By John F. Connolly
A typical NASA project begins with a set of requirements that describe all the functions and performance a spacecraft must possess. A vehicle is then designed to satisfy those requirements. This process produces a design that initially attempts to meet all requirements equally, after which it is difficult to reduce capability if the vehicle is found to exceed mass or cost limitations. Our risk-informed design approach to Altair, the next lunar lander, is different. Our aim has been first to design a vehicle that meets a minimum set of requirements and then incrementally add functions and performance to that initial design. This approach means that the decision to accept each additional requirement will be informed by its individual impact on cost, performance, and risk. This process was derived in part from NASA Engineering Safety Center Report PR-06-108, “Design, Development, Test, and Evaluation (DDT&E) Considerations for Safe and Reliable Human-Rated Spacecraft Systems.”
After defining the “minimum functional” vehicle in the first lander design-analysis cycle, the Altair team identified major risks that would affect the safety of the crew and the success of the mission in subsequent design cycles. The project team was able to identify the specific performance “cost” of each increment of crew safety and mission reliability added to the minimum spacecraft design. Residual spacecraft risks will continue to be evaluated as subsequent design cycles assess the performance, cost, and risk impacts of adding additional vehicle functionality and other factors, such as manufacturability and maintainability.
The Baseline Design
The first step of the process was to establish a “minimum functionality” baseline design by scrubbing the vehicle requirements back to a small number that described the lander’s essential functions and constraints. The core requirements for the Altair lander were to carry a crew of four to the lunar surface for seven days with 500 kg of payload, loiter for up to 210 days at a polar outpost, deliver 14,500 kg of dedicated cargo, fit within the Ares V shroud, perform the lunar orbit insertion burn with the Orion spacecraft attached, carry an airlock, and work within the Constellation architecture. Key constraints were mass limits of 45,000 kg for crewed missions and 53,600 kg for cargo missions.
The minimum functional design was the baseline from which to identify vehicle risks in order to mature the design to one that was “safety enhanced.” The team first identified risks that contributed most directly to a loss of crew and then studied multiple mitigation options for these risks. We developed decision processes for both selecting the risks to be studied and evaluating the mitigation options that were incorporated into the second design-analysis cycle. In this cycle, the primary measure of risk reduction was the reduction in loss-of-crew risk, and the primary “cost” measure was added mass. The outcome of this risk-reduction design cycle was a reduction in the risk of loss of crew from 1:6 to 1:206 by expending 1,300 kg of mass for more robust components, selective redundancy, and dissimilar system backups. This first cycle of risk-informed design brought the lander design within striking distance of the target risk requirement of 1:250.
The third Altair design cycle focused on loss-of-mission risks in the same way that loss-of-crew risks were addressed in the previous cycle. The team identified lander reliability risk areas and studied options that increased reliability at different levels of mass expenditure. We also began to incorporate additional capabilities, such as the ability to land at any site on the lunar globe. This global access capability will be “bought back” in the same way that safety and reliability were reintroduced into the minimum design—with known impact to risk and performance.
Risk-informed design provides early, critical insight into the overall viability of the end-to-end architecture and provides a starting point to make informed cost–risk trades so risks can consciously be bought down. The Altair team has used the education afforded by risk-informed design to look at risk reduction in its many forms rather than blindly applying fault-tolerance rules or preconceived risk-reduction solutions. The process inherently produces risk metrics for each added capability, and cost analysis can easily be added to facilitate evaluation of the true cost and risk changes that accompany each added capability. Perhaps most importantly, risk-informed design creates a “smart buyer” team that understands the balance of risk drivers and mass performance within the design.
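The buyback loop described in the preceding sections, as an added illustration (not the Altair project's own data or tooling): each candidate mitigation carries a mass "cost" and an assumed multiplier on loss-of-crew probability, and options are taken in order of risk reduction bought per kilogram until the 1:250 target is reached or the mass budget is exhausted. All candidate names and numbers below are constructed for the example.

```python
"""Risk-informed "buyback" trade model (constructed example, not Altair data)."""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Mitigation:
    name: str
    mass_kg: float      # performance "cost" of adding the option
    loc_factor: float   # multiplier on loss-of-crew probability (<1 is better)


# Constructed candidate options; factors are assumed independent.
CANDIDATES = [
    Mitigation("pressure-fed backup ascent engine", 500, 0.30),
    Mitigation("dissimilar backup life-support loop", 300, 0.40),
    Mitigation("second avionics string", 120, 0.50),
    Mitigation("redundant descent-engine igniter", 40, 0.60),
    Mitigation("landing-gear energy-absorber margin", 250, 0.80),
    Mitigation("micrometeoroid shielding upgrade", 600, 0.90),
]


def buy_back(baseline_loc, target_loc, mass_budget, options):
    """Greedy buyback: repeatedly add the affordable option with the largest
    log-risk reduction per kilogram until the target is met or nothing fits.
    Returns (selected names, residual LOC probability, mass spent in kg)."""
    residual, spent, chosen = baseline_loc, 0.0, []
    remaining = list(options)
    while residual > target_loc and remaining:
        affordable = [m for m in remaining if spent + m.mass_kg <= mass_budget]
        if not affordable:
            break
        # -ln(factor) / mass: risk reduction bought per kilogram of mass
        best = max(affordable, key=lambda m: -math.log(m.loc_factor) / m.mass_kg)
        residual *= best.loc_factor
        spent += best.mass_kg
        chosen.append(best.name)
        remaining.remove(best)
    return chosen, residual, spent


if __name__ == "__main__":
    # Page's framing: baseline 1:6, target 1:250, roughly 1,300 kg available.
    names, loc, kg = buy_back(1 / 6, 1 / 250, 1300, CANDIDATES)
    print(f"selected: {names}")
    print(f"residual LOC 1:{1 / loc:.0f} for {kg:.0f} kg")
```

With these constructed inputs the loop stops at about 1:208 for 1,210 kg, short of the 1:250 target because the last remaining option does not fit the budget, which is the kind of residual-risk picture the process is meant to surface.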
Maturing the Design
Risk-informed design is a time-consuming process that may not work for projects with compressed schedules; the first three design-analysis cycles took the Altair team approximately twenty-four months to complete. To optimize the risk-based design effort, the Altair team chose to hold the vehicle design constant so as not to introduce new variables into the design, with a plan to revisit vehicle configuration once the first two buyback cycles were complete. With the completion of those cycles, the next step was to prioritize the configuration and maturation studies that would have the greatest impact on the vehicle design. Altair considered a list of more than two hundred potential configuration–maturation trades, and from that list chose the following studies as the basis for a special trade-analysis cycle that was inserted into the vehicle’s development schedule:
- Alternate descent-module configuration
- Alternate ascent-module and airlock configuration
- Alternate ascent- and descent-module separation concepts and analyses
- Structural stiffness design
- Descent-module tank residuals
- Human-piloting capability maturation
- Operations concepts and timeline maturation
- Spacecraft “safe” configuration for critical faults
The trade-analysis cycles will give us a fresh look at the lander design to determine if the current configuration is optimum for the current architecture. Possible changes may include a reduced number of descent tanks, alternative descent-stage structure, alternative placement of the ascent module and airlock, change of the ascent-module pressure-vessel shape, and alternative methods of packaging cargo. It’s important for a design to be revisited on occasion. As engineers, we sometimes become so enamored of our designs that we fail to see large innovations or subtle alternatives that may improve the design solution. Scheduling regular revisits to the design configuration offers the team the opportunity to step back and reconsider the design choices they have made.
Design Challenges Abound
As we’ve worked through the early phases of the Altair design, we have a sense that we are walking the trail the Apollo designers blazed before us. The physics of lunar landing demand that the lander perform velocity changes—about 1,000 m/sec to decelerate into lunar orbit, 2,000 m/sec to decelerate to a soft landing, and another 2,000 m/sec to accelerate back into lunar orbit. Additionally, a lander must include life support for the human crewmembers. So much of the lunar lander “design space” is determined by physics. Large tanks of propellant surrounded by structure, an attenuation system for landing, and a pressurized volume for crew habitation all directly address the physics of lander design. Those physics and engineering realities mean that the Altair lander will bear little resemblance to an X-wing fighter or even a homely Star Trek shuttle craft, as much as the designers would have liked it to.
Instead, Altair will look like the big brother of the Apollo lunar module because the physics of lunar landing is unchanged and technology has improved only incrementally since Apollo. Apollo designers not only understood the physics of the problem perfectly, they were very smart, especially given that they were inventing much of the technology. Our challenge is to apply the lessons learned from Apollo and combine them with the incremental improvements in technology from the past four decades.
Still, the design process is full of technical challenges, including the timely development of a variable-thrust descent main engine, control of propellant levels in a multiple-tank system, scavenging of cryogens for fuel-cell use, development of a high-reliability ascent main engine, control of lander center-of-gravity, and lander stack frequency during launch and translunar injection.
In addition to the technical challenges are management and administrative issues encountered during the early conduct of the lander project. These include acquiring a skilled workforce, competing with other projects for resources, and coordinating projects at different points in their life cycles.
NASA lacks adequate human spacecraft design and development expertise. As an agency, we simply don’t have enough large human spaceflight projects to consistently train human spacecraft developers. New human spacecraft developments occur at NASA approximately once per generation, and those spacecraft are typically developed by industry with NASA providing initial conceptual work, requirements, and then oversight and insight. New projects such as Altair offer an opportunity to take the in-house phase of the design to system design review (or perhaps a bit beyond) to expose a new generation of designers to the early design phases beyond writing requirements. Innovative partnering between NASA and industry can further extend in-house experience into the mature design phases of a project. To supplement its design teams, NASA is reaching into its robotic lander experience, Space Shuttle and International Space Station development expertise, and its Apollo lunar module knowledge to bring experience to the current design challenge.
Another challenge is that of ramping up a new project at the same time other projects are peaking in their development and resource needs. The lander project will be several project milestones behind Constellation’s Orion and Ares I and will compete for resources with these more mature projects. These projects, though started at different times, must eventually perform future missions together, which creates challenges in defining the interfaces among these elements. This challenge is reflected in interface requirements documents: the more mature projects will have more fully developed interfaces, and the projects that are closer to the beginning of their life cycles may be left to accept interface requirements established by their more mature siblings.
In other words, designing a new human lunar lander is a multilayer systems challenge. The Altair project must create a lander design that reflects the physics of spaceflight and the limitations of human performance while balancing performance, cost, schedule, and risk; works within the integrated architecture performance, cost profile, schedule, and integrated risk and reliability targets of the Constellation program as a whole; and fulfills the policy directives of NASA’s strategic plan, Congress’s NASA Authorization Acts, and policy and budget guidance from the Administration’s Office of Management and Budget and Office of Science and Technology Policy. To pull this off requires a team with a true systems perspective—an understanding of how a change made to one lander parameter affects other factors, and other levels.