Comparison of Supportability Analysis Techniques for Lunar Surface
advertisement
AIAA 2010-8699 AIAA SPACE 2010 Conference & Exposition 30 August - 2 September 2010, Anaheim, California Comparison of Supportability Analysis Techniques for Lunar Surface Systems Elements Jennifer L. Green * Casitair Consulting, Boston, MA, 02114-2206 Tovey C. Bachman, Ph.D. †, Robert C. Kline ‡, Julie A. Castilho § and David K. Peterson, Ph.D. ** LMI, McLean, VA, 22102-7805 Since 2004, NASA’s Constellation Program’s Lunar Surface Systems (LSS) Project Office has been assessing the supportability of future surface elements in order to quantify the spares mass and volume contribution to the overall resupply demand and to better understand what technology development investments are needed to significantly reduce the supply chain from Earth. Three different analytical techniques were used to obtain initial estimates for LSS availability and spares mass across varying mission durations. Multiple models were used to better understand the relative merits of each analysis tool, to compare availability estimates, and determine which factors contributed to any dissimilar results. We present results of LSS supportability analyses, compare the different analytical methods, discuss complementary capabilities these methods provide, and explain the practical significance of the results for determining future space logistics needs. Nomenclature DC DFR EnvFactor FPHR Kfactor MApm MAran MAtotal MTBF MTBFadj MTBMA MTBMAran MTBMAtotal MTTF MTTFadj Op PMFREQ QPA λ = the active duty cycle = dormant failure rate factor as a percentage of the active duty cycle =increase failures due to in the way removals, infant mortality, etc. = the number of failures per hour (1/MTBF) = multiplier to account for non-inherent failures induced by the environment or operations procedures = preventative maintenance activities = unscheduled maintenance activities = total maintenance activities = mean time between failure in hours = adjusted mean time between failure in hours = mean time between maintenance actions in hours = mean time between unscheduled maintenance actions in hours = total mean time between maintenance actions in hours = mean time to failure in hours = adjusted mean time to failure in hours = operational duty cycle = the frequency for scheduled maintenance in days = the quantity per application (flight quantity). = random failure rate * Consultant, Casitair Consulting, 5 Grove St. #3, Senior Member AIAA † Senior Consultant, Supply Chain Management, 2000 Corporate Ridge, Senior Member AIAA. ‡ Senior Consultant, Supply Chain Management, 2000 Corporate Ridge. § Consultant, Supply Chain Management, 2000 Corporate Ridge. ** Senior Consultant, Supply Chain Management, 2000 Corporate Ridge. 1 American Institute of Aeronautics and Astronautics Copyright © 2010 by the American Institute of Aeronautics and Astronautics, Inc. The U.S. Government has a royalty-free license to exercise all rights under the copyright claimed herein for Go I. Introduction N ASA’s Constellation Program Office has conducted numerous studies related to lunar surface operations since 2004, ranging from high-level campaign analyses to detailed studies of systems and supportability. While NASA is currently shifting to a flexible view of destinations for human space exploration, there is still much that can be learned from lunar studies that is relevant to other space missions. This is particularly true for supportability analyses, which are a key element of successful mission planning, although historically they have been deferred until late in the planning process, driven by limited budgets 1. It is the authors’ intent that lessons learned from the work described here will be useful to either governmental or commercial organizations who are in the early stages of mission planning (when changes to mission architecture are less costly). We begin with an overview of supportability concepts to provide a context for our work. The remainder of the paper then focuses on alternative methodologies for estimating the spare parts mass required to achieve a given system availability. We also show how the lack of spares significantly degrades the probability of mission success. The motivation for performing a sparing-to-availability analysis early in the design cycle is to ensure that, as the mission design evolves, the spares mass does not grow to the point where it becomes an unacceptably large fraction of the total launch mass, thereby negatively impacting mission goals (e.g. reducing the science payload or supplies for the crew) and costs. If analysis by any of the methods we consider indicates an unacceptably large spares mass, these methods can also identify the subsystems or components driving that mass, and help focus engineering efforts (e.g., increasing reliability or redundancy of the items) to remediate this problem. We have found that each methodology discussed has unique strengths and weaknesses, and that using multiple approaches yields greater insight into the nature of the sparing-to-availability relationship than any single approach. This remains true whether we are analyzing supportability of lunar surface operations or an entirely different mission. II. Supportability Supportability includes the concepts of Reliability, Availability, and Maintainability (RAM), as well as integrated logistics support (ILS). To provide a context for our work, we first define the various elements of RAM and ILS, and then provide a supportability concept for lunar surface operations 2. We then focus on the type of maintenance activity where spare parts are required to repair random failures (unscheduled replacement of components). A. Reliability, Availability, and Maintainability We define the components of RAM as in Ref. 2: • Reliability: Reliability is the probability that an item will perform its intended function without failure for a specified mission time under specified environmental and operating conditions. • Availability: Availability is the degree to which a system or subsystem is operable and in a committable state at the start of a mission, when the mission is called for at an unknown (i.e., a random) time. Thus, availability is the proportion of time that a system is in a functioning condition and available for its intended purpose. We will refer to this as functional availability. • Maintainability: Maintainability is the measure of the ability of an item to be retained in or restored to specified conditions when maintenance is performed by personnel having specified skill levels, using prescribed procedures and resources, at each defined level of maintenance. For maximum effectiveness, maintainability must be made inherent during a system’s early design stages. B. Integrated Logistics Support While the ILS concepts we describe here were developed for lunar surface systems (LSS), they are broadly applicable to other space missions. Depending on mission types or phases, not all of the following elements need be present. For example, during a mission to Mars, the phase of inter-planetary travel would not involve a supply support plan. For lunar surface operations, ILS involves the following planning elements (see Ref.2): • maintenance plan • personnel and training plan • technical data plan • supply support plan • test and support equipment plan 2 American Institute of Aeronautics and Astronautics • • transport and handling plan facilities plan. Since our focus is on maintenance and spare parts and their relationship to system availability, we will next consider the maintenance concept in terms of nominal operations (the normal state) and contingency operations (when unexpected failures occur). C. Nominal Maintenance Operations During nominal maintenance operations, maintenance is performed on a continuous basis by the ground crew, surface crew and surface robotic assets; this is described in more detail in Ref.2. Even if the surface crew is not present, maintenance operations can continue in an autonomous state—especially in the areas of predictive and proactive maintenance where continuous monitoring of the hardware is