First published in Engineers Journal 09 August 2016

The Soyuz ‘crew taxi’

For the first three decades of the space age, Europe was divided by the Iron Curtain. Even today, the European Space Agency (ESA) does not build or fly a human-rated spacecraft. But despite all these factors, there is a rich history of Europeans travelling to space on a variety of spacecraft and performing a variety of missions.

As Europe is not a single country with a manned space programme, European astronauts must ‘hitch a ride’ to get into space. This has resulted in many different routes to orbit. Before the period covered by this book, astronauts from communist countries and from France had flown on Soviet Soyuz spacecraft to the Salyut and Mir space stations.

Fig 1: The ESA-built Columbus module being moved to the Harmony module (NASA)

Later, astronauts from other Western European space agencies and ESA flew to Mir. Western Europeans represented their national space agencies and ESA by flying on NASA space-shuttle missions. Naturalised US citizens from around the world, including quite a few Europeans, succeeded in joining NASA’s astronaut corps by applying to the Johnson Space Centre in Houston, Texas.

Spacecraft and missions

European astronauts have travelled to the International Space Station (ISS) in two types of spacecraft: the American Space Shuttle and the Russian Soyuz. They have been resupplied on board the station by payload in the Italian-built Multi-Purpose Logistics Modules (MPLM) carried aboard Shuttles and also by a variety of unmanned vehicles – the Russian Progress, the European ATV, the Japanese HTV and the SpaceX commercial Dragon spacecraft.

Figure 2: The Soyuz ‘crew taxi’

European astronauts have conducted many types of mission on board the ISS. There have been week-long visits, where the ESA astronaut travelled to the station to deliver a new crew, returning to Earth with the previous crew. There have been assembly missions where the ESA astronaut helped deliver a new module or conduct a spacewalk to add solar arrays or antennae. And there have been long duration missions where the ESA astronaut has been a member of a six-month expedition, in one case (Frank de Winne) commanding the facility. While the book covers all 18 missions from 2000 to 2012, here are samples of each type of mission.

Cervantes, A Visiting Mission
Astronaut: Pedro Duque
Mission duration: Ten days, one hour, 37 minutes
Launch date: 18 October 2003

Figure 3: Pedro Duque during an interview with Spanish TV. (NASA)

The Cervantes mission had four objectives:

1. To exchange the Soyuz ‘lifeboat’ at the ISS;
2. To carry out a programme of scientific and technical research organised by the ESA and the Spanish Ministry of Science and Technology via the Centre for Development of Industrial Technology (CDTI) . A number of experiments from the Odissea mission were to be repeated. Educational and promotional activities would be undertaken with the aim of bringing the European human space programme and research performed in space to a wider public, and to young people in particular;
3. To increase operational experience aboard the ISS; from a European perspective the Cervantes mission was important because it would increase the experience of ESA’s astronauts ahead of the launch of the Columbus laboratory module;
4. To exchange the ISS Expedition crews, because Expedition 8 would fly up on Soyuz TMA-3 and Expedition 7 would return to Earth with Duque on Soyuz TMA-2 .

Celsius, An Assembly Mission
Astronaut: Christer Fuglesang
Mission duration: 12 days, 20 hours, 45 minutes
Launch date: 10 December 2006

Figure 4: The kink that developed in the port-side solar array of the P6 truss segment during the first attempt to retract that array on 13 December 2006. (NASA)

ESA astronaut Christer Fuglesang became the first Swedish astronaut to venture into space when he flew as a Mission Specialist on Space Shuttle Discovery for the STS-116 mission that undertook ISS Assembly Flight 12A.1. The STS-116 mission had many objectives:

1. The P5 truss segment was a ‘spacer’ that was installed between the P4 and P6 segments, both of which carried solar array assemblies. The P6 segment had been installed early in the assembly process by being temporarily placed on the Z1 truss atop the Unity node. STS-120 in October 2007 was to transfer P6 to its permanent position at the end of P5, thereby completing the port side of the integrated truss;
2. NASA astronaut Sunita Williams replaced ESA astronaut Thomas Reiter as the second Flight Engineer of the Expedition 14 crew;
3. Although primarily an ISS assembly flight including spacewalks for Fuglesang, a number of experiments in human physiology and radiation dosimetry were conducted for the ESA Celsius mission;
4. Delivery of 2.5 tonnes of supplies, equipment and research payloads in the SpaceHab Single Module.

