I had the pleasure of listening to remarks from John Fulton, who is a manager at Sandia National Labs, at the recent Space Nuclear Policy Summit.
Space Nuclear Systems are being utilized more and more these days. It doesn’t take a rocket scientist to know that adding the word nuclear to anything mean safety needs to be of the utmost importance. To help with that, the government enacted the National Security Presidential Memorandum, or NSPM-20, a few years ago. To learn how the process works, I had the pleasure of listening to remarks from John Fulton, who is a manager at Sandia National Labs. He spoke at the recent Space Nuclear Policy Summit, hosted by the Association of Commercial Space Professionals.
Interview transcript:
John Fulton The commercial industry to start thinking about nuclear launches and help de-risk the process by developing some clear metrics that we could attain to establish clear safety guidelines. So we’ll be talking about here in a second. And then it replace the ad hoc with the Interagency Nuclear Safety Review Panel (INSRP), with then INSRB. So of the SRP became a SRB. The main difference there is the INSRP was stood up on a mission by mission basis, INSRP had the responsibility of doing independent safety evaluations. So my team was leading up the effort for the mission, doing the primary safety analysis report. The INSRP was doing their own analyzes as a confirmatory process. When we went to the INSRB, they are no longer an ad hoc team that stood up on a mission by mission basis. There are standing board, but they no longer have that ability or responsibility to do the independent safety review. They are merely reviewing the safety report put together by the mission, and evaluating it and providing feedback and comments on it.
John Fulton So what did an NSPM-20 implement from a safety perspective? So at first it gave us the safety guidelines. So you have to have a mission where you can show from a probabilistic risk assessment perspective that your probability of 25 mg to any member of the public is less than one in 100. The second is you have to have a probability of less than one in ten thousand for five REM to the public, and then you have to have less than one in a hundred thousand chance of 25 REM to the public. The two main criteria that NSPM-20 is looking at in the safety review process is based on is the quantity and type of material, as well as the doses to the public. So tier one launches have to have a material amount less than a hundred thousand times A2 value. What is the A2 value? It basically is the amount of radioactivity that you can have in various transportation casks that helps determine what kind of container you need for the radiological material and for transport. The [International Atomic Energy Agency (IAEA)] and the Department of Transportation have some great documents that you can read. I guarantee you they will keep you awake all night long. They are really page turners.
John Fulton But the other thing that you need for a tier one launch, is it has to have less than one in a million chance of five REM to the maximally dose member of the public. Tier one systems also can’t be fision based system. So if you’re dealing with fision based system, you’re automatically in Tier two. Now going to Tier two, if you’re dealing with fision based system, that based system has to be based on low enriched uranium, HALEU of course counts, but any form of low enrichment uranium would work. If your fision system is based on anything else, let’s say you were putting up a thorium based reactor, that automatically kicks you into Tier three. The other aspect that keeps you into tier two is you have to have less than a one in a million chance of 25 RAM to the maximally dosed member of the public. Any mission doesn’t fit any of those previous criteria that I mentioned automatically kicks you into a Tier three launch. Main distinction between the tier, at least four federal launches, a Tier three launch automatically goes to the Office of Science Technology Policy in the White House. The head of that agency may kick it up directly to the president for signature. If you’re in a Tier two or Tier one launch that gets designated down to the secretary of the sponsoring agency. So Energy, Defense and whoever they would potentially designate down to. For commercial launches, all launches are right now authorized by the secretary of transportation or any designee that they would so delegate to.
