1. A range tracking source must be sufficiently reliable to assure that the Flight Safety Officer has the necessary information to make critical real time decisions. The probability of a source producing undetectable out-of-specification data must be small. The probability of a source showing that a non-nominal vehicle is nominal must be extremely small.

2. Tracking sources must be independent of each other. Failure of one system must not degrade the performance of another.

3. The tracking source must produce sufficient information to monitor the vehicle’s in-flight performance, e.g., time, position, and velocity.

4. The measurement accuracy must be sufficient to support range safety decisions.

5. Sample rates must be high enough to accommodate vehicle dynamics and support timely decision making.

6. Time delays (latency) between when a measurement is taken and when it is available to support decision making must be acceptably small.

7. A measurement should be accompanied by indicators of quality or confidence in the measurement. This supports editing and source selection.

1. control vehicles experiencing failure or degraded performance that can lead to a public safety hazard by eliminating thrust, lift, yaw for all vehicle stages;

2. produce a small number of pieces, all of which are unstable and impact within a small footprint;

3. control disposition of hazardous materials (burning propellant, toxic materials, radioactive materials, ordnance, etc.);

4. be supportable during assembly, test, prelaunch, launch and flight operations at launch range; and

5. demonstrate high reliability and probability of survivability of operating environments with adequate reserve margins.

1. Flight Termination Receiver;

2. Antenna System;

3. Independent Battery Source;

4. Safety Lockouts: Safe and Arm devices, timers, etc.;

5. Termination devices (cutting charges and other explosives, fuel valves, ignition cut-off relays, etc.);

6. FTS control and monitoring devices.

• Qualification Testing is used to provide confidence that FTS and components can withstand operational environment and have adequate margins.

• Acceptance Testing is used to prove workmanship. It increases the confidence that production units are as reliable as those that passed the qualification testing.

• Certification Testing is typically performed on critical components after acceptance testing, as close to launch day as possible. Certification testing is typically performed on Flight Termination Receivers and Safe and Arm devices.

• Assembly and Checkout tests are usually performed within 30 days of launch to detect a faulty component that may have developed problems since its last check. These tests are designed to provide end-to-end testing, as well as calibration of telemetry (TM) channels.

• Prelaunch tests are final checks prior to launch on components such as Flight Termination Receiver tone checks, FTS battery, Safe and Arm devices.

1. Loss of tracking resulting in an AFTS action.

2. Integrity of tracking data (clearly defining required actions when one or more sources are lost).

3. Managing software single point failures.

4. Managing potential common cause failures.

5. Providing adequate assurance that conditions warranting vehicle destruct can be detected.

6. Encompassing the range of flight termination rules currently employed at all ranges.

7. Meeting the weight and volume constraints for additional hardware on missile and launch vehicle systems.

1. Solid rocket motors may be equipped with thrust termination ports on the forward portion of the stage. Removing these ports nullifies the thrust of the stage. However, this type of flight termination may result in the impact of a stage containing substantial amounts of propellant with the potential for a large explosion.

2. Liquid propellant rocket motors may be equipped with propellant and oxidizer shut-off valves. Closure of these valves causes the rocket motors to cease thrusting. The impact of the non-thrusting stage may cause the two tanks to rupture and produce an explosion.

3. Vehicles with aerodynamic control surfaces may be caused to pitch into the ground or tumble by appropriate commands to these control surfaces.

• Inert debris striking people or structures housing people.

• Blast waves from explosive debris striking structures or impacting in the immediate proximity of people or structures housing people.

• Explosions producing blast waves affecting people in buildings at some distance as a result of distant focusing overpressure.

• Toxic emissions from impacting burning propellant, a deflagration on impact or from normally thrusting vehicles.

• Thermal hazards from solid propellant firebrands or liquid propellant fireballs.

Vehicle characteristics

Mission characteristics

Modeling challenges

(1) Identify hazards

Hazard identification consists of reviewing vehicle intended performance and potential malfunctions to assess (1) credible sources of threats to life and property; (2) the sequences of events that result in these threats; and (3) the probability of each event sequence. Typical failure modes include: structural failure (joint failure, buckling, loss of fins); loss of inertial reference by the guidance system; loss of control (e.g. nozzle hard-over, nozzle null, actuator jams); propulsion system failures (case burn-through, premature thrust termination); and flight safety system malfunctions (inadvertent flight termination system action, failure of the flight termination system).

Fault trees and event trees are used for this analysis; they are used to identify all of the failure modes and sequences of events that lead to hazardous end states.

(2) Develop failure probabilities

Failure probabilities are frequently based on a failure modes and effects analysis (FMEA). However, manufacturers tend to be very optimistic about mission success, ignoring the possibility of human error. Therefore the probabilities must be anchored to the launch history of the vehicle or, if the vehicle is relatively new, to the failure history of similar vehicles developed under similar circumstances.

(3) Develop breakup state vectors for debris generating events

Breakup state vectors are developed by simulating many malfunction trajectories. If flight termination criteria are being used, the projected impact point or footprint during the malfunction is computed and compared with the criteria. Trajectories that produce criteria violations are terminated to get the destruct state vectors for a vehicle that has been aborted based upon the criteria. In addition, vehicles may breakup or self destruct because of aerodynamic or inertial loads, and breakup state vectors must be determined for these events.

Uncertainties in the breakup state vectors due to vehicle guidance and performance uncertainty and due to uncertainty in the range safety system delays must also be determined.

(4) Define debris characteristics

For each event the likelihood of the vehicle remaining intact or breaking up must be determined. For vehicle breakup, the fragments are defined in terms of their numbers, sizes, aerodynamic characteristics, and any imparted velocities that they might receive from an explosion. The fragments are divided into groups having similar characteristics.

(5) Propagate debris to impact

The fragments usually follow a ballistic path to impact. Impact distributions can be developed using Monte Carlo (random sampling) methods or by propagating state vector uncertainty (expressed as a covariance matrix) using linear relationships. The uncertainties in the ballistic trajectory result from fragment ballistic coefficient uncertainty, dispersion due to explosion imparted velocities, lift effects, and wind uncertainty.

(6) Develop impact probability distributions

The impact probability distributions are generated by summing the covariance matrices representing the impact uncertainties for each of the sources of uncertainty (the covariance matrices are typically expressed in an east (E) – north (N) coordinate system)

(1)

(7) Compute impact probability

The total impact covariance matrix for a given fragment group is usually assumed to define a bivariate normal impact distribution¹

The impact probability (P_I) for a specified fragment and population center is obtained by integrating the bivariate normal density function over the region of the population center.

To compute the probability of one-or-more fragment impacts, statistical independence is assumed resulting in the formula:

(2)

where P_j = impact probability of fragment j, where j covers all of the fragments over all of the fragment groups.

To obtain the total impact probability for a mission, the P_I(≥1) values for each failure time and failure mode are weighted by their corresponding probability of occurrence and these are aggregated.

(8) vCompute casualty expectation

The equation for casualty expectation for a debris group “i” for population center “j” for a given failure time and failure mode, is given by:

(3)

where:

To obtain the total casualty expectation for a given failure time and failure mode, the E_C values are summed over all fragment classes, shelter categories, and population centers, i.e.

(4)

The E_C–Total values are weighted by their corresponding probability of occurrence and summed over all failure times and failure modes to get the total (mission) casualty expectation due to debris impact hazards.

(9) Cumulative procedure to compute risks

The debris risk analysis determines the expected casualties from inert debris impacts and from the overpressure and impulse from exploding debris, for all of the populated areas of concern. For inert debris, probabilities of casualty are computed based on the impact velocity, area, and mass of the impacting debris. For people in structures, the ability of the debris to penetrate the roof is determined and the numbers of casualties are calculated considering the fragment characteristics as well as the roof and upper floor characteristics. If the debris explodes upon impact, which may be the case for intact stages (liquid or solid propellant) or for large chunks of solid propellant, the overpressure and impulse from the shock wave are used to compute casualties for people in the open and for people located in damaged buildings. The models consider the effects of flying glass as well as failing walls and ceilings due to the shock wave.

