This chapter establishes minimum design, fabrication, installation, testing, inspection, certification, and data requirements for flight aerospace vehicle equipment (AVE) and pressurized systems, pressure vessels, and pressurized structures.
Flight Hardware Pressure System and Pressurized Structure General Requirements.
Hazardous flight hardware pressure systems are defined as follows:
- Flight systems containing hazardous fluids such as cryogens, flammables, combustibles, and toxics;
- Systems used to transfer hazardous fluids such as cryogens, flammables, combustibles, and hypergols;
- Systems with operating pressures that exceed 100 psig;
- Systems with stored energy levels exceeding 14,240 foot pounds; and
- Systems that are identified by the Payload Safety Working Group (PSWG) as safety critical.
12.1.1. Flight Hardware Pressure System and Pressurized Structure General Design Requirements
12.1.1.1. The structural design of all pressure vessels and pressurized structures shall use industry or government standard processes and procedures for manufacture and repair.
12.1.1.2. The design shall provide for access, inspection, and pre-launch servicing as required.
Throughout this chapter there are numerous specific design requirements that allow for safe access, inspection, and pre-launch servicing (e.g., 12.1.10.1.1 addresses design of hypergolic propellant systems to allow for fill and drain operations by individuals dressed in SCAPE or other approved propellant handling ensembles; 12.1.10.2.1 addresses handling and hoisting attachment points; 12.2.5.3.2 addresses COPV pre-launch pressure test and inspection; 12.5.2.4 addresses remotely operated shutoff valves for hydraulic tanks and reservoirs; 12.8.1.1 covers hypergolic propellant system low point drains; 12.8.3.5 covers monitoring of remotely controlled hypergolic propellant system valves; etc.). The Payload Project System Safety Engineer must ensure that all of the requirements in this chapter and document are well understood and either incorporated by the spacecraft design engineers or tailored appropriately.
12.1.1.4. Repaired or refurbished hardware, or hardware transferred from another payload project, shall meet the same conditions of flightworthiness as new hardware. To be considered flightworthy, such items shall pass all the applicable qualification tests, acceptance tests, and inspections required for new flight hardware.
12.1.2. Flight Hardware Pressure System and Pressurized Structure Failure Tolerance
12.1.2.1. Spaceflight hardware pressure systems shall be designed to be single failure tolerant against inadvertent actuations (including leakage) that could result in a critical hazard during prelaunch operations. See paragraph 12.1.2.6 of this Volume for exceptions.
12.1.2.2. A pressure system shall be dual failure tolerant if the failure of two components could result in a catastrophic hazard.
Examples: The system must be dual failure tolerant if the degradation, loss, or removal of all the inhibits of the system would result in any of the following:
- Personnel exposure to an atmosphere that poses an immediate threat to life or immediate or delayed permanent adverse health effects, or that prevents escape from such an environment, as defined by OSHA, NIOSH, and local safety requirements.
- The potential hazard exposure from a release of hazardous material exceeds the confines of the facility operating bay or the boundary of the launch complex (i.e., a public safety hazard).
- A potential release could result in a flammable or explosive hazard due to incompatible materials or ignition sources present, creating a potential catastrophic hazard.
12.1.2.3. Temporary re-configuration of a mono-propellant dual failure tolerant system to a downgraded mode with an inhibit removed (e.g., latch valve opened) requires PSWG and Range Safety concurrence and implementation of the following controls:
- The system/branch is configured in a downgraded mode for the shortest possible time.
- Personnel access is limited to essential personnel only; no trainees or visitors are permitted.
- Quantitative analysis shall be performed to determine personnel exposure, stay-out zones, or additional monitoring methods.
- The removed inhibit can be immediately reinstated under emergency and nominal conditions.
- All inhibits and system parameters remain verifiable and operational, can be restored remotely, and can be monitored directly via telemetry.
- The removal of the inhibit does not affect the function of the remaining inhibit(s) (i.e., independence of inhibits is required).
- Facility vapor monitoring shall be in place.
- Persons performing the work shall be clad in appropriate personal protective equipment (PPE).
- All material that could react with propellant is removed from the vicinity.
12.1.2.4. Propellant tank service (fill and drain) valves that are not isolated from the storage vessel flow path shall be two failure tolerant to propellant leakage.
12.1.2.5. For the purpose of risk assessment, potential releases of propellant or pressurant shall be supported by quantitative analysis or test, otherwise the design, operations, and hazard mitigation requirements shall be determined by a credible worst case scenario with concurrence from the PSWG and Range Safety.
12.1.2.6. The design, fabrication, qualification, testing and hazard controls related to hazardous pressure system components and component housings such as tubing, welded joints, piping and fittings, pressure vessels, filters, venturis, other component valve bodies and pyrovalves are extremely critical to flight hardware pressure systems and safe payload processing. Provided that the requirements of this document are met and a Design for Minimum Risk (DFMR) approach is employed, structural failure of these types of components or component housings (i.e., rupture or leakage) shall not be considered mechanical single failure points. Hazardous pressure systems containing normally-closed pyrovalves as flow control devices shall comply with Category A ordnance device requirements established in Chapter 13 of this volume. At least three independent electrical inhibits shall control the opening of flow control devices in hazardous systems.
