Safety_MCDR - themis - University of California, Berkeley

System Safety Overview
WBS Element 00536.2.2.1.2.1.02.02
Tim Keepers
Tkeepers@swales.com
(301)902-4019
THEMIS Mission CDR 6/18/04
ITAR Restricted Data
1
Outline
- Systems Safety Peer Review - RFAs and Suggestions
- THEMIS Safety Policy/Purpose/Mission Statement
- Organizational Functions
- Documentation Approval Flow
- Safety Program Milestones
- Integrated Hazard Assessments
- Safety Working Group
- Industrial Safety
- Mishap Reporting
- Hazard Reports
- EWR 127-1 Tailoring
Safety Peer Review
- Systems Safety Peer Review - May 28, 2004
  – First known Safety Peer Review of a GSFC Explorers Office probe
  – Received 6 1/2 RFAs and 3 Suggestions
- Safe-001 - Systems Safety Program Plan (SSPP) is outstanding
  Action - Conditional approval should be obtained before Mission CDR
  Status - Complete
- Safe-001a - Current SSPP lacks details regarding tailoring of EWR 127-1
  Action - Include details on tailoring in the SSPP
  Status - Complete and Closed
- Safe-002 - EWR 127-1 requires that the System Safety Process be established early in design
  Action - GSFC Explorers Office will facilitate coordination and communication with KSC and the Range
  Status - Closed (see Safe-004)
- Safe-003 - EWR 127-1 tailoring has not been approved/submitted to the Range
  Action - Complete tailoring dealing with design issues prior to CDR
  Status - Closed
Safety Peer Review
– Continuing with RFA status
- Safe-004 - No detailed forum for safety communication between all parties
  Action - Establish a Safety Working Group (detailed later in this presentation)
  Status - Complete (first telecon meeting on 6/9/04) and Closed
- Safe-005 - Determination of risk mitigation levels
  Action - Determine risk levels for the RCS system
  Status - Incomplete
- Safe-006 - Survivability of inadvertent RCS pressurant release
  Action - Confirm effectiveness of the 2 mechanical inhibits; verify that the maximum thermal condition for the remaining phases will not over-pressurize the system
  Status - Incomplete
Safety Peer Review
– Safety Peer Review Suggestions
- Suggestion - Develop a clearer format for Hazard Reports that demonstrates better tracking of verification
  Status - Ongoing
- Suggestion - Hazard Reports for operations not shown during review
  Status - The THEMIS mission will produce Hazard Reports for ground operations as needed. Reports with a Catastrophic or Critical severity ranking will be included in the MSPSP.
- Suggestion - Formalize the Safety Verification Tracking Log
  Status - This has been included in the latest version of the SSPP
Safety Policy
THEMIS Safety Policy
1. To provide a safe work place for all personnel and operations.
2. All accidents and incidents are preventable.
3. The THEMIS Program places safety before cost and schedule. If it is not safe, stop work immediately and notify your supervisor.
4. The THEMIS Program uses an organized and systematic approach to identify and control potential hazards, measure the safety risks associated with all hazards and provide risk assessment and risk mitigation plans to management.
Systems Safety Program
Purpose:
1. Identify and detail the safety systems and methods that will be implemented during all phases of the THEMIS Mission.
2. Identify, evaluate and document all risks and hazards in order to eliminate or control them within the cost, schedule and technical constraints of the program.
3. Ensure that additional risks are not introduced during the design, production, integration and testing phases.
THEMIS Mission Safety Team
Mission Statement
Safety is a priority of every person working on the THEMIS Mission. Therefore, every person working on the THEMIS Mission is part of the THEMIS MISSION SAFETY TEAM!
Systems Safety Program Plan
THEMIS Safety Organization Functions
The NASA Explorers Office is the Range User. As such, the
Explorers Office is responsible for submitting all required safety
documentation and obtaining all necessary Range Safety
approvals.
Under the direction of UCB, Swales is responsible for all Safety
Engineer Tasks. Under the guidance of Safety Representatives
from the NASA Explorers Office, Swales will produce all
required safety documentation in an approved form for Range
Safety submittal.
Systems Safety Program Plan
Documentation Submittal/Approval Flow (diagram): the organizations shown are Swales, UCB, the Explorers Office, KSC and Range Safety. Two paths are drawn between them: the Formal Approval Flow and the Allowable Pre-Review Flow.
Systems Safety Program Plan
THEMIS Safety Program Milestones
Safety Deliverables
Safety System Milestones Flow (diagram, labelled "THEMIS Range Safety Documentation and Review Process"; events are listed in flow order with the requirement references and timing shown beside them)