important. There are five areas within the nominal maintenance operations: • maintenance types • maintenance infrastructure • Corrective and Preventative Maintenance (CM & PM) tools and techniques • Predictive and Proactive Maintenance (PdM & ProM) tools and techniques • maintenance resources. CM includes all of the activities to replace or repair a hardware item after a failure has occurred. This involves troubleshooting to verify and isolate the failure, followed by some amount of diagnostics and testing to verify it is fully functional. PM is focused on interval-based maintenance (e.g., 90-day servicing or preemptively replacing a worn part with a 730 day life limit at 700 days), cleaning and servicing, and inspection by the surface crew. PdM & ProM Tools and Techniques include Diagnostic and Test equipment, In-Flight Vehicle Health Management technologies, embedded sensors, dust mitigation techniques, and tools for root cause fault (or failure) assessment (RCFA). RCFA technologies are particularly important when there is no capability to return failed hardware to Earth in order to determine the cause of the failure. PdM focuses on Condition-Based Maintenance where systems and components are continuously monitored to determine whether there are any signs of degraded performance. When the condition of the hardware reaches a predetermined level, a maintenance action is scheduled and performed to minimize system downtime. ProM identifies the root cause of failure in the hardware so that a maintenance plan can be designed that will eliminate or reduce those causes (e.g. restrict the dust contamination that leads to the filter failure that brings down the CO2 Removal System). In this example, PdM would focus on monitoring the status of the filter and schedule a changeout after the dust particulate count exceeded a certain threshold value. Maintenance infrastructure describes the physical locations and environment where maintenance will be performed (e.g., on the lunar surface). Maintenance resources include crew time, robot time (which may also consume crew time if the robots are teleported), and distributed systems such as power, thermal, data, and communications. Crew time is one of the most critical resources for supportability since maintenance time competes directly with science and exploration crew time and therefore must be reduced as much as possible. D. Contingency Maintenance Operations Despite the best attempts to prevent random failures from occurring through nominal maintenance operations, there is always the risk of unanticipated events that could bring down one or more systems. Such events include the failure of redundant systems, human error, radiation events, failure of adjacent systems due to unrelated failures, power surges, and the failure of the monitors and sensors (allowing system degradation to go undetected), as described in Ref.2. The first step in contingency maintenance operations is to determine whether there is an imminent danger to the crew. If there is, it may be necessary to evacuate the crew and abort the mission. If there is no imminent threat, the surface and ground crews will first determine whether there is a true fault, and if so, then attempt to isolate it to the subsystem, line-replaceable-unit (LRU), shop-replaceable-unit (SRU), or even sub-SRU level. The criticality of the hardware will determine how long the crew has to perform test and inspection. After fault-isolation, ground control will determine whether the item should be fixed, depending on the criticality of the item. 3 American Institute of Aeronautics and Astronautics If the item is of low criticality, it is possible that the ground and surface crew will just finish the mission in a degraded capability mode. If the item is mission-critical but not life threatening, the repair could be handled through the normal depot maintenance procedures. If the item is life critical, but not imminently so, (i.e., the failure removes a level of fault tolerance for a critical function), the ground and surface crew may decide to take the system offline and fix the part in real time. In this situation, the “clock is ticking” on system downtime and the sequence in which maintenance procedures are considered would likely be based on how much time each repair requires. The number of possible procedures may vary over the life of a mission, since capabilities may be ramped up over time. We now focus on the spare parts (“spares”) required for contingency maintenance and their relationship to system availability. In the context of contingency maintenance, we define “system availability” as the percentage of time that a system is not down for lack of a spare part 3. This is consistent with the use of system availability in Ref.1, but more restrictive than the earlier definition of functional availability (which requires resources other than spare parts, such as crew time, tools, and test equipment). As shown in Ref.3, system availability is derived from component reliabilities (e.g. MTBFs), the degree and types of redundancy in the system (e.g. hot or cold redundant components, number of parallel channels, etc.), the number of common components 4 employed by the system, the number of spare parts, and the maintenance strategy employed (e.g., what level of repair is possible; whether cannibalization is employed). It is sometimes useful to compare the system availability attained with a given number of spares and a particular maintenance strategy to the availability attained from no spares and no repair— this availability is sometimes referred to inherent availability. III. Problem Definition Lunar surface system operations require a high degree of system availability to ensure mission success, and this is true of space missions in general. As noted earlier, even with the best nominal maintenance strategy (section II. C.), and designs including extensive redundancy, there is always the risk of component failures that require contingency maintenance and replacement with a spare component. The challenge is to quantify the spare’s mass requirement early enough in the design process, so that alternative designs and associated maintenance concepts can be evaluated in terms of sparing. This permits design decisions at a stage when impacts on cost and schedule are less severe than they will be later. The spares requirement is stated in terms of overall spares mass because early in the design phase, system attributes are not definitive— therefore, specific numbers of spares for each type of component cannot be estimated with a high degree of confidence. The question then becomes—given a system’s design, attributes, and maintenance strategy—what is the minimum spares mass required to attain a target level of system availability? Factors that would affect the sparing-to-availability relationship, but not treated here, include the level of repair possible (e.g. replacement of LRUs only, repair of LRUs by replacing SRUs, repair of SRUs, etc.), whether or not cannibalization is allowed, and tradeoffs between reduced spares mass (by virtue of lower level repair) versus increased crew time (to perform that lower level of repair). Some of these factors are considered in Refs.1,3, and 4. IV. Objectives For systems employed in lunar surface operations, and more generally for any space systems where replacement of failed parts is feasible, we would like to determine: • • • • • • • What system availability is attainable for a specified operating duration with no spare parts (inherent availability)? What mass (kg) of spare parts would be required to attain target system availability for a specific operating duration and contingency maintenance strategy? How sensitive is the spares mass required for a target availability to the level of redundancy, the type of redundancy (hot or cold), and the configuration of redundant components? How sensitive is the spares mass required for a target availability to the degree that common components are employed? How does the use of different sparing-to-availability methodologies affect the answers to the above questions? What are the advantages and disadvantages of each methodology used individually? What are the advantages, if any, of using multiple methodologies? 