
Hazard Mitigation and Safety Practices for Static Firing of 800lbf Nitrous Oxide-Ethane Engine

McKynzie Perry1 and Aaron Hunt2 The University of Alabama in Huntsville, Huntsville, Alabama, 35899, United States

Due to the increasing popularity of competitions such as the Spaceport America Cup and the FAR-MARS Launch Contest, more student groups than ever are attempting to construct and test bipropellant liquid and hybrid propulsion systems, often for the first time in the history of their organization. This is true for the Space Hardware Club at the University of Alabama in Huntsville's Tartarus Project, which is developing a launch vehicle capable of reaching an apogee of 30,000 ft and powered by a bipropellant rocket engine. As the team has moved from flight system design towards testing, the focus has turned to ensuring the system was designed safely for repeated ground testing. This paper presents the analyses used to identify hazards, risks, and operability issues, as well as the design and operational mitigation methods implemented. It additionally discusses personnel training practices and risk reduction efforts, such as preliminary non-hazardous testing. As the team moves closer to high pressure testing and static firing, with their respective test readiness reviews, the findings from non-hazardous testing will influence final safety protocols, training, and operations. While not applicable to every propulsion system, the practices presented in this paper aim to reduce potential mishaps during Tartarus hazardous testing. It is intended that the presentation of these practices will improve the safety practices of Tartarus, as well as those of other new student propulsion efforts.

I. Nomenclature

\(A\) = relief device orifice area
\(A_1\) = frequency factor
\(E\) = activation energy
\(g_c\) = gravitational constant
\(K_b\) = back-pressure coefficient
\(K_d\) = discharge coefficient
\(M\) = molecular mass
\(\dot{m}_{C_2H_6}\) = mass flow of ethane
\(\dot{m}_{N_2}\) = mass flow of nitrogen
\(\dot{m}_{N_2O}\) = mass flow of nitrous oxide
\(\dot{m}_{RV}\) = mass flow through relief valve
\(P_1\) = upstream pressure
\(R\) = ideal gas constant
\(T\) = fluid temperature
\(t_{1/2}\) = reaction half-life
\(W\) = mass flow rate through orifice
\(z\) = compressibility factor
\(\gamma\) = specific heat ratio

1 Student, Mechanical and Aerospace Engineering Department, [email protected], Student 2 Student, Mechanical and Aerospace Engineering Department, [email protected], Student


II. Introduction

The Space Hardware Club (SHC) at the University of Alabama in Huntsville (UAH) began the Tartarus project in 2017 with the goal of developing a bipropellant launch vehicle that would reach 30,000 ft. In addition to offering students the opportunity to design, manufacture, and assemble liquid propulsion systems, the project requires students to plan and execute hazardous operations, such as high-pressure proof testing, engine firings, and launch. As more university teams move towards in-house propulsion system development, the need to understand the associated hazards and implement mitigations becomes more pressing. This is especially true of organizations working towards their first attempt at these systems, such as the Space Hardware Club. Unfortunately, student teams often fall in a valley between the hobbyist world and industry practice. Hobbyists can often accept more risk, as they operate on personal funding, with few other people involved, and without an institutional affiliation. Industry is heavily risk averse to limit liability and potential reputational damage, but usually at additional cost and time in test development. Student groups are tasked with meeting industry safety standards on close to hobbyist budgets. The Tartarus project has attempted to bridge this disparity while keeping personnel safe above all else. As the project moves towards its first hazardous testing campaign, it is critical to be transparent about the safety design so that those with more experience may offer relevant critiques and other student teams have the opportunity to learn from our findings.

III. Hardware Safety Design

The most effective method of ensuring a system is safe is to design it so that hazards are mitigated by virtue of the design itself. While hazards can be mitigated through procedural practices during operations, it is both safer and easier if no action by the operator is required at all. Whether this consists of proper design of components to prevent failure, the addition of safety devices such as relief valves, or fail-safe configurations, hardware safety design is the first line of mitigation for hazards and risks in any system.

A. System Safety Factors

The most common method for ensuring safe operation of any system is designing to set safety factors. These factors vary across engineering disciplines, but in the aerospace industry they typically range from 1.1 to 1.25 on flight vehicles [1] and from 2 to 3 on ground support equipment [2]. The Tartarus team has elected to follow this guideline for the ground system equipment. For the flight vehicle, however, due to the relative inexperience of the team, all flight hardware has also been designed to a factor of safety of 2. The team did this with the belief that any reduction in performance incurred by the increased weight would be offset by the increased durability of these components, preventing errors in models and simulations from destroying components that are extremely valuable to the team.

1. Ground System Safety Factors

Very little of the Tartarus ground system required component design, due to the prevalence of commercial off-the-shelf (COTS) components available for use. Almost all components on the ground system were purchased, allowing the team to skip the design, fabrication, and test process for many components. This sometimes costs the team a significant amount financially, but the benefits often outweigh the costs. To illustrate, the team developed its own set of full-size propellant tanks, custom manufactured primarily by students and sized for a 20 second engine firing. These tanks cost the team approximately $2500 in materials and welding, not counting the many hours spent machining components. During hydrostatic testing, these tanks burst at approximately half of their required proof pressure. Rather than redesigning these tanks, the team elected to purchase double ended sample cylinders from Swagelok, as seen in Figure 1. These sample cylinders cost approximately half of what remanufacturing a new set of tanks would have, and allowed the team to continue the buildup to its low duration firing campaign uninterrupted, instead of pausing for the design, fabrication, and testing of a new set of self-developed tanks.

Figure 1: Swagelok Double Ended Sample Cylinder


The only major component of the ground support system that is entirely team-designed is the hold down structure. This has the important job of restraining the engine during firing, preventing the ground test from becoming a flight test. The hold down is constructed from low carbon steel and is deliberately overengineered to future proof the design, allowing the team to increase engine performance without fear of exceeding the capacity of the ground system. The factor of safety for the hold down was determined primarily using Finite Element Analysis (shown in Figure 2) and is roughly 6 for the current iteration of the engine. As mentioned previously, this gives the team test stand capacity to "grow into", allowing development efforts to be focused on the flight systems.

2. Vehicle System Safety Factors

In contrast to the ground system, most of the vehicle system is student designed, due to the lack of turnkey COTS solutions for vehicles and engines in the team's performance range. While traditional structural analysis methods such as those shown above can be used for most systems, some components undergo unique load cases that cannot be analyzed with traditional methods. One such component is the engine combustion chamber and nozzle. The elevated temperatures present inside the combustion chamber prevent the use of room-temperature mechanical properties; instead, properties at elevated temperatures must be used. Thankfully, such values have already been tabulated for common combustion chamber materials, such as the 316 stainless steel used by the Tartarus project. In Figure 3, a simple spreadsheet for calculating the thin wall hoop stress in a cylinder at various temperatures and pressures is shown. Using this data, the team can design the combustion chamber against the actual material strength at temperature instead of applying an even greater factor of safety to account for thermal uncertainties.

B. Relief Device Sizing

The primary safety devices for any pressurized system are pressure relief devices. These act as intentional failure points, preventing pressure from building to unsafe levels and protecting other system components from damage and personnel from harm. There are two primary types of relief devices: relief valves and burst discs. A relief valve is a spring-loaded valve that can be set to a range of pressures. Once that pressure is reached, the relief valve is forced open, venting the system until the pressure falls below the set pressure of the valve. Once the system pressure drops below the set pressure, the valve closes again, allowing normal operation to resume. In contrast, a burst disc is a thin metal diaphragm designed to rupture once a certain pressure is reached, completely venting the system; it is single-use and must be replaced after it bursts. Both types of devices are in use on the Tartarus system, as their different functions and sizes make them optimal for different applications in the system. In order to calculate the proper relief valve sizes for the ground system, a worst-case scenario was assumed: all storage bottles full and all pressure regulators failed open, exposing the entire downstream system to full bottle pressure. This leads to a simple criterion for sizing the relief devices: the maximum possible mass flow through the relief valve must at least equal the total possible mass flow of all pressurized fluids into the protected system.

\[
\dot{m}_{RV} \ge \dot{m}_{N_2} + \dot{m}_{N_2O} + \dot{m}_{C_2H_6} \qquad (1)
\]

However, on the Tartarus system the nitrogen is stored at a much higher pressure (2500 psi) than the nitrous oxide and ethane (800 psi and 625 psi), and the propellant lines are fitted with check valves, so in the failed-regulator case no propellant can flow back toward the pressurization system. This means that only the mass flow of the nitrogen must be considered. To find the mass flow of the nitrogen, the flow coefficient (Cv) of the most restrictive valve in the pressurization path is used to find the maximum flow through it at full bottle pressure. Then, using Eq. (2) [3], the required orifice area of the relief valve can be calculated.

Figure 2: Finite Element Analysis of Hold Down System

Figure 3: Hoop Stress Factor of Safety Table for High Temperature Stainless Steel


\[
A = \frac{W \sqrt{\dfrac{T z}{M}}}{\sqrt{\dfrac{\gamma\, g_c}{R}\left(\dfrac{2}{\gamma+1}\right)^{\frac{\gamma+1}{\gamma-1}}}\; K_d\, P_1\, K_b} \qquad (2)
\]

Where \(A\) is the orifice area, \(W\) is the mass flow rate, \(T\) is the temperature, \(z\) is the compressibility factor, \(M\) is the molecular weight of the gas, \(\gamma\) is the specific heat ratio of the gas, \(g_c\) is the gravitational constant, \(R\) is the ideal gas constant, \(K_d\) is the discharge coefficient of the relief device, \(P_1\) is the upstream (relieving) pressure, and \(K_b\) is the back pressure factor. Eq. (2) is the critical (choked) flow relation for a gas, so it applies when the relief valve discharges against a back pressure below the critical pressure ratio, as it does when venting to atmosphere; all quantities must be expressed in one consistent unit system. If the actual orifice area of the relief valve is larger than the required area found using Eq. (2), then the valve is properly sized.
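As an added worked example (not code from the paper or the Tartarus team), the relief check described above carried through in Python: the maximum nitrogen flow through the most restrictive valve is estimated from its flow coefficient, Eq. (2) then gives the required orifice area, and that area is compared with the orifice of a candidate relief valve. The 2500 psi bottle pressure is from the text and the nitrogen properties are standard values; the valve Cv of 0.6, the relieving pressure of 1100 psia, the 530 °R gas temperature, z = 1, K_d = 0.975, K_b = 1 and the 0.049 in² candidate orifice are assumptions for illustration only. The choked-flow valve relation is the standard q = 0.471 N₂ C_v p₁ √(1/(G_g T₁)) form found in valve-manufacturer sizing bulletins, and the API 520 engineering-units form (C = 520√(...)) is computed alongside Eq. (2) as a cross-check that the unit handling is right.

```python
"""Relief-valve orifice sizing check for the regulator-failure worst case.

Added illustration in the style of Section III.B; not the Tartarus team's code.
US customary units, consistent with Eq. (2) of the paper.
"""
import math

# Physical constants (US customary).
G_C = 32.174         # lbm*ft/(lbf*s^2), gravitational conversion constant g_c
R_UNIV = 1545.35     # ft*lbf/(lbmol*R), universal gas constant
P_STD_PSIA = 14.696  # standard pressure behind "standard" cubic feet
T_STD_R = 519.67     # 60 F standard temperature
M_AIR = 28.9647      # lbm/lbmol, reference for gas specific gravity

# Nitrogen properties.
M_N2 = 28.0134       # lbm/lbmol
GAMMA_N2 = 1.40


def critical_flow_factor(gamma):
    """sqrt(gamma * (2/(gamma+1))^((gamma+1)/(gamma-1))): the choked-flow term of Eq. (2)."""
    return math.sqrt(gamma * (2.0 / (gamma + 1.0)) ** ((gamma + 1.0) / (gamma - 1.0)))


def choked_valve_flow_scfm(cv, p1_psia, t1_r, mw):
    """Maximum (choked) gas flow through a valve of flow coefficient cv.

    Standard valve-sizing choked form q = 0.471 * N2 * Cv * p1 * sqrt(1/(Gg*T1)),
    with N2 = 22.67 for q in SCFM, p1 in psia and T1 in R.  Flow is choked when
    p1 >= 2*p2, which holds for a 2500 psia bottle feeding a tank at <= 800 psia.
    """
    gg = mw / M_AIR
    return 0.471 * 22.67 * cv * p1_psia * math.sqrt(1.0 / (gg * t1_r))


def scfm_to_lbm_per_s(q_scfm, mw):
    """Convert standard ft^3/min to lbm/s using the ideal-gas density at standard conditions."""
    rho_std = P_STD_PSIA * 144.0 * mw / (R_UNIV * T_STD_R)  # lbm/ft^3
    return q_scfm * rho_std / 60.0


def required_area_eq2_ft2(w_lbm_s, t_r, z, mw, gamma, kd, p1_psf, kb):
    """Eq. (2) in consistent units: W in lbm/s, P1 in lbf/ft^2 (abs), result in ft^2."""
    numerator = w_lbm_s * math.sqrt(t_r * z / mw)
    # sqrt(gamma*g_c/R * (2/(gamma+1))^(...)) == sqrt(g_c/R) * critical_flow_factor(gamma)
    denominator = math.sqrt(G_C / R_UNIV) * critical_flow_factor(gamma) * kd * p1_psf * kb
    return numerator / denominator


def required_area_api520_in2(w_lbm_h, t_r, z, mw, gamma, kd, p1_psia, kb):
    """Same relation in API 520 engineering units: W in lb/h, P1 in psia, result in in^2.

    C = 520*sqrt(...) absorbs g_c/R and the h->s, ft^2->in^2 conversions (C = 356 for gamma = 1.4).
    """
    c = 520.0 * critical_flow_factor(gamma)
    return w_lbm_h * math.sqrt(t_r * z / mw) / (c * kd * p1_psia * kb)


def relief_check(cv_restrictive, bottle_psia, relieving_psia, t_r,
                 orifice_in2, z=1.0, kd=0.975, kb=1.0):
    """Worst case of Section III.B: regulator failed, full bottle pressure on the valve.

    Returns the nitrogen flow, the required orifice area from Eq. (2) in both unit
    systems, and whether the candidate relief valve orifice is large enough.
    """
    q_scfm = choked_valve_flow_scfm(cv_restrictive, bottle_psia, t_r, M_N2)
    w_lbm_s = scfm_to_lbm_per_s(q_scfm, M_N2)
    a_ft2 = required_area_eq2_ft2(w_lbm_s, t_r, z, M_N2, GAMMA_N2, kd, relieving_psia * 144.0, kb)
    a_in2 = required_area_api520_in2(w_lbm_s * 3600.0, t_r, z, M_N2, GAMMA_N2, kd, relieving_psia, kb)
    return {
        "n2_flow_scfm": q_scfm,
        "n2_flow_lbm_s": w_lbm_s,
        "required_area_in2": a_in2,
        "required_area_eq2_in2": a_ft2 * 144.0,
        "orifice_in2": orifice_in2,
        "adequate": orifice_in2 >= a_in2,
    }


if __name__ == "__main__":
    # Assumed inputs for illustration: Cv 0.6 restrictive valve, 2500 psia bottle (from the
    # text), 1100 psia relieving pressure, 530 R gas, 0.049 in^2 candidate orifice.
    result = relief_check(cv_restrictive=0.6, bottle_psia=2500.0, relieving_psia=1100.0,
                          t_r=530.0, orifice_in2=0.049)
    for key, value in result.items():
        print(f"{key:>24}: {value:.4g}" if isinstance(value, float) else f"{key:>24}: {value}")
```

The two area functions agree to about 0.1 %, which is the rounding hidden in API 520's constant 520 (exactly 3600·√(g_c/R)); if they disagree by more than that in your own run, a unit has been mixed. The required area scales linearly with the restrictive valve's Cv, so a larger upstream valve or a bypass around it directly shrinks the relief margin.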

For the vehicle tanks, a different procedure must be followed to size the burst discs. The primary driver for sizing the vehicle relief devices is a nitrous oxide decomposition event. The decomposition of nitrous oxide can occur at temperatures as low as 98 °F if contamination is present. This decomposition is exothermic and can result in a runaway reaction. In order to properly size the relief device for the nitrous oxide tank, a transient decomposition model was constructed to ensure that the relief device could remove pressure from the system quickly enough to prevent hardware damage. A pseudocode flowchart of the model can be seen in Figure 4. The model is primarily based on Eq. (3) [4], which gives the half-life of nitrous oxide decomposition as a function of frequency factor, activation energy, and temperature.

\[
\ln\left(t_{1/2}\right) = \ln\left(\frac{0.693 \times 10^{2}}{A_1}\right) + \frac{E}{R T} \qquad (3)
\]

Where \(t_{1/2}\) is the half-life of the decomposition reaction, \(A_1\) is the frequency factor, \(E\) is the activation energy, \(R\) is the ideal gas constant, and \(T\) is the temperature of the reaction. The activation energy and frequency factor of nitrous oxide at pressure can be found in Figure 5 [5]. Using this model, the burst disc can be sized to ensure that no damage occurs to the tanks. A plot of the pressure and temperature inside the nitrous oxide tank over time can be seen in Figure 6. The rapid increase in pressure due to the decomposition can be seen up until approximately 10 seconds, when the tank pressure reaches 1000 psi and the burst disc ruptures. The pressure then quickly decreases as the tank vents to atmosphere, ensuring no damage to the tank or to other hardware or instruments.

Figure 4: Nitrous Oxide Decomposition Model Pseudocode

Figure 5: Activation Energy and Frequency Factor of Nitrous Oxide at Elevated Pressures

Figure 6: Tank Pressure and Temperature During Nitrous Oxide Decomposition

C. Fuel and Oxidizer Isolation

Another important aspect of system design is preventing the mixing of fuel and oxidizer anywhere in the system except the combustion chamber of the engine. While the consequences of this occurring on the Tartarus system are less drastic than on a hypergolic system, propellant mixing could still present a major hazard to both personnel and hardware. The primary mitigation is isolation. Both fuel and oxidizer travel directly from their respective propellant farms to the tanks in separate lines. The ullage pressurization nitrogen, while coming from a single source, is routed through separate lines for each tank to prevent intermixing. Additionally, all lines have check valves to prevent backflow from the tanks during static fire operations.

D. Safe Distances

Going into a novel engine test campaign, it is always hoped that the anomalies requiring safety radii and shields will not occur during test. However, it is critical to identify which anomalies will release the most energy and how far away personnel must be stationed to not be affected by them. The most energetic anomaly on the Tartarus system is the overpressure failure of the full load of fuel and oxidizer: the release of all pressure energy inside the tanks without flow restriction. For initial tests, this load is 2 seconds of mass flow. This scenario was more likely when the run tanks were student-developed pressure vessels with a shared bulkhead. The team has since transitioned to separate, DOT-rated double ended sample cylinders, but has conservatively chosen to keep the full overpressure case as the most catastrophic outcome.

Using methods developed by Kashkarov and Molkov, the team performed two analyses of the stored pressure energy. The first uses Brode's energy model for compressed gas, and the second a TNT equivalence model. The models were used to determine a pressure decay curve with distance [6]. The data points of the curves are shown in Figure 7. FEMA and CDC references were used to define which overpressures cause the damage levels listed across the top of the figure, and the corresponding standoff distance is listed underneath each heading [7] [8].

The following assumptions were made in this analysis:
• Homogeneous properties
• Atmospheric pressure of 14.7 psia
• No chemical release (no combustion or detonation)
• Instantaneous release of pressure
• Spherical blast
• 1.8 reflectivity coefficient (80% bounceback from downward firing blast)
• Van der Waals equation of state
• 1404 in³ nitrous oxide tank volume
• 819 in³ ethane tank volume

Figure 7: Overpressure versus Distance results for Overpressure Wave
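As an added illustration (not the team's analysis, which used the Kashkarov and Molkov real-gas treatment), the overpressure-versus-distance estimate above assembled from its simplest pieces: Brode's ideal-gas energy for the stored pressure, a TNT equivalence, the 1.8 reflectivity factor and the two tank volumes from the assumption list, and the Kinney and Graham scaled-distance correlation for incident overpressure. The tank pressures (800 psig nitrous oxide, 625 psig ethane) and volumes are from the text; the specific heat ratios (1.27 for N₂O, 1.19 for ethane), the 4.68 MJ/kg TNT energy and the damage thresholds passed to the solver are assumptions for the example. Treating a liquid-filled tank as compressed gas with Brode's formula can understate the stored energy, so this demonstrates the procedure rather than replacing the real-gas model.

```python
"""Overpressure-versus-distance estimate for a tank burst (Section III.D style).

Added illustration; not the Tartarus team's analysis.  SI units internally.
"""
import math

PSI_TO_PA = 6894.757
IN3_TO_M3 = 1.6387064e-5
P_ATM_PA = 14.7 * PSI_TO_PA          # 14.7 psia ambient, as in the paper's assumption list
TNT_J_PER_KG = 4.68e6                # assumed TNT specific energy


def brode_energy_j(p_gauge_pa, volume_m3, gamma):
    """Brode's ideal-gas burst energy: E = (P1 - P0) * V / (gamma - 1)."""
    return p_gauge_pa * volume_m3 / (gamma - 1.0)


def tnt_equivalent_kg(energy_j, reflectivity=1.8):
    """Energy to TNT mass; reflectivity > 1 accounts for ground reflection (1.8 per the text)."""
    return reflectivity * energy_j / TNT_J_PER_KG


def kinney_graham_overpressure_pa(distance_m, tnt_kg):
    """Incident overpressure from the Kinney-Graham correlation.

    Z = R / W^(1/3) in m/kg^(1/3);
    dP/P0 = 808 [1+(Z/4.5)^2] / sqrt([1+(Z/0.048)^2][1+(Z/0.32)^2][1+(Z/1.35)^2]).
    """
    z = distance_m / tnt_kg ** (1.0 / 3.0)
    num = 808.0 * (1.0 + (z / 4.5) ** 2)
    den = math.sqrt((1.0 + (z / 0.048) ** 2) * (1.0 + (z / 0.32) ** 2) * (1.0 + (z / 1.35) ** 2))
    return P_ATM_PA * num / den


def distance_for_overpressure_m(threshold_pa, tnt_kg, lo=0.1, hi=10000.0):
    """Smallest standoff at which overpressure falls below threshold (bisection; dP decreases with R)."""
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if kinney_graham_overpressure_pa(mid, tnt_kg) > threshold_pa:
            lo = mid
        else:
            hi = mid
    return hi


def tartarus_tnt_kg():
    """Full-load overpressure case: both run tanks at their stated pressures and volumes."""
    e_n2o = brode_energy_j(800.0 * PSI_TO_PA, 1404.0 * IN3_TO_M3, gamma=1.27)   # gamma assumed
    e_c2h6 = brode_energy_j(625.0 * PSI_TO_PA, 819.0 * IN3_TO_M3, gamma=1.19)   # gamma assumed
    return tnt_equivalent_kg(e_n2o + e_c2h6)


def standoff_table_ft(thresholds_psi):
    """Distance (ft) at which incident overpressure drops below each threshold (psi)."""
    w = tartarus_tnt_kg()
    return {t: distance_for_overpressure_m(t * PSI_TO_PA, w) / 0.3048 for t in thresholds_psi}


if __name__ == "__main__":
    # Thresholds are illustrative inputs; the paper takes its damage levels from FEMA/CDC references.
    for psi, ft in standoff_table_ft([5.0, 1.0, 0.3]).items():
        print(f"{psi:>4.1f} psi incident overpressure reached at about {ft:6.1f} ft")
```

Because the correlation works in scaled distance, standoff grows only with the cube root of the equivalent charge: doubling the stored energy moves a given overpressure contour out by about 26 %, which is why the team could keep the full-load case as the bounding scenario without the distances becoming impractical.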


E. Safe State Design

Once components are selected, it is important to configure them so that the system fails safe. In addition to nominal operations, any test system is subject to large-scope anomalies, such as loss of communications and loss of power. The system must be configured to return reliably to a safe state across a variety of failure modes. The most obvious example of fail-safing is the normally open/normally closed configuration of each valve. Figure 8 shows the piping and instrumentation diagram of the system with the normal valve state next to each valve. This diagram is available in larger form in Appendix A.

Each vent valve is normally open, while valves that increase the risk of the system (propellant fill, engine run, and drain) are normally closed. All remotely operated valves are pneumatically actuated ball valves. The normal state is set mechanically in the valve assembly itself, meaning that the valves return to the safe state in the event of either electrical power loss or pilot pressure loss. The electrical relays commanding the valves are also normally open, so that loss of command returns all valves to the unpowered safe state.

The system response to power loss is the easiest to test during low hazard preliminary testing. Through this testing, it has been found that the system reliably returns to an approachable state (no pressure greater than 120 psia anywhere in the system). Therefore, the loss of communications failure can be mitigated by removing power. The main computer operates at the field station, and the ground station communicates with it over remote desktop. Loss of communications between these computers would mean loss of both command and instrumentation visibility. While having the ground station computer be the commanding computer was considered, concerns about packet loss and delays impacting the efficacy of redlines ultimately drove the decision to keep command at the field station. The field station and test stand are run from an independent generator because of the safe distance required. This is shown in Figure 9. A normally open relay was placed between the main power source and the field station. This relay is held closed by a power supply and a normally closed shutoff switch at the ground station, so opening the switch (or losing the ground station supply) drops power to the field station. This allows the system to be safed under any condition, since the system is well characterized to return to a safe state under power loss. The stand can then be approached and reset for further operations. While this system was primarily designed to mitigate the loss of communications, it will work effectively for all other anomalies. The only drawbacks of this mitigation are the loss of propellant and loud venting. The latter can be mitigated through field operator hearing protection as well as announcements over communications before the emergency shutoff is activated.

Figure 8: System Piping and Instrumentation Diagram with Valve State

Figure 9: Electrical System Block Diagram

IV. Operational Safety Design

Engineering education, especially at the undergraduate level, typically focuses on design, modeling, and analysis. Students occasionally participate in well-structured labs, where procedures, procurement, and assembly have been taken care of by professors. This ecosystem puts additional strain on all student teams, but especially on testing-driven teams such as Tartarus. Many aspects of testing, such as procedure writing and safety assessment, rely on the author's intuition and engineering judgement. Students are still developing these skills, which necessitates additional programmatic consideration to ensure that student-developed test campaigns are safe and effective prior to entering hazardous operations. Tartarus has implemented several top-level programmatic measures, such as non-hazardous preliminary testing and review cycles, alongside operational safety design to ensure that the operations development process results in a well thought out and safe test campaign.

The governing principle followed in operation design is a Department of Defense cardinal principle in explosives handling: “Limit exposure to a minimum number of personnel, for a minimum amount of time, to the minimum amount of explosives consistent with safe and efficient operations” [7]. Tartarus uses this principle to determine the flow of operations (e.g. the ignitor should be armed at the end of field operations, not at the beginning) as well as design interlocks to eliminate hazards in the field when personnel must approach for manual operations.

A. Preliminary Testing Campaigns

The most effective way the Tartarus team has found to train inexperienced groups of students in how to run test procedures is simple: have them participate in several test procedures. Fortunately, the development of the Tartarus project has necessitated the execution of several low-hazard tests, which serve the dual purpose of testing both the system in question and the operators of the test itself. These low-hazard tests allow mistakes in operations and procedure creation to be detected early, in scenarios where the risk of harm to personnel or equipment is low, rather than in full-up tests where that risk is much higher. A summary of preliminary test campaigns conducted prior to, during, and planned for after the writing of this paper is given below.

3. Cold Flow

The first proper test procedure the Tartarus team conducted was a cold flow test of a subscale injector. This test had three stated goals: observe the spray pattern of the injector to empirically characterize the mixing of the propellants, anchor the fuel injector flow coefficient model, and ensure the data acquisition system could accurately read pressure data. Additionally, it carried the unstated goal of familiarizing the team with procedural operations and working around pressurized fluids. The stand consisted of two water tanks, which acted as simulants for fuel and oxidizer and were pressurized by an air compressor. An additional air line was teed into the fuel feed line, allowing the fuel simulant to be injected at a simulated vapor quality. The test was successful on all counts. Observation of the injector spray pattern showed acceptable mixing, the measured flow coefficient at the given pressure differential matched the team's model, and the data acquisition system collected correct readings throughout the procedure.

4. Flight Tank Hydrostat

The second Tartarus test procedure, and the first with a failure, was the hydrostat of the team-designed flight propellant tanks. These tanks were custom welded 6061 aluminum tanks designed to a burst pressure of 2000 psig. In order to qualify these tanks for service at 1000 psig, they would need to be proofed at 1500 psig for no less than twice the desired service time. This test was conducted onsite at the UAH Propulsion Research Center, as it already possessed the facilities required to hydrostat equipment remotely. During the test, the fuel tank dome weld failed at approximately 900 psig, and the test was concluded early. While the test article failed, and the team did not achieve the desired result, the test was highly successful in all other regards. The team demonstrated its ability to safely operate high pressure fluid systems, as well as its ability to work together with the staff at the Propulsion Research Center. Additionally, all members of the team remained calm throughout the test, following proper system isolation and depressurization procedures once the rupture of the tank weld became known and waiting until the system was confirmed safe before moving to inspect the test article.

Figure 10: Cold Flow Test Apparatus

Figure 11: Hydrostat Test Configuration

5. Ground System Dry Runs

During the Fall 2019 academic semester, the Tartarus team began its first steps into full scale integration testing. In a subscale setup inside the UAH Machine Shop, the team started integrating the mechanical, electrical, and software components of the ground system. This phase of testing consisted of the assembly and checkout of the fluid panels and the final development and troubleshooting of the LabVIEW user interface. The goal of the ground system dry runs was to ensure the team could reliably actuate the solenoid valves on the system. This test campaign was the first experience in operations for the many underclassmen who had joined the Tartarus team, and proved to be a valuable introduction. These new members gained experience with tasks such as leak tests and the assembly and mounting of the fluid panels shown in Figure XX. This testing phase took several months to complete, as new problems with both the mechanical and software components of the ground system appeared nearly weekly. However, this long period of repeated informal testing allowed the new members of the team to build an intimate, intuitive knowledge of a system they had no part in designing. This knowledge transfer was a key goal of the dry run tests, as the loss of tribal knowledge in student organizations due to graduation can be crippling. With the new members participating in the testing and solving problems alongside older members of the team, a much more organic knowledge transfer was able to take place, hopefully ensuring the future success of the team. At the beginning of the Spring 2020 semester, the team was finally able to reliably control the solenoid valves and was prepared to enter formal integration testing.

6. Low-Pressure Integration Testing

The goal of low-pressure integration testing is to completely simulate a full static fire operation, using low pressure nitrogen in place of propellants. This includes a formal procedure with official roles for all members present, as well as implementation of some range safety protocols. This testing phase has also had some minor difficulties, including problems with instrument calibration, user interfaces, and actuator (muscle) pressure, all leading to setbacks. However, these setbacks have not been entirely negative. Much like the ground system dry runs, these problems have given new members of the team the opportunity to troubleshoot and solve more problems, again facilitating an organic knowledge transfer that is far more effective than any class or presentation. The team has solved the problems that arose during these low-pressure tests and, as of the week of writing this paper, has successfully completed a simulated system setup, fill, firing, drain, and shutdown. As always, both procedural and hardware problems were found during the execution of this test, and the team is well on its way to solving them. Future plans for low pressure testing include abort sequencing, both manual and automated, as well as rotation of operators between test roles to reduce reliance on individual team members.

7. High-Pressure Integration Testing

The final phase of preliminary testing before beginning the first static fire campaign is high-pressure integration testing. This is similar to the low-pressure integration tests, but with full line pressures instead of low-pressure nitrogen. This test is mostly administrative, showing faculty and industry advisors that the team can adequately write and perform procedures involving hazardous operations. However, it also demonstrates the pressure system's ability to operate at the correct pressures before propellants are loaded, and serves as a final checkout of all hardware before propellants are introduced. As the final test prior to the team's Test Readiness Review for static fire, this test will serve as a full dress rehearsal, with all abort modes and redlines confirmed operational and all range safety measures in full force.

B. Review Cycles

After applying industry and academic references on safety factors, arming sequences, command and control, and safety, the system appeared to its designers to have addressed all safety concerns. This is generally the case no matter the experience level of the test designer, which is why the next logical step is a review of the test design by a third party who has a background in similar systems but was not actively involved in the design. Tartarus extends this mentality by also looking upwards to experienced industry and faculty mentors. Oversight was brought in early on the project with invitations to the preliminary design review for the comprehensive launch vehicle and ground system. While the feedback was helpful, the system still had to go through procurement, assembly, and maturation, and the operational design for subsystem testing (such as engine firing) had not yet been presented. To fill this deficit, the team presented a critical design review (CDR) on the static fire test system, which encompassed the engine, fluid system, data acquisition, and command and control. This smaller review allowed the team to go into more depth on the specific hazards associated with engine firing. It also ensured that the work the team would perform between CDR and Test Readiness Review (TRR) would be sufficient to certify the system ready for hazardous operations at TRR.

Figure 12: Field Setup for Dry Runs and Integration Tests

A key component of a successful review cycle is a well-informed review board. The team reached out to over 20 individuals but defined a core review board that must be present at the review and whose approval was one of the success criteria. The Critical Design Review Panel consisted of the director of the UAH Propulsion Research Center, the SHC Faculty Advisor, and an industry professional with significant experience in Tartarus-size liquid propulsion systems. In addition to the formal panel, a survey was sent out to all reviewers to capture their feedback in 3 categories: Requests for Action, Findings, and Recommendations. These are presented in order of significance. Requests for Action are any issues in the CDR that threaten the success criteria and must be resolved with the panelist. Findings must be taken under consideration and presented upon, but do not require redesign effort. Recommendations are non-binding suggestions for improvement and require no action on the part of the team. In order for this structure of review to be successful, the success criteria for the review were defined as follows:

1.1 Systems are designed to high enough fidelity to proceed with preparations for first static fire campaign (NOE-1W)

1.1.1 New technologies are developed to adequate level for upcoming activities, or a viable alternative is presented

1.1.2 Safety systems presented are correctly designed and approved to mitigate personnel risk

1.2 Upcoming milestones and operations are understood and concurred upon (first static fire campaign, NOE-1W)

For the Test Readiness Review, the same review structure will be repeated, and the panelists from CDR will comprise the TRR panel. The success criteria will focus on more in-depth parts of the system, and the same feedback response system will be used.

C. Range Safety

The final piece of a safe test is the way the range will be maintained. Range safety encompasses the personal protective equipment worn by operators, operator training, the systems to keep track of personnel, the systems to alert personnel to operations and hazards, and the systems to keep operators safe in the field. Roles for observers, test operators, test conductors, the test lead, and the range safety operator have been defined and will be reviewed prior to operations. The above list is in order of succession (i.e. the test lead's decision will supersede decisions made by the test conductor). Operators will wear ANSI Z87.1 compliant protective eyewear, ANSI S3.19-1974 compliant hearing protection with a 27 dB noise reduction rating, long pants, cotton clothing, and closed-toe shoes. Steel-toed footwear will not be required per OSHA 1910.136(a). Operators will be trained through dry and wet dress rehearsals prior to and on static fire test day. The field team will be required to include at least two operators with active CPR/AED certification. Personnel will be tracked through the use of a badge board at the ground station, where operators must trade their student ID for a numbered neon badge before entering the field. The badge board will be checked prior to entering red (hazardous) steps in the operations. The stand is equipped with a red strobe light to indicate when the stand is in a non-approachable state. The ground station will use a green/yellow/red tower light to indicate whether the stand is approachable (green), approachable with test lead approval (yellow), or not approachable (red). The ground station will be protected behind a Kevlar blast curtain and polycarbonate shield. All personnel, regardless of role, will be required to stand behind these barriers during hazardous (red) operations. The field features multiple safing features, such as switches, for local operators to quickly safe the system. The ignition system requires the insertion and turning of a key by the test lead before it can be armed. The ignition system specifically has 4 points, one of which is a physical switch in the field, that must be armed before the ignitor can be fired. Primary communications will occur over amateur radio (ham radio), but an air horn will also be sounded in specific patterns to indicate events such as firing. Operators are trained to stop operations at any point by repeating "HOLD" 3 times. This call will stop all operations until the situation or operator concern is resolved.


V. System Safety Analysis

Once all the above design considerations are finished, it’s important to ensure all hazards have been addressed and are ready for presentation during a review. There are many ways to find, document, mitigate, and present hazards and risks. The Tartarus project uses two tools: Hazard and Operability Studies (HAZOPs) and Hazard and Risk Assessments (HRAs). These tools have many similarities, but the subtle differences in analyst mentality allow each to have its own usefulness. To show the differences between each analysis, the Nitrous Oxide Decomposition hazard is presented in each format.

A. Hazard and Operability Studies

Hazard and Operability Studies (HAZOPs) have seen increased use in industry in recent years due to their more thorough approach to hazard identification. A HAZOP walks through a system in its hypothetical operational state, considering different types of failures using guide words and deviations from nominal. This leads to more creative thinking about failure modes of the system, which can catch failures that are not as obvious. Microsoft Excel is well suited to capturing HAZOP findings. The use of numerical likelihoods and severities allows numerical rules to be set in the score cell, reducing the risk of math error and automating the risk identification step. Overall, the form factor, structure, and usability of a hazard and operability study make it highly valued in a meeting setting, where a council of individuals knowledgeable about the system can brainstorm failures using well-defined guide words. An example of a HAZOP item for too much pressure in the system resulting from nitrous oxide decomposition is shown in Figure 13.

B. Hazard and Risk Assessments

Hazard and Risk Assessments are more traditional in industry. However, they are generally better understood in the context of design reviews and are a more concise tool for describing specific risk scenarios. The Tartarus team performed initial safety analysis using a HAZOP, then transitioned the findings into risk assessment matrices for presentation. The conditions for the Critical Design Review hazard and risk assessment are shown in Figure 14. The creation of the Tartarus-specific Risk Assessment Matrix referenced NASA S3001: Guidelines for Risk Management as well as MIL-STD-882E. By reading separate agencies' approaches to HRAs, the team was better able to determine how it wanted to quantify and classify hazards. It should be noted that the Severity 4 x Probability 2 risk is treated differently for hardware and personnel. From the early days of safety analysis, it was decided that any severity equal to or greater than "Serious" that was at least "Unlikely" was unacceptable. The project is unwilling to accept any risk of personnel injury that severe. However, due to the inherent cost of a bipropellant engine test system and the non-zero chance that hardware will be damaged during an anomaly, a 2x4 risk to hardware is only Mitigation Suggested.

Figure 13: Hazard and Operability Study Example Item

Figure 14: Risk and Hazard Assessment Matrix, Severities, and Probability

A benefit of the Hazard and Risk Assessment model is its increased focus on root causes rather than potential outcomes. Whereas the HAZOP uses guide words to predict behavior, the HRA calls out specific known hazards. This can help experienced reviewers with knowledge of specific failure modes ensure that each failure mode is captured. The hazard most prevalent in the minds of those familiar with nitrous oxide is its exothermic decomposition. Figure 15 shows the RHA, mitigations, and residual risk to both hardware and personnel in the event of a nitrous oxide decomposition. This slide encapsulates the mechanical, electrical, software, and operational safety mechanisms and which features are reducing the risk and/or hazard, depending on the hazard in question. However, it is also much briefer than the HAZOP, which can lead to confusion about or omission of key mitigations/outcomes.
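The scoring logic described in the HAZOP and HRA sections above, with the Serious x Unlikely cell treated differently for personnel and hardware, can be written down directly. The following is an added example, not the team's spreadsheet or Figure 15; the only labels taken from the page are "Serious" (level 4) and "Unlikely" (level 2), and every other scale label, numeric threshold, and the sample decomposition item's values are constructed assumptions.

```python
"""Risk matrix scoring in the style of the Tartarus HAZOP/HRA. Added example,
not the project's own spreadsheet. Assumes 5-level severity and probability
scales in which "Serious" = 4 and "Unlikely" = 2 (the cell the page discusses);
all other labels, thresholds, and sample values below are constructed.
"""
from dataclasses import dataclass

SEVERITY = {"Negligible": 1, "Minor": 2, "Moderate": 3, "Serious": 4, "Catastrophic": 5}
PROBABILITY = {"Improbable": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Frequent": 5}


def classify(severity: str, probability: str, asset: str) -> str:
    """Return the risk class for one (severity, probability) cell and asset."""
    s, p = SEVERITY[severity], PROBABILITY[probability]
    # Page rule: for personnel, any severity >= Serious at >= Unlikely is unacceptable.
    if asset == "personnel" and s >= SEVERITY["Serious"] and p >= PROBABILITY["Unlikely"]:
        return "Unacceptable"
    # Page rule: the same Serious x Unlikely cell is only Mitigation Suggested for hardware.
    if asset == "hardware" and s == SEVERITY["Serious"] and p == PROBABILITY["Unlikely"]:
        return "Mitigation Suggested"
    score = s * p  # numeric score, as a spreadsheet score cell would compute it
    if score >= 12:   # thresholds assumed for this example
        return "Unacceptable"
    if score >= 6:
        return "Mitigation Required"
    if score >= 3:
        return "Mitigation Suggested"
    return "Acceptable"


@dataclass
class HazardItem:
    hazard: str
    initial: dict    # asset -> (severity, probability) before mitigations
    residual: dict   # asset -> (severity, probability) after mitigations


def assess(item: HazardItem) -> dict:
    """Classify initial and residual risk for every asset the item tracks."""
    return {asset: (classify(*item.initial[asset], asset),
                    classify(*item.residual[asset], asset))
            for asset in item.initial}


# Constructed sample item; values are illustrative, not those of the paper's figure.
N2O_DECOMPOSITION = HazardItem(
    hazard="Nitrous oxide decomposition -> overpressure",
    initial={"personnel": ("Catastrophic", "Possible"), "hardware": ("Catastrophic", "Possible")},
    residual={"personnel": ("Serious", "Improbable"), "hardware": ("Serious", "Unlikely")},
)
```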

VI. Conclusions and Future Work

Student-developed systems are constantly changing as students learn, redesign, and test. Continued attention and dedication to safe practices must always be in the future work plan of Tartarus. Additionally, a student's time on a project is transient. The better and more efficiently each generation trains the next, the more the team can advance. This document is the first step towards more efficiently training Tartarus team members in the safety considerations taken for such a complex system. In the near term, the above considerations will be put to the test with the inaugural, short-duration firing of the engine. Further safety considerations will have to be taken as the team moves towards full-duration testing in warmer months, which carries more hazard and risk. In the very long term, as the team moves towards launch and lighter flight-weight hardware, it will have to reconsider its ground test operations.


Figure 15: Example Nitrous Oxide Decomposition RHA


Appendix A

Figure 16: Piping and Instrumentation Diagram with Normal Valve State