Chapter 3

Ground Safety

Special Topics

Paul Kirkpatrick

Chapter Outline

3.1 Safety During Payload Ground Processing

Paul Kirkpatrick, John Dollberg, Jean-Pierre Trinchero

3.2 Gases Storage and Handling Safety

Michael T. Kezirian

3.1 Safety During Payload Ground Processing

Paul Kirkpatrick, John Dollberg and Jean-Pierre Trinchero

Introduction

This subchapter describes the typical hazards that can be expected to be encountered when processing payloads on the ground. Also described are some of the more common controls for these hazards. Many of these controls are based on hard requirements, but they are also based on specific lessons learned. This subchapter uses the term flight hardware (F/H) for all payloads regardless of size.

Flight Hardware (F/H)

Flight Hardware Hazards in the Ground Environment

Flight hardware is that equipment which is designed for on-orbit operations. Safety requirements for F/H are described in other chapters and books. Throughout this chapter those hazards which apply to F/H while performing ground processing will be discussed where appropriate. These hazards include such categories as electrical systems, composite overwrapped pressure vessels and ground handling.

Design standards for F/H are determined by the program or project based on the needs of the mission. However, ground safety standards may also be applicable and need to be included early in the design phase. Failure to account for ground safety requirements may necessitate a re-design effort or an increase in risk to the mission. Designers also need to take into account that if the F/H is going to be processed at multiple locations, then compliance with each location’s safety requirements is required.

Ground Support Equipment (GSE)

Ground Support Hazards

Ground support equipment can be defined as all non-flight hardware and software that is used to support the transporting, receiving, handling, assembly, testing, checkout, servicing, launch, recovery and post flight processing of space vehicles and payloads at the launch, landing, and retrieval sites. GSE does not necessarily have to provide a direct connection to the flight hardware to be considered GSE. For example, communication hardware that can provide radio frequency transmission commands to the flight hardware during processing operations is considered GSE. Other terms for GSE may also be used, such as factory equipment, test equipment, special test equipment, support equipment, processing equipment, and commercial off the shelf (COTS) equipment. Generally, the scope of the GSE will be defined by the program or project as well as the safety requirements. The GSE requirements used to process the flight hardware at the manufacturing, development, or test facilities may also be specified by the program or project.

The safety requirements for GSE will be specified by the program or project organization responsible for the flight hardware and, at a minimum, contain those requirements specified by the processing or launch site. Examples of requirements documents include CNES CSG-RS-33A-CN, JAXA JMR-002 and USAF AFSPCMAN 91-710. Generally, the GSE is designed and operated in accordance with the national laws and consensus standards of the country of origin, subject to local processing site requirements. Modifications to GSE that comply with the national standards where the GSE was manufactured may not be required to comply with additional safety requirements imposed for GSE, when the GSE is used in another country.

A safety process will be established to ensure the customer’s GSE complies with the appropriate safety requirements. The requirements should state what safety documentation is required to be submitted to the program or project and what type of safety review process will be used to approve the customer GSE. The safety reviews may be held in a safety review panel forum with representatives from the customer and a panel of safety experts representing the program or project.

The timing of the safety reviews and of the delivery of the associated safety documentation is typically linked to major program milestones. The safety documentation is reviewed to provide assurance that hazard causes have been identified and controlled to an acceptable level and that a scheme is in place to ensure the controls are verified prior to the start of the associated operations. The results of these reviews are presented to program management, processing and launch complex operators, and sponsoring agencies for approval. The results will also identify any risks that must be accepted by the program or project. Risks are typically catastrophic or critical hazards with very high or high likelihoods of occurrence that could result in loss of mission, damage to flight hardware, damage to facilities, or injury or death to personnel. The complexity of the documentation and the required submittal dates and processes vary with each mission. Early contact with approving authorities is recommended to establish an understanding of applicable requirements and expectations.

Ground Support Equipment General Design Practices

When considering the GSE to be used in the processing of flight hardware, the customer should pay close attention to the operating environment where the GSE will be used. The natural geographical environment where the GSE is designed to function will play a role in the design of the GSE. GSE which must be used outside must consider the effects of salt spray, sun exposure, rain, snow, etc. Sunlight could affect the ability of the workers to read digital readouts, so human factor issues are an important part of environmental considerations. GSE designed to function in hazardous atmospheres must be compatible with the materials present and also fire/explosion proof as required. GSE in a clean room environment must be compatible with the cleanliness level necessary for the flight hardware. GSE may require other special environmental considerations such as design for seismic environments if used in earthquake zones or temperature extremes to match the processing and landing site environments.

Good sources of information for GSE are lessons learned data bases and mishap data bases from previous programs. For example, during the ground processing of a NASA payload, a mishap occurred involving the inadvertent attempted mating of an energized electrical connector from a spacecraft battery. The technician attempted to mate the pin side of the connector to the socket side of the connector in an area of the spacecraft where the technician could not view the socket side of the connector. As a result, he inadvertently scooped the energized pins against the shell of the wrong connector which shorted out the battery. A small fire resulted which damaged the battery and the electrical arc damaged the connectors. This mishap resulted in a change to the NASA GSE payload safety requirements imposing the use of scoop proof keyed connectors for all energized connections.

Other lessons learned are gained from real life operational experiences. One payload customer built a fluid servicing cart that was intended to be rolled around on wheels for ease of transportability to the flight hardware and the fluid servicing area. However, the cart designer forgot to include the weight of the fluid when selecting the size of the wheels. When the cart was fully loaded with fluid, the weight of the cart exceeded the load capacity of the wheels. As a result, the cart was placed on wood blocks after filling to take the weight off of the wheels and the cart was no longer portable. Designers need to consider maximum gross weight when designing stands, carts, and lifting equipment.

One last note concerning fluid carts. If the cart also has electrical power connections, it is important to make sure the electrical connections are all located higher than the fluid connections. In this configuration, a fluid leak will not drip on an electrical connection which could result in a shock or fire hazard.

During typical payload processing flows, the GSE is used for a few months to process the payload at the launch site and then returned to the customer facility never to be brought back to the launch site again. In some processing flows, the GSE may be used for several repetitive operations, or the GSE may be used for a series of flight hardware missions. If the GSE is to be used long term, consideration must be given to ongoing operation and maintenance of the GSE. For the processing of Space Shuttle payload GSE, the safety requirements did not address long term usage of GSE such as occurred during the processing of International Space Station (ISS) flight hardware. As a result, during the later stages of ISS processing, as GSE began to show signs of wear and tear, data to support advanced maintenance and repair was difficult to obtain due to the completion of the original contracts.

Ground Support Equipment Design Details

This section will discuss the different categories and subsystems of GSE. Key safety considerations will be provided as well as lessons learned.

Biomedical Systems and Materials

Biomedical systems cover the range from plant life to animal life to experiments performed on the flight crew. Hardware containing biological material requires special attention because of the possibility of injuring the flight or ground crew. Remember to ask for Material Safety Data Sheets (MSDS) or similar information when obtaining biological samples, as this data is frequently available from the supplier.

Although a biological experiment or sample may have a low toxicity on orbit, this does not mean that the experiment or sample has a low toxicity on the ground during pre flight or post landing ground processing. Concentrated acids or fixatives may be used to prepare or process the biological samples on the ground which are hazardous to the ground processing personnel. The ground safety hazard analysis must consider how the ground processing personnel are protected from exposure to the chemicals used to process the biological samples and exposure to the samples themselves.

The handling of trash returning from space requires careful planning. There have been cases of ground personnel stuck by used syringe needles because such trash was not segregated properly on orbit prior to landing. A plan for marking and handling trash must be developed prior to launch to ensure protection of ground personnel after landing.

Electrical

In general, electrical GSE should be designed and operated in accordance with the national safety and consensus standards from the country of origin. For the United States, this means the GSE should comply with the National Electrical Code (National Fire Protection Association Standard No. 70) and have an Underwriters Laboratories (UL) label. The GSE should only be used within the manufacturer’s guidelines. Any modifications will require an additional hazard analysis. Electrical GSE used in a different environment than intended may require additional safeguards such as hazard proofing or purging to prevent fire or explosion.

Electrical connectors shall be designed to make it physically impossible to inadvertently reverse a connection or mate the wrong connectors if a hazardous condition can be created. The connectors for energized circuits should be of a scoop proof design to prevent an inadvertent hazardous mating, as discussed earlier. Construction of the payload and the electrical GSE shall assure that all conductive external parts and surfaces are at ground potential at all times.

Another lesson learned is to be careful when using three phase power GSE. There have been incidents when three phase electrical GSE was mated to facility power connections that had a different phase rotation. When the GSE was powered up, the GSE was damaged because the GSE motor was wired for a different three phase rotation than the facility power provided. Remember to check the three phase power rotation from the facility before connecting three phase power GSE so that the phase rotations match between the facility and the GSE.

Special attention should be given to battery charging and conditioning operations. Continuous monitoring by personnel should occur during spacecraft battery charging and conditioning operations. The battery charging GSE should incorporate devices to protect the batteries such as fuses, diodes, voltage and current limiters, and temperature and pressure monitors.

Pressure Systems

Most countries have national standards or consensus standards for the design of pressure vessels and pressure systems used in ground systems. These standards should be used as the basis for the design of the pressure GSE used to process the flight hardware at the launch site and the manufacturing facility. Consult with the program or project as the safety requirements imposed on the pressure GSE may include additional requirements in the areas, for example, of testing, marking, or color coding.

Consider human factors when selecting and locating pressure gauges in the GSE. Gauges should be clearly readable from where the operator normally is located to operate the pressure GSE. Lighting may be necessary on the panel to assist in reading the gauges. Gauges have sometimes been selected which cannot provide the level of accuracy needed to read the pressure value. Gauges should have blow out backs so that if they receive excessive pressure, they will vent away from the operator.

Pressure GSE used for multiple fluids should be designed with different sized connectors, keying, etc. to make it physically impossible to mix fluids that could result in a hazardous condition. Flexible hoses rated for use above 150 psi (1034 kPa) should be restrained at connections, across unions, and every six feet (1.8 m) to prevent whipping in case of inadvertent disconnect while under pressure. The hoses should be placed in a manner to eliminate tripping hazards to personnel.

Special care should be taken to ensure that any venting done by a pressure system, whether planned or unplanned, is done in such a way as to not create a hazardous condition. If venting into the work area, the vents should be configured so that the discharge is directed away from personnel. Work should never be accomplished on a pressurized system without first venting the pressure out of the system.

The use of composite overwrapped pressure vessels (COPVs) in flight hardware requires special attention during ground processing. Because COPVs are very sensitive to impact damage, the program should require a mechanical damage control plan for the COPVs that explains in detail how the COPVs will be protected from the time of arrival at the assembly site through launch. The COPVs may also require a certified inspection after transportation to the launch site.

Explosives

Explosive devices are generally divided into two categories: Category A and Category B. Category A electro explosive devices (EEDs) are ones that by expending their own energy, or initiating a chain of events, may cause injury or death, loss of life, or damage to hardware or property. Category B devices are ones that will not, by expending their own energy, or initiating a chain of events, cause injury to people or damage to hardware or property. There are cases where an EED may be one category during ground processing and then become a different category after installation into the flight hardware, after integration of the payload to the launch vehicle or prior to launch.

All explosive devices must be stored, shipped, and handled, in a manner consistent with their hazard level and classification. Faraday caps must be installed on ordnance until electrical connections are made. Explosive test equipment must limit the energy input to the EED.

Explosive devices and systems are required to be designed to preclude inadvertent firing when subjected to environments, including shock, vibration, and static electricity that can be encountered during ground processing. Explosive circuits, hardware design, and accessibility must permit interrupts such as safe plugs or safe and arm devices as close to the explosive devices as possible. Final connections should be made as late as possible prior to launch.

Mechanical and Electromechanical Devices

Flight hardware that contains deployment mechanisms must have all necessary controls in place to prevent inadvertent activation. These mechanisms include such items as solar arrays or sample gathering devices. Even if the deployment is non-hazardous, controls are highly recommended to promote mission success.

Regarding solar arrays, remember that solar arrays exposed to facility lighting can generate electricity. Solar arrays should be kept covered or routed to load resistors to prevent a shock hazard to personnel or damage to equipment.

Propellants

The materials used in liquid propellant systems must be compatible with the type of liquid propellant used. The type of fluids used in launch vehicles and spacecraft liquid propellant systems can vary widely from inert gases to highly hazardous hypergolic fluids. Since each of these fluids has distinct physical and reactive properties, it is important to follow the guidelines contained in the Material Safety Data Sheets or similar data sheets and to develop the hazard analysis and safety considerations accordingly.

When dealing with solid propellants, following the requirements related to explosive and electrical safety is important. The most critical hazard faced is the control of electrostatic discharge (ESD). This hazard can occur through the environment (lightning), or electrical systems or materials used during processing (plastic films).

Safety considerations for both liquid and solid propellants include the proper storage, transfer, and handling of propellants, separation from reactive materials, capability to isolate leaks, purging, spill containment, clean up, and electrostatic properties of materials. Emphasis is placed on personnel protection during propellant operations, toxic vapor detection, asphyxiation hazards, venting and scrubbing of vapors, explosion proofing of electrical equipment, and emergency planning.

There are several lessons learned available that can be studied where lives were lost as the result of asphyxiation or electrostatic discharge mishaps in this area.

Cryogenics

In general, cryogenic systems must comply with the same requirements as those that apply for propulsion systems and pressure systems. Due to their unique physical properties, some additional requirements are also imposed. Cryogenic systems shall provide for thermal contraction and expansion without imposing excessive loads on the system. Cryogenic GSE systems shall be insulated with an oxygen compatible material or be vacuum jacketed to prevent liquefaction of air. The use of pressure relief devices is required in parts of the system where conversion from liquid to gas can create a pressure rise issue. This issue may also be resolved by the draining of cryogenic lines after completion of the operation.

Oxygen

The use of gaseous or liquid oxygen involves unique design requirements with respect to material compatibility. Metals, soft goods in valve components, and lubricants must be carefully selected to ensure compatibility with oxygen. Cleanliness of oxygen systems is extremely important because contamination and particles can ignite when impacted against components in the GSE or flight hardware. During operations, valves should be required to open and close slowly, and the oxygen flow rates should be kept below 100 feet/second to prevent an adiabatic compression hazard.

Oxygen systems should be analyzed to ensure leak prevention, adequate ventilation, suitable design of system components, and system cleanliness. Systems should be designed with sufficient redundancy to provide adequate failure tolerance and personnel safety.

Ground Handling

Ground lifting operations generally use either the attach points that connect the flight hardware to the launch vehicle, or special attach fittings added solely for lifting operations that are later removed before flight. When utilizing the flight attach points, the flight dynamic structural analysis must include enough safety margins to account for the ground lifting load. When special attach fittings are used, an analysis is required to verify the load paths have adequate safety factors for ground handling. Be careful if the attach points are located below the center of gravity of the flight hardware. There has been at least one case where the flight hardware flipped over inside the sling during a crane move because the attach points were below the center of gravity of the flight hardware.

Lifting GSE design should comply with the requirements of the country of origin and there may be additional program requirements imposed for testing and inspection of the GSE. Large pieces of lifting GSE may require disassembly for shipping to the launch site. A method is required to ensure the lifting equipment is reassembled correctly after arrival at the launch site for use. Methods to ensure correct reassembly include marking, tethering, labeling, and color coding. As a lesson learned, if color coding is used as the method of marking, make sure that the personnel performing the reassembly of the lifting device do not have color blindness.

Software Safety

Software continues to play an increasing role in the design of flight and ground systems. Software is used to monitor the status of flight systems during ground processing and to load and verify the software installed on the flight computers. A safety assessment is required for the use of software during ground processing to ensure that the software does not contribute to a hazardous condition or cause one to occur.

Potential hazards from software include inadvertent commanding, loss of command, out of sequence commands, human error, removal of inhibits, and coding errors. Commands could inadvertently open valves, power transmitters, start sequence timers, allow power to relays, and remove other system or safety inhibits.

Integrated Hazards

Integrated hazards are those hazards that occur across multiple items, such as F/H to GSE, GSE to GSE, and GSE to facilities. The most common integrated hazards occur at the interfaces, in the local environment and during launch and possible return.

For interface hazards, such as the proximity of electrical and fluid connections and lifting points (both previously discussed), designers and analysts need to assure that both sides of the interface, as well as the paths across the interface, are evaluated. End-to-end (i.e. from source to end point) analyses of fluid and electrical paths are highly recommended.

Environmental hazards, such as adverse weather and hazardous atmospheres, tend to be operationally controlled; however, some can be designed out, such as hazard-proofing electrical equipment. As these hazards can impact the facility, the facility will generally have specific requirements to be followed.

During the launch and possible return phases of the mission, hazards may be imposed on the F/H from external sources (e.g. the launch vehicle). Designers and operators must work closely with the owners of those hazards to assure they are properly controlled and that any controls on the F/H are implemented.

A corollary of integrated hazards is change control. Once permission has been obtained to start ground processing, any changes in equipment or operations must be re-assessed to assure the appropriate controls are in place or remain in place. Close coordination with the approval authority is required at this point. Changes should not be implemented until the additional assessment is complete and approved.

Summary

This subchapter has highlighted some of the hazards to consider involving GSE and the processing of flight hardware, both prior to launch and during the post landing processing of the flight hardware. Some lessons learned were included from actual examples that have occurred. In some cases, the ground processing of the flight hardware may be more hazardous than the flight hazards during the on orbit portion of the mission.

3.2 Gases Storage and Handling Safety

Michael T. Kezirian

On July 26, 2007, an explosion during a nitrous oxide injector test at the Mojave Spaceport, 130 km north of Los Angeles, California caused three fatalities and critical injuries to another three individuals (Walker, 2007). On December 23, 2008, at the Kennedy Space Center, a composite vessel (unlined, liquid oxygen compatible, 1.4 m diameter) exploded, injuring seven persons and incurring thousands of dollars of damage to the lab facility (Dean, 2009). Internationally, there have been several documented cases of the explosion of pressurized vessels containing compressed natural gas (CNG) in automobiles (vans and buses). The hazards associated with gases under pressure during ground testing and space vehicle processing are frequently overshadowed by the flight operation concerns. However, they can often pose a higher risk of casualty.

Pressurized gases are essential to space flight operations and ground processing operations. Propulsion, life support, and thermal management subsystems require the use of high pressure gases, often at many thousand hundreds of atmospheres. Additionally, gases are critical to payloads including science experiments performed on the International Space Station (ISS). Special storage, use, and handling precautions are necessary in order to control the hazards introduced by the presence of pressurized gases. Compressed gas and equipment are addressed in general industry standards as well as those specific to a range of applications including oil and petroleum, marine, construction, and the space industry.

This subchapter is organized as follows. First, for purposes of background, it is necessary to understand energy considerations of stored gases. The next section describes the hazards and corresponding causes associated with compressed gases. The remaining three sections contain the operational controls which should be followed to minimize these risks.

Stored Energy Considerations

There are several methods for estimating the effects of the release of stored energy associated with a gas explosion. One commonly used method involves the Brode energy equation,

image (1)

where E is the energy of explosion, image and image are the ambient and burst pressures respectively, image is the vessel gas volume and image is the ratio of specific heats of the stored gases. The other frequently used relation involves the isentropic expansion energy equation,

image (2)

The Brode equation is felt to better predict the potential effects of explosion energy close to the explosion source (near field), while the isentropic expansion method is believed to better predict effects at a distance (far field) (Crowl, 2003).

Expansion of Gas into a Vacuum

When the ambient pressure is a vacuum, image, these two approaches both reduce to the stored gas energy equation for bursts into a vacuum:

image (3)

The simple model of spherical gas expansion into a vacuum assumes that the gas starts at an initial density dependent on the original vessel pressure. The failure of the vessel is modeled as follows. The boundary of the fluid is suddenly removed. The contained gas expands into the vacuum producing a rarefaction wave, which propagates from the outer surface to the original volume center. The gas accelerates and the density of the gas within the expansion drops. In the simplest model, the rarefaction wave reaches the center of the gas volume instantly. The gas starts with its peak initial and maximum velocity (image) and expands radially outward. With this model, (a) this uniform expansion will involve a decrease in pressure (density) as an inverse cube function; and (b) the mass is distributed equally throughout the volume. The pressure will be determined from the initial volume and the volume of the expanding boundary. This pressure can be calculated from the ideal gas law (Keddy, 2010–12).

Expansion of Gas During Ground Operations

For ground operations, the analysis must incorporate expansion of the gas into air at standard atmospheric pressure, thus image. In this scenario, the surrounding medium will compress, and a shock front will develop. A typical ground facility is filled with structures (other equipment, walls, etc.) which create reflected pressures from the expanding gas. In comparison with expansion into a vacuum, the resulting pressure waves might be at lower pressures due to the presence of barriers, but they will last longer given the reflected waves.
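The Python sketch below is an added example, not part of the original chapter. It compares the Brode and isentropic expansion estimates at standard atmospheric pressure and checks that both reduce to the same value when the ambient pressure is a vacuum. It assumes the commonly published forms of the two equations (written out in the docstrings), and the vessel volume, burst pressure and ratio of specific heats are constructed values.

```python
"""Added example: stored-energy estimates for a pressurized gas vessel.

Assumed (commonly published) forms of the equations named in the text:
  Brode:       E = (P_burst - P_ambient) * V / (gamma - 1)
  Isentropic:  E = P_burst * V / (gamma - 1)
                   * (1 - (P_ambient / P_burst) ** ((gamma - 1) / gamma))
  Vacuum:      E = P_burst * V / (gamma - 1)      (P_ambient = 0)
Units: pressures in Pa (absolute), volume in m^3, energy in J.
"""

ATM_PA = 101_325.0  # standard atmospheric pressure, Pa


def _validate(p_burst, p_ambient, volume, gamma):
    """Reject inputs for which the energy expressions are not meaningful."""
    if gamma <= 1.0:
        raise ValueError("ratio of specific heats must be greater than 1")
    if volume <= 0.0:
        raise ValueError("vessel gas volume must be positive")
    if p_ambient < 0.0:
        raise ValueError("ambient pressure must be absolute and non-negative")
    if p_burst <= p_ambient:
        raise ValueError("burst pressure must exceed ambient pressure")


def brode_energy(p_burst, p_ambient, volume, gamma):
    """Brode estimate (near-field effects, per the text)."""
    _validate(p_burst, p_ambient, volume, gamma)
    return (p_burst - p_ambient) * volume / (gamma - 1.0)


def isentropic_energy(p_burst, p_ambient, volume, gamma):
    """Isentropic expansion estimate (far-field effects, per the text)."""
    _validate(p_burst, p_ambient, volume, gamma)
    # At p_ambient == 0 the pressure-ratio term is exactly zero.
    ratio_term = (p_ambient / p_burst) ** ((gamma - 1.0) / gamma)
    return p_burst * volume / (gamma - 1.0) * (1.0 - ratio_term)


def vacuum_energy(p_burst, volume, gamma):
    """Stored gas energy for a burst into a vacuum."""
    _validate(p_burst, 0.0, volume, gamma)
    return p_burst * volume / (gamma - 1.0)


def compare(p_burst, volume, gamma, p_ambient=ATM_PA):
    """Return all three estimates, in joules, for one vessel."""
    return {
        "brode_J": brode_energy(p_burst, p_ambient, volume, gamma),
        "isentropic_J": isentropic_energy(p_burst, p_ambient, volume, gamma),
        "vacuum_J": vacuum_energy(p_burst, volume, gamma),
    }


# Constructed vessel: 0.1 m^3 of a diatomic gas (gamma = 1.4) at 20 MPa.
SAMPLE = {"p_burst": 20.0e6, "volume": 0.1, "gamma": 1.4}

if __name__ == "__main__":
    for label, ambient in (("1 atm", ATM_PA), ("vacuum", 0.0)):
        result = compare(p_ambient=ambient, **SAMPLE)
        print(label, {k: f"{v / 1e6:.3f} MJ" for k, v in result.items()})
```

For the constructed vessel the isentropic estimate at 1 atm is the lowest of the three, the Brode estimate lies just below the vacuum value, and at zero ambient pressure all three coincide.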

Shrapnel and Fragmentation Analysis

When a pressure vessel fails resulting in a release of stored energy, the pressurized structure breaks into multiple pieces, ranging in size from a tiny shard to a large section of the tank. Figure 3.2.1 shows the collected fragments resulting from a test burst of a pressurized vessel. Each such resultant tank mass (or shrapnel) becomes a projectile hazard as it accelerates after the explosion. Unfortunately, there is no experimentally determined model which establishes the distribution of particle sizes, corresponding velocities and the subsequent trajectories of the resulting pieces. One current approach simply considers “at-risk” all objects in direct line of sight with a vessel that is under pressure. Similarly, any object that is not in the line of sight, i.e. it is shielded by ground equipment, interior walls or protective shielding, is considered not vulnerable to fragmentation risk during pressurized operations. A more sophisticated model, when one becomes available, should establish probability distribution curves of size and impact energy of fragments, based on distance from the pressurized vessel.

FIGURE 3.2.1 Burst failure of a 4.40 × 20” cylinder (aluminum liner and carbon/epoxy graphite overwrap) on impact while pressurized to maximum expected operating pressure with nitrogen gas at ambient temperature (WSTF 1295-2874 – COPV s/n 033). (Courtesy of NASA.)

Hazards Associated with Compressed Gases

There are risks inherent in working with gases stored under pressure. These hazards exist at all stages in the program life cycle, exposing personnel during ground processing and crew members during spaceflight. First, there is the hazard of tank leakage. Depending on the nature of the cause, the leakage rate can range from barely detectable to rapid displacement, effectively equivalent to a tank burst. There are numerous consequences which must be considered independently for the particular tank configuration. The leak can lead to an overpressurization or an oxygen displacement; personnel in the surrounding area (ground operators and flight crew alike) who survive the explosion are at risk of suffocation if the lack of oxygen persists for an extended period of time. Similarly, an oxygen tank leak would create an oxygen rich environment. There can also be specific fire or toxicity hazards associated with the leaking gas.

Second, there is the hazard associated with failures leading to a tank burst. Of primary concern is the release of the stored energy in the compressed gas and the resulting consequences on the surrounding personnel and structure. This energy can be significant. As an example, the energy stored in each Space Shuttle Orbiter Orbital Maneuvering System (OMS) helium tank (0.5 m³) vessel when loaded on the launch pad in preparation for a nominal mission (p = 34 MPa) was 2.3 MJ, equivalent to the energy stored in 5.4 kg of TNT. When a containing device loses its ability to maintain pressure, the stored energy is suddenly released, creating a blast wave from the sudden expansion of the contained gas. As the vessel is destroyed, either from the initial failure or from the ensuing explosion, the vessel disintegrates into hundreds or even thousands of fragments; fragment sizes can vary considerably from dust to large fractions of the original tank. The released energy accelerates these metal and composite shards. Both the blast wave and the corresponding trajectories of shrapnel have the potential to produce catastrophic damage. Secondary explosions can drastically increase the consequence of a failure when the shrapnel from a tank rupture impacts an adjacent structure. It should be noted that in many space vehicle applications, pressurized gases in propulsion systems are typically placed adjacent to pressurized liquid propellants, creating additional catastrophic failure modes.

There are numerous failure modes that would lead to a tank burst; these causes may be considered in three general areas: failure due to improper design or manufacture, failure due to improper use, and failure due to collateral damage.

Failure Cause 1: Improper Design or Manufacture

For most spaceflight applications, with the exception of the smallest of vessels, pressurized gas is typically stored in a COPV, comprised of a thin liner (typically metallic) and overwrapped with a fiber (most commonly carbon graphite fiber, but also glass and Kevlar) in an epoxy matrix. COPVs provide a tremendous mass savings over all-metal pressure vessels. They introduce special safety considerations with unique failure mechanisms.

There can be a design flaw causing the containing vessel to be inadequately designed for its intended use. The liner is susceptible to material fatigue, as the vessel expands and contracts with each filling cycle, due to cyclic, elastic-plastic strain or the propagation of an initial flaw or defect. For the fatigue phenomena, the analysis will incorporate the number of cycles that each vessel will be exposed to in the product lifecycle and the stress that is exerted by the pressurized gas on the liner during a pressurization cycle. One must treat separately failures of the parent material and of any welds (if present) during analyses and material characterizations. Historically there have been two approaches. Leak Before Burst is a design requirement that any defect in the liner will grow sufficiently slowly to permit the enclosed gas to escape before the liner collapses and results in an explosion. The second approach is Safe Life, which specifies that an undetected flaw in the liner (at the worst possible location) will not grow to failure over a specified number of cycles. Typically a Safe Life of four times the Service Life of the vessel is imposed so as to account for uncertainties in modeling.

Depending on the materials and designated fluids, the liner may be susceptible to corrosion; special applications and use may warrant specific additional considerations. To address corrosion concerns, designers will strive to only use materials compatible with the designated gas and operating environment. The safety rationale is tied directly to the number of cycles, the actual pressures (and corresponding pressure) and the specified gas. Exceeding design limits can result in violating certified operating conditions and result in catastrophic failure.

For the overwrap, recent attention has focused on stress rupture of the composite fiber. Dr. S. Leigh Phoenix (Cornell University) provided the following definition of COPV stress rupture:

COPV Stress rupture is a sudden failure that can occur at normal operating pressures and temperatures. This failure mode can occur while at stress levels below ultimate strength for extended time. The failure mechanism is complex, not well understood, and is difficult to accurately predict or detect prior to failure. The location and mechanism of triggering damage causing sudden failure is highly localized, but at a random location. This location and extent of local damage has not been able to be detected by current Nondestructive Evaluation (NDE) techniques prior to catastrophic failure. Pressure, duration of time at pressure, and temperature experienced contribute to the degradation of the fiber and/or the fiber–matrix interface, particularly around accumulations of fiber breaks, and these increase the probability of COPV stress rupture.

For stress-rupture phenomena, the analysis will incorporate the time the vessel will be under pressure during the product lifecycle. For this failure mode, the lifetime is inversely proportional to pressure to some power, and the power itself is inversely proportional to absolute temperature, so that the failure rate is rapidly accelerated as the temperature is increased. Given the stochastic nature of the failure mode, it is impossible to predict a priori when the failure will occur. It is not possible to monitor a tank to detect when the failure is about to occur in time to take corrective action. Therefore, designers select parameters (such as factor of safety on proof and burst strength) such that the corresponding reliability of this failure mode is deemed acceptable. Holding the vessel at higher pressures or temperatures or for longer times can significantly reduce the corresponding reliability and thus invalidate the safety posture.

One must also consider the liner and overwrap as a system. The interactions between the liner and overwrap can give rise to additional failure modes. One such mode, liner buckling (Phoenix & Kezirian, 2009), occurs due to overwrap debonding from the liner followed by liner inward bowing or wrinkling due to excessive hoop compression exerted by the overwrap on the liner that previously was plastically expanded during autofrettage.

Failure Cause 2: Improper Use

There can be an operational failure that results in the vessel being placed beyond its intended design capacity. Pressure vessels are rated for specific operating conditions, a Maximum Expected Operating Pressure (MEOP), temperature limits, number of loading cycles, and sometimes restricted to specific gas or gases. It is important that operating conditions do not violate these design parameters.

There can be design controls to prevent inadvertent operation beyond capacity. Spacecraft designs often incorporate relief valves such that excessive pressures are vented from the system before critical pressures are reached. Ground support equipment should contain multiple controls to prevent pressure or temperature exceedances.

More subtle is the limit on use, cumulative time under pressure. While this parameter is not explicitly codified in the standards, it is implicitly established as a limit. For a given expected lifetime, the design manufacturer and customer will accept a risk that in turn specifies a factor of safety. Exceeding the anticipated use increases the risk of failure and violates the risk acceptance rationale. Regardless of the selected design parameters, reducing the time under pressure, adjusting for temperature, will reduce the risk of tank failure.

Failure Cause 3: Collateral Damage

The third class of failures is associated with collateral damage; special care must be taken to ensure that vessels are handled properly as unintended impacts with seemingly harmless force can be potentially catastrophic.

For spaceflight applications where only small tank volumes are required or for ground operations where tank weight is less of a consideration, all-metal pressure vessels are also employed. These tanks are also susceptible to similar failure modes.

Operating in Ground Facilities

Ideally, all pressurized components would be fully integrated into the launch vehicle and gases would be loaded on the launch pad immediately prior to launch. Unfortunately, this approach is not practical. It is often not possible to access integrated pressurized containers for loading and servicing. For the Space Shuttle Orbiter, the nitrogen tanks were filled in the Orbiter before closeout in the Orbiter Processing Facility, prior to final assembly in the Vehicle Assembly Building and rollout to the pad, frequently more than two months before first scheduled launch attempt. Science payloads requiring specialty gases were pressurized and integrated early in the payload integration cycle. It is noted that helium tanks for propulsion systems were pressurized on the launch pad several days before the launch countdown procedure.

To facilitate ground operation schedules, it is more convenient to load earlier in the flow. However, to minimize accumulated time under pressure and the corresponding tank failure risk, the preference is to load on the launch pad as late in the launch preparation flow as possible. When this is not feasible, special care must be implemented to minimize the risk to ground personnel when handling pressurized structures in ground processing facilities. One manner is to use blast enclosures, specially built structures rated to absorb the impact of the stored energy in any pressurized structure. This is not always possible. When it is necessary for ground operators to work in the vicinity of pressurized gases, appropriate ground rules need to be established based on a thorough analysis of the consequences of a failure of a pressurized structure. For this purpose, it is essential to understand the effect of an explosion and the corresponding blast wave.

As an example, the Space Station Program required two pressurized COPVs to be integrated into payloads for the last Space Shuttle flights. The Kennedy Space Center Safety Team analyzed the effect of each potential COPV failure and characterized the resulting blast waves. Two separate criteria were identified. The first was the distance from the center of impact within which persons would likely lose their lives. The second was the distance from the center of impact within which persons would likely sustain permanent damage, typically loss of hearing. NASA implemented ground rules in the Space Station Processing Facility, restricting access to essential personnel when pressurized structures were present. Figure 3.2.2 shows the facility map with the corresponding restricted zones (corresponding to the second criterion, likely permanent damage to personnel).

FIGURE 3.2.2 Schematic of the Space Station Processing Facility (SSPF) at the Kennedy Space Center (KSC) identifies the Restricted Zone, limited to essential ground processing personnel. Should a pressurized vessel fail, the ensuing pressure wave would expose personnel in the corresponding shaded areas to the potential for permanent injury. (Courtesy of NASA/Boeing.)

Minimizing Effective Time under Pressure

For best practices, it is recommended to minimize the time under pressure. Establishing strict operational controls will prevent gases in the vessel from being pressurized beyond their design use, effective time under pressure relative to a reference temperature, and for design and manufacturing deficiencies.

During the lifecycle of a COPV, a typical tank will experience a range of pressures and temperatures. Several techniques can be introduced to minimize temperatures that accelerate tank aging. During the tank loading process, thermodynamic properties of gases cause the contained gas temperature to rise as the pressure increases, thereby heating the COPV. By reducing the rate of pressurization and loading a tank over an extended period of time, there is more time for heat to be convected away, minimizing temperature excursions. Controlling the temperature during ground processing is also extremely helpful. For loading operations that are to be performed on the launch pad, particularly if the launch facility is in a warm climate, ground processing should consider flowing a coolant gas over the pressurized vessel in order to control the COPV temperature.

During the Space Shuttle Program Return-to-Flight operations following the Columbia accident (Kezirian, 2011), the risk of a COPV composite stress rupture failure was identified as a new risk and raised to the Program “Top 10” risk level. As part of the overall risk mitigation approach, the following operational improvements were implemented to reduce the effective time under pressure for COPVs in the Orbiter vehicle.

The loading process on the launch pad for 18 helium tanks was modified to reduce the effective time under pressure. Original tank filling specifications defined a minimum level of pressure without imposing a temperature limit. Given the sensitivity to elevated temperatures, new operational procedures set specified temperature and pressure limits. Instead of performing the entire loading in a single stage, the new ground procedures established that COPVs were first loaded to a set pressure (such as 60% of full operating pressure) followed by a “cooling off period”, before the final loading raised the pressure to launch levels. Loading of the tanks was moved later into the launch preparation procedure to minimize total pressurized time. Originally, loading of the flight gases could occur 12 days or more prior to launch; tank loading was changed to commence at five days before launch. During Orbiter turnaround activities between Shuttle flights, system checkout tests specified pressurizing vessels to full operating pressure. To minimize accumulated time on the vessels, the turnaround checkouts were limited to 80% launch load. In order to protect ground personnel, pad access was restricted to essential personnel after pressurizing the helium tanks for launch. Additionally, all personnel were restricted from pad access during tanking pressurization.
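The stress-rupture scaling described earlier (lifetime inversely proportional to pressure to a power that is itself inversely proportional to absolute temperature) can be used to compare the loading flows in this paragraph. The Python code below is an added example, not part of the original chapter or of any NASA procedure; the exponent, burst factor, reference temperature, segment temperatures and durations, and the linear damage-accumulation rule are all assumptions chosen for illustration.

```python
# Added example: effective time under pressure for a COPV load history.
# Only the model form comes from the text; every constant is an assumed value.
from dataclasses import dataclass

T_REF_K = 294.0      # assumed reference temperature (K)
RHO_REF = 24.0       # assumed power-law exponent at T_REF_K
BURST_FACTOR = 2.0   # assumed burst pressure / full operating pressure


@dataclass(frozen=True)
class Segment:
    days: float      # duration of the hold
    load: float      # pressure as a fraction of full operating pressure
    temp_k: float    # vessel temperature during the hold (K)


def exponent(temp_k: float) -> float:
    """Power-law exponent, inversely proportional to absolute temperature."""
    if temp_k <= 0:
        raise ValueError("absolute temperature must be positive")
    return RHO_REF * T_REF_K / temp_k


def damage_rate(load: float, temp_k: float) -> float:
    """Relative life consumed per day: 1/lifetime, lifetime ~ stress_ratio**(-rho)."""
    if not 0.0 <= load <= BURST_FACTOR:
        raise ValueError("load must lie between zero and the burst factor")
    return (load / BURST_FACTOR) ** exponent(temp_k)


def effective_days(history) -> float:
    """Days at full load and T_REF_K that consume the same life as `history`.

    Assumes damage from successive holds adds linearly.
    """
    ref = damage_rate(1.0, T_REF_K)
    return sum(s.days * damage_rate(s.load, s.temp_k) / ref for s in history)


# Constructed histories (temperatures and stage durations are assumed):
# single-stage load 12 days before launch, with heating during the fast fill
ORIGINAL_FLOW = [Segment(0.5, 1.0, 320.0), Segment(11.5, 1.0, 305.0)]
# staged load starting 5 days before launch: 60% hold to cool, then full load
REVISED_FLOW = [Segment(0.25, 0.6, 300.0), Segment(4.75, 1.0, 300.0)]
# turnaround checkout at full pressure versus at 80% of launch load
CHECKOUT_FULL = [Segment(2.0, 1.0, T_REF_K)]
CHECKOUT_80 = [Segment(2.0, 0.8, T_REF_K)]

if __name__ == "__main__":
    for name, flow in [("original flow", ORIGINAL_FLOW),
                       ("revised flow", REVISED_FLOW),
                       ("checkout at 100%", CHECKOUT_FULL),
                       ("checkout at 80%", CHECKOUT_80)]:
        print(f"{name:>17}: {effective_days(flow):8.3f} effective days")
```

With a steep exponent, the hold at reduced pressure contributes almost nothing, so the result is dominated by days at full load and by temperature, which is why the revised procedure targets both.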

Mitigating Collateral Damage

Frequently underappreciated and overlooked is the fact that the handling of a pressure vessel is a safety critical operation. Manufacturing, shipping and handling, and testing all expose critical hardware to the potential for collateral damage. Tests performed at the White Sands Test Facility (WSTF) have shown that impacts as small as 10 J produced irreversible damage to the composite overwrap (Beeson, 2002). Specific concerns include the dropping of tanks and foreign objects falling onto pressure vessels. To mitigate this risk, a Damage Control Plan should be established and followed throughout the lifecycle of a pressure vessel, starting with the initial manufacture through testing and installation.

Typically, it is necessary to install COPVs early in the assembly of spacecraft. One additional control to protect COPVs from impact damage during the remainder of the space vehicle fabrication process is to install temporary protective covers over the vessels. There are many different types of covers used, but these protection devices share a design characteristic. The covers absorb the impact energy and dissipate it broadly to significantly reduce the impact to the protected structures underneath. One design is to use a thick heavy fabric, sometimes termed “elephant hide”. Figure 3.2.3 shows a Space Shuttle OMS/RCS Pod which has been removed from the Orbiter for ground processing. The two metallic propellant tanks are each covered with a protective cover which would be removed at the conclusion of ground processing prior to final closeout. Figure 3.2.4 shows the aft view of a Space Shuttle Forward RCS module which has been removed for ground processing. The COPV and the metal tanks have protective covers which are only installed during ground processing. Typically these covers are designed so that any impact would leave a mark and would be detected by routine visual inspection. In the event that such impact is identified either through appropriate problem reporting or subsequent visual inspections, an anomaly investigation team would be assembled to identify the root cause of the incident. If the damage is significant, the corrective action might include replacing the affected hardware.

FIGURE 3.2.3 The underside of a Space Shuttle OMS/RCS Pod during ground processing shows an RCS oxidizer propellant tank (foreground) and OMS oxidizer propellant tank covered with a protective “elephant hide”. These protective covers are removed prior to flight. Both tanks contain liquid oxidizer, pressurized with helium. (Courtesy of NASA.)

FIGURE 3.2.4 Aft view of the Forward RCS module with white protective covers on the helium tanks (COPVs), and grey protective covers on the oxidizer and fuel liquid propellant tanks (metal). These protective covers are removed prior to flight. (Courtesy of NASA.)

An alternate design is to install custom covers with a hard shell exterior and soft foam interior, similar to many commercially available protective bicycle helmets. These covers are typically custom manufactured in segments and held in place with Velcro to facilitate easy removal at the end of ground processing.

NASA WSTF offers a training course to certify ground personnel who operate, inspect and transport pressurized vessels. Through their COPV Damage Detection Course, NASA has established a means for characterizing and recording mechanical damage. By following a consistent process in the lifecycle of the program, operators are best able to isolate, detect and quantify damage through routine visual inspections.

Conclusion

Pressurized gases are essential to processing and operating space vehicles. The presence of pressurized gases presents numerous hazards with potentially catastrophic consequences. Tanks can leak or burst or fail due to improper design or use or collateral damage. These risks can be reduced and mitigated through strong design controls.

References

1. Beeson HD, Davis DD, Ross WL, Tapphorn RM. Composite Overwrapped Pressure Vessels. Las Cruces, New Mexico: NASA/TP–2002–210769, NASA Johnson Space Center White Sands Test Facility; 2002.

2. Crowl DA. Understanding Explosions (A CCPS Concept Book). New York, New York: Center for Chemical Process Safety of the American Institute of Chemical Engineers; 2003.

3. Dean J. Florida Today. January 7, 2009.

4. Keddy, C.P., personal communications, 2010–2012.

5. Kezirian MT, Johnson KL, Phoenix SL. Composite Overwrapped Pressure Vessels (COPV): Flight Rationale for the Space Shuttle Program. Long Beach, California: AIAA SPACE 2011 Conference and Exposition; Sep. 27–29, 2011; (AIAA-2011-7363).

6. Phoenix SL, Kezirian MT. Analysis of Potential Ti-Liner Buckling After Proof in Kevlar/Epoxy COPV. Palm Springs, California: 50th AIAA/ASME/ASCE/AHS/ASC Structures, Structural Dynamics, and Materials Conference 17th AIAA/ASME/AHS Adaptive Structures Conference 11th AIAA No; May 4–7, 2009; AIAA-2009-2520.

7. Walker P. Guardian Unlimited. July 27, 2007.