The process is cumulative. Risk computations are made for failures occurring during specified time intervals (usually between 2 and 5 seconds long) and for each of the failure response modes that can occur during each time interval. For each time and mode, the computations are made for all of the individual debris categories and for all of the affected population centers. The E_C for the entire launch is obtained by summing over all times and all failure response modes.

(5)

Considering the number of times, the number of failure response modes, the number of debris groups, and the number of population centers, one analysis could have as many as 10⁶ individual E_C computations.

Figure 4.1.11 illustrates the overall debris risk analysis process, including critical input and output data.

The following subsections address significant details involved in the key steps of a launch debris risk analysis, including input data development.

(a) Immediate breakup: The vehicle has been flying a nominal mission until onset of failure. The failure initiates an immediate breakup of the vehicle. For example, explosions, structural failure, and inadvertent termination are three types of immediate failures. Immediate breakup failures produce a hazard near the ground trace of the normal trajectory. The dispersion of the breakup state vectors will typically derive from the dispersed trajectories characterizing the uncertainty in the vehicle guidance and the vehicle performance.

(b) Control failures: The vehicle is structurally intact, its guidance and measurement systems are functional; however, they cannot effectively direct vehicle thrust or the vehicle has diminished thrust. Common examples of control failures include: stuck nozzles; inability to direct the nozzle resulting in oscillating nozzle positions; exhausted control propellant/fluid; loss of an aero surface, such as a fin; burn-through of the motor or nozzle misdirecting the thrust; gain error (resulting in over/under compensation); and degraded thrust. Stuck nozzles result in a malfunction turn of the type illustrated in Figure 4.1.12. The thrust vector offset causes the vehicle to follow a spiral trajectory until flight is terminated by a flight termination action or aerodynamic forces cause the vehicle to breakup. Oscillating nozzle positions may cause the vehicle to follow a meandering trajectory until flight is terminated. Degraded thrust may result in an on trajectory failure.

(c) Guidance system failures: The guidance system has lost reference so that it does not know where the vehicle is or the guidance system is misdirecting the vehicle. Some examples of this category of failure include guidance program re-initialization, bad data from a measurement unit being fed to the guidance system, an error in the guidance program, incorrect hardware or software installed, failure to initiate the guidance program, or the wrong initial orientation of the system.
All but the simplest guidance failures are difficult to model. The following are among the failures that can be addressed without a detailed understanding of the vehicle guidance and control system: failure to pitch-over (program) and instantaneous reorientation to a new heading and otherwise normal flight along the new heading. Somewhat more realistic, but more challenging to model, is a coordinated turn to a new heading followed by otherwise normal flight.

(d) Staging/jettison failures: Examples include failure to ignite or re-ignite a stage or a failure to jettison a stage, a fairing or other hardware as planned. Failure to ignite or reignite is likely to result in ballistic re-entry of the vehicle, either in a stable orientation or tumbling. Failure to jettison hardware is, typically, more difficult to model. It requires a 6 degrees of freedom (DOF) model of the vehicle, its guidance and control system to address how the guidance system responds to carrying excessive mass. Typically, although the vehicle is thrusting and under the control of the guidance system, it is too massive to reach orbit or the planned orbit. Should it succeed in reaching orbit, it may be sufficiently off-nominal so as to re-enter after only a few orbits. However, those failures that result in a stable, but erroneous orbit are of secondary concern from a public safety perspective.

Trajectory input data development

This section discusses the two major types of trajectory data that are generally required for a launch debris risk analysis: trajectories spanning the flight envelope for normally performing vehicles and malfunction trajectories.

Figure 4.1.15 illustrates two important trajectory characteristics for flight safety analyses. The figure shows a simple trajectory and identifies for a pair of trajectory points the subvehicle point, the point on the Earth’s surface directly below the vehicle, and the Instantaneous Impact Points (IIP), the points along the surface of the Earth where the vehicle would impact should it cease thrusting and continue along a ballistic trajectory to impact.

Normal flight variations encompass guidance errors or drift within the range of acceptability to achieve the objectives of the mission. The guidance system reference can drift such that the vehicle flight path is displaced in a crossrange direction to the left or to the right of the planned trajectory, while downrange displacements from guidance uncertainty are generally negligible. Normal trajectories will also include variations in vehicle position and velocity (state vector) as a function of flight time resulting from deviations from the nominal flight due to wind and avoiding excessive loads on the vehicle. They also include performance variability where the vehicle propulsion may have higher or lower specific impulse than estimated. The combined dispersion from these effects is mostly in the uprange/downrange direction, particularly after the ground projected impact moves away from the launch point. As a result, the ground projected impact points of the normal variation for a single state vector at a given time in flight have the general appearance of a long slender ellipse. Most of the time, the most important effects on debris dispersions from a range safety perspective, are those in the crossrange direction.

Performance variations of the vehicle’s engines will shift the IIP either in the up-range or downrange direction for any given time after lift-off. Guidance and control variability may impart uncertainty in either the downrange or crossrange directions. (For modern guidance systems most of the uncertainty is in the downrange direction.) In general, the IIP dispersions during normal flight are generally near the planned IIP trace. As a first approximation, the crossrange scatter of the IIPs are often described as using a Normal probability distribution.

Flight termination criteria are implemented to limit the regions that may be placed at risk by a mission. Flight termination criteria can modify the crossrange impact probability distributions in two ways, as shown in Figure 4.1.16. The original distribution is, in effect, truncated by the destruct actions and a secondary distribution reflecting the uncertainties in the detection of violations of the Destruct Lines and time to effect the destruct action is generated about the Destruct Line.

The downrange component of the vehicle impact point distributions is also affected by the guidance and performance dispersions, the IIP rate, and the vehicle failure probability as a function of flight time.

Pre-failure trajectory dispersions persist or grow when a malfunction maneuver begins, as illustrated in Figure 4.1.17.

Developing malfunction trajectories is one of the most difficult challenges in performing launch risk analyses. As previously noted, the first step in developing malfunction trajectories is to identify the appropriate vehicle response modes to various failures. Appropriately characterizing these response modes is a challenge. The best approach, when feasible, is to work with the vehicle developer to simulate the failure response modes, including the role of the guidance feedback, the control system and the subsequent behavior. This requires a detailed study of the possible failure modes, the probability of their occurrence, the time of their occurrence, and subsequent behavior. An additional important factor for launch safety, discussed later, is modeling the effects of range safety interventions (flight or thrust terminations).

Conceptually, it is useful to think of modeling off-course maneuvers either using simple malfunction turns or using a full simulation. Malfunction turns are vehicle turns with the turn rate dependent upon the thrust vector offset. The malfunction turns are assumed to occur in a plane that includes the velocity vector at the start of the turn. Typically, unless vehicle design suggests an alternative assumption, all angles of the tumble plane about the velocity vector are assumed to be equally probable. The thrust vector offset is assumed to remain constant for the duration of the turn. The thrust vector offset is a value between 0^o and the maximum possible offset angle. Figure 4.1.18 illustrates typical turn curves (velocity magnitude and velocity turn angle as a function of time after malfunction) for several thrust vector offsets. A common assumption is that the most probable offsets are very small angles or angles near the maximum possible offset. The path of the vehicle during the turn is simulated using a 3 DOF simulation, preferably including aerodynamic forces. Vehicle breakup occurs when aerodynamic loads exceed the vehicle capacity or when a flight termination criterion is violated. The most commonly used criterion for onset of breakup is the product of dynamic pressure, q, and angle of attack, α. Good practice requires characterizing the uncertainty in the q-α criterion and accounting for that in the breakup state vector samples.