Event 01 - Develop System Safety Program Plan (Draft)
  NASA-STD-8719.8 Table 5.1 Task # 1.1; EWR 127-1 1.5.4 (b); EWR 127-1 1B.3 Task 2
Event 02 - Perform Preliminary Hazard Analyses (EWR 127-1 1B.2.1)
  Event 02a - System Level FMECA's
  Event 02b - Hazard Report: Hazards Identified
Event 03 - Mission PDR: MSPSP Data Presented (EWR 127-1 1F.3.2 (a)); PSWG Meeting
Event 04 - Perform Subsystem Hazard Analyses (EWR 127-1 1B.2.2)
  Event 04a - *Subsystem FMECA's (NASA-STD-8719.8 Table 5.1 Task # 1.3; EWR 127-1 1.5.4 (a))
  Event 04b - *Hazard Reports: Controls Established
Event 05 - *EWR 127-1 Tailoring
Event 06 - Mission CDR: Initial MSPSP Submittal (EWR 127-1 1F.3.3 (a)); Final SSPP Submittal; PSWG Meeting
Event 07 - Mission Orientation (NASA-STD-8719.8 Table 5.1 Task # 1.2; EWR 127-1 1F.3.1 (a)), Confirmation Review + 45 days; PSWG Comments, CDR + 45 days
Event 08 - Perform Operating and Support Hazard Analyses (EWR 127-1 1B.2.4)
  Event 08a - Hazardous Procedures, Payload Ship - 90 days
Event 09 - Hazard Reports: Controls Verified
Event 10 - Draft MSPSP Submittal (EWR 127-1 1F.2.2.1 (a); EWR 127-1 3.4.1.1 (a); NASA-STD-8719.8 Table 5.1 Task # 2.1), Launch - 12 months (Launch - 315 days); PSWG Comments
Event 11 - Payload Safety Working Group TIM (NASA-STD-8719.8 Table 5.1 Task # 4.3), Payload Shipment - 180 days
Event 12 - Final MSPSP Preparation (NASA-STD-8719.8 Table 5.1 Task # 4.1), Payload Shipment - 120 days
Event 13 - NASA Payload Organization Approval of MSPSP (NASA-STD-8719.8 Table 5.1 Task # 4.2)
Event 14 - Final MSPSP Submitted to PSWG, Payload Shipment - 45 days

Notes:
- MSPSP in this context includes the GOP and supporting documents.
- Hazardous Procedures will be prepared and submitted per EWR 127-1 [T].
- *Tasks can be extended beyond the Mission CDR.
Safety Deliverables
Safety System Milestones:
(numbers shown correlate with event numbers from the Milestone Flow)
01 System Safety Program Plan - Draft: SUBMITTED
02 Preliminary Hazard Analysis
   a. System Level FMECA's: COMPLETED
   b. System Level Hazards Identified: COMPLETED
03 MSPSP Data Presented (CDR) - PSWG Meeting: SUBMITTED
04 Subsystem Hazard Analysis
   a. Subsystem FMECA's: COMPLETED
   b. Hazard Reports and Controls: COMPLETED
05 EWR 127-1 Tailoring Final (Chapter 3 submitted; Chapters 1 and 6 by July 2)
06 SSPP Final, Initial MSPSP, Hazard Reports: SUBMITTED
07 Mission Orientation - PSWG Comments
08 Operating and Support Analysis; Hazardous Procedures
Systems Safety Program Plan
Safety System Milestones (continued):
09 Hazard Reports Controls Verified (ongoing, possibly through launch)
10 MSPSP Draft Submittal (launch - 315 days (11/05))
11 Payload Safety Working Group TIM (payload ship - 180 days (12/05))
12 MSPSP Final Submittal (payload ship - 120 days (2/06))
13 NASA Payload Organization Approval of MSPSP
14 Final MSPSP Submitted to PSWG (payload ship - 45 days (4/06))
Systems Safety Program Plan
Deliverable Data