4 American Institute of Aeronautics and Astronautics V. Methodologies E. Overview Over the past several years, lunar supportability analysis has been performed using several different methodologies, as shown in Figure 1 and described in Ref.1. Because the designs of lunar surface elements are still in the conceptual phase, the emphasis has been on developing estimates for spares requirements that are then incorporated into the higher level strategic analysis of the overall campaign. Historically, spares requirements are generated by taking the list of equipment for any given design and breaking it down into a list of maintenance significant items, which in the case of the International Space Station (ISS) program is the LRU or Orbital Replacement Unit (ORU) level. Then attributes such as MTBF, duty cycle, criticality, spares mass, and maintenance crew time are assigned to each item. This data is fed into whichever modeling tool is employed. The two general types of modeling tools are 1) Monte Carlo simulations, which use random number generators as a source of uncertainty and require running multiple trials to examine a range of possible outcomes for a single spares requirements problem; and 2) analytical models, which solve equations that account for uncertainty via probabilities or expected values, but are run only once for each spares requirements problem. Figure 1. Modeling Approaches The main challenge for supportability analysis of the LSS elements is that in order to perform this type of “bottoms-up” analysis, detailed data is required, which is difficult to obtain when the designs are in the conceptual phase and the overall architecture is rapidly changing. Therefore, the process of creating (and re-creating) the element-level supportability dataset is time-consuming and may be counter-productive in the early design phases. However, the “Catch-22” in this situation is that the detailed data is required in order to generate better estimates for spares and crew time, which are required to support the strategic-level analysis (which is subsequently used to help determine the optimal designs of the lunar surface elements). For these reasons, there is a need to simplify the data wherever possible and to use different modeling approaches to try to bracket any associated uncertainties. Three main modeling approaches have been used to perform spares requirements analyses: a simple pipeline model which is used to determine the average annual spares requirement; a “sparing-to-availability” model (such as LMI’s Spacecraft Sustainability Model [SSM]), which optimizes the spares mix in order to obtain a specified system availability given limits in the amount of resources (e.g., spares mass) available; and a Monte Carlo simulation model (such as ARINC’s Raptor). While differing in their methodologies, each of these models requires some form of reliability modeling, whether only at the individual component level or at the subsystem level, which consists of various configurations of 5 American Institute of Aeronautics and Astronautics components (e.g., parallel vs. series). The next section compares several approaches to reliability modeling and contrasts the strengths and limitations of these processes. We will refer to this section later when discussing the various spares requirements models. F. Alternative Reliability Models A system, over its life cycle, will typically exhibit a changing set of reliability and maintainability (R&M) characteristics. To model these dynamically changing characteristics, a variety of R&M modeling approaches have developed. Static models (such as fault tree analysis [FTA] and reliability block diagrams [RBD]) capture a system’s configuration at a point in time; dynamic models (such as Markov chains or Stochastic Petri Nets) can capture a system’s configuration as it changes over time. 1. Fault Tree Analysis (FTA) and Reliability Block Diagrams (RBD) Originally, both FTA and RBD modeling employed Boolean algebra to evaluate the chances of a system’s failure based on properties of its components 5. FTA is an analytical method, based on logic diagrams, which identifies and analyzes likely modes of system failure. FTA starts with the failure of a system (represented by the top of the tree) and relates it to component failures by means of two basic alternatives – represented by the logical operations AND and OR. In contrast, RBDs will diagram the way in which the reliability of individual components, within the context of their system’s structure, contributes to the overall system reliability. RBDs focus on the system’s availability (i.e., reliability) with interconnected blocks representing system components forming an uninterrupted path from the start (source) to the finish (sink). A failed component is represented by a break in the path at the corresponding block. Despite their visual differences, the basic RBD and FTA methodologies are equivalent, with series and parallel connections in an RBD corresponding to the alternatives OR and AND in FTA, respectively. One advantage of these approaches is their simplicity and focus on a single, top-level-oriented objective (such as identifying potential causes of accidents or predicting system reliability). However, this simplicity requires separate models be built for each objective, which can become overwhelming if there are a number of possible scenarios to examine. In addition, while the simplicity of these approaches can lead to compact models, they are not well-suited to modeling systems whose configuration may change over time (e.g., a multi-component system with periodic inspections and repairs). Over time, both FTA and RBD have evolved and now often accommodate dynamic scenarios (such as individual component repairs) through either a Markovian analysis (see below) or discrete-event simulation. Still, neither FTA nor RBD models provide convenient visualization for examining the interactions and dependency among system components. 2. Markov chains An alternative to FTA and RBD’s static, binary representation of a system’s configuration is directly describing the relevant possible states of a system and the transition rules among those states. A continuous time Markov chain is the simplest type of such a state-space representation 6. Markov chains form state-space diagrams where the likely states of a system are identified along with the probabilities of transitioning from one state to another. Since a Markov chain represents a discrete random process which is “memory-less,” the probability of transitioning from one system state to another is independent of the system’s earlier states. Markov chain-based reliability models are typically homogeneous with respect to time; therefore, the transition rates between system states are constant 7. The advantages of Markov chains are that they allow for true dynamic modeling of dependent events, and conceptually they are very simple - consisting of states and transitions between states. In addition, the system’s dynamics can be described by a set of linear differential equations which can be solved in a precise and efficient manner. However, Markov chains have some distinct disadvantages too, such as the size of the model (which exponentially increases with the number of modeled system states), and component transition rates (e.g. failure and repair rates) that are constant over time (e.g., no aging). For example, at the component level, Markov chains do not provide a natural means to capture physically meaningful transition rate variability, such as the replacement of an aged component with a new one. 3. Stochastic Petri Nets (SPN) Similar to Markov chains, SPN structures are state-space based, so the dynamics of a system can be fully captured. However, unlike Markov chains, where each state represents the system as a whole, in SPN the states of individual components are described, and the state of the system is inferred from the states of its components. This “local” view facilitates modeling system aging and often mitigates