A space booster developer with a 6 DOF flight dynamics computer program can incorporate the simulation of the guidance and control response into the behavior of the vehicle as it malfunctions. Such simulations require aerodynamic and inertial modeling of the vehicle including the interaction with the guidance and control system. Moreover, data required for such simulations may require special testing or modeling to develop aerodynamic characteristics outside for regimes outside the normal operating regime. That being said, this approach offers the possibility of a substantially higher fidelity description of vehicle behavior in response to a malfunction. A full simulation must produce many malfunction trajectories for each representative failure time spanning the full range of possible accidents, each with its own probability of occurrence. Each of these simulated accidents may contribute to the total mission risk.

Regardless of which method is employed to characterize malfunction trajectories, the resulting trajectories must account for the flight termination criteria. There are two major common approaches to defining flight termination criteria. The first approach begins by identifying population centers and valuable assets to be protected. A buffer zone is established about these regions as adequate protection. One form of buffer used at a number of ranges employs Impact Limit Lines (ILL) between the trajectory and the regions to be protected. Conceptually, the ILL is a limit beyond which hazardous debris should not be allowed to impact. Flight termination lines or Destruct Lines are placed between the trajectory and the ILL. When a Range Safety Officer sees that a projected instantaneous impact point for the vehicle is crossing the Destruct Line, a destruct signal is sent to the vehicle to terminate further powered flight. Other types of criteria may be employed to supplement the impact point based Destruct Line to assure that errant vehicles are terminated before they can hazard the protected regions.

The alternative approach is a “capability based” approach that involves an assessment of how quickly the Range Safety Officer can be expected to detect a malfunctioning vehicle and terminate it. Suppose that a Range Safety Officer can detect and terminate failure within five seconds of the onset of failure. Each failure trajectory is allowed to persist for 5 seconds. The projected vehicle impact point is computed for each state vector after five seconds of the failure maneuver. An envelope of all such impact points is defined. The envelope becomes the candidate flight termination boundary. To assure that the proposed termination boundary has not induced unacceptable levels of risk by concentrating the debris that would result from termination over population centers, the risk to an individual given a flight termination is computed. As long as high individual risk contours do not overlie protected regions the terminate limits are regarded as acceptable.

Aerodynamic breakup criteria and the flight termination criteria can be used in to determine how far into the malfunction the vehicle flies before onset of breakup. As noted earlier, uncertainty in each set of criteria should be considered in developing a set of representative breakup state vectors. For any given failure scenario debris impacting at the Earth’s surface generates the threats to life and property.

Debris data development

There are three categories of fragment characteristics:

From a physical perspective, only the characteristics related to the trajectory affect the development of a debris footprint. However, practical considerations of limiting the number of distinct fragments that must be individually modeled leads to the concept of a fragment group, a collection of fragments that are sufficiently similar so that they can be modeled as a single set. The discussion begins with the issues of characterizing individual fragments and then extends to considering how this must be adapted to model fragment groups.

Trajectory-related fragment characteristics include: the initial condition as expressed by the breakup state vector, the guidance and performance uncertainty, and the velocity imparted at breakup; drag characteristics as expressed by the ballistic coefficient and its dependence on fragment speed, orientation, and ablation; and fragment lift, which is dependent on the fragment shape and orientation as it falls.

Table 4.1.1 provides guidelines for estimating the coefficient of variation of a fragment ballistic coefficient as a function of parameters that are expected to affect that uncertainty. Fragmentation introduces uncertainty in both a fragment’s weight and its aerodynamic characteristics (C_DA_ref). This uncertainty is significantly smaller when it is a well-defined piece such as a nose cone rather than a fragmented portion of the vehicle. Aerodynamic stability of a piece strongly affects the uncertainty in the impact point due to lift and drag effects. A tumbling piece will have higher uncertainty in its aerodynamic characteristics than one that will trim at a predictable attitude. Cubes, spheres and similar compact symmetric shapes have more predictable aerodynamic characteristics than irregular shapes, such as a bent pipeline segment. The last factors are the re-entry speed. There is substantially less variability in aerodynamic characteristics at low subsonic speeds (M < 0.5) than at transonic/low supersonic speeds. When tables of drag coefficients (C_D) are available as a function of Mach number this reduces some of this uncertainty.

Impacting fragments may pose a threat from some combination of mechanical injury, injury caused by explosive shock waves, thermal injuries, and toxic injuries. Fragment characteristics related to threat are as follows: Mechanical injuries are a function of the impact velocity, the fragment shape and the fragment mass. Injuries produce by shock waves depend on the impact velocity and the resultant explosive yield. Burns depend on the weight of the burning material, its exposed surface and the chemical composition of the burning material. Toxic injuries depend on the toxic substance and the conditions of its release.

Fragment grouping speeds calculations and provides a mechanism for explicit modeling of uncertainty contributors. Breakup of large space boosters can result in a sufficient number of fragments so that fragment-by-fragment analysis is burdensome. A fragment group must consist of fragments that arise from the same events, have common threat characteristics, have common aerodynamic characteristics, and common initial conditions. Definition of fragment groups begins with the grouping by initiating events. The next step is to form preliminary groupings on the basis of ballistic coefficient. It has been suggested that fragments in a fragment group satisfy the following inequality:

(6)

The following additional guidelines should be followed:

(7)

(8)

(9)

(10)

When fragments are grouped the uncertainties for the individual fragments must be combined to develop group uncertainties. The fragment mean ballistic coefficient is calculated as:

(11)

Three sigma low and three sigma high limits are modeled as the smallest three sigma low values from any contributing set of fragments and the largest three sigma high values from any contributing set of fragment respectively. These three parameters can then be used to define a probability distribution for the fragment group ballistic coefficient. Common parametric distributions employed include the lognormal distribution and the beta distribution.

A breakup list is a catalog of the debris resulting from breakup. For each fragment category it must include the number of fragments, a representative fragment weight, fragment aerodynamic characteristics (ballistic coefficient and lift-to-drag ratio) and velocities imparted to the fragments by breakup and their uncertainties, and the fragment projected area. Additional information is needed for fragments with explosive potential or the potential to release toxic material.

In the presence of aerodynamic loads, the vehicle will begin to breakup at its weakest point. The most likely place for the initial failure is at an inter-stage. Subsequent points of failure are points with combinations of highest loads and lowest capacities. This type of reasoning can be used as a guide through the first few failure points, it then becomes very speculative. It then becomes more productive to identify items like pressure bottles or batteries that may remain intact and to breakup the rest of the vehicle. Nevertheless, the interested reader is referred to Nyman et al., 2011, for a discussion of a systematic approach for developing debris lists from detailed drawings, photographs, and technical data for a vehicle. Alternatively, Bryce et al., 2009, provides an innovative modeling approach for characterizing debris based on the self-similarity of different stages of breakup.

Figures 4.1.19 and 4.1.20 depict bounds on casualty areas from all fragments in breakup lists for ELVs as well as bounds on the number of fragments resulting from a Command Destruct Action. These charts are useful checks as to the validity of any proposed breakup list.

Ballistic coefficients are the ratio of fragment weight to the product of drag coefficient and the reference area for which the drag was defined. Hoerner, 1966, and Blevins, 2003, provide useful drag models to support building a debris catalog. Table 4.1.2 provides representative ballistic coefficients for typical launch vehicle hardware.

Velocities imparted to fragments at breakup are typically modeled analytically. One or two dimensional engineering models are developed to conserve mass and energy. Typically, momentum is conserved by assuming symmetric or radial fragment dispersions. The engineering models are calibrated by comparison with available empirical data from observed breakup events. There are two fundamental sources of energy that create and throw fragments in vehicle explosions. Pressurized gases split open solid boosters and partially depleted liquid propellant tanks. Imparted velocities tend to increase with failure time as a result of increasing chamber volume and decreasing web propellant thickness. Chemicals in liquid or solid propellants may react explosively. Imparted velocities from this energy source may decrease later in flight due to propellant depletion. Table 4.1.3 presents a summary of relatively conservative imparted estimates developed by various launch vehicle developers that may be used as a cross check to modeled imparted velocities.

