause loss of life, crew, hardware, etc.
- Example: A visiting vehicle colliding with the ISS.
Cause
- Definition: Underlying reason why a hazard can be realized
- Example: Inadvertent memory modification can cause unexpected behavior of a vehicle
Control
- Definition: A means of preventing a hazard from being realized
- Example: Processors are RAD hardened; CRC checks are performed on commanded memory modification
Hazard Control Verification
- Definition: A means of proving the control (as implemented) is in place
Safety Analysis Process
- Systematically identifies and mitigates hazards and risks
  - Hazard Analyses
  - Critical Items List
  - Failure Mode Effect Analysis
- Process and methods detailed in SSP 30309 for Integrated ISS Systems and Operations
Mitigation of Hazards
- Preferred solution: Elimination of hazard source or hazardous operation
- Alternative solution: Reduce hazard with controls
  - Preventative Controls:
    - Hazard-Minimizing Design Features (Fault Tolerance, Factors of Safety, etc.)
    - Safety Devices
    - Warning Systems
    - Special Procedures
- Existence and proper operation of controls must be verified
Hazard Analysis Development – The Traditional Linear Approach
Problem Statement
- Verification is independently and sometimes redundantly established for both requirements and Hazard Controls
  - Design Engineering team has to produce evidence to show compliance to both
- Safety assesses rather than influences the design
  - Makes it more difficult for Safety Engineering to thoroughly and accurately understand the design of the System
  - Increases the likelihood that an unsafe feature will be missed
- Reactionary nature of the process may necessitate unplanned design changes after the design process is largely completed
  - Increases program cost and slips program schedule
- Substantial effort is required to ensure that Hazard Report paperwork is kept up-to-date after initially being established
Proposed Process Integration
- Integrate Safety and Systems Processes
  - Maximize quality and efficiency
- Key Elements
  - Associate Hazard Controls with a requirement
  - Derive requirements to appropriate specificity at the appropriate requirement levels
  - Verify Hazard Controls by virtue of their associated requirement being verified
  - Provide Design Engineering a single source for requirements and verification requirements
  - Involve Safety Engineering and Systems Engineering in each other's processes
  - Give Safety approval authority on changes to safety critical requirements or their associated verification
The Integrated Approach
- Proposed process enables better communication between Safety and Engineering
  - Increases the likelihood that a process will be executed correctly
  - Promotes System safety
- Safety documentation requirements are still satisfied
  - Detailed verification plans capture the level of detail necessary for inclusion in hazard reports
Hazard Control Verification
- Levied in the specification
- Specific details about how the verification plan is applied to the design
- Not "levied" on Design Engineering, but rather reflects the detailed plan; changes require Safety approval
- Test Procedures are developed and executed using the verification details as a blueprint
Hazard Analysis Development – The Integrated Approach
Example Verification Details
Hazard Cause: Solar arrays do not stay rigidly deployed following initial deployment
Hazard Control: Solar arrays are locked into place following initial deployment
Requirement 1: The XYZ Spacecraft shall lock the solar arrays into position following initial deployment such that a 2.0 margin of safety is maintained against the loads defined in DocABC.
Requirement 2: The XYZ Spacecraft shall only use mechanisms that are one-fault tolerant to performing their required functions.
Verification Plan (Method and Criteria) for Requirement 1: Analysis shall determine the MoS against the loads when the locks are in place and confirm that it meets the requirement. Test shall demonstrate that the locking mechanism engages and holds to acceptance loading.
Verification Details for Requirement 1: The analysis will determine the minimum margin of safety for one and two solar array locks in place for each of the two solar arrays, using the solar array loads in DocABC, by means of a System integrated Finite Element Model. The test will command deployment of the solar arrays and simulate zero-g deployment using MGSE. A 1.1 test factor will be applied to the load in DocABC for both the single lock and dual lock configurations.
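As an added example that is not part of the slides, the following Python sketch applies the key elements of the integrated approach (controls associated with requirements, controls verified only through their requirements, Safety approval on changes) to the solar-array example above. The identifiers REQ-1, CTL-1 and CAUSE-1, the requirement left without a plan, and the orphan control CTL-2 are constructed assumptions used to show what a traceability check reports.

```python
from dataclasses import dataclass, field
from typing import List, Optional
@dataclass
class Requirement:
    text: str
    safety_critical: bool
    verification_plan: Optional[str] = None  # method and criteria, levied in the specification
    verified: bool = False                   # verification evidence produced and accepted
    safety_approved: bool = False            # Safety approved the requirement and its verification
@dataclass
class HazardControl:
    description: str
    requirement_ids: List[str] = field(default_factory=list)  # requirement(s) that implement the control
# Constructed sample data after the slide's solar-array example; REQ-2's missing plan and CTL-2 are deliberate gaps.
REQUIREMENTS = {
    "REQ-1": Requirement("XYZ Spacecraft shall lock the solar arrays so that a 2.0 margin of safety is held against DocABC loads.",
                         True, "Analysis determines MoS with locks in place; test shows the lock engages and holds.",
                         verified=True, safety_approved=True),
    "REQ-2": Requirement("XYZ Spacecraft shall only use mechanisms that are one-fault tolerant.", True),
}
CONTROLS = {
    "CTL-1": HazardControl("Solar arrays are locked into place following initial deployment", ["REQ-1", "REQ-2"]),
    "CTL-2": HazardControl("Constructed control with no associated requirement"),
}
CAUSES = {"CAUSE-1": ("Solar arrays do not stay rigidly deployed following initial deployment", ["CTL-1", "CTL-2"])}

def trace_gaps(causes, controls, requirements):
    """A control is verified only by virtue of its requirements being verified (with a plan and Safety
    approval); every break in that chain is returned as a (cause_id, control_id, reason) tuple."""
    gaps = []
    for cause_id, (_, control_ids) in causes.items():
        for cid in control_ids:
            req_ids = controls[cid].requirement_ids
            if not req_ids:
                gaps.append((cause_id, cid, "control not associated with any requirement"))
            for rid in req_ids:
                r = requirements[rid]
                if r.verification_plan is None:
                    gaps.append((cause_id, cid, f"{rid} has no verification plan"))
                elif not r.safety_approved:
                    gaps.append((cause_id, cid, f"{rid} verification not approved by Safety"))
                elif not r.verified:
                    gaps.append((cause_id, cid, f"{rid} not yet verified"))
    return gaps
def change_verification(req, new_plan, safety_approved):
    """Changes to a safety-critical requirement's verification need Safety approval and reset 'verified'."""
    if req.safety_critical and not safety_approved:
        raise PermissionError("change to safety-critical verification requires Safety approval")
    req.verification_plan, req.verified, req.safety_approved = new_plan, False, safety_approved
    return req
```

Running trace_gaps over the sample data reports that CTL-1 cannot be closed until REQ-2 has a verification plan, and that CTL-2 is not tied to any requirement at all.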
Advantages of the Integrated Approach
- Safety considerations are more likely to be built into the design process by using requirements
- Reduction in redundant effort
- Design descriptions and hazard control verification plans provided to the governing organizations/customer (e.g. NASA) require less maintenance to remain accurate
- Hazard reports can be generated from the same tool used to generate specifications, MVPs, etc. (e.g. Cradle, DOORS)
- Safety remains independent of other program factors
  - Hazard, cause, and control definition process is unchanged
  - Process requires Safety approval at every stage of review and development of requirements and verification
Conclusions
- Safety Engineering and Systems Engineering work to achieve related goals
- Integrating Safety and Systems Engineering processes
  - Achieves goals common to both
  - Increases efficiency
- Enables efficient and safe design by leveraging accepted design verification processes