the state-explosion problem as well. Solutions to 6 American Institute of Aeronautics and Astronautics SPN can be obtained either by converting the problem to a Markov chain (in the case of smaller systems with constant transition rates) or via Monte Carlo simulation. SPN models a system in terms of its static (structural) and dynamic (entities) components. In SPN, entities are represented as tokens and places represent the possible states of those entities. The places that tokens occupy define a particular state of the system, and tokens move between places, simulating changes in the system state. Transitions between places are described by rules for token movements, and transitions only fire when they are enabled (i.e., if certain conditions are satisfied 8). SPN models offer distinct advantages for R&M modeling. They provide a visual means for dynamic changes in system configuration (i.e., moving tokens). They can model concurrent events and a token can have continuous counters assigned, which keep track of the token’s age. Representing aging effects is a natural extension of colored Petri nets (labels can change discretely upon a token’s transition or continuously if a token stays at the same place, as discussed in Ref.8.).In terms of modeling disadvantages, given that SPN models are graphical in nature, they are subject to visualization limits when trying to model complex systems. In addition, their apparent simplicity belies the degree of sophistication required on the part of the R&M modeler when portraying complex models with multiple interrelationships (e.g., modeling a system of systems). 4. Conclusions There are many situations where classical reliability tools, such as FTA and RBD, are sufficient and adequate for modeling a system. However, modeling dynamic R&M effects can be crucial to understanding a system’s reliability. Of course, dynamic models are generally more complex than static models since more R&M details and component information are required by the models to gain this additional insight into a system’s dynamic behavior. In addition, this detail and insight comes at a cost. Markov chain modeling is prone to state-space explosion (although this can be addressed via hierarchical modeling and taking advantage of symmetry to reduce possible system states). SPN models, on the other hand, rely on Monte Carlo simulation to provide a more flexible and realistic modeling environment for R&M scenarios, but the resulting SPN models can be very sophisticated and may also require hierarchical modeling to compensate for higher levels of system complexity. G. Simple Pipeline Model There have been two main variations on the simplified pipeline model (developed in Microsoft® Excel® ††) that have been used to obtain the average spares estimates for LSS elements: A simple spreadsheet calculates maintenance demands based on simplified formulas as shown below: where DC is the active duty cycle; FPHR is the number of failures per hour (1/MTBF), the Kfactor and EnvFactor increase failures (due to in-the-way removals, infant mortality, etc.,) and QPA is the quantity per application (flight quantity). The simplest version of this spreadsheet calculates an average number of failures per year and has no way to account for life limit failures, preventative maintenance, outpost buildup or varying duty cycles based on extended periods of down time. This simple version works well with deterministic demand processes such as estimating the number of air filters required when their replacement is on a set schedule. However when FPHR is assumed to be the mean of a distribution, this approach drastically underestimates spares unless other factors, such as redundancy, compensate. A more complex spreadsheet is based on a verification tool that was developed by the ISS Program in the late 1990s, which was used to validate results from the ISS Reliability & Maintenance Assessment Tool (RMAT) model. RMAT is a Monte Carlo simulation tool that predicts maintenance demands for long-term operations and was used †† Microsoft and Excel are registered trademarks of Microsoft Corporation. 7 American Institute of Aeronautics and Astronautics by the ISS program for its spares predictions. This verification spreadsheet was adapted for lunar supportability analysis and is used to calculate average maintenance demands per year. As compared to the simpler spreadsheet, it adds in a capability to account for life limit failures, dormant failure rates, preventative maintenance, and distributions around a given MTBF or life limit. The main formulas are shown below. In the RMAT, after the MAtotal/year is known for each ORU type, the kg/year, m3/year, crew hours/year and cost/year can be easily determined by multiplying the MAtotal/year by the ORU weight, volume, MTTR (mean time repair) or cost for each ORU type. If the MTTR is different for corrective or preventative maintenance, the crew hours can be calculated separately for each type of action and then added together. While both versions of the spreadsheet model have been used during this analysis over the past five years, only the simpler model was used for the latest LSS Supportability analysis presented in this report. In comparing results from the two spreadsheets from previous analysis, it was determined that the difference between the projected average annual spares mass and maintenance crew time estimates was well within the margin of error associated with the input supportability data. Therefore, the simpler method was determined to be sufficient until the LSS input data reached a higher maturity level. H. Raptor Model Raptor is a software tool created by ARINC to simulate the operation of complex systems, based on operating scenario data and a RBD decomposition of the system into subsystems and their components. For each component in the RBD, the analyst enters attributes such as a probability distribution for failures, maintenance concept, number of spare parts, and cost. The analyst can model hot or cold redundancy, as well as parallel or serial component configurations. Hierarchical decompositions of subsystems are also possible. Raptor uses a Monte Carlo simulation to model the effects of uncertain failures, together with the effects of maintenance and sparing strategies, on system downtime and degraded mode time. I. Spacecraft Sustainability Model 1. Overview LMI developed the Spacecraft Supportability ModelTM (SSMTM) ‡‡ sparing model for estimating the minimum required mass and volume of spare parts for future human space missions 910; this is discussed in detail in Ref.3. The model produces an estimate of these requirements as well as a resource-versus-system availability curve. From this curve, the analyst immediately sees the increase in resources necessary to move to a higher performance level, or, alternatively, the decrease in performance that would arise if resources were constrained. The curve enables the analyst to judge the sensitivity of performance and resource requirements to reliability improvements, miniaturization, or changes in a variety of mission factors. ‡‡ Spacecraft Sustainability Model and SSM are trademarks of the Logistics Management Institute. 