Promisse, A Long Term Expedition
Astronaut: André Kuipers
Mission duration: 192 days, 18 hours, 58 minutes
Launch date: 21 December 2011

Figure 5: André Kuipers in the ESA Cupola sending a postcard from space. (ESA)

ESA astronaut André Kuipers was delivered in December 2012 for the fourth European long-duration mission to what was now a fully operational ISS. His term as a member of an international six-person crew was scheduled to last almost six months. The mission objectives were as follows:

1. Microgravity: Kuipers was himself a medical doctor who had been actively involved in microgravity research for at least a decade. As he posted on his ESA blog, “The data I will collect from myself can bring valuable information about the effects of weightlessness on the human body. This research may help to prepare for a future mission to Mars.”
2. Scientific experiments: he undertook around 30 ESA experiments covering human research, fluid physics, materials science, radiation, solar research, biology, and technology demonstrations. Most of the experiments were carried out in the Columbus laboratory, which would mark its fourth anniversary in orbit during his mission. Countermeasures against bone loss in weightlessness, the study of headaches in space, and mapping the radiation environment inside the ISS were among the experiments related to human exploration. In addition, André carried out at least 20 experiments on behalf of NASA and the Japanese and Canadian space agencies involving almost 30 research facilities in the various laboratories of the ISS;
3. Flight engineer: as a flight engineer, Kuipers had assignments ranging from station systems to payload operations. He had to be on hand to deal with visiting spacecraft. He was the prime crewmember for docking ESA’s ATV-3 named ‘Edoardo Amaldi’. He was also involved in berthing the new Dragon spacecraft that had been developed by Elon Musk’s company SpaceX as part of NASA’s commercial resupply programme;
4. Education: André Kuipers shared some of the magnificent views of Earth from the ISS’s Cupola and invited children to become involved in a wide range of educational activities. Spaceflight is uniquely able to inspire primary and secondary pupils to learn about biodiversity and climate change on Earth. André transmitted to classrooms across Europe, demonstrating experiments on convection and wet foam formation. Being an advocate for health and well-being, he also encouraged new generations of space explorers to stay fit by following the international education initiative Mission X: Train Like an Astronaut;
5. Science: around 30 experiments were carried out during the Promisse mission, covering a wide range of disciplines. Kuipers had an extensive science, technology and education programme focused on life on Earth and looking ahead to future global human exploration missions.

The European Space Agency (ESA) has a long history of human spaceflight, flying in space with both NASA and the Soviet/Russian space agencies over the years. John O’Sullivan’s new book tells the story of the ESA astronauts who have visited the International Space Station over its first decade and how they have lived on board, helped construct the space laboratory and performed valuable scientific experiments.

In the Footsteps of Columbus, European Missions to the International Space Station is published by Springer-Praxis. It is available as kindle or paperback at www. Amazon.co.uk, 391pp; ISBN: 978-3319275604

John O’Sullivan, author of In the Footsteps of Columbus: European Missions to the International Space Station pictured at the National Space Centre in Cork

John O’Sullivan BE, Dip Phys Sci, Dip PM, CEng MIEI, PMP, FSP, CMSE ® studied Electrical Engineering at University College Cork. He has over 20 years’ experience in the automation and control sector delivering solutions to the life-science industry in Ireland. He is a Chartered Engineer with Engineers Ireland and a Project Management Professional with the Project Management Institute. He has always had a fascination with aviation and space, leading him to gain his Private Pilot Licence in 2003 and to study Astronomy and Planetary Science with the Open University. Since 2010 he has been awarded a Certificate in Astronomy and Planetary Science and a Diploma in Physical Science by the OU, as well as a Diploma in Project Management from the Cork Institute of Technology. He was an unsuccessful applicant for the ESA Astronaut Corps in 2008, and lives in East Cork with his wife and daughter.

Safety Integrity Levels: An Overview

John O’Sullivan outlines how to assign a Safety Integrity Level to a system and how to mitigate risk with Safety Instrumented Functions.

Author: John O’Sullivan, Engineering Director, Douglas Control and Automation

Introduction

The term SIL is used as a convenient shorthand to describe the safety rating of various hardware components and systems, e.g. “This PLC CPU is rated SIL3”. The Safety Integrity Level (SIL), was designed to be a short hand to represent the results of complex analysis but it is still only a part of an overall lifecycle approach to functional safety.

Technically, the Safety Integrity Level is the level by which the risk is reduced by the introduction of a Safety Instrumented System (SIS). There are 4 levels, SIL1 being the least reduction in risk, SIL4 being the greatest.

The Safety Instrument System is separate to and independent of the Basic Process Control System (BPCS) and, like the BPCS, consists of sensor(s), logic solver(s) and final element(s). The SIS reduces the risk by intervening during a failure of the BPCS to ensure the system remains safe. While the SIS hardware and software components may resemble the BPCS components and may come from the same manufacturer, they are required to be more reliable.