John Fulton Another main distinction right now, as I mentioned in the previous slide, is that safety analysis report is required for federal launches. Right now, for commercial launches it’s not required. It’s at the discretion of the secretary of transportation. So what does that all mean, all those various numbers that I threw out to you? Basically it gives you this nice little chart that we’ll be using here in later slides to kind of give you some reference points to how that compares to actual emissions. But chart itself is exceedance probability, so that one in a hundred versus dose to the maximally dose individual the public on the X axis. The orange line is the safety guidelines that we talked about, the blue line and the green line, if you can distinguish them, are Tier two and Tier three. So in graphical form, and put it succinctly, your mission, you want to have as far to the low and the lower left as possible. Getting it to the upper right starts putting you into Tier two and Tier three launches or potentially exceeding the safety guidelines. So kind of address our history at Sandia Labs has been doing the safety analysis report, not one of my coming up slides. We’ll talk a little bit more of our history and supporting the various missions for DOE, NASA. But what we’ve been doing for various government missions and now a growing number of companies have been approaching us is a series of different studies. And the kind of studies that we’ve been engaged in our scoping studies. So scoping study think if you’re really early in your mission and you’re trying to figure out, we’ve talked about Strontium-90 and Cobalt-60 in Americium-241. You’re trying to figure out maybe what rating you want to use, various trade offs between a high energy gamma emitter like Cobalt-60 and an Alpha emitter like Americium-241.
John Fulton What does that mean for shielding and your configuration design? Some of these initial scoping studies can help understand where those various systems and tradeoffs will put you in the NSPM-20 safety space. We also have been doing some preliminary tier guidance. Some missions have come with us with the perspective of we’re pretty sure we’re way down in the safe range. Can you just do some very conservative preliminary tier analysis for us to figure out where our configuration, which we’ve really at this point we’ve solidified on where to use this. This is our design. We just want to have an idea of where we are at. And then once missions get past that phase and they’re trying to get into full blown launches, right now, we’re actively supporting DARPA and NASA’s DRACO mission with, what I would refer to as the full blown safety analysis report. That’s where, again, the design is probably relatively well spoken for. We’re trying to do the very detailed analysis with all of the details of the spacecraft and launch vehicle to understand where your mission is going to lie. So for safety analysis report for compliance with NSPM-20, really for some of the early analyzes what’s needed as a general idea of the system, some of the scoping studies I mentioned really the mission was sufficiently confident of, were in the space that they just gave us or asked us to take the entire inventory of the RTG and just disperse it, and figure out what the dose consequences were from just releasing the entire inventory. And so we didn’t really need much about to know much about the mission other than you fit this, you have this many theories and we’re going to do some basic analysis. Obviously, for missions right now like DARPA DRACO, where we’re getting into the very detailed analysis. Now we start to need CAD diagrams with the material configuration and densities.
John Fulton And as I’ve watched the folks who do all of the solid mechanics calculations, where the screws are so we can we can measure screws into a computer code, a whole lot of very detailed understanding of the spacecraft. And also this is where understanding the launch vehicle that the mission is going to be on becomes very important, because we need at that point to understand what rocket is it, what kind of fuel is it, what are the failure modes of that spacecraft or the launch vehicle. So the launch providers are really the ones providing us their failure modes. Their frequency is an accident to understand that. And obviously, as we’ve worked with a lot of companies for the various government and pure commercial missions, we work through a lot of nondisclosure agreements to make sure that all the information is kept safe. If you’re not familiar with Sandia National Labs or one of your nuclear weapons labs. So we’re very, very well versed in making sure that information is kept secure.
John Fulton So real brief to kind of give a history of Sandia Labs when it comes to space nuclear launch safety. We’ve actually been in this business for about 30 years, going back to the Cassini mission. For Cassini back in the 90s, we were one of the support organizations helping out with those early analysis starting around 2000s with the Mars Science lab, we became the principal lead lab for performing the safety analysis report for that mission. And the most recent mission that we completed and thankfully got to watch successfully launch and successfully reach itself to Mars was the Perseverance Rover. And as kind of I mentioned, space activity is really taking off. If you haven’t been around long enough, Space is really a pun rich environment at this point. Space nuclear launch safety is exploding, it’s taking off. All kinds of things are happening. If you go to some of the conferences, you see that non-nuclear launches are really taking off. There’s projection of about 4,000 satellites to be launched this year, some 400, 3 or 400 odd launches. So we may actually hit the first year ever where we had more than a launch a day, if you think about that. In the not so distant future, de-orbit. So a satellite burning up every hour in the atmosphere is not a far fetched statement. Space is really growing, and nuclear space is growing as well. Yes were a couple orders of magnitude much lower than that. We’re not going to put 300 launches up this year. But we have gone from a long history of basic supporting one, NASA DOE mission, waiting a couple of years for the next one to come around, supporting that one NASA DOE mission to a whole bunch of activities. We’ve been helping out with USNC Tech, as Alex mentioned this morning. We’ve been helping them with Xeno power systems with their safety analysis reports. Were part of the DARPA’s DRACO team doing their safety analysis report supporting a mission for Draper Labs, Lockheed Martin and a few others. And that’s not even including the various companies that have been basically showing up about every 2 or 3 months to ask us about how does the safety analysis process work?