8 American Institute of Aeronautics and Astronautics The model estimates the mass and volume of spare parts for future human space missions via a hybrid parametric-analytical approach. At its core, the hybrid model has a notional item database and an analytical optimization engine. The notional item database contains the characteristics of a representative set of items. The analytical optimization engine takes the item data and mission parameters (such as operating durations) and solves stochastic backorder equations, distributes backorders over systems, and computes system availability as a function of the chosen set of spare parts. The model’s optimizer then finds the set of spare parts that either minimizes the spares resources needed to attain a specific availability goal or maximizes availability for a given set of resources. The model’s core is surrounded by a “parametric shell” that allows the analyst to choose key mission elements, adjust the characteristics of notional items to better represent a particular set of hardware, and analyze the sensitivity of results to changes in item characteristics. As system designs mature, notional items can be replaced by real items without changing the model or analytical technique. The model can estimate the minimum spares cost to attain an availability goal, as an alternative to minimizing spares mass and volume. It can also estimate total maintenance time as well as how the repair of lower indenture items affects maintenance time and spares mass and volume, although we did not use those capabilities in this work. 2. Modeling Redundancy in the SSM In order to establish that the SSM sparing model can be used to model certain kinds of system redundancy with a high level of fidelity, we used the SPN@ R&M Monte Carlo simulation to benchmark SSM results with a variety of redundancy configurations. Techniques for accurately modeling commonality, k of n items in parallel, and channels were established and will be discussed in detail below. Commonality Part A k of n Channels Part A Part B Part A Part B Part C Part A Part B Part C Part A Part A Part A Part C Figure 2. Modeling Redundancy in the SSM a. Commonality First, commonality of items across systems in a serial configuration was considered. As shown in Figure 3, the SSM results in blue align with the SPN@ results in red. This is akin to the Raptor “spare pool” method of specifying spares for like items. When the economies of scale are taken into account for items common to several systems, the total spares requirement is less than it would be if each system were considered as separate and independent. 100.0 90.0 80.0 Availability 70.0 60.0 50.0 40.0 30.0 20.0 10.0 0.0 0 10 20 30 40 50 60 70 Day SSM SPN Figure 3. Several Systems with Commonality 9 American Institute of Aeronautics and Astronautics 80 90 b. K of N Second, a k of n configuration was modeled (see Figure 2). This refers to n parallel components, k of which are required for the system to be up. The SSM models cold redundancy of items in parallel by assuming two free spares and one operating component. When the component fails, the spare is assumed to have been switched automatically. Switching failures are not considered. With these assumptions, we again were able to accurately align SSM system availability results to SPN@. c. Channels Lastly, channels were modeled. This refers to two parallel configurations of several items in series, sometimes called “high-level redundancy”. Again, cold redundancy was assumed, the items in one channel do not operate until the other channel has failed (i.e., one of the items in the channel fails). To model this, it was necessary to create a subsystem to represent one entire channel and then identify the items in series within the channel. Though this is an approximation, Figure 4 and Figure 5 demonstrate that the SSM and SPN@ models’ system availability estimates were very close. 100.0 90.0 80.0 Availability 70.0 60.0 50.0 40.0 30.0 20.0 10.0 0.0 0 10 20 30 40 50 60 70 80 90 Day SSM Cold SPN Cold Figure 4. Channels, Cold Redundancy, No Spares 100.0 90.0 80.0 Availability 70.0 60.0 50.0 40.0 30.0 20.0 10.0 0.0 0 10 20 30 40 50 60 70 Day SSM Cold w/Spare SPN Cold w/Spare Figure 5. Channels, Cold Redundancy, With Spares 10 American Institute of Aeronautics and Astronautics 80 90 J. Comparison of Methodologies The simple spreadsheet model is quick to set up and requires little data—it only needs component failure rates or MTBFs and operating durations, along with several factors used to adjust these quantities (as shown in section V.G.). It makes no assumptions regarding redundancy or commonality, so it does not require the user to set up diagrams that describe parallel or series configurations. However, the spreadsheet model only computes spares required to cover mean failures for each component in its operating duration. Because no probability distribution is assumed, it does not consider variability of failures around the mean—there is a significant probability that failure in excess of the mean will occur, and these will not be covered. Also, given the fact that all of the components’ pipeline means are much less than 1, one is faced with the decision to bring either no spares or one spare for each type of component, and the model cannot determine which choice to make. Yet another disadvantage is that the spreadsheet model cannot link spares mass to system availability (but if it did, the system availability rapidly approaches zero as the number of system components increases). Raptor is well-suited for assessments of the combined effects of maintenance and sparing strategies on system uptime, degraded mode time, and downtime, and system availability. This availability is an average across simulation trials. It enables the user to model a component’s failure distributions, which may be parameterized by a mean and variance. Raptor also allows the user to specify detailed configurations of redundant components or channels. However, Raptor is not as well suited for determining the optimal mix of spare parts for a given maintenance strategy, and requires exhaustive testing of spares mixes across numerous simulation trials (on the order of 1,000), to determine a good, if not optimal, set of spares. It also requires detailed data on configuration of subsystems and components, which are not typically available early in the system design phase. Thus Raptor is most useful for assessing overall system availability as a function of spares mass and maintenance strategy once a system is well-defined. SSM determines the spare parts mass required to achieve expected (average) system availability, computed in a single pass via stochastic equations rather than through numerous simulation trials. The model enables the user to model components’ failure distributions either with a Poisson or negative binomial distribution, the latter parameterized by a mean and variance. As discussed in section V.I., the model can be configured to approximately treat redundancy and commonality of components without building reliability block diagrams. In test cases, the availability of several key redundant component configurations agrees closely with that obtained through explicit treatment of the configuration of channels and redundant components with the reliability model SPN@. Analyses with SSM are less time-consuming than those with Raptor, since it is not necessary to build reliability block diagrams that explicitly describe the network of components. The model produces spares mass estimates in a single pass in minutes, rather than numerous simulation trials, which can take hours. Thus SSM can rapidly analyze the spares mass for a variety of missions and hardware designs early in the design phase—this is its strength. The limitations of SSM are that, once definitive system designs are known, it does not model certain complex redundant configurations of components, nor does it model multiple failure modes or degraded system operation. Thus for mature system designs, SSM does not provide as detailed a view of the range of possible system events as does Raptor. VI. Analyses K. Scenario and Systems This analysis is based on a specific lunar surface mission described in Ref.2. This scenario does not represent any specific, currently planned mission. It serves only to illustrate, using real lunar surface systems data, the tradeoffs of using each analytical technique under consideration. 1. Operating Scenario The Malapert Massif is of interest from both a scientific and operational standpoint. Malapert Mountain is an uplifted section of the lunar crust and therefore may have rocks that include some of the earliest and most catastrophic events of lunar basin formation. It is also the highest point in the region, which will be important for communications, lighting and observations of the surrounding terrain. In the scenario used for this analysis, a 15-day mission is performed using a limited number of surface elements. The Malapert excursion of approximately 350 km roundtrip is shown below. 