Organization

The contents are organized into five categories: (1) Mission Factors, (2) Vehicle Factors, (3) System Design/Architecture, (4) Crew Interface, Displays and Controls, and (5) Crew Training, Procedures Development, and Ground Support. The first two topics address fundamental survivability requirements and enabling technologies and techniques for long duration and deep space (e.g., beyond Earth orbit) missions and/or modular vehicle configurations. The third and fourth topics focus more narrowly on systems design and architecture to enhance their performance, reliability, and man/machine interfaces. The fifth section is incomplete; only the “Training” portion has been addressed, and the other two subsections are under development.

Section 1. Mission Factors

1.1 Long duration missions

Greater reliability and/or redundancy of systems

1.1.1.5 Capability to reconfigure surviving systems to restore necessary functional capability. For example:

(1) Ability to transfer (“pump”) liquid consumables (propellants, water) from a leaking tank to an empty tank;

(2) Ability to “cross-strap” surviving components from one or more failed systems to create a working system.

1.1.2 Capability to monitor/detect and assess effects of slow, insidious events such as:

(1) Metal fatigue and cracks (especially in the docking apparatus that holds major vehicle elements together);

(2) Corrosion and rust;

(3) Cabin atmosphere toxicity at low levels (and slow increases in toxicity);

(4) Bio-hazards (microorganisms growing in damp spots on filters, walls, and such);

(5) Changes in structural strength and stiffness for large elements or multiple elements hooked together (could monitor “bending” frequency and/or alignment of “fixed” points on the structure, using accelerometers, laser alignment devices etc.);

(6) Deterioration of electrical insulation on wires, thermal insulation on hot/cold devices, etc.;

(7) Seal deterioration on windows, hatches, etc.;

(8) Accrual of debris in mechanisms, etc.;

(9) Space environment effects (meteorites, radiation, etc.);

(10) Food spoilage, potable water contamination.

1.1.3 C&W logic must consider accumulated failures and “response procedures” must take into account the existing complement of vehicle systems and expendables/consumables.

1.1.4 C&W System must have the capability to periodically monitor “health” of dormant (“cold standby”) systems, including the status of Safe Haven and Attached Rescue Vehicle systems and provisions.

1.1.5 C&W System must have the capability to perform trend analysis on system parameters and consumable/expendable usage (e.g., increasing cabin leakage rates as evidenced by increasing usage of atmosphere “make-up” oxygen and nitrogen; increasing heating as evidenced by increasing coolant flows or coolant temperatures; etc.) to predict failures in a timely manner for initiation of recovery/safing procedures.
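A sketch of the trend analysis described in 1.1.5, added here as an example and not part of the original document: a least-squares fit over daily make-up oxygen usage projects when the usage rate will reach a limit, so recovery can start before the limit is hit. The sample readings, the limit, the warning horizon and all function names are constructed for illustration.

```python
from statistics import mean

def fit_trend(samples):
    """Least-squares line through (time, value) samples; returns (slope, intercept)."""
    ts = [t for t, _ in samples]
    vs = [v for _, v in samples]
    t_bar, v_bar = mean(ts), mean(vs)
    denom = sum((t - t_bar) ** 2 for t in ts)
    if denom == 0:
        raise ValueError("need samples at two or more distinct times")
    slope = sum((t - t_bar) * (v - v_bar) for t, v in samples) / denom
    return slope, v_bar - slope * t_bar

def days_until_limit(samples, limit, min_slope=1e-6):
    """Days from the last sample until the fitted trend reaches `limit`.
    Returns None when the trend is flat or improving, 0.0 if already past the limit."""
    slope, intercept = fit_trend(samples)
    if slope < min_slope:
        return None
    t_cross = (limit - intercept) / slope
    return max(0.0, t_cross - samples[-1][0])

def assess(samples, limit, warn_horizon_days):
    """Map the projection onto an action for the C&W logic (labels are assumptions)."""
    remaining = days_until_limit(samples, limit)
    if remaining is None:
        return "nominal"
    return "initiate-recovery" if remaining <= warn_horizon_days else "watch"

# Constructed data: (mission day, kg of make-up O2 used that day).
LEAKING = [(0, 0.50), (1, 0.52), (2, 0.54), (3, 0.56), (4, 0.58)]
STABLE = [(0, 0.50), (1, 0.51), (2, 0.49), (3, 0.50), (4, 0.50)]

if __name__ == "__main__":
    print(days_until_limit(LEAKING, limit=0.70))
    print(assess(LEAKING, limit=0.70, warn_horizon_days=7))
    print(assess(STABLE, limit=0.70, warn_horizon_days=7))
```

The same projection applies to the coolant flow and coolant temperature parameters named in the requirement; only the samples and the limit change.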

1.1.6 Crews must conduct hazard-response refresher training (drills on fire fighting, evacuation, solar flare response, emergency medical treatment, etc.).

1.2. Deep Space Missions beyond Earth orbit (e.g., Lunar/Mars).

1.2.1 Complex Rescue/Abort strategy. (e.g., Land/Remain on Lunar/Mars surface and await rescue; Rendezvous with “interceptor” rescue vehicle launched from Earth, Rescue vehicle pre-positioned in lunar/Mars orbit or on surface; etc.).

1.2.2 Safing/Safe Haven procedures might include:

(1) Extreme resource conservation measures (power down, barbecue modes, etc.);

(2) Increased shielding from solar flares, meteoroids, radiation, etc.;

(3) Extensive vehicle/systems reconfiguration and/or large trajectory changes (sealing off modules to reduce leakage and thermal conditioning requirements, jettisoning equipment or entire modules to improve thrust to weight capability, the use of landing stage propulsion to establish abort trajectory).

1.2.3 Increased demand for autonomous operation for relatively long intervals without ground support. (In the vicinity of Mars the round-trip communication time to/from Earth is about 8 minutes best case and 40 minutes worst case).

1.2.4 Increased on-board medical provisions including doctor and capability for handling a permanently impaired or deceased crewmember. (Airlock/casket-suit for “burial in space”?).

Section 2. Vehicle Factors.

2.1 Spacecraft physical geometry:

2.1.1 Transmission. C&W alarms, visual signals and voice must be replicated in all modules.

2.1.2 Event location. The physical location of hazardous events/conditions must be provided to the crew. (This is particularly important for emergency or warning events in multi-module vehicles.)

2.1.3 Safe Haven And Escape Devices locations. The C&W system must provide:

(1) Identification of Safe Havens or Escape Devices that remain viable and accessible subsequent to the hazard event;

(2) Identification of clear paths from all locations to reach viable safe havens or escape devices. Paths should be marked and marking should be unambiguous and visible under expected use conditions (i.e., with lighting failures, smoke, etc.).

2.2. Availability and Capability of Safe Havens and/or Rescue Craft

2.2.1 Safe Havens and/or Rescue Craft must provide an independent space-to-earth communication system.

2.2.2 Rescue craft capability to separate quickly under extreme failure conditions in the “mother ship” (rapid depressurization, loss of attitude control, toxic atmosphere contamination, etc.).

2.2.3 Capability to rescue EVA crewmembers (including those on a planetary surface).

2.2.4 Capability to accommodate injured or ill crew members, including medical supplies.

2.2.5 Capability of Safe Haven and Rescue Vehicle to purge their own atmosphere and/or support use of breathing masks by crew members throughout rescue operations.

Section 3. System Design/Architecture.

3.1 General

3.1.1 Function. The C&W system must be able to receive system data, inform the crew of off-nominal events, and provide sufficient information to direct the crew to the correct response.

3.1.2 Notification. The crew should be informed of off-nominal events, even if there is no required crew response (unless there are dozens of trivial events that swamp the crew).

3.1.3 False alarms. The occurrence of false alarms should be minimized. The C&W system must be able to distinguish between system changes due to failures (e.g., power failure) and system changes due to deliberate (automatic or manual) commands (e.g., power-off command).
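One way to implement the discrimination required by 3.1.3, added here as an example and not taken from the original document: an observed state change counts as a failure only if no matching command, automatic or manual, was logged shortly before it. The record layouts, unit names, command-to-state mapping and the 5-second window are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Command:
    t: float        # seconds, mission elapsed time
    unit: str       # e.g. "bus_A"
    action: str     # e.g. "power_off"
    source: str     # "manual" or "auto"

@dataclass(frozen=True)
class StateChange:
    t: float
    unit: str
    new_state: str  # e.g. "off"

# Which command explains which observed state (assumed mapping).
EXPLAINS = {"power_off": "off", "power_on": "on"}

def classify(change, commands, window_s=5.0):
    """Return ("commanded", cmd) if a matching command preceded the change
    within window_s seconds, else ("failure", None), which should alarm."""
    candidates = [
        c for c in commands
        if c.unit == change.unit
        and EXPLAINS.get(c.action) == change.new_state
        and 0.0 <= change.t - c.t <= window_s
    ]
    if candidates:
        return "commanded", max(candidates, key=lambda c: c.t)
    return "failure", None

# Constructed command log and telemetry.
COMMANDS = [
    Command(100.0, "bus_A", "power_off", "manual"),
    Command(200.0, "bus_B", "power_off", "auto"),
]
CHANGES = [
    StateChange(101.2, "bus_A", "off"),  # follows the manual command
    StateChange(150.0, "bus_C", "off"),  # nothing commanded for bus_C
    StateChange(190.0, "bus_A", "on"),   # nobody commanded power-on
    StateChange(201.0, "bus_B", "off"),  # follows the automatic command
    StateChange(400.0, "bus_B", "off"),  # command too old to explain it
]

def alarms(changes=CHANGES, commands=COMMANDS):
    """State changes that no logged command accounts for."""
    return [ch for ch in changes if classify(ch, commands)[0] == "failure"]
```

The window is a trade-off: widening it lowers false alarms but lets a real failure that happens to coincide with a command go unannounced.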

3.1.4 “Growth Capability.” C&W system design must be capable of “growing” to accommodate needs when/if vehicle systems and environments change (e.g., capability for several different emergency-alarm tones, even though there is no currently identified need).

3.1.5 Event coverage:

(1) The system must continue to function through an alarm event;

(2) The system should first consider events that threaten the life of the crew;

(3) Loss of detection/annunciation capability must be considered as an event.

3.2 C&W System fault tolerance

3.2.1 Redundancy. The C&W system should be redundant, and redundant systems should be dissimilar and physically separated to preclude generic failures (e.g., systemic failures that cause multiple identical systems to experience identical simultaneous failures) or failures due to a single event (e.g., an electrical short in a multi-pole switch that affects multiple systems connected to that switch).

3.2.2 Independence. Power, sensors, signal and command paths, and display and control devices must be independent of the system being monitored (e.g., if a particular solar array is being monitored, the C&W system must be configured to draw its power from other sources) and should be selectable (the crew should be able to switch the C&W to alternate power supplies and signal and command paths).

3.2.3 Self Test. Periodic self tests of sensors, signal paths, power, logic, etc., are necessary, and should be capable of being initiated both automatically (on some predetermined schedule or according to some automated logic) and manually.

3.2.4 Crew Intercomm. For communications in non-nominal conditions, each crewmember should be provided with a redundant intercomm system (preferably wireless) that is independent of vehicle signal paths, power, etc.

3.3 C&W Priority

3.3.1 Priority. The C&W system must be given high priority; however, it should not interfere with Fault Detection, Isolation, and Recovery (FDIR).

3.3.2 Precedence. C&W data must take precedence over all data not critical for life support and auto-FDIR safing activities.

3.4 Maintenance

3.4.1 Alarm suppression. Audio alarms may be suppressed if maintenance nominally results in an alarm.

3.4.2 Logging. The suppression of alarms must be logged.

3.4.3 Suppression time limit. The system should inform the crew if an alarm is inhibited or suppressed for an extended period of time.
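The maintenance requirements of section 3.4 combined in one component, added here as an example and not the document's own design: audio can be suppressed for maintenance, every suppression is logged, and a suppression that outlives a time limit is reported to the crew once. The class name, alarm ids, log layout and the 30-minute limit are assumptions.

```python
class SuppressionManager:
    def __init__(self, limit_s=1800.0):
        self.limit_s = limit_s
        self.active = {}       # alarm_id -> (start time, who, reason)
        self.log = []          # append-only audit trail
        self.notified = set()  # alarm_ids already reported as overdue

    def suppress(self, alarm_id, who, reason, now):
        self.active[alarm_id] = (now, who, reason)
        self.notified.discard(alarm_id)
        self.log.append((now, "suppress", alarm_id, who, reason))

    def release(self, alarm_id, who, now):
        if self.active.pop(alarm_id, None) is not None:
            self.log.append((now, "release", alarm_id, who, ""))

    def annunciate(self, alarm_id, now):
        """Decide how to present a triggered alarm. Suppression silences the
        tone only; keeping the visual indication is an assumption made here."""
        audio = alarm_id not in self.active
        if not audio:
            self.log.append((now, "muted-trigger", alarm_id, "", ""))
        return {"visual": True, "audio": audio}

    def overdue(self, now):
        """Suppressions older than limit_s that the crew has not yet been told about."""
        due = [a for a, (t0, _, _) in self.active.items()
               if now - t0 > self.limit_s and a not in self.notified]
        for a in due:
            self.notified.add(a)
            self.log.append((now, "overdue", a, "", ""))
        return due

def demo():
    """Constructed maintenance session: a fan filter change that runs long."""
    m = SuppressionManager(limit_s=1800.0)
    m.suppress("FAN2_LOW_FLOW", who="crew-1", reason="filter change", now=0.0)
    during = m.annunciate("FAN2_LOW_FLOW", now=60.0)  # muted, still shown
    other = m.annunciate("CABIN_DP_DT", now=61.0)     # unrelated alarm keeps its tone
    first = m.overdue(now=900.0)                      # within the limit
    second = m.overdue(now=2000.0)                    # past the limit: tell the crew
    third = m.overdue(now=2100.0)                     # already told: no repeat
    return m, during, other, first, second, third
```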

Section 4. Crew Interface, Displays And Controls

4.1 Alarm classifications. Alarms must be classified depending on the potential severity of the consequences of the annunciated problem and the immediacy for crew action. Generally accepted classifications in the US aerospace community today are as follows:

4.1.1 Emergency. Events triggering these alarms are of such potential severity as to threaten the health and safety of the crew and potential loss of the spacecraft. Immediate action is required by the crew to attain a safe configuration or provide for crew safety. Examples of events that may be classified as requiring an emergency alarm are cabin depressurization, fire/smoke, toxic spill, bailout/evacuation.

4.1.2 Warning. Events triggering this class of alarms are of the nature that a crewmember must deal with them immediately or serious degradation of the spacecraft and/or systems may occur or safety of the crew could eventually be threatened. Events in this category include: Loss of attitude control, Loss of an electrical power bus, Low oxygen partial pressure, High carbon dioxide partial pressure.

4.1.3 Caution. Events in this category are of a nature that the crew needs to be aware of them and take appropriate corrective action when time permits. These events do not immediately imperil the crew or spacecraft but generally indicate off-nominal system performance or low level failures. Examples of events triggering a caution alarm would be events such as low voltage on a non-critical electrical bus or low pressure in a gas storage tank.

4.1.4 Advisory. An advisory requires an off-nominal correction by automated response but no crew intervention. Examples of advisories include: switch to an alternate ventilation fan motor or switch to a secondary fluid pump.

4.2 Controls, Displays and Signals

4.2.1 Standardization. Elements of the C&W system and crew interfaces should be standardized across all modules and elements of the complete system regardless of provider.

4.2.2 Visual Features. Visual C&W information must exhibit the following features:

(1) Nomenclature and labels must be clear and concise and clearly understood by crewmembers regardless of national heritage;

(2) No more than eight, generally accepted colors must be used (Normally red for warning and emergency conditions, yellow for caution conditions, green for safe conditions, etc.). The use of a large number of colors requires extensive memorization and multiple shades of a color may be indistinguishable in some lighting/visibility conditions;

(3) Visual signals/information must be clearly readable from the usual crew locations in all lighting conditions. Text information must be of a size that is easily read by crewmembers with normal visual capability. Colors must be chosen to provide adequate contrast with backgrounds;

(4) A master alarm light must be provided and illuminated with any alarm. The light must be reset by crew acknowledgement.

4.2.3 Aural Features. Aural C&W information must exhibit the following features:

(1) Aural alarms/signals should have different sounds that correspond to different classifications of hazard events (e.g., emergency, warning, caution, and advisory). If different crew responses are required for each type of event in the emergency classification, then the C&W alarm for each specific hazard must have a unique sound such that the crew can unmistakably associate it with that hazard (e.g., depressurization, fire, toxic spill, etc.);

(2) Aural annunciation must be loud enough to be heard by all crewmembers in work or sleep environments (despite background noise);

(3) Must be capable of being reset by crew action;

(4) Voice annunciation of specific event and immediate response steps (e.g., fire in node 2, Don breathing masks, Crewmember Johnson proceed to Node 2 with portable fire extinguisher, all other crew members evacuate node 2 and proceed to safe haven 1 etc.) is desirable, especially with crew members who are specialists in “science” and have little vehicle operations experience.

Section 5. Crew Training, Procedures Development, and Ground Support

5.1 Training considerations. Crew training for response to off-nominal events should consider the following factors:

5.1.1 Multiple crew response. Training must address individual crew member responsibilities and command/coordination procedures, especially for situations where response requires multiple crewmembers to act together in different locations (evacuation of some portion of vehicle, identification of safe location if there is more than one option, fire extinguisher use in more than one location, power down of selected multiple devices, trouble-shooting routines and visual checks of event/response of various devices in different locations etc.).

5.1.2 Crew size and shift operations. Procedures must consider total crew size, division of crew into two or more shifts, and crew “specialization” (some crew members have little or no exposure to hazardous situations or vehicle management). During EVA, at least two crewmembers will not only be unable to perform hazard-response duties; they will likely become liabilities creating additional recovery requirements.

5.1.3 Cross-training. More than one crewmember should be trained for each task in the event a crewmember is unavailable (injured, EVA, asleep, etc.) at the time an emergency occurs.

5.1.4 Training realism. Ground training (and, to the maximum reasonable extent, on-orbit drills) should strive to create realistic hazard conditions (for example, for fire drills in the NBF or on-orbit, crews could wear goggles with "smoky" faceplates to simulate poor visibility) and system capabilities (Realistic FDIR and expected ground support should also be included in training).

5.1.5 Body (Hand, Arm, Posture) Signals: Crews should learn a set of body signals that allow some communication ability in the event of complete communication system failure (the traditional hand signals used by aviators are an example for close proximity hand signal communication in space.) Such signals might be especially useful for an EVA crewmember that has experienced loss of normal communication systems (e.g., a failed microphone or earphones in the helmet).

5.1.6 Manually-Operated Signal Devices. The use of lights, flags, placards, etc. could extend the range of crew manual signaling capability, and would be especially useful during EVA or proximity operations if normal communications fail.

 