The specification, design and operation (Safety Life Cycle, SLC) are defined in the standard IEC 61508, “Functional Safety of electrical/electronic/programmable electronic safety-related systems”. This standard has spawned a number of industry and sector specific standards that delve into more detail for specific industries, although we will focus on IEC 61508 in this article.

IEC 61508 defines the Safety Life Cycle in three sections

• Phases 1 to 5: Analysis

• Phases 6 to 13: Realisation

• Phases 14 to 16: Operation

The following standards elaborate on the approach to SIL assignment outlined in IEC 61508:

• IEC 61511”Functional Safety – Safety instrumented systems for the process industry sector”

• IEC 61513 “Nuclear power plants – Instrumentation and control important to safety”

• IEC 50128 “Railway applications – communication, signalling and processing systems – software for railway control and protection systems”

• IEC 50129 “Railway applications – communication, signalling and processing systems – safety related electronic systems for signalling”

Hazard and Risk Analysis

During the analysis phases of a project, hazard identification and risk analysis are carried out by an interdisciplinary team. This should consist of all the system stakeholders including designers, process owners, safety, automation, mechanical & electrical specialists. Where possible, hazards are designed out of the system. Where this is not possible, e.g. a volatile raw material is essential to the process, the risks associated with the hazard are identified.

Hazards are considered occurrences of harm and once identified the risk is assessed as the product of “frequency of the occurrence” and the “severity of the harm”.

Methods of analysis include:

• HAZOP: Hazard and Operability Study

• FME(C)A: Failure Mode Effect (and Criticality) Analysis

• FMEDA: Failure Mode Effect and Diagnostic Analysis

• ETA: Event Tree Analysis

• FTA: Fault Tree Analysis

Normally a risk matrix uses the likelihood of the occurrence and the consequence of the event to categorise the risks. Risks that cannot be designed out and are not tolerable will require safety functions to reduce the risk to a tolerable level. This results in the “residual risk” which must be less than the pre-defined “tolerable risk”. The greater the reduction required to reach the residual risk, the higher the SIL. See the diagram below where the consequences, frequency/exposure, probability of avoidance are used to determine the required SIL.

Figure 1: Risk Assessment

Risk Parameters:

C₁:       Minor injury or damage

C₂:       Serious injury or one death, temporary serious damage

C₃:       Several deaths, long term damage

C₄:       Many dead, catastrophic effects

Frequency / Exposure Time:

F₁:        Rare to quite often

F₂:        Frequent to continuous

Possibility of Avoidance:

P₁:       Avoidance possible

P₂:       Unavoidable, scarcely possible

Probability of Occurence:

W₁:      Very low, rarely

W₂:      Low

W₃:      High, frequent

Safety Integrity Levels Required:

-:         Tolerable Risk, no safety requirements

a:         No special safety requirements

b:         A single E/E/PE is not sufficient

1:         SIL 1

2:         SIL 2

3:         SIL 3

4:         SIL 4

Depending on the SIL level to be achieved based on the risk reduction required, a device must achieve a low enough Probability of Failure and a high enough Safe Failure Fraction.

Probability of Failure

Probability of Failure comes in two flavours: Probability of Failure on Demand (PFD) for safety functions that are only activated when required and Probability of Failure per Hour (PFH) for safety functions that are operating continuously. The lower the Probability of Failure the higher the Risk Reduction Factor. The higher the risk reduction factor, the higher the SIL achieved. See the tables below for the figures related to PFD and PFH.

Table 1: Probability of Failure on Demand

Table 2: Probability of Failure per Hour

Safe Failure Fraction

While the PFD and PFH tell us how likely a failure is to occur, the Safe Failure Fraction (SFF) tells us what fraction of failures will be safe or if dangerous, detected. This is achieved by increased diagnostics and reporting of the safety function. The Greek letter λ is used to define the rate of failure per hour.

• λ_safe = Failure rate leading to safe state

• λ_dangerous = Failure rate leading to dangerous state

• λ_total = λ_dangerous + λ_safe

This results in 4 types of failure rate depending on whether the failure is detected or undetected. λ_du  is the rate of dangerous undetected failures.

Thus SSF = 1- λ_du  / λ_total  

So for SSF to be as high as possible, failures have to be safe or detected. If all the failure were safe and/or detected the SFF would be 1 or 100%.

Before SSF can be used to determine the SIL, other factors have to be considered. First is the Hardware Fault Tolerance (HFT) of the device. Achieved through redundancy, a HFT of N means that N+1 faults are required before the safety function is lost. Secondly devices are treated differently for SSF depending on their type. Type A devices are considered to be well defined and have sufficient failure data from experience in the field. Type B devices are considered to have insufficient data and field experience. See the tables below for the figures related to SSF.