11 American Institute of Aeronautics and Astronautics Figure 6. Malapert Excursion 2. Mission Elements The Malapert mission elements included in this analysis are as follows: two Lunar Electric Rovers (LERs); two Chariot Mobility Chassis (CMCs); two Active-Active Mating Adapters (AAMAs); two Portable Utility Platforms (PUPs); four Suitports; and four EVA suits. Each of these elements will be described in turn. A top-level RBD of the entire set of elements is shown below. Figure 7. Malapert Mission Elements Configuration a. Lunar Electric Rover (LER) The Lunar Electric Rover (LER) provides a pressurized environment for a crew of two to conduct extended-range exploration of the moon, and can carry four crew members for contingency operations. The LER consists of a Chariot Mobility Chassis (CMC) and a pressurized crew cab (PCC). The LER uses two suitports to facilitate quick egress for EVA activities and includes externally mounted manipulators to allow crew to interact with the surface from within the pressurized environment. The LER incorporates a common hatch to facilitate docking with a habitat element, and, with its built-in shielding, the LER fulfills the safe-haven role by providing a radiation shelter for the crew that is accessible from the habitat or while roving on the surface. Figure 8. Lunar Electric Rover (LER) 12 American Institute of Aeronautics and Astronautics b. Chariot Mobility Chassis (CMC) The Crew Mobility Chassis is a roving vehicle designed to carry up to four crewmembers (nominally two) in an unpressurized environment or in a pressurized cab. The chassis can support up to 3000 kg at nominal speeds and greater payloads at reduced speeds. The chassis has interfaces to connect tools for outpost support operation. The chassis can be controlled directly through the chassis driving kit or the pressurized crew cab, telerobitcally or autonomously. Figure 9. Chariot Mobility Chassis (CMC) c. Pressurized Crew Cab (PCC) The Pressurized Crew Cab provides a pressurized environment for a crew of two to conduct extended-range exploration of the moon and can carry four crew members for contingency operations. The PCC carries sufficient consumables for three day operations without resupply or battery recharge. The PCC uses two suit ports, encompassed by an environmental protective cover, to facilitate quick egress for EVA operations and includes controls to operate externally mounted work packages for interacting with the surface from within the pressurized environment, or for use when no crew are present on the surface. The PCC incorporates two common hatches to facilitate docking with habitat and logistics elements, and fulfills, with its built-in shielding, the safe-haven role by providing a radiation shelter for the crew that is accessible from the habitat or while roving on the surface. Figure 10. Pressurized Crew Cab (PCC) d. Active-Active Mating Adapter (AAMA) The Active-Active Mating Adapter enables docking and pressure equalization with other surface systems. It will allow LERs, Hab, and Logistics Modules to dock to each other. The Active-Active Mating Adapter is a new design that is very conceptual in nature. Figure 11. Active-Active Mating Adapter (AAMA) e. Portable Utility Pallet (PUP) The Portable Utility Pallet is designed to attach to mobility chassis with or without a crew cab. It is designed to enable a two-crew, 14-day excursion in an LER. A single 5 m solar is used to provide 4.385 kW net. A PUP is 13 American Institute of Aeronautics and Astronautics carried with each LER and provides power generation and storage capability as well as the ability to recharge the LER batteries. The PUP also has gas and water tanks, and avionics and communication systems. Figure 12. Portable Utility Pallet (PUP) f. Portable Communications Terminal (PCT) The portable communications terminal provides a communication hub for the lunar surface. The services of the PCT are gateway services (low and high data rates) data delivery to Earth via DTE; SWN services; hard wire communication, data storage for retransmission and file sharing; local time and store and forward service and routing. The PCT includes the Ka-Band, S-Band and WLAN systems for the lunar elements. Figure 13. Portable Communications Terminal (PCT) g. Suit port The suit port is a pressure sealing interface between the rear hatch of the EVA Suit and the habitable volume. When the suit is attached (external to the LER aft bulkhead or rear wall of LER pressure vessel), it is continuously exposed to a pressure differential, as the exterior of the suit is at vacuum while the internal volume of the suit is kept at a predetermined pressure to maintain thermal conditioning of the suit. The suit port and suit pressures are raised to nominal LER pressure (8 psi) for donning and doffing suits. During non-EVA periods, the suits are protected from the lunar environment by an environmental protective cover. Figure 14. Suit Port h. Suits The Extravehicular Activity (EVA) System includes the elements necessary to protect crewmembers and allow them to work effectively in environments that exceed the human capability during all crewed mission phases. These elements provide protection from pressure and thermal environments. The EVA System elements include spacesuits, umbilicals, portable life support systems (PLSS), spacesuit servicing equipment, and EVA tools, and stability aids. 14 American Institute of Aeronautics and Astronautics Many factors will affect the spares requirements for the EVA Systems, including the amount of usage, the amount of time that the suit is left pressurized, and exposed to the lunar environment (particularly important when used in a Suit Port configuration). as well as the effect of dust, thermal cycling, and radiation of the suit components, especially the soft materials. Figure 15. EVA Suit L. Analyses with Spreadsheet The spreadsheet model calculates the maintenance demands to obtain the average spares estimate for LSS elements. It performs these calculations assuming a random failure rate λ, based on 1/MTBF (memory-less, no wear out, no event-driven failures). It is also assumed that maintenance actions take place at the end of the mission, so neither repair nor preventative maintenance is considered. The spreadsheet model assumes a 100 percent duty cycle for all elements. In other words, it assumes continuous operation for 15 days, or 360 hours. This is then multiplied by the failure rate and item mass to produce the total spares mass by element. As mentioned previously, the spreadsheet analysis does not calculate inherent or achieved availability for the system, and therefore does not treat degraded modes of operation. It is used to find data anomalies and to identify “heavy hitters”. M. Analyses with Raptor The Raptor analysis also assumed a 15 day mission with a 100 percent duty cycle. It included the elements’ complex redundancy configurations. It assumes everything is locally dependent and all items are critical. Each item’s failure affects the overall availability, unless they are in a redundant path, which is often the case. The analysis covers random failures and does not include preventative maintenance, which is expected to greatly increase the spares and crew time requirement. The results of this analysis are based on the average spares used over 1,000 runs, where common components share a spares pool. Spares values include 30 percent growth. The availability results include the consideration of degraded modes of operation. The Raptor analysis allows for a more fine-grained look at the individual elements, in particular it can assess how redundancy impacts the spares mass requirements. To do this, components or subsystems are modeled as blocks that contain item specific failure, mass, commonality, capacity and dependency data. Nodes are used in conjunction with links to model connectivity logic for complex redundancy structures. Events, which can be used to model discrete event-driven failures such as human error (e.g., running into an unseen rock or crater) and environmental effects (e.g., wear and tear due to dust contamination, thermal cycling, or radiation events), were not employed for this