The discussion of debris catalogs to this point has addressed debris hazardous to persons on the ground resulting from a tumbling vehicle.

As discussed later, persons on the ground, whether inside buildings or unsheltered, do not face serious threats from lighter inert debris. Historically, breakup lists developed by launch vehicle manufacturers underrepresented fragmentation into fragments weighing less than a few pounds. This approach to developing breakup lists addressed risk analysis requirements for many years. In recent years, concern about protecting aircraft passengers has caused the risk analysis community to turn their attention to potential threat from debris as small as a gram. While a variety of approaches have been employed to supplement traditional breakup lists with smaller debris, there is no universally accepted approach for estimating the number and characteristics of these pieces.

When a launch vehicle is tumbling, it is not meaningful to attempt to model any preferential directionality for imparted velocities. However, for some failures, such as an on-trajectory explosion, the vehicle attitude can be reasonably established. For such failures, it may be important to examine the directionality of imparted velocities. Typically, pieces toward the front end of the vehicle, such as the noise cone components, will receive an imparted velocity generally in the forward direction of the vehicle axis. Pieces toward the aft end, such as a nozzle, may be expected to be blown backward. Much of the skin and other components will tend to be ejected in an angular band about the radial direction. It should be noted that while the directionality is important under some conditions, it cannot be modeled with the Normal impact distributions discussed in the section describing risk analyses based on a debris footprint.

Casualty area computations

Hazard areas, casualty areas, and fatality areas (definitions in the next paragraph) of impacting debris characterize the area about an impact point threatened by the impacting fragment. The values of these quantities are typically computed based on the input fragment characteristics and the computed impact conditions. The discussion on risk computations toward the end of section 4.1 will show how these values are used for computing risks.

The hazard area is the region about a fragment impact that is potentially hazardous. Within the hazard area different impacts will produce different probabilities of severe injuries. The area within which a person will be sufficiently seriously injured to be deemed a casualty is called the casualty area. Fatality areas are similarly defined. Definitions of hazard areas, casualty areas and fatality areas may be required for a number of cases spanning the different types of hazards and the types of sheltering provided to people. Different models are required for characterizing these areas for inert fragments, explosive fragments, burning fragments and fragments that emit toxic substances. Moreover, different modeling approaches are required for unsheltered persons than for sheltered persons.

Several factors should be considered in the computation of casualty areas for inert debris. These include the vulnerability of the person, the size of the fragment, the size of a person, the velocity vector at impact, and whether the fragment remains intact after impact or disintegrates (splatters). As indicated by Figure 4.1.21, the direction of the velocity vector on impact and the potential for indirect hits after bouncing and secondary hits as a result of splattering or crater ejecta may increase the hazard area. If a fragment remains intact, it may ricochet or slide upon impact, depending on the velocity vector (magnitude and angle), the effective coefficient of restitution, and the effective coefficient of friction between the fragment and the surface impacted. Included in ricochet are the effects of tumble as well as rebound or bounce.

For direct impact, the casualty area must take into account both the projected area of the debris and the projected area of the human body onto the plane normal to the velocity of the debris. Since it is typically assumed that a person can be represented by a 6 ft tall cylinder with a 1 ft radius, if the debris falls vertically, the projection of the human body onto the ground would be a circle with a 1 ft radius (representing primarily a standing person). When these two projections overlap such that any location where the debris projection overlaps the center of the projected area of a person (i.e. the center of the circle is assumed to be the head/center of the human torso) would be considered a casualty. The left side of Figure 4.1.22 identifies a piece of vertically falling debris and locations where a person would be considered a casualty if struck by the falling debris. The resulting projections, their overlap, and the ensuing basic casualty area defined by the radius r_D are presented on the right hand side of the figure.

As indicated in Figure 4.1.23 there are secondary impact effects that could cause a casualty due to post-impact events. For example, if the debris piece stays intact, it may ricochet or slide upon impact, depending on several parameters including the magnitude and angle of the velocity vector, the effective coefficient of restitution, and the effective coefficient of friction between the fragment and the surface impacted. Included in ricochet are the effects of tumble as well as rebound or bounce. Since a person that is struck by a casualty producing secondary impact effect must also be considered a casualty, the casualty area must also include the full extent of these secondary impact effects.

The total extent of these secondary impact effects can be modeled with the Secondary Impact Effects Factor (F_A). The projected area of the debris fragment is multiplied by this secondary impact effects factor to find the total area within which a person could be considered a casualty if the area reaches the center of the person’s projected area. The reach of these secondary impact effects and the location of a person that could result in a casualty are presented in the left hand side of Figure 4.1.23. The right hand side shows the components of the resulting casualty area that accounts for all secondary impact effects.

As identified previously, it is assumed that a person can be analytically represented as a 6 foot tall cylinder with a 1 ft radius, r_P. The casualty area identified in Figure 4.1.23 is calculated as a function of the effective debris fragment radius accounting for secondary impact effects () and the radius of a person, r_P, as in equation (12):

(12)

where

(13)

The casualty area accounting for all secondary impact effects can be expressed as:

(14)

F_A is defined as the ratio of the area containing secondary debris impact effects and the projected area of the fragment. Modeling and experimentation has shown that F_A depends on several factors, including debris fragment characteristics, the magnitude and angle of the impacting fragment velocity vector, and the hardness of the impacted surface. Typical values observed have ranged from about 3 to 25.

Figure 4.1.24 illustrates how debris descending at an angle, , elongates the basic casualty area. A fragment approaching a person at an angle places the person at risk whenever the person’s midline is located within the swept volume of the debris fragment (i.e. the volume through which the debris fragment passes) once it reaches the top of a person’s head.

If the velocity and mass of the fragment exceed criteria presented in Figure 4.1.25, the person becomes a casualty. Criteria in Figure 4.1.25 are for “average general public.” (Human vulnerability is discussed at greater length in Appendix B.) It is believed to be conservative because the basis of injury is being struck vertically on the head and not all impacts are to the head. Note that the impact velocity should account for the contribution due to feasible winds.

When the roof of a structure is capable of absorbing the energy of the impact of a fragment without allowing debris to hazard the structure’s occupants, the occupants tend to be safer inside of the structure. However, fragments can penetrate roofs and hazard the occupants. Penetrability is based on the impact velocity, the fragment area and the fragment weight, as well as the capability of the roof to resist the impact. A fragment that does penetrate the roof can also produce secondary fragments that will also hazard the occupants. The following material provides effective casualty areas considering conditions where roof penetration is possible. (Appendix B presents roof penetration thresholds for several building classes.)

The roof penetration capability of a fragment will vary with the impact location. For example, impacts midway between joists or beams, directly on joists, or somewhere between, will have different penetration capability. The processes modeled for roof/floor penetration and the production of secondary debris are illustrated in Figure 4.1.27. The effective casualty area from roof penetration is also a function of the impact velocity and the size of the fragment. Although the figure shows multiple floors, the material provided in this section conservatively assumes that all vulnerable people are on the top floor sheltered only by the roof. Figure 4.1.26 shows the layout of a typical wood roof and different impact configurations.

The dark and pale shaded circles in Figure 4.1.27 indicate two different sizes of the impacting debris. Assume that it is equally likely that a fragment impacts at any point on the roof. Then the effective casualty area for a fragment impacting the roof can be computed by simulating many impacts on the roof, determining for each impact the structural elements resisting the fragment penetrating the roof for the selected impact and whether these elements fail, and if these elements fail, allowing roof penetration characterizing the resulting debris cloud including the primary fragment and the secondary debris.