Title | Document Number | Means of Delivery
System Safety Program Plan | This Document | Hard Copy
Eastern and Western Range Safety Policies and Processes – Tailored for the THEMIS Project (see section 4.2) | EWR 127-1 [T] | Hard Copy
THEMIS Missile Systems Pre-Launch Safety Package | SAI-SFTY-TBD | Hard Copy and CDROM Distribution
Hazard Reports (Phased Completion) | | Hard Copy and Electronic
MHE List | | Part of MSPSP
MHE Design and Initial Test Data | | Part of MSPSP
MHE Single Point Failure List | | Part of MSPSP
MHE NDE Plan | | Part of MSPSP
RF Safety Interlock Test Plan | SAI-PLAN-TBD | Hard Copy
RF Safety Interlock Test Results | | Part of MSPSP
Safety Compliance Matrix | | Part of MSPSP
RF Site Plan | SAI-PLAN-TBD | Hard Copy
Radiation Protection Program RF User Request Authorization | | Part of MSPSP
Launch Site Ground Operations Plan | SAI-PLAN-0650 | Hard Copy
Hazardous Procedures | SAI-PROC-TBD | PDF Files
Systems Safety Program Plan
Non-Deliverable Data

Document or Data (the Document Location column is blank on the slide):
- Range User SSPP Review
- Subcontractor SSPP Reviews
- Work Order System
- Problem Records
- MHE Test Records
- MHE SFP Analyses
Formats listed: PDF (1 item), Paper File (4 items)
Systems Safety Program Plan
Integrated Hazard Assessments
Systems Safety Program Plan
Hazard Identification Processes

Top-Down System Hazard Analysis
During the first stages of the THEMIS design, a System Level Preliminary Hazard Analysis (PHA) was completed. This was completed in order to follow the Hazard Elimination/Mitigation Procedures.

Bottom-Up Subsystem Hazard Analysis
A Failure Modes and Effects Analysis (FMEA) is being performed which will include all possible sources of failure and their effects on both the subsystem and the system.

Operations & Support Hazard Analysis
Used to identify potentially hazardous operations and critical GSE. Conducted using the final design, I&T Plan and Launch Site Ground Operations Plan. Output is the correct classification of hazardous and non-hazardous operations for the Work Order Authorization process.
Systems Safety Program Plan
Hazard Analysis
The inputs to the Hazard Analysis are the PHA (system level), FMECA (subsystem level with respect to the system) and the Operations and Support Hazard Analysis. The products of the Hazard Analysis are the Hazard Reports.

Hazard Analysis flow (diagram): Mission System Design Requirements feed the PHA; Subsystem Design feeds the FMECA; the PHA, FMECA and Operations & Support Hazard Analysis feed the Hazard Analysis, whose outputs are Controls, Hazard Reports and Verification.

Hazard Reports will contain a Hazard Severity based on EWR 127-1 guidelines. All Hazard Reports with a Catastrophic or Critical severity rating will be included in the MSPSP.
Systems Safety Program Plan
Hazard Elimination/Mitigation Procedures
a. Eliminate hazards by design
b. Minimize or negate hazards through design
c. Install safety devices
d. Provide protective clothing and equipment
e. Install caution and warning devices
f. Develop administrative controls including special procedures
g. Establish controlled areas
Systems Safety Program Plan
Hazardous Operations
The System Safety Engineer, in addition to the Subsystem Lead Engineer, will ensure all controls are in place for any Hazardous Operations. All operations will be governed by a Work Order system and the Safety Engineer will be a required sign-off on any Hazardous Procedures.