particular analysis. Hierarchies were used to model redundancy within subsystems of each element. N. Analyses with SSM Three types of SSM analyses were conducted. All were designed to model the 15-day Malapert excursion noted earlier. These runs assumed that no repairs or cannibalization were possible, but did consider commonality across sub-elements. a. No Redundancy (pessimistic) The first run made no item-level redundancy assumptions, it considered all items to be in a serial configuration (if one item fails, the system is down) with the given failure rates. The system was modeled as a “fleet” of two LERs and was run to a 49 percent availability target to account for the high-level redundancy of the system. The resultant total spares mass was, as expected, higher than the Raptor results which modeled the complex redundancies within the system to a high level of fidelity. The results of the first run were analyzed by subsystem. The subsystem driving the spares requirement was identified: 53 percent of the spares for the first run were for items in the CMC element. b. General CMC Redundancy (optimistic) The second run made a broad redundancy assumption for the CMC element. The same kit was run with a one-oftwo parallel redundancy assumption for every item in the CMC element (the serial configuration assumption made 15 American Institute of Aeronautics and Astronautics in the first run still held for the other elements). The resultant spares mass was lower than the Raptor results but provided a floor for the spares mass estimates, bracketing the results with minimal configuration assumptions. c. Select CMC Redundancy The third run more precisely modeled the redundancy configuration by using the Raptor reliability block diagrams to identify items within the CMC frame which displayed k of n redundancy. The broad assumption of redundancy made in the second run was fine-tuned to only take into account actual redundant items. VII. Results Results for spares mass, and where applicable, the expected system availability, are displayed in Table 1 below. For all models, the scenario was a 15-day Malapert excursion with two LERs, whose constituent elements are displayed in column 1 (Element). For all methods, the repair strategy was limited to removal and replacement of LRUs—there was no repair of LRUs or replacement of SRUs. The required spares mass to cover the pipeline requirements (essentially mean failures in an operating duration) was computed via spreadsheet for each element and is displayed in column 2 (Simple Pipeline Model). Note that the simple pipeline model does not have information on distributions of failures, commonality, and redundancy. It also does not link the spares requirement to an attained availability for the two LERs. To estimate the availability of the pipeline model, we converted roughly 15 kg solution into a set of spares for the largest pipeline and evaluated that mix in the SSM. Raptor estimated spares mass for each element, required to obtain an overall 50 percent availability (at least one LER operational over the 15 days), is displayed in column 3 (Raptor). Raptor results did account for common components and the complex redundant configuration of components assumed in its reliability block diagrams. Furthermore the results are averages over 1,000 simulation trials, where failure variations across trials reflect component’s failure distributions—a Poisson distribution was used in this case for simplicity, but several other distributions are available. The fact that the spares mass was less for the Raptor analysis (in fact, less for each element) than for the simple pipeline analysis in column 2 is due to Raptor’s ability to model the effects of common components and complex redundancy, as well as to link failures to system availability. The proximity of the totals in columns 2 and 3 is coincidental; there is no reason to expect that for other mission durations, hardware characteristics, or maintenance strategies, the results would still be close. The SSM results in column 4 (No redundancy), targeting 50 percent system availability, are a near-worst case analysis, in the sense that they assume no redundant components; they do however reflect the use of common components. In this case SSM was configured to treat variability of failures with a Poisson distribution as did Raptor (column 3). While in general the spares masses for elements are higher in column 4 than in columns 3 (Raptor) and 2 (pipeline model), that is not always the case, due to the optimization, which selects the spares that produce the most benefit for system availability, given their mass. For example, the SSM did not select any spares for the PUP, where as both Raptor and the simple pipeline model did so. The higher spares mass in the Total row for column 4, relative to the other columns primarily reflects the fact that the SSM was configured for no redundancy. The SSM results in column 5 (CMC redundancy) are close to a best case scenario for spares mass, in the sense that the CMC, which was found to be the overall driver for overall spares mass, was assumed to have a redundant unit for every component. This is responsible for reducing the total required spares mass by more than a factor of three, relative to the Raptor results in column 3, which assume a more limited level of redundancy for the CMC (as well as for other elements). For the results in column 6 (selected CMC redundancy), SSM was configured to approximately model redundancy for each component on the CMC that was treated as redundant in the Raptor RBD. The resultant spares mass was close to that of Raptor, with only a small difference for the same availability (blue line in Figure 16), although the methodologies of Raptor and SSM are quite different. 16 American Institute of Aeronautics and Astronautics Element PCC CMC PUP AAMA PCT SUIT Total Simple Pipeline Model 4.08 4.88 3.04 0.44 0.53 1.56 14.53 Avail 25(estimate) §§ Raptor 4.02 4.69 2.35 0.34 0.41 1.21 13.02 SSM: no redundancy 5.85 19.80 0.00 4.60 2.20 5.06 37.51 SSM: CMC redundancy 1.80 0.00 0.00 0.00 0.40 1.81 4.01 SSM: CMC selected redundancy 3.95 0.00 0.00 4.60 0.40 4.09 13.04 49.50 50.18 49.03 49.05 Table 1. Model results (mass in kg) for 15 day Malapert Excursion The SSM analyses produced spares mass-to-availability tradeoff curves as well as the point estimates for spares mass required to attain the target system availability. The availability-to-resource curves are shown in Figure 16, along with the Raptor point estimate of spares mass, shown in black. Availability vs. Mass 100.00 90.00 Availability (%) 80.00 70.00 Total CMC redundancy Select CMC redundancy No redundancy Raptor SSM Solution 60.00 50.00 40.00 30.00 20.00 10.00 0.00 0 10 20 30 40 50 Mass (kg) Figure 16. SSM and Raptor results The red tradeoff curve was produced by the SSM analysis that assumed no redundancy (but did have common components). The SSM solution on that curve shows the spares mass required to have the mean number of LERs not down for lack of parts equal to one out of two, for the entire 15-day scenario. For comparison with simulations, such as Raptor, this would be equivalent to the average number of LERs up, across an infinite number of trials, being one out of two. The fact that the SSM solution on the red curve is significantly to the right of the black point (Raptor result) illustrates the benefits of redundancy for reducing required spares mass. One should remember of course that moving from non-redundant to redundant systems increases total launch mass. §§ As noted earlier, the simple pipeline model cannot assess system availability. To estimate availability, items were ranked in decreasing order of their pipeline means, and then, moving down the list from the top, we allocated one spare (since all pipeline means were less than one) to each item until the spares mass reached 14.5 kg. We then assessed the system availability for these spares with the SSM—the result was 25 percent. 