John Fulton Space nuclear is really a growing area, just as well as regular space. So what we do and have done at Sandia Labs is as we’ve been managing the safety analysis reports, and the main thing that we’re trying to do is identify the main sources of risk for your mission, and helping the mission identify potential mitigating actions that they can take to reduce the overall risk in the mission. Maybe redesigning the space vehicle differently, using a different source. And even in one case, so for the NASA mission, one of the main risks at launch was actually they had observers, members of the public too close to the launch pad. And so simply banning people from being at those observation decks and moving them further out was, believe or not, a way that you could reduce risk to that mission for how much dose a member of the public would get. So our goal is to give and produce quantitative estimates of risk that are defensible and credible. And so this is not your hand wavy, if you will, paper reactor. This is a very detailed analysis of the system to evaluate what are the consequences to the public, what is the consequence to the environment. So if we have that bad day, we have our nuclear fission system on top of a rocket, that doesn’t give us a beautiful launch into space, but a big, enormous fireball and shock blast wave. What does that was that mean? All of this gets expressed basically against that chart that I showed you. So what are the error bars on that that risk? So it’s a very simple equation. Essentially, we need to know what is the probability of an accident. So that’s really where the launch providers come in. That’s why our Space X and ULA, and the various launch providers are providing us their data book associated with their launch vehicle. What is the probability that the launch vehicle is going to fail, both at take off, a kilometer into the sky, what’s the probability that some engine failure is going to prevent the spacecraft from reaching orbit? So it’s going to come crashing back down.
John Fulton Once we know the probability of accident, we have a whole bunch of codes that I’ll be talking about here in a bit that figure out, well, given that accident occurred, given that we had an explosion that sent a violent shockwave through our spacecraft, what is the probability then that we’re going to have a release of radiological material? What’s the chance or what are the mechanisms that are going to cause us to breach all of our layers of protection, all the things that are meant to keep the radiological material where it is? Once we have the probability of the release, then we get into what is the probability of the consequence given the release. So it’s ultimate at the end of the day, it’s a whole lot of running simulation after simulation after simulation of how did the rocket detonate or how did the spacecraft reenter and crash back into the ground to understand what material got out of the spacecraft, did it get to a member of the public? And what dose and what consequences was that to the member of the public? And did it exceed those safety guidelines? Another way to think about it, as Ari mentioned, the nuclear industry, rather terrestrial nuclear power industry, thinks of things in terms of probabilistic risk assessments. This is the primary system that the NRC, of course, uses for a lot of their analysis. You start off with essentially level one PRAs. So those are essentially fault threes. So for us, that would be, okay, the rocket exploded. Now that exploded, what’s the probability that a house sized chunk of concrete crashed onto our spacecraft after it slammed into the beach or maybe the spacecraft crashed into the ocean? After we’ve had that house sized chunk of concrete crash on the spacecraft, maybe a good solid ton of solid propellant also landed on top of it and burn it 3,000 degrees for 20 minutes. That’s what you get out of the PRA level one assessment, is all of those various accident sequences that might be experienced by the spacecraft. Level two is then calculating running the more detailed, sophisticated models to figure out how much material then got out of the spacecraft or if we find ourselves in a fire environment. How did we change our particle size distribution or did we vaporize more of the reactive material? Or did the fire finally crack open that last line of defense? And that gives us ultimately a source term to the environment. So how much radioactive material was released and what particle size was it released in?