Work Order flow (diagram): Requirements, the I&T Plan and the Launch Site Ground Operations Plan feed Meetings and Reviews and the Operation & Support Hazard Analysis, which sort procedures into Hazardous Procedures and Non-Hazardous Procedures. Each path goes through Work Order Authorization to Operations; the Hazardous Procedures path is also shown with a Verification step.
- Hazardous Procedures signatures: I&T Manager, Lead Resp. Eng, Lead Mech. Eng., Lead Elect. Eng, Quality Eng., Safety Eng.
- Non-Hazardous Procedures signatures: I&T Manager, Lead Resp. Eng, Lead Mech. Eng., Lead Elect. Eng, Quality Eng.
Safety Working Group (SWG)
- Purpose: Provide a forum where safety concerns and questions can be addressed with all agencies represented
- Chaired by UCB (David King). Members include representatives from UCB, Swales, GSFC, KSC and the Range
- Meets weekly (Wednesday 3 pm Eastern)
- Weekly agenda items will include deliverable documentation and the Safety Program Schedule
- An Issues and Actions List will be created and updated at each meeting. The SWG Chairperson will maintain this list
Industrial Safety
Swales
– Well established, OSHA-compliant program at Swales (Barry McCarthy)
– Standard Operating Procedure (SAI-HAS-0001) governs all work at any Swales facility
– Industrial Safety Specialist will be used for all safety training/certification, protective clothing, hazardous material storage, incident reporting and safety audits
Other Facilities
– Swales will work with GSFC, Astrotech and the Range to verify that we are in compliance with the applicable facility Safety Operating Procedure
Mishap Reporting
- Swales company policy is that all accidents, incidents and close call occurrences will be reported
  – Swales Safety and Health Manual (SAI-HAS-0001)
- NASA facilities
  – Processing Mishap, Incident and Close Call Reports (GPG-8621.2)

Mishap Type | Classification Details
Type A Mishap | Death or 3 in-patient hospitalizations within 30 days, or property damage or loss X > $1M
Type B Mishap | Disability or <3 in-patient hospitalizations within 30 days, or property damage or loss $250k < X < $1M
Type C Mishap | Lost workday, or property damage or loss $25k < X < $250k
Incident | Injury requiring more than first aid, or property damage or loss $1k < X < $25k
Close Call | Unplanned occurrence with no injury that had the potential to become a Mishap
Hazard Report
- Preliminary Hazard Reports have been generated
  – Swales generated bus hazard reports in THEMIS standard format in a single Excel database
  – Swales generated additional mechanical subsystem hazard reports in KSC shuttle format using Word files
  – Swales generated additional I&T hazard reports in KSC shuttle format using Word files
  – UCB generated instrument hazard reports in THEMIS standard format in a single Excel database
- Plan to consolidate all hazard reports in the THEMIS standard format in a single Excel database prior to CDR
  – Update data, complete all sections and standardize format
Hazard Report Summary