The four roof classifications were analysed for penetration by six ballistic coefficient classes for the debris (Table 4.1.4). The debris fragments impacted the roofs at terminal velocity and had weights ranging from 0.1 lb to 10,000 lb. The resulting effective casualty areas for people in structures impacted by inert debris are shown in Figures 4.1.28 to 4.1.31. Each figure provides the casualty area for a given roof-type as a function of fragment weight in each of the ballistic coefficient classes. The effective casualty areas in the figures are based on many impact points over a roof for each fragment weight and roof type. In some cases, penetration will not occur every time because the fragment is stopped by the joist supporting the surface. The average effective casualty area considers those cases where there is no penetration and, consequently, the effective casualty area due to roof penetration can be less the basic casualty area.

When people are not protected by a building, the primary injury mechanisms of the blast wave are soft tissue damage and whole body translation. The primary soft tissue effects are damage to the lungs, the gastrointestinal tract, the larynx and the eardrum. It should be noted that eardrum damage is typically considered at two different levels – eardrum rupture for serious injury and temporary hearing loss for minor injury. Whole body translation by a blast wave can result in impact of the body causing severe injuries.

Lovelace data (Richmond et al., August 1982) for each of the types of soft tissue damage has been used to define the combined pressure and impulse (P–I) associated with the 1% (threshold) and 50% probability of serious injury. These levels have then been used to define probit functions for each effect.³ The potential for serious injury due to whole body translation induced by a blast wave is a function of both the peak overpressure and positive impulse. Pressure–impulse (P–I) diagrams for serious injuries due to whole body translation have been constructed based on the Netherlands Organization of Applied Scientific Research (TNO) fatality probit function (Merx et al., 1992) for whole body translation scaled based on the ratio between the impact velocity for fatality and serious injury at the 50% probability level.

P–I diagrams for soft tissue and whole body translation effects and for slight injury, serious injury and fatality have been developed based on the methods described above. Casualty areas can then be determined as a function of yield. Figure 4.1.32 shows the effective casualty area as a function of critical overpressure and yield for computing expected casualties resulting from the effects of a blast waves on unsheltered people. For solid propellant impacts, the potential for casualties from impacting firebrands should be modeled. The simplest method available to account for casualties due to firebrands is to define an effective casualty area based on the region where the peak incident overpressure is at least one psi. Later in this section an alternative method for addressing the threat from firebrands is described.

While structures are usually thought of as providing protection to people from debris and blast waves, a blast wave can produce considerable harm to people inside the structure, either due to flying glass shards or elements (panels, etc.) of the structure itself. In fact, when loads applied to the building from these hazards are sufficient, the effective casualty areas may be significantly larger inside than outside.

Figure 4.1.33 shows a general approach for systematically estimating effective casualty areas due to blast wave effects for people in structures. The steps shown in the figure capture the physical phenomena that define the effects of air blast loading on a structure and its occupants. First, the blast loading on the structure is defined and the window glazing is checked for breakage. If breakage occurs, the flying shards are tracked and their impact on a building occupant is used to estimate their contribution to the probability of casualty given an explosive event occurs. After glass breakage occurs, the loads acting on the structure are revised to account for potential pressure increases inside the structure (called venting) and the external cladding checked for failure. If wall or roof segments fail, the cladding debris is tracked and its impact on building occupants used to estimate their contribution to the probability of casualty. If the building is susceptible to collapse, the blast loads are revised again to reflect the potential for additional venting and the structure checked for collapse. If the building construction is susceptible to collapse, the impact of large building components striking occupants is used to estimate their contribution to the probability of casualty. The contributions due to glass breakage, debris throw, and collapse are then combined. Depending on the level of blast loading and the type of construction, the overall casualty probability may be dominated by glazing breakage alone, or from combinations of glass breakage, cladding failure and/or collapse.

Table 4.1.5 shows four generic building classes that can be used to estimate effective casualty areas due to blast wave effects only. These building classes conservatively represent the construction types and glazing characteristics typical of buildings.

Figure 4.1.34 shows effective casualty areas as a function of explosive yield for four generic classes of buildings due to blast wave effects only. The 1-psi curve in the figure offers a convenient and clearly conservative upper bound to the effective casualty area for people in structures due to blast wave effects from explosions below 20,000 lb TNT equivalent, assuming the structure is adequate to protect against firebrands or other fragments propelled by the explosion.

Thermal injuries are a consequence of launch vehicle malfunctions that have been directly addressed by exception. Nevertheless, omission of these injuries in a risk analysis can materially understate the risks. Solid propellant fragments falling to the ground after the breakup of an ignited rocket motor are generally expected to continue burning during fall back to the ground. Liquid propellant boosters employ a fuel and an oxidizer. If mixing occurs at or near impact a fireball results. Moreover, when tanks of certain type of chemicals or pipelines containing these chemicals are struck by impacting debris fires may result. The types of casualties possible due to falling burning propellant fragments are listed below.

While all of these effects are potentially important, addressing them completely is complex and beyond the scope of this text. This discussion is limited to people inside the fireball and to those affected by direct radiation.

On impact, liquid propellant tanks may explode and create a fireball. The fireball is modeled as a sphere with radius r. At the boundary of the fireball, the heat flux is given by Collins et al., October 2005.

(15)

where P is the vapor pressure in MPa, and tends to be between ¾ MPa and 1.5 MPa.

In the mid-1960s a series of fireballs were created for the main types of liquid propellant that tend to be used in rockets (Gayle and Bransford, 1965). The time durations were measured, and empirical data fits were made for given liquid propellant weights W. A single expression is given for all propellant types:

(16)

where time is in seconds and W is in pounds.

Since a fireball is spherical, the configuration factor need only reflect the inverse square law:

(17)

leading to the heat flux at the receptor to be:

(18)

The radius r of the fireball depends on the type of liquid propellant. Based on the data from Gayle and Bransford, 1965, the fireball radius, in feet, for common liquid propellants are as follows:

(19)

where W is the liquid propellant weight in pounds.

While fire balls are large they only last for a short duration. Fire injuries are dominated by injuries to those people who are inside the fireball (Merx et al., 1992). Clothes will likely ignite and therefore this model considers all the people inside the fire ball to be injured fatally.

The combined term, , is often referred to as the “heat load,” where t is the exposure duration in seconds and q is the heat flux in W/m². The US Coast Guard (Tsao and Perry, 1979) developed Probit functions for burn injuries based on the data published by Stoll and Chianta, 1969, as presented below:

Probit function for first degree burn, Probit_1deg is given by:

(20)

Probit function for second degree burn, Probit_2deg is given by:

(21)

Probit function for lethality/fatality burn, Probit_fatality is given by:

(22)

Probability of casualty corresponding to the Probit function can be computed from:

(23)

where erf is the error function.

Here, for simplicity, buildings are assumed to consist of a single room of circular shape with the area equal to the area of the building. Building shape is not given in the building database and therefore this is a conservative assumption for computing casualty area. Casualty area for a circular building can be computed from:

(24)

where p(r) is the probability of casualty at a distance r from the center of the fire.

Figure 4.1.35 shows the Abbreviated Injury Scale (AIS) for burn injuries. According to this scale (AAAM, 1990), most of the cases with second degree burns are classified as AIS = 2 or higher. When face, hand, or genitalia are involved in the burn, burns of 10% or more body area is classified as AIS = 3. For second degree burns of 20% or more of the body, . For range safety, it is customary to classify casualties as any injuries that result in . Second degree burns have been adopted as the criterion for casualties. Figure 4.1.36 shows the maximum casualty areas for first degree burns, second degree burns, and fatalities to people inside of a building as a function of the amount of Class 1.3 propellant impacting the building.