Table 3: SSF for Type A subsystem

Table 4: SSF for Type B subsystem

In summary, the tools are available to identify and analyse risks associated with a system design and then implement the appropriate Safety Instrumented System to mitigate those risks and save lives and assets.

John O’Sullivan BE, Dip Phys Sci, CEng MIEI, Engineering Director of Douglas Control and Automation, has 20 years’ experience in the automation industry focusing on the pharmaceutical, biotechnology and medical device sectors.

He has developed design and test specifications for the regulated environment and project manages automation and safety projects for life science customers.

He has consulted on the validation of certified failsafe, high availability systems.

Although ostensibly the last competition of the 2010/2011 fencing season in Ireland, the South of Ireland Open, hosted by UCC Fencing Club last weekend, was the de facto first competition of the 2011/2012 season. After the summer break the fencers congregated at the Mardyke Arena to compete in all 6 weapons; Mens Epee, Mens Sabre and Womens Foil on Saturday and Mens Foil, Womens Epee and Womens Sabre on Sunday.

Mens Epee was won by Foyle Fencing Club’s David Burnside who beat his club mate and Irish No.1 Andrew Fenwick in the final. Maynooth’s Fergal Martin and formerly Cork-based Frenchman, Nicolas Veyrat shared the bronze medals. UCC’s Matthew Tracey and Paul Whelan were Cork’s best, both getting to the Final 8.

National No.2 ranked Stephen Concannon won Mens Sabre, with Foyle men, James Nichol, David Connolly and Richard Magee taking silver and bronze. Last years winner, Cork Sabreur, Hugh Tobin of UCC just missed the medals.

After a strong season last year, UCD’s Portuguese fencer Joana Romahlo, captured the gold in Womens Foil, beating Belfast’s Victoria Duxbury. Again, it was Northern Ireland based fencers who rounded out the medals. Katie Gillespie and Lucy Taylor took bronze medals home to Derry and Down respectively. UCC’s Shu Tay just missed the medals and led the strong Cork field of 10 UCC and 2 Cyrano women foilists.

Sunday saw an unusual entry in Mens Foil as both Epee finalists, David Burnside and Andrew Fenwick decided to enter the competition instead of cheering on their clubmates from the sidelines. Andrew made it to the final where he was beaten by Irish No.2 Fergal Martin of Maynooth. Maynooth’s Kevin Maher and UCD’s John Wyatt took the bronzes. Rory Hayes of UCC was the best placed Cork based fencer.

The pattern of Foyle Fencing Club success was repeated in Women’s Epee with the final being an all Derry affair. Emile McSorley beat Lucia McCafferty in the final. UL’s Miriam Cashman and UCC’s Jacinta Clair shared the bronzes.

In Womens Sabre, UCC’s Aoife O’Loughlin, ranked Irish No.1, couldn’t repeat last year’s victory, sharing bronze with Michelle Narey, from the UK’s White Eagle club. Oxford’s Francine Robb won gold, with Niamh Spence adding to Foyle’s trophy cabinet with silver.

All in all, a good turnout meant that 125 fencers entered across 6 weapons, although a recent change to the ranking system could mean that top Irish fencers concentrate on UK and European competitions to earn ranking points ahead of next years Olympics in London.

For Cork’s two clubs, UCC Fencing Club and Cyrano Fencing Salle, it was good opportunity to start the season close to home before the next competition which is the Intermediates to be held in UCD on the 1^st and 2^nd October.

John O’Sullivan

The Project Management Triumvirate

John O’Sullivan, 29 Jun 2011

I can’t remember when I first heard it or who said it but the phrase stuck with me as an obvious truth of project management (it also applies to providing a service or doing business in general).

It can be phrased a number of ways:

“I can do cheap, fast and well. Pick two”.

“I can deliver on-schedule, on-budget and in-spec. Pick two”,

“Performance/Cost/Time”,

“Scope/Cost/Schedule” etc.

I’ve looked at it any number of ways to get around it and there doesn’t seem to be a solution which offers the whole triumvirate as all three seem to be mutually exclusive.

As a supplier/service provider it is equally important to communicate the priorities internally to the team. There is no point in an engineer spending days striving for 5 9s accuracy or millisecond response when the customer is not willing to pay for it or wait for it.

Also at review meetings, the trilogy can be used as a convenient short hand to capture status. “Are we on budget? Are we on time? Are we on spec?” If the answer to any one is no, then are we slipping on the highest priority item or the lowest?

We can’t deliver all things to all men but we can clarify the priorities early and often so that everyone is on the same page. This way

1)      The client expectation is met

2)      The team is more productive and efficient

3)      The project is kept on track