NUMBER | NAME | DESCRIPTION | HAZARD
THE_HAZ_01 | RCS Propellant Tanks | Significant leak of propellant | Hydrazine exposure, explosion
THE_HAZ_02 | Separation System | Probe separation from carrier | Crush hazard, hydrazine exposure, explosion
THE_HAZ_03 | Deleted | |
THE_HAZ_04 | Transponder | S-Band RF transmitter | Human exposure to non-ionizing radiation
THE_HAZ_05 | Solar Array | Loss of array | None, spare array planned
THE_HAZ_06 | Pyros | Pyro leak or misfire | Contamination, loud noise
THE_HAZ_07 | Replaced by THEM_MECH_01 | |
THE_HAZ_08 | Deleted | |
THE_HAZ_09 | Battery | Battery leakage or explosion | Explosive pressure loss
THE_HAZ_10 | Battery | Battery leakage | Exposure to irritants
THE_HAZ_11 | RCS Propellant Tanks | Tank comes loose - fatigue | Hydrazine exposure, explosion
THE_HAZ_12 | RCS Propellant Tanks | Tank comes loose - stress overload | Hydrazine exposure, explosion
THE_HAZ_13 | RCS Propellant Tanks | Tank failure - stress overload | Hydrazine exposure, explosion
THE_HAZ_14 | RCS Propellant Tanks | Tank failure - unstable crack growth | Hydrazine exposure, explosion
THE_HAZ_15 | RCS Propellant Tanks | Tank leakage - subcritical crack growth | Hydrazine exposure, explosion
THE_HAZ_16 | RCS Propellant Tanks | Tank leakage - weld porosity | Hydrazine exposure, explosion
THE_HAZ_17 | RCS Propellant Tanks | Tank leakage - material defect | Hydrazine exposure, explosion
THE_HAZ_18 | RCS Propellant Tanks | Tank leakage - corrosion | Hydrazine exposure, explosion
THEM_MECH_01 | MGSE | Structural failure of lifting/handling fixtures | Crush hazard, hydrazine exposure, explosion
THEM_MECH_02 | MGSE | GSE moves, tips, falls | Crush hazard, hydrazine exposure, explosion
THEM_MECH_03 | Primary flight structure | Structural failure during lifting/handling | Crush hazard, hydrazine exposure, explosion
THEM_INST_108 | Mag boom release | Inadvertent boom release | Minimal personal hazard
THEM_INST_109 | Axial boom release | Inadvertent boom release | May cause serious injury
THEM_INST_110 | Axial boom release | Inadvertent boom release during restraint removal | May cause minor injury
THEM_INST_113 | ESA cover release | Inadvertent release of ESA cover | May contaminate instrument
THEM_INST_117 | Purge GSE | Pressure release | Stored energy release
THEM_INST_123 | Flight H/W current overload | Short circuit | Fire, exposure to hot surfaces
THEM_INST_125 | Purge GSE | Exposure to LN2 | Frostbite or cryogenic burn
THEM_INST_126 | Purge GSE | Exposure to excessive GN2 | Asphyxiation hazard
THEM_INST_127 | ESA high voltage | Electrical discharge/shock | Personal injury hazard
THEMIS_IT_01 | GSE | Use of hazardous materials/substances | Fire/injury & illness
Tailoring
Tailoring Sheets: Tailoring is conducted in order to produce an EWR 127-1 document that is specific to THEMIS.
- Chapter 3 - Has gone through a review process (between UCB, Swales and GSFC). 56 tailoring items have received preliminary approval to be forwarded on to KSC (and then to the Range)
  • The majority of tailoring sheets deleted sections that did not apply to THEMIS.
- Chapters 1 and 6 will be completed by July 2
Systems Safety Program
Back Up Slides

Systems Safety Program
Organization: THEMIS Safety Team
Systems Safety Program Plan
University of California, Berkeley Safety Organization
Principal Investigator: Vassilis Angelopoulos
Project Manager: Peter Harvey
Deputy Project Manager: David King
Mission Assurance Manager: Ron Jackson
Mission Systems Engineer: Ellen Taylor
Lead Mechanical Engineer: Paul Turin
Integration and Test: Rick Sterling

Swales Aerospace Safety Organization
Program Manager: Mike Cully
Safety Program Engineer: Tim Keepers
Industrial Safety Specialist: Barry McCarthy
Electrical Safety: Bob Kraeuter, Ginger Robinson
Mechanical Safety: Chris Lashley, Rob Eppler, K. Hylan
Systems Safety: Tom Ajluni, Kevin Brenneman, W. Chen
Software Safety: Steve Hammers, Chris Xenophontos
I&T Safety: Marc Kaylor
EGSE Safety: Tammy Faulkner
RCS Safety: Mike McCullough
RF Safety: Jim Jew
ACS Safety: Richard LeBoeuf
Thermal Safety: Rommel Zara
Systems Safety Program Plan
NASA GSFC Explorers Office
Mission Manager: Frank Snow
Observatory Manager: John Thurber
Systems Assurance Manager: Ron Pierson
Explorers Program Safety Manager: Jamie Harper
Explorers Program Safety Engineer: Jamie Burget

NASA KSC/Range Safety
?