John Fulton The last step of it is to do the environmental transport. So moving the material through the air. Yes, seeing if we just contaminated Orlando. I’ve contaminated Orlando hundreds of thousands of times. Nobody was going to go to Orlando after some of our analysis. Maybe one of the best was when we accidentally, we would have potentially had an impact of a German nuclear power plant with our spacecraft. That would have been a really bad day for everybody. So how do we do this? Well, first, we break everything down into launch phases. You can imagine that the kind of accidents that you’re going to have in pre-launch when you’re in the VIF. That first image, that’s the vertical integration facility. So you’re putting everything together. But there’s no rocket fuel yet and there’s no liquid propellant in the rocket. It’s a very different set of accidents than you’ve reached 100, 100 miles above the surface of the earth. But somehow something about your spacecraft, your launch vehicle failed and now your spacecraft is plummeting back to the earth instead of inserting into orbit. And so one of the first things that we do is work, with course, the launch provider in the mission to figure out what are the appropriate phases that apply to that rocket. If you just have a single stage or a multi-stage rocket, that affects kind of the appropriate mission phases that you’re looking at. Once we’ve done that within each mission phase, we work to develop what they call representative accident scenarios. So you can imagine you might have a fault three with 3 or 400 different leaves on it at the very end. A lot of those are basically from impact to the space vehicle perspective, identical to each other. We don’t want to sit there and spend a hundred years running scenarios for every single one of those leaves, when only three of them are distinct. And so with the development of the rovers in accident scenarios, you’re collapsing down those fault trees into those scenarios that are truly unique and really deserve to be analyzed separately.
John Fulton The way that we do this at Sandia labs, the way we’ve been supporting NASA DOE, and DARPA and everybody, is using our launch safety code suite. So starting with the row of blue boxes on the one side, that’s all our data needs. So that’s where we’re working with the launch provider to get the data book regarding their launch vehicle. What’s the probability of failure, what are the various accident modes that they would expect? And they’ve calculated it’s working with the mission to get the CAD diagrams regarding their spacecraft, what materials are using, what amounts, how is it oriented? Those go into a series of codes for blast impact, fire and thermal environments and reentry environments. I’ll talk about each of those in more detail here coming up. But once we’ve done all those independent calculations of what happens to the spacecraft when it impacts the ground at many, many kilometers per second. What happens when a couple thousand pound chunk of solid propellant lands on top of it and burns for the next 20 minutes. What happens when the shockwave from that hundreds of thousands of pounds of rocket fuel goes flying through it? That all gets brought into a code that puts together this accident sequence. So again, kind of what I talked about. Spacecraft detonated on launch, sent a shockwave through this the spacecraft. The launch vehicle detonates sends a shockwave through the spacecraft. The spacecraft then crashes into the ground. And then concrete and other things start raining down upon it. That code puts together those various sequences that produces then release records of how much material was released. What was the particle size distribution that goes into our consequence code? It does all the atmospheric and environmental transport, and then does the human health consequences on the back end. And finally, there’s a risk integration code that not only provides the mission. Here is your mean probability of exceeding these various dose thresholds or doses, but also here’s your error bars, and that’s often been used by missions in the past. The error part of it helps the mission focus in on what aspects of your mission are driving your risk and potentially can be optimized. So it really helps the missions to figure out where to optimize their design or their choices as to mitigate mission risk.
John Fulton So as I mentioned, risk and uncertainty. Primarily we’re doing a lot of basic Monte Carlo kind of sampling. We’re just doing lots and lots and lots of simulations. We’re taking the launch trajectory and figuring out what’s the probability that you’re going to crash into South Africa, what’s the probability you’re going to be landing into one of the Indonesian islands or wherever your launch director might take you. If my statistician was here, they would get into a lot more detail and get all jazzed up about Bayesian analysis and Latin hypercube sampling. That’s not my thing. But that’s part of course, what’s going on here is all that statistics. Remember, part of the analysis is not just getting from, say, the launch provider. There’s a 1% chance of our vehicle failing. They’re always giving us error bars. We’re all scientists and engineers, we like our error bars. And so they’re giving us 1% chance of failure, plus or minus a tenth of a percent, plus or minus half a percent. And so through this process, we’re propagating error through every one of those steps and facets. And the end result, with the risk and uncertainty phase is provide the mission with an understanding of well, here’s your mean probability, but here’s your 95th percentile, bad day, here’s your fifth percentile, bad day. And if all three of those lines are really on top of each other, then you don’t have a whole lot of uncertainty. You’re pretty confident about the kind of risk you’re going to be seeing, and you can maybe rest a little bit more at ease or potentially those lines are really far apart and we need to really think about the mission, and mission design and things that should be done to narrow those down.