The discussions above of hazards from inert fragments, explosive fragments, and burning fragments provide a method for describing the area affected by each hazard as a casualty area. Toxic hazards may arise from the impact and rupture of a tank of a hazardous substance, such as hydrazine, or the impact of burning solid propellant fragments that emit toxic combustion products. Both types of impacts generate a multi-hazard environment. A proper formulation will avoid the excessive conservatism of adding the casualty areas by taking the appropriate envelope of the regions. Inclusion of toxic hazards is made more complex because the hazarded region tends to be elongated in the direction toward which the wind is blowing. (A detailed discussion of toxic hazards is presented in Section 5.1. Nevertheless, it is possible to develop a simplified approach for toxic hazards for preliminary analyses as outlined below.

As discussed in Section 5.1 the area hazarded by toxic substances depends of the chemical, on the wind speed, and the turbulence. Toxic analyses involve developing a toxic source term, modeling the transport and diffusion of the toxic material, and assessing the levels of concentration to which people are exposed and for how long. These analyses must be performed on a scenario basis.

For any given scenario, an area may be computed of a region within which exposed people may be expected to be seriously injured. An estimate of the relative importance of the toxic hazard in the debris risk analysis may be assessed by developing expected values for toxic casualty areas. Three different conditions must be considered:

Expected toxic casualty areas for the first two cases are computed by first defining a Level of Concern (LOC) and then computing the expected area to be contained within the corresponding LOC isopleth averaging over wind velocity and stability class distributions. Assessing the expected casualty areas for people inside buildings requires a modification of this procedure to account for the attenuation of the concentration of the toxic material by the building. Probit functions are available that characterize the likelihood of serious injury to people inside buildings as a function of the (attenuated) concentration of the toxic material in the building.

The consequences of a toxic emitting fragment impacting and penetrating into the structure are more complex. A conservative approximation is to assume that all of the toxic material is emitted within the structure. If it is further assumed that people cannot escape the concentration within the total volume of the building is a measure of the expected consequences. When particular impact and meteorological conditions are known, scenario specific casualty areas may be computed. Otherwise, some combination of average and bounding cases may be used for safety planning.

Impact probability computations

Approaches for developing models for these impact probability distributions have ranged from heuristic models, characterized by simple closed form expressions based on physical reasoning, to extensive physics-based simulations of the underlying contributors to debris as described below.

When a vehicle malfunctions it may be expected to continue flying on its original trajectory or on some malfunction induced trajectory until some event terminates powered flight. Powered flight termination may result from an explosion, aerodynamic or inertial loads exceeding the structural limits of the vehicle, by an action of a Flight Safety Officer to terminate flight, or by action of the on-board system. After flight termination the hazard becomes many fragments instead of a single large piece.

In order to assess the risk to assets on the ground the trajectories of each class of debris from the point of origin to the ground must be computed. The following equations (expressed here in two dimensions, vertical (y) and horizontal (x)) characterize these trajectories. The forces on the fragment are: gravitational (downward, parallel to the y-axis); drag (in the opposite direction of the velocity vector); and lift (in a direction perpendicular to the velocity vector). In the two-dimensional model, lift is in the plane of the trajectory. More generally, lift can be in any direction perpendicular to the velocity vector and that direction typically changes with time. The density of the atmosphere is a function of the altitude, y. The gravitational constant g is also a function of altitude and, to a lesser extent, latitude.

(25)

If there is no lift, L, the equation simplifies to:

(26)

Substitution of the ballistic coefficient β (with units of lb/ft²) into the equation above simplifies the numerical computation.

The initial conditions for the fragment are defined by position, velocity, and time . This is also referred to as the breakup state vector (BUSV). The velocity components of the BUSV can also include an incremental velocity added due to explosion. Both position and velocity can include incremental changes due to vehicle motion during a malfunction turn subsequent to the identification of the initial BUSV.

As the vehicle comes apart, different pieces receive different imparted velocities. In addition, there will be a range of fragment sizes and aerodynamic properties. High drag (low ballistic coefficient, β) pieces are carried in the direction of the effective wind; low drag pieces (high ballistic coefficients) are carried along the direction of the vehicle’s flight azimuth. The locus of these impact points is the debris centerline as shown in Figure 4.1.39.

Variability of imparted velocities, wind variability, and variability in aerodynamic characteristics will cause a scatter about the debris centerline. The combination of dispersive effects is illustrated in Figure 4.1.40. When all of the debris resulting from a single event is characterized this way the resulting pattern is called a debris footprint or a debris pattern.

There are at least two important ways in which these calculations can be improved. The trajectory equations were written in a way that suggests that ballistic coefficients, β, are constant. Ballistic coefficients for fragments vary as a function of fragment speed. At subsonic speeds they are reasonably constant. However, there are significant changes in the transonic regime. This is commonly addressed by computing the ballistic coefficient along the trajectory using Mach-C_D tables. This information can be found in published tables, such as by Hoerner, 1966. The second case derives from conditions when the fragment characteristics change during re-entry.

Solid propellant fragments produced as a result of breakup may be chunks of propellant or segments of propellant attached to the booster skin. Burning may occur on the exposed phases of the solid propellant. Liquid propellant contained in a tank may “bleed off” during re-entry or it may burn. For these propellant fragment fragments the ballistic coefficient change during re-entry is a result of the loss of mass just described. In addition to the changing mass, the consumption of solid propellant alters the reference area and, depending on the burn pattern, may alter the drag coefficient.

In addition, re-entering spacecraft or boosters with near orbital velocities may undergo aerothermal loading, breakup, and demise of some of the resulting fragments as they descend through the 70 to 80 km altitude band as described in subsequent chapters and by Koppenwallner et al., November 2005, and NASA.

What sources of dispersion should be included in the definition of a debris footprint and how should they be modeled? The most appropriate answer depends on how the footprint will be used. When a debris footprint is used to define an exclusion region for hazard protection a different selection may be required than when the footprint is being used to support a risk analysis. Exclusion analyses err on the side of defining the potential bounds of the region that could be affected under the range of conditions that could occur. Risk analyses require a characterization that expresses what is expected to occur.

The major sources of debris dispersion that a model needs to address as part of a debris risk analysis are:

While other sources of dispersion could be considered, they are generally minor contributors to the overall dispersions. Examples include uncertainty in the atmospheric density, variations in the impact altitude due to terrain, and uncertainties introduced by the Earth gravitational model.

A flight safety analyst must address three questions: Which of the sources of dispersion listed are relevant to the analysis being developed? How will the dispersion be allocated between selecting mean conditions and dispersions about the means? What numerical models will be used for developing the debris impact footprint statistics?

Thus, as an example of the first question, free flight dispersion of inadvertently separated thrusting strap-on motors is only a potential source of dispersion for those vehicles with strap-on motors. The dispersive effects of malfunction turns and guidance and performance dispersions fall under the second question. Moreover, both malfunction turn dispersions and dispersions of free-flying strap-on motors are frequently treated as generating the state vectors about which footprints will be calculated rather than as dispersion sources to be included in a footprint. Two types of modeling have been used for these effects: Samples from these dispersions may be used to develop a reference state vector about which impact dispersions are developed; alternatively, the distribution of state vectors resulting from these effects may be incorporated into the impact dispersions. These options will be examined in greater detail later on.

Risk analysis process using a debris footprint

Debris footprint methods characterize impact probability by simulating debris footprints for a representative collection of planned jettisons and malfunction breakup state vectors. Typically, planned jettisons only require analysis for a small period of flight time. By contrast, modeling impact probabilities using debris footprints resulting from failures requires substantial samples of failure times and simulated failures. Sampling must be at a high enough frequency to assure a smooth overlap of the footprints. Figure 4.1.43 illustrates the basis steps of a debris pattern based risk analysis.