12.1.2.6.1. All normally closed pyrovalves shall be designed, analyzed, and undergo a comprehensive development and qualifications program in accordance with approved project drawings, specifications, standards, tests, and pyrovalve requirements documents.
12.1.2.6.1.1. The pyrovalve internal flow barrier and shear section must be fabricated from a continuous unit of nonwelded parent metal compatible with the working fluid, such as vacuum furnace remelt 304L stainless steel (Specification SAE-AMS-QQ-S-763, Steel, Corrosion Resistant, Bars, Wire, Shapes, and Forgings).
12.1.2.6.1.2. The pyrovalve’s valve structure must preclude inadvertent operation as a result of exposure to all potential environmental conditions.
12.1.2.6.1.3. Details of the pyrovalve design and test methods used to ensure system integrity shall be adequately addressed in the safety data package and appropriate hazard reports for PSWG review.
12.1.2.6.2. When the failure of pyrovalves used in hazardous pressure systems may lead to a catastrophic hazard, at least one additional mechanical inhibit (such as a latch valve or closed thruster valve) shall be provided in series with the pyrovalve.
12.1.3. Flight Hardware Pressure System Offloading
12.1.3.1. For contingency safing operations, hazardous pressure systems shall be designed so that depressurization and drain fittings are accessible and do not create a personnel or equipment hazard for offloading commodities.
12.1.3.2. System design and accessibility shall permit the offload of propellant and pressure systems at any point after pressurization or loading, including the ability to offload all systems at the launch pad and/or vehicle integration facilities. This shall occur without demating of the spacecraft from the launch vehicle or any other disassembly of vehicle systems unless approved by the appropriate authorities as identified by the PSWG and Range Safety.
System design and contingency planning shall permit safe movement of the payload. Planning shall address the worst-case scenario.
Accessibility through payload fairing door(s) is the desired approach. Verification/validation of the design for accessibility is best achieved through high-fidelity modeling or a mock-up of the hardware, including required GSE, tooling, PPE, etc., or by demonstrating similarity to accepted designs and processes.
Early coordination with the launch vehicle supplier is necessary to establish required payload fairing door size and placement, operational support, and the ability to perform contingency support in hazardous and/or explosive environments. Also, see 12.1.10.1.
12.1.3.3. If the payload project and the local safety authority decide that depressurizing and/or offloading the pressure systems of a spacecraft is necessary, spacecraft offload procedures shall be approved by the local safety authority prior to use, in accordance with Volume 6 section 4.4 and attachment 2 of this publication or as required by the local safety authority.
12.1.3.4. Flight hardware propellant systems shall be designed to permit propellant loading or offloading without the need for internal or external power to re-configure propulsion system components.
12.1.4. Flight Hardware Pressure System Operations. The requirements for operating hazardous pressure systems found in Volume 6 of this publication shall be taken into consideration in the design and testing of these systems in addition to the general requirements identified in 12.5 of this chapter.
12.1.5. Flight Hardware Pressure System and Pressurized Structure Analyses
12.1.5.1. Flight Hardware Pressure System and Pressurized Structure Hazard Analysis
12.1.5.1.1. A hazard analysis shall be performed on all hazardous systems hardware and software (if applicable) in accordance with a PSWG approved SSP (Volume 1, Attachment 2).
12.1.5.1.2. Hazards related to the test, integration, and planned and contingency operations of these systems in payload processing facility and launch site area shall be analyzed.
12.1.5.2. Flight Hardware Pressure System and Pressurized Structure Functional Analysis
12.1.5.2.1. A detailed system functional analysis shall be performed to determine that the operation, interaction, or sequencing of components will not lead to damage to the launch vehicle, payload, or associated ground support equipment.
This requirement is generally satisfied in the subsystem/system hazard analysis.
12.1.5.2.2. The analysis shall identify all possible malfunctions or personnel errors in the operation of any component that may create conditions leading to an unacceptable risk to personnel or equipment.
12.1.5.2.3. The analysis shall also evaluate any credible secondary or subsequent occurrence, failure, or component malfunction that, initiated by a primary failure, could result in personnel injury.
12.1.5.2.4. Items identified by the hazard analyses shall be designated safety critical and shall require the following considerations:
12.1.5.2.4.1. Hazard identification and proposed corrective action.
12.1.5.2.4.2. Design action.
12.1.5.2.4.3. Safety procedures and operating requirements.
12.1.5.2.4.4. Safety supervision.
12.1.5.2.5. Systems analysis data shall show that:
12.1.5.2.5.1. The system provides the capability of maintaining all pressure levels in a safe condition in the event of the interruption of any process or control sequence at any time during test or countdown.
12.1.5.2.5.2. Redundant pressure relief devices have mutually independent pressure escape routes.
12.1.5.2.5.3. In systems where pressure regulator failure may result in a critical hazard to personnel or hardware safety systems, regulation is redundant and, where passive redundant systems are specified, includes automatic switchover.
12.1.5.2.5.4. When the hazardous effects of safety critical failures or malfunctions are prevented through the use of redundant components or systems, all such redundant components or systems shall be operational before the initiation of irreversible portions of safety critical operations or events.
12.1.5.3. Flight Hardware Pressure System and Pressurized Structure Stress Analysis