John Fulton Blast and impact. This is the cool kid on the block. Because this is the group that gives you all the really nice videos and animations of the space vehicle slamming into the ground, and breaking apart into a million pieces and screws and bolts and everything flying everywhere. None of those phases get to give quite the nice videos, if you will. But we use a code called Sierra/SolidMechanics that was developed at Sandia Labs. Again, a lot of the code that we’re using and leveraging we’re all designed for and built upon the nuclear weapons program to help them characterize environments and what happens when things go boom. And so we are using Sierra/SolidMechanics again to analyze the blast, the impacts of shock waves and the impacts of physical impacts on the space vehicle from various accident conditions. So again, understanding the amount of liquor propellant in the rocket gives us an idea of the kind of shock waves we’re going to see propagate those shockwaves through the space vehicle to help understand how it’s going to break apart. In this case, for this scenario, with the perseverance and a full system, none of the protective layers were broken through. So the really expensive or long pole in the tent is always the actual doing physical testing. But it’s something that we are always looking for to getting as much as we can. We always like to validate our models. It’s a big question that comes up is how validated are they against physical experiments? And the simple answer is as much as we possibly can, because these things, these tests get really, really expensive. But as you can see, some examples here of some impact studies that were done up at Los Alamos. We work very closely with Los Alamos to do these safety analysis reports and kind of mutually support each other to validate what we’re doing. You can see some again, we’re working to compare our computer simulations with what the physical test did to make sure that we’re actually giving answers that make sense, and that our physical models line up. We have a fire and thermal facility. So if there’s one thing Sandia is definitely good at. If you need your vehicle destroyed, we are more than happy and have lots of facilities to do that for you and shake it apart. We can burn it. We can burn it while shaking it apart. Some of our facilities are just fascinating what they can do. But this is an example of a test that’s actually done in Sandia in our burn facility where we took a chunk of solid propellant, lit it up with some surrogate materials. We didn’t get put real plutonium-238 under there. So we had surrogates to figure out what kind of flows you get underneath the solid propellant. What temperatures are you’re reaching? How does that potentially vaporize material? What does that mean to the radioactive material? Are we going to be changing its particle size distribution? And is it going to be able to stay in place? So that’s the fire and thermal aspect of what we do.
John Fulton Reentry. Of course, one of the things that we’ve done going back to the Cold War is worrying about things coming back in. And what does that mean for how do they heat up? How do they hold together? Do they break apart? So this is, again, an assessment of the spacecraft. We had an accident scenario in this case where the spacecraft did not reach orbit. It’s coming back down or one of the scenarios we had to deal with the Mars Perseverance mission in March 2020 was you’re in the planetary plane. So as we know from past missions, sometimes we send it there and it doesn’t actually go into orbit around the planet. It goes flinging off into space. And Earth is one of those scenarios where it might come back towards Earth. And so understanding reentry, what’s going to happen to the spacecraft, what’s going to happen to the multiple layers of defense around the radioactive material as it comes crashing back down through the atmosphere is one of the things that we’re analyzing and assessing. We talked about accident sequence. This aspect of the code in what we’re doing in this phase of the process is what I really kind of have laid out a few times. Ok, we’re on the launch pad. Accident sequences going in this scenario, the rocket detonated, it sent a shockwave through the spacecraft, through the spacecraft which crashed into the beach. Solid propellant slammed down upon it. It burned for the next 15 minutes. It got up to a couple of thousand degrees. How much material comes out the back end of it. So the end phase of that process is basically a graph that look something like this. It’s an exceedance probability for source terms. So what is the probability of this much radioactive material being released given the mission in question and the space vehicle in question? The green line is actually two lines. So that highest most line is actually two lines. So it’s the overall mission risk and the phase one. So early launch mission risk. They’re both identical to each other. And the overall mission risk, of course, is a little bit higher. This is a long, normal chart. So all those other lines would add up to the overall mission risk. But this helped identify in this case