The following are the basic steps of the analysis:

Risk analysis process using a corridor approach

The corridor approach is a very fast algorithm for computing impact probabilities. It achieves this speed because the key parameters for this approach must be developed as input to the method and because it employs very simple algorithms. The method generally applies to portions of the flight for which the projected (Instantaneous) Impact Points (IIPs) progress steadily downrange. Thus, it does not apply in the early phase of flight shortly after lift-off when the IIP traces can have irregular behavior as a result of vehicle maneuvers or wind effects. This approach has been used to compute the hazards for an on-trajectory loss of thrust, breakup, or explosion, as well as for malfunction turns. It is not directly amenable to incorporate effects of flight termination on the impact distributions. Impact probability distributions are developed in the downrange direction and the crossrange direction independently. The downrange component is based on the failure probability and the rate of downrange progression of the IIP. Simple one-dimensional probability distributions, such as uniform distributions or normal distributions, are used to characterize the crossrange distribution.

Typically, each combination of vehicle failure response mode and fragment group must be modeled separately. Each combination will have its own unique failure rate, IIP trace, and crossrange dispersion.

This modeling technique requires development of the following input data for each vehicle failure response mode:

Conceptually, the corridor approach computes the probability of impact of a fragment group on a population center for the period while the vehicle IIP (in the modeled failure response mode) is passing over or near the population center. Mathematically, the impact probability on a population center is given by:

(41)

where is the downrange component of the impact probability and is the crossrange component. The downrange component is simply the integral of the failure rate over the period of time the IIP traverses the population center, symbolically,

The crossrange distributions are referenced to the IIP trace. A second parameter is used to define the limits of the crossrange distribution. The most commonly employed crossrange distribution is the normal distribution, where three or five standard deviations are used to define the sensible crossrange limits of the distribution. This form of modeling is commonly employed for the downrange risk analyses for launch vehicles. A variation employed for Unmanned Aerial Systems (UAS) is the use of a uniform crossrange distribution over some set of limits.

Figure 4.1.46 illustrates the relationship of the probability distribution to a (square) population center when the crossrange component of the distribution is modeled using a normal distribution. The edges of the population center that are closest and furthest from the IIP trace may be expressed in terms of the population centroid, , and the area, , as and . Thus, the probability, , of impacting within the crossrange limits of the population center is:

(42)

where is the standard deviation of the crossrange impact uncertainty during the time the IIP trace traverses the population center centroid.

Figure 4.1.47 depicts the uniform probability distribution as the crossrange probability distribution. If the width of the crossrange distribution is designated as (for consistency with the prior example) and if the entire crossrange extent of the population center falls within the bounds of the crossrange distribution, then:

(43)

If some portion of the population center extends beyond the crossrange limits of the distribution, then the numerator needs to be reduced by the amount the population center extends beyond the crossrange limits of the impact distribution. For example, if the population center has one edge inside the crossrange distribution and the other edge extends a distance, , beyond the distribution then the crossrange component of the probability distribution is:

(44)

(Other crossrange probability distributions may, occasionally, be appropriate and should be evaluated over the crossrange extent of a population center when they are employed.)

The total impact probability for the combination of the fragment group and failure mode being modeled is then:

(45)

The casualty expectation, , to a single population center with multiple levels of sheltering from a single failure mode and a single fragment group is given by:

(46)

where is the casualty area per fragment to the j^th level of population sheltering, is the population in the j^th level of population sheltering category, and is the number of fragments in the debris group.

Computation of mission risks requires summing overall population centers at risk, all failure modes, and all fragment groups:

Risk analysis process using general Monte Carlo methods

The previous sections have discussed the various independent sources of debris dispersion resulting from a launch vehicle malfunction. Both of the previous sections apply some assumptions for the form of the impact distributions used to characterize the independent sources of debris dispersion and develop the final composite impact probability density functions. An alternative approach that makes no such assumptions is to develop a model based on numerically derived best estimates of the probability distributions of the debris characterization and the atmosphere. Monte Carlo methods build impact probability distributions by judicious sampling from the underlying probability distributions to develop impact probability distributions. There are many fine references discussing considerations in employing Monte Carlo methods and interpreting the results (for example Liu, 2008, Robert and Casella, 2004).

Important issues include (1) the representation of the probability distributions of the independent variables, both marginal distributions and joint distributions; (2) defining the characteristics on the ground that are most important for the evaluation; (3) designing the sampling strategy to account for the characteristics of the impact probability distribution to be captured; and (4) interpreting the results of the Monte Carlo sampling to obtain the best representation of the impact probability distribution.

While it is possible to devise a Monte Carlo analysis that samples initial conditions of the fragments, winds and atmospheric conditions along the ballistic path and the orientation of the lift vector at each step along the trajectory, most Monte Carlo analyses performed for developing debris impact dispersions are more modest in scope. The sampling, more typically, addresses the guidance and performance dispersions, malfunction trajectory dispersions, breakup velocities, and fragment ballistic coefficients. It is useful to think of the Monte Carlo sampling as being composed of two parts. In the first part a sample of breakup state vectors is developed; in the second the debris pattern resulting from each breakup state vector is developed.

When a set of normal trajectories is used to characterize the guidance and performance-induced dispersions, the natural approach is (1) select a failure time; (2) select one of the trajectories characterizing the guidance and performance dispersion; (3) initiate the malfunction response beginning with the selected failure time and selected trajectory; and (4) continue the simulation until the earlier of two conditions – the sampled structural limits for the vehicle is reached or a flight termination criterion has been violated and the sampled reaction time for the flight termination system has passed. The vehicle state vector at the final condition becomes the breakup state vector.

The breakup list for the breakup condition that has occurred and the breakup time of flight is selected. If the model being employed for velocities imparted to fragments at breakup is directional then the vehicle attitude in addition to its position and velocity is part of the breakup state vector. Thus, for example, the breakup model may include a nozzle ejected along the vehicle axis to the rear with a cone half angle of 30 degrees. The fragmentation may consider alternative detachment points for the nozzle which affect the mass of the piece, its drag characteristics and reference area, and the magnitude of the velocity imparted to the piece. When such interdependency exists, it is important that the sampling technique account for the relationship; however, it is uncommon to address inter-relationships at this level because the causality in such variability is hard to define. Instead, the model may only be able to characterize the piece as having some maximum velocity with perhaps a best estimated velocity and a range of ejection directions and a preferred ejection direction. Probability distributions must then be fit to the parameters that can be estimated. Similarly, connecting the fragment’s aerodynamic characteristics to the imparted velocities may often be beyond the capability of the model.

It is important to have a systematic process for sampling and, when it is feasible, to properly address functional dependencies or correlations among variables.

The final step of the Monte Carlo analysis is interpreting the results in the form of impact probability distributions. One approach, discussed previously, is to assume that the impact points follow some particular probability distribution such as a bivariate normal distribution. The parameters of the specified distribution are estimated by a standard approach such as maximum likelihood estimators or the method of moments. When this approach is justifiable, it requires smaller sample sizes and allows more rapid calculations. However, when the use of this approach cannot be justified for the portions of the impact probability distribution of interest an alternative methodology is needed. Perhaps the simplest approach employed under these conditions is a two-dimensional histogram. The region of interest is divided into a regular grid. The number of impact points is recorded for each grid cell and the fraction of the impact points for the condition of interest in that cell represents the local impact probability density. If the region of interest is where the impact probability on a 1000 ft² ship is 1 × 10^–6, stable estimates of these contours will require enormous sample sizes. Moreover, there are additional concerns about the simplistic histogram.

These issues are more easily illustrated in a one dimensional histogram. To create a one-dimensional histogram, the interval covered by the data values is divided into equal sub-intervals (“bins”). The number of data points in each bin is counted, and assigned to the bin. Transforming the histogram into a density function simply requires dividing the value assigned to each bin by the number of data points.

Disadvantages of the histogram include:

Figure 4.1.48 shows two histograms of the same data (the data are shown by the plus symbols). Obviously, the histograms are quite different. The only difference between these two interpretations of the data is the endpoints of the histograms. The diagram on the left suggests a skewed distribution; the diagram on the right suggests a bimodal distribution. Obviously, each representation depicts only certain characteristics of the data and masks other characteristics. The solution to be described is based in part on the desirability for a smooth representation and in part on the recognition that the data being employed in the calculations are samples.

