Interesting probability theory or how many engines do you need?

In discussing the OTRAG project of the “big stupid carrier” consisting of a package of simple rockets, the issue of the reliability of such a number of engines was repeatedly raised. I remembered the sad story of the Soviet H-1 super-heavy rocket, which had 30 engines on the first stage, and which had never reached the end of its work for four flights. In the commentary, to tell about the theory of probabilities and the calculation of the reliability of a place, there is therefore an interesting story about the number of engines, reliability, combinatorics, and probability theory.

Task one, introductory

To begin, consider a simple example. Imagine that we have a rocket. We can put on it one powerful engine or four medium engine. All engines reliability 0.9. That is, if we started these engines 100 times in flight, they worked normally in ~ 90 cases. In which case our rocket will have higher reliability - on a powerful engine or on medium ones?
')
The flight of a rocket with one powerful engine will obviously succeed with a probability of 0.9 .
If for successful flight of a rocket it is necessary that all 4 engines successfully work, then their reliability should be multiplied. Those.

P _{success on medium engines} = 0.9 * 0.9 * 0.9 * 0.9 = 0.6561

It turns out that, out of 100 launches, the rocket will reach 90 cases on one powerful engine, and only 66 cases on four medium ones. It would seem that OTRAG with 64 blocks for outputting 1 ton to orbit is doomed. However, not all so simple. And if we take four engines with the same reliability, but such a burden, that three of four engines will suffice for successful launch into orbit? How to calculate the reliability in this case?
In this case, the probability of a successful flight will be calculated as follows:
First, with a probability of 0.9 ⁴ = 0.6561, all four engines will work fine.
The event “this engine failed, and the rest worked fine” has a probability of 0.1 * 0.9 ³ . Since there are only 4 engines, you need to multiply the probability of this event by 4:
4 * 0.1 * 0.9 ³ = 0.2916
The events “all engines worked fine” and “one engine failed” cannot occur simultaneously and are included in the full group of possible outcomes, so we can add them to calculate the probability of a successful outcome:

P _{success on medium engines with the possibility of a single failure} = 0.6561 + 0.2916 = 0.9477

This is how, one redundant engine made our rocket much more reliable. We continue our calculations further. But what if our "medium" engines became so powerful that even in the case of two failures, the rocket will successfully go into orbit?
The probability of the event “all engines have worked successfully” is known to us - 0.6561.
The probability of the event “one engine failed” is also known - 0.2916.
Let us find the probability of the event “two engines failed”. The probability of an event “this and this engines failed, and the rest worked normally” is equal to 0.1 ² * 0.9 ² . But how many ways you can choose two of the four engines?

The number of combinations C _n ^k - is read as "C from n to k" - this is the number of ways in which you can choose k elements from a set of n elements, if the elements are not returned back after selection and their order does not matter. The formula for calculating:

We need to choose two engines out of four, so C ₄ ² = 4! / (2! (4-2)!) = (1 * 2 * 3 * 4) / ((1 * 2) * (1 * 2) = 24/4 = 6.
It follows that the probability of the event “two engines failed” is 6 * 0.1 ² * 0.9 ² = 0.0486, and

P _{success on medium engines with up to two failures} = 0.6561 + 0.2916 + 0.0486 = 0.9963

If you look closely, you get a fairly simple pattern:

P _{all engines worked successfully} = C ₄ ⁰ * 0.1 ⁰ * 0.9 ⁴ = 0.6561
P _{failed one engine} = C ₄ ¹ * 0.1 ¹ * 0.9 ³ = 0.2916
P _{failed two engines} = C ₄ ² * 0.1 ² * 0.9 ² = 0.0486
P _{failed three engines} = C ₄ ³ * 0.1 ³ * 0.9 ¹ = 0.0036
P _{failed all four engines} = C ₄ ⁴ * 0.1 ⁴ * 0.9 ⁰ = 0.0001

As it should be for a full group of events, the sum of probabilities gives 1.

Conclusion : Knowing the reliability of the components, we can calculate how many backup elements will provide us with the required reliability.

Reliability OTRAG

To begin with, let's try to calculate whether the unreliability of the blocks in the form of backup CRPUs in the rocket was laid in advance? It is known that for the withdrawal of one ton into orbit it was proposed to use three stages - from 48, 12 and 4 blocks. Taking data on the mass and specific impulse, we calculate the stock of the characteristic speed for the payload of one ton using the Tsiolkovsky formula:

dV of the _{third stage} = 2910 m / s * ln ((1 t PN + 4 * 1.5 t) / (1 t PN + 4 * 0.15 t)) = 4.3 km / s
dV of the _{second stage} = 2910 m / s * ln ((7 tons MO and the third stage + 12 * 1.5 tons) / (7 tons + 12 * 0.15 tons)) = 3 km / s
dV of the _{first stage} = 2646 m / s * ln ((25 t MO, second and third steps + 48 * 1.5 t) / (25 t + 48 * 0.15 t)) = 2.9 km / s
Amount: 10.2 km / s

The characteristic speed in the range of 9.3–10 km / s is normal and means that there was probably no reserve for backup. Now let's try to calculate how many additional blocks we need to get a highly reliable rocket. Initial conditions:

1. It is known that the reliability of the test OTRAG was 0.9355
2. It is necessary to design a rocket with a reliability of blocks not lower than 0.9
3. The total reserve of the characteristic speed must be no less than the original rocket
4. Failure of the stage will be considered the engine non-start / destruction when switched on with conditionally instantaneous bleeding of components. The scenario in which you need to drag a failed unit weighing 1.5 tons with fuel is too pessimistic.
5. Additional complexity will be the need to stabilize the rocket. For simplicity, we will assume that simultaneously with the failed unit, the second unit is turned off from the opposite side, and its components are conditionally instantly merged.