for the mission planners at really a long term reentry was not your primary concern, wasn’t your area of focus. It was that early phase of the mission and what could potentially be done to make that less risky. So after we’ve done the accident sequence, and we figured out how much materials comes out, we do atmospheric transport and consequence. And so atmospheric transport is exactly what says, take that source term, take where it released and move it through the atmosphere. In this case, we are avoiding the house of mouse, but not by much. One of my favorite examples of all the analysis I got to look at was a scenario that somehow knew the house of mouse was there, because it it dipped just south of Orlando and then it looped back North. And so a nice little arc around Orlando. But we put a lot of thought and detail into this. We’re sampling meteorological conditions for perseverance. It was over ten years. One of the things that we do is focus in on picking meteorology that’s appropriate to the launch date and window. So if you’re only going to launch from 9 to 10, we’re not sampling meteorology at 8 pm. in Florida. That’s a big deal with the land sea breeze, and we’ll give you a completely inaccurate view, logical conditions. Another thing that we factor in to all of our analysis is, believe it or not, they will not launch during a hurricane. And so we make sure that we are obeying all the launchpad rules regarding metrological conditions. So if there’s lightning within a certain distance, within a certain time, they won’t launch. And yes, there are metrological databases that record lightning strikes. And so we have a pretty good idea of how to factor that in and make sure that we’re not doing analyzes that are putting the spacecraft in the launch vehicle, taking off in conditions that they would never launch in.
John Fulton The last thing, of course, that we’re doing is you’ve gone through all the effort of figuring out how the spacecraft potentially might experience damage. You figured out, given those accident states, how much material got into the environment, you used the meteorological codes to figure out where did it go? You know it’s on the ground now. What does that mean now to human health? So the pathways that we’re thinking about is as the radioactive plume is going by, how much radiation are you getting externally? Did you take a nice big sniff of that plutonium-238 as it came by? How much got into you from breathing it in? If it’s on the ground, what is that dosing you at? How much is the land contaminated? Ultimately, from an NSPM-20 perspective, and from a historical perspective, that’s all about breaking it down into dose to the maximally exposed individual. We also translate that into cancer risk. So what is the probability of long term latent cancers? And also just from a land contamination perspective. You can imagine, the house of mouse is a big deal, but also the orange groves are a major economic concern in Florida, as are the sugar cane fields. So there’s a lot of agricultural influences down there, and understanding how contaminated those areas got. What does that mean from a food embargo perspective, What does that mean from a land contamination perspective is also a big deal. One of the things that we’re calculating and helping the mission understand.
John Fulton Ultimately the end product, we’re going back to that chart that I talked about at the beginning, where we’re talking about the various tiers and the safety guidelines. We’re taking overall mission risk and we’re plotting that. Here’s an example just to plotting the means. So there’s no error bars here, but this is the means on that chart to help you understand. Here’s where your mission lies with respect to NSPM-20 and the safety guidelines and how much pushback or conversation with the regulators you might find yourself dealing with. So the solid line is mission A, we’re way to the lower left. We’re in a nice, happy place. We’re far away from the safety guidelines were clearly in Tier one, unless we’re dealing with a vision system, life probably is pretty good with the safety analysis of that mission and its ability to get launch approval. The second mission is the dotted line that crosses over into Tier two, but not necessarily by a lot. So maybe there are some things that that mission can now do to think about how to change its configuration or to design or maybe do a few more physical tests to get rid of some uncertainty that might drive it into Tier one in a simpler approval process. The third mission, the dash line it’s also kind of safely into the Tier one area. It’s away from the safety guidelines, but it’s getting kind of close. And particularly if the error bars are saying that it’s hitting those areas, it’s exceeding the safety guidelines maybe for the 95th profile or percentile, they get the mission might want to think about doing some further things to deal with that risk or maybe move that mission a little bit further away from the safety guidelines.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Eric White is news anchor and Federal Drive producer at Federal News Network.
Follow @FEDERALNEWSCAST