A solution to the problem is to assign a kernel, a function with a specified shape and area equal to 1, to each data point. It is common to use a Gaussian distribution as the kernel. An illustration of this for the same data is shown in Figure 4.1.49. Notice that this figure shows a smooth density function that captures both the skewness and the bimodal characteristics illustrated in Figure 4.1.49.

A challenge with kernel density estimation (KDE) is to choosing the appropriate “bandwidth” (for a Gaussian kernel, the standard deviation). A poor choice of bandwidth can over-smooth or under-smooth the data. For one-dimensional data, analytical methods have been developed to determine the “optimal” bandwidth for specific functions. However, non-constant bandwidths may be appropriate for some data sets.

The KDE methodology can be applied to two-dimensional and higher dimensional data, where the kernel is now a two (or more) dimensional Gaussian distribution. However, there is no method to choose the optimal bandwidth for these higher dimensional cases. Moreover, it is possible to choose a different bandwidth in each dimension, and the orientation of such a kernel is also important.

• The front skirt is a very sturdy structure interfacing the EPC with the upper stage, but also receiving the full thrust of the two Solid Boosters EAP thanks to two ball bearings.

• The rear skirt is also a massive structure interfacing the Vulcain engine with the tanks, but also connecting the EAP struts.

• In between, a huge tank with a common bulkhead houses the 160 tons of liquid hydrogen and liquid oxygen of the stage; it is made of light aluminum alloy, and very thin (1.5 mm in some zones).

• massive objects, such as turbo pumps of the Vulcain or structures interfacing the Solid Boosters;

• pieces in titanium, such as liners for high pressure tanks;

• large panels, often flying a “leaf like” pattern which averages the thermal fluxes;

• filament wound tanks, potentially resisting at temperatures as high as 1600°C;

• pieces shaded by others during re-entry, such as electronic boxes, inside the front skirt of the stage, on metallic trays, behind large carbon walls;

• smaller pieces such as paint flakes or bits of thermal protection.

• the leading debris chosen representative from a dense element such as a turbo pump (M/S.Cx = 300 kg/m², L/D = 0.1);

• the trailing debris representative from a gliding element such as a tank panel (M/S.Cx = 10 kg/m², L/D = −0.3).

• Ascent phase: this modeling is classical, performed for the customers during the mission analysis. The dispersions are taken into account by covariance matrix propagation considering launcher dispersions (mass, propulsion), aerology (air density, wind), and IMU dispersions.

• Separation phase: this starts at MECO and lasts some 1000 seconds, after which the pressures in the tanks are so low that no perturbing torque is applied any more to the EPC. To avoid any skipping effect where EPC would rebound in an uncontrolled way, a large shaped hole was pyrotechnically opened in the walls of the liquid hydrogen tank, inducing a fast tumbling movement of the stage; this valve, associated to a similar one on the liquid oxygen tank side, also depressurizes the EPC, thus avoiding any risk of highly energetic explosion during re-entry. This phase is very complex and numerous sub-phases shall be modeled:

• the residual thrust of Vulcain after separation shall be taken into account;

• eight small pyrotechnical jacks that force a quick distancing between EPC and upper stage, aiding physical separation;

• the LH₂ tumbling valve is opened, generating a large torque on the stage, greatly dependent on residual propellant masses in the tanks;

• the LOX passivation valve is opened, but the perturbing torque is negligible;

• when applicable, the effect of the plume of the upper stage engine, ignited at 5 meters distance from the EPC, shall be taken into account.

• Coasting phase: this phase is the easiest to model, being purely ballistic. A 6 DOF model of the EPC is used, considering the residual propellants as masses attached to the tank walls; damping effects due to propellants can be neglected.

• EPC re-entry phase: starting arbitrarily at an altitude of 120 km; this phase is characterized by the increasing effect of atmosphere, slowing the stage, slowing its tumbling motion and heating the structures.

• Complex aerodynamic effects are modeled based on the results of numerous sub-scale wind tunnel tests at high Mach numbers. The breakup of EPC is considered to happen somewhere close to 70 km altitude, when the dynamic pressure induces torques in the structures larger than they can bear, taking into account the effect of temperature on the effective strength of materials. At breakup, the debris are ejected following the worst case distributions for the direction and a ΔV corresponding to the rotational motion of EPC and some explosive behavior for elements not passivated (high pressure vessels).

• Debris re-entry phase: the trajectories of the two-dimensioning debris are simulated separately, using a 3 DOF model down to the 0 altitude. Aerology effects are taken into account.

• The first plane, AST (Airborne Surveillance Testbed), was a prototype of the Boeing 767 modified to house a huge infra-red sensor (Figure 4.2.5b, plane and sensor).

• The second plane, ARGUS, was a modified C-135 housing two very sensitive optical benches (Figure 4.2.6) covering all the range from infra-red to ultra-violet wavelengths, in addition to numerous visual sensors.

• The third plane, Big Crow, was a modified C-135 housing a 50 MHz radar operated by SPC (System Planning Corporation). This third plane was meant to qualify a simplified system which could be used on several of the following Ariane 5 launches.

• A fourth plane, Cast Glance, from the US Navy, was even used to follow the re-entry of the two Solid Boosters EAP and did a superb job, but is out of the scope of the present paper.

Missions

These five flights (including 503) were chosen in order to cover a wide range of launcher versions and missions:

Figure 4.2.10 gives a schematic representation of the various versions of Ariane 5.

Observation means

The measurement system is based on a VHF radar, 50 MHz, developed by SPC (US) and an infra red video camera. Initially flown on a USAF C135 plane called Big Crow, the observation system was adapted on the Airbus A300-0g belonging to Novespace, normally used to perform 0g experiments.

The radar system block diagram, from SPC, enabling low RF voltage is depicted in Figure 4.2.11 (Rubin et al., May 9–12, 2005).

The external antennas are “patch” antennas conformally mounted on dedicated doors adapted to the Airbus, enabling wide azimuth pattern and wide bandwidth. They are covered with dedicated radomes ensuring a good aerodynamic and structural integrity, as shown Figure 4.2.12.

The video camera adapted on its special mount is shown Figure 4.2.13. The equipment inside the plane is shown on Figure 4.2.14.

Observation data

To perform its observation, the plane follows a turn in order to have the antennas always oriented towards the re-entering stage, which is a complex maneuver considering the high altitude and velocity of the EPC during re-entry.

The signal before treatment is a range vs. time signal as shown in Figure 4.2.15, which after analysis gives all the required information, such as the precise trajectory followed by the stage, the altitude of breakups, the intensity of the return signal denoting the size of the debris, and the scattering of the debris after rupture.

This information is cross-checked with the video information, witnessing all the main events during the breakup phase. An example of a snapshot of the video is given in Figure 4.2.16.

Synthesis of the results

The various observations turned out to be very coherent, giving the same major results:

A typical analysis of the results is shown Figure 4.2.17 (altitude versus longitude).

The results from observation are the small dots. The four external lines (two on top, two at the bottom) correspond to our predictions at 99% and 99.9%, the dotted line corresponds to our mean prediction; the small difference between this mean prediction and the observation is the effect of passivation of the EPC, which could then be determined with precision.

The observation results from the five missions are summarized in Table 4.2.1. From all these observations it can be confirmed that the breakup is due to thermo-mechanical loads and overpressure loads, and that the tumbling rate due to the passivation valve was quite close to that expected; the main rupture mode leads to two distinct large objects, as expected. They also showed that the EPC is progressively stripped of elements (thermal protection?) at very high altitudes.

These results definitely reassured us in our models, allowing us to open the flight domain of Ariane 5 even more.