17 American Institute of Aeronautics and Astronautics The blue tradeoff curve shows results for the SSM analysis where we assumed one redundant component for each CMC component for which the Raptor RBD indicated some level of redundancy. The fact that the SSM solution on the blue curve is nearly coincident with the black point shows that the SSM, using its approximate treatment of CMC redundancy, produced a spares mass similar to that of Raptor, with its more detailed treatment of CMC redundancy. If the SSM analysis included redundancy for all systems, the spares mass would be less than that of Raptor, since Raptor does not make tradeoffs between parts based upon mass. Usually the SSM’s spares mass is roughly 20 percent less than that of non-optimizing resource tradeoff models. The green curve shows the results of the SSM analysis that assumed one out of two redundancy for every component on the CMC. The fact that the green curve is significantly above the blue curve for every spares mass (on the horizontal axis) illustrates the effects of the greater degree of redundancy on LER availability. The three SSM runs together show the sensitivity of availability with respect to the degree of redundancy. These results agree with the more detailed RBD-based Raptor simulation in the case where the redundancy assumptions of the two models’ analyses most closely align. The results of the SSM analyses bracket the results of the more detailed simulation in the case of the spares mass produced by Raptor (green curves above and below black point). The green and red curves estimate the range of outcomes that might be expected with varying degrees of detailed redundancy assumptions. VIII. Findings While all of the spares models produce a required spares mass to attain a mean availability of one out of two LERs for the hypothetical 15-day Malapert mission, spares mass ranges from about 4 kg to almost 38 kg, depending on the methodology employed and the assumptions concerning the degree of commonality and redundancy. In this illustrative case, spares mass estimates can vary by as much as an order-of-magnitude. This wide range would not have been observed had we used only a single methodology and a single set of assumptions regarding the system configuration. Thus we find there is a benefit to using multiple approaches for sparing-to-availability analyses. The simple spreadsheet pipeline analysis has benefit only for checking the pipeline computations and providing a lower bound for mass for a more complex model such as Raptor or SSM. It does not consider variability of failures around the pipeline mean, does not project the effect of a particular set of spares on availability, and does not optimize the spares to produce the greatest availability for least spares mass. The fact that the simple pipeline model produced a spares mass that was close to that of Raptor is coincidental, and we do not expect that this would be true in other cases. In the SSM analyses with approximate treatment of redundancy for the CMC, the results were surprisingly close to the results of Raptor, which had detailed RBDs (Table 1, Total row, columns 3 and 6). The differences in spares mass were at the element level—this is not surprising since the SSM optimizes spares across parts (Raptor does not), and uses a simplified treatment of redundancy (Raptor does not). That means there is benefit to using an optimization model to focus on which elements of the LER should receive most of the spares mass. The SSM results for the no redundancy case (Figure 16, green curve) and the case with complete redundancy for components of the CMC (Figure 16, red curve) bracket the results for the other approaches. Thus the SSM analyses were able to bound the spares mass requirement with a relatively simple treatment of redundancy and commonality; it did not require precise system configurations or the time and detailed data to build RBDs or other system configuration diagrams. IX. Conclusion For future space missions, the overall logistics supportability should be an integral part of mission development and hardware designs, as it interacts with hardware design decisions and plans for deploying that hardware. We were able to show how the supportability concept could be developed in the early stages of planning for hypothetical lunar surface operations. Supportability can be thought of in terms of a nominal maintenance strategy with emphasis on monitoring system health and providing preventative maintenance, and putting in place contingency maintenance strategies, which involved unplanned replacement of components and may involve component repair. For contingency maintenance, sparing-to-availability is a key part of developing the strategy. Furthermore the spare parts required to attain a target system availability is strongly related to the level of redundancy and commonality in the hardware, as well as the maintenance concept. Thus it is important to make sparing-toavailability a part of early system design and mission planning. 18 American Institute of Aeronautics and Astronautics Resource Constraints For sparing-to-availability analyses, there is benefit to using multiple methodologies, as results for the spares mass required to attain a target availability may vary by as much as an order of magnitude, depending on the methodology and assumptions. There is a benefit to using an analytical model such as SSM early in the design phase, because of the ability to rapidly explore the trade space for spares mass vs. availability while the design is not yet well-defined. Detailed simulation models, such as Raptor or SPN@, can provide additional insight into degraded operations and multiple failure modes once more definitive system designs and component characteristics become available. We believe that the use of the varied methodologies, with analytical models such as SSM used more in the early design stages, and increased use of detailed reliability simulations, such as Raptor or SPN@ later in the process would provide the most insight into sparing vs. availability. This phased use of complementary methodologies and models is depicted in Figure 17. Raptor Simulation SSM Optimization Conception Planning Launch Operations Life Cycle / Data Certainty Figure 17. Complimentary models over life cycle Acknowledgments The authors would like to acknowledge Dr. Vitali Volovoi of the Georgia Institute of Technology for his assistance with the R&M modeling and sparing versus redundancy discussions. References 1 Green, J.L. and Watson, K.J., “Supportability and Operability Planning for Lunar Missions,” AIAA-2008-7779, AIAA SPACE 2008 Conference and Exposition, San Diego, California, Sep. 9-11, 2008 2 Green, J.L. and Spexarth, G.R., “A Mars-Forward Approach to Lunar Supportability Planning,” AIAA-2009-6427, AIAA SPACE 2009 Conference and Exposition, Pasadena, California, Sep. 14-17, 2009. 3 Kline, R.C. and Bachman, T.C., “Estimating Spare Parts Requirements with Commonality and Redundancy,” Journal of Spacecraft and Rockets, 44, no. 4, 2007, pp. 977-984. 4 Siddiqi, A., and de Weck, O.L., “Spare Parts Requirements for Space Missions with Reconfigurability and Commonality”, Journal of Spacecraft and Rockets, Vol. 44, No. 1, AIAA, 2007. 5 Rausand, M. and A. Høyland. System Reliability Theory: Models, Statistical Methods, and Applications. 2nd ed. Hoboken, NJ: Wiley-Interscience, 2004. 6 Kijima, M. Markov Processes for Stochastic Modeling. London: Chapman & Hall, 1997. 7 Volovoi, Vitali, Dynamic Approaches to Risk and Reliability Modeling in Design and Operations, Tutorials, Annual Reliability and Maintainability Symposium, San Jose, CA, January 2010. 8 Volovoi, V.V., “Modeling of System Reliability Using Petri Nets with Aging Tokens,” Reliability Engineering and System Safety, 84, no. 2, 2004, pp. 149–161. 9 Bachman T. C., and Kline, R. C., “Model for Estimating Spare Parts Requirements for Future Missions,” AIAA2004-5978, AIAA SPACE 2004 Conference and Exposition, San Diego, California, 2004. 19 American Institute of Aeronautics and Astronautics 10 Kline, R.C. and Bachman, T.C., “Estimating Spare Parts Requirements with Commonality for Human Space Missions,” AIAA-2006-7233, AIAA SPACE 2006 Conference and Exposition, San Jose, California, 2006 20 American Institute of Aeronautics and Astronautics