Third stage
With the third stage the biggest difficulty. Only 4 blocks do not allow the possibility of shutting down at least one of them while maintaining any adequate supply of characteristic speed.
Four blocks of reliability 0.9355 without redundancy have reliability 0.9355 ⁴ = 0.77 . Few. Add two more blocks. The probability of success of a six-block stage with the possibility of a single block failure will be 0.9355 ⁶ + 6 * 0.0645 * 0.9355 ⁵ = 0.9475 . In terms of reliability, six blocks is enough.
Calculate the margin of the characteristic speed of the new stage for the case of failure of one unit and turn off the second for the symmetry of thrust. The calculation in WolframAlpha gives 3.9 km / s. Let's try to add the seventh block:
Margin of characteristic speed : 4.24 km / s
Reliability of a seven block stage with the possibility of a single unit failure: 0.93.
In reality, block failure will not necessarily occur in the first second of the flight, so I will choose the optimistic version of the six-block third stage.

Second stage
Since we have four blocks turned into 6, it is necessary to recalculate the number of blocks on the second stage, which would give the same margin of characteristic speed. The mass of the third stage + PN increased from 7 to 10 tons, by the method of selection we determine that we need at least 17 blocks for the same supply of delta-V. Take 18 blocks for symmetry designs.
How many blocks can we afford to lose for the case of the 18-block stage?
Suppose one failure, reliability: 0.67
Allowed two failures, reliability: 0.89
A large system of many blocks has an interesting feature. Failures can occur on different sides of the rung and compensate for traction on their own, without the need to turn off additional units. Different depths of failed blocks may require fewer off blocks to compensate. Only if we are unlucky at all, will the two adjacent blocks on the edge of the step switch off, and we will need to turn off the two opposite blocks. Calculation of reliability in this case is a separate complex process; for simplicity, I will consider the required number of blocks turned off to compensate for as half the allowed failed. Simply put, we put 20 blocks on the second step. With the failure of two blocks and the shutdown of one block to compensate, we will approximately have enough of the characteristic speed margin.

First stage
The second and third stages from TI increased from 25 tons to 40. Therefore, in order to accelerate them by 2.9 km / s, we need as many as 76 blocks.

In the case when we have a lot of independent engines, we can calculate the most likely number of failures according to the formula for the binomial distribution:
n * pq <= k <= n * p + p, where
n is the number of tests (in this case, blocks)
p - the probability of the desired outcome (in this case, success)
q = 1 - p

For our case, the second stage with 76 engines will get:
76 * 0.9355-0.0645 <= k <= 76 * 0.9355 + 0.9355
71 <= k <= 72
Consequently, the most likely failure of 4-5 blocks.

Calculate reliability:
Suppose one failure: 0.039
Up to two failures are allowed: 0.12
Up to three failures are allowed: 0.27
Valid up to four failures: 0.45
Up to five faults are allowed: 0.63
Up to six failures are allowed: 0.78
Up to seven waivers are allowed: 0.88

Seven failures, three blocks for compensation (conservative option). By the selection method, we obtain that we need a stage with 90 blocks.

findings

The third step. There were 4 blocks, it became 6.
The second step. There were 12 blocks, it became 20.
First stage. There were 48 blocks, it became 90.
In total there were 64 blocks, it became 116.

Please note that a very conservative approach was used in the calculations. Firstly, the fact that the failure of the unit may not occur at launch, but after some time of operation, when the unit has already participated in the acceleration of the rocket, was not taken into account. Secondly, real reliability of test launches was used. The simplicity and low parameters of the load design means that the reliability of the unit is easy to improve. Third, the digital control system is able, using terminal guidance, to compensate for the shortfall in the characteristic speed of one stage by the stock of the other stages.


Engine unit OTRAG. The simplicity is amazing ...

As for the sad history of the Soviet H-1, it was not 30 engines that were killed, but the fact that the first stage was not tested as an assembly at the stand, and the engines for it were not tested before installation. The design of the engines NK-15 did not allow multiple start-ups. Lots of engines were tested selectively (2 of 6), which did not allow guaranteed to prevent the defective engine on the rocket. The engine's failure had the character of an explosion, which damaged the cables, pipelines and adjacent engines, making further flight impossible.
By the way, on launch vehicles of the “Soyuz” family at the start five engines with 32 combustion chambers are turned on, and this does not prevent the “sevens” from being very reliable missiles.