Mission Assurance: A Human-Rated Space Perspective

Garry Boggan

Aerospace has a long history of working with NASA on mission assurance initiatives for humans as they venture into space.

Aerospace is no stranger to mission assurance for human-rated space programs, including those of the early space race. The National Aeronautics and Space Act of 1958 stated as an objective "the development and operation of vehicles capable of carrying instruments, equipment, supplies and living organisms through space." Aerospace assisted in early efforts for the Mercury and Gemini programs, sharing its expertise in launch vehicles. Later, when the Air Force planned to deliver satellites to orbit using the Space Transportation System, Aerospace worked to assist in this goal. But after the Challenger accident in 1986, the Air Force decided to deliver defense payloads into orbit using unmanned launch vehicles.

Nevertheless, Aerospace stayed involved with NASA programs. Today, Aerospace personnel working at Johnson Space Center in Houston support the NASA Space Shuttle Program and the military Space Test Program. For more than a decade, Aerospace employees have worked with the NASA Office of Safety and Mission Assurance performing independent assessments during the development and deployment of the International Space Station. Aerospace also assisted the NASA Space Shuttle Systems Engineering and Integration Office directly following the Columbia tragedy, working on return-to-flight initiatives and an ongoing effort for debris risk characterization and testing.

Mission Assurance Perspectives

Mission assurance, from an Aerospace perspective, is the disciplined application of general systems engineering, quality, and management principles toward achieving mission success. It focuses on the detailed engineering of the acquired system using independent technical assessments as a cornerstone throughout the entire concept and requirements definition, design, development, production, test, deployment, and operations phases.

Mission assurance within NASA is formally aligned under the Office of Safety and Mission Assurance; however, NASA policy allocates responsibilities for mission success to the mission directorate associate administrators, center directors, the chief safety and mission assurance officer, and program managers, as well as to supervisors, managers, and employees.

While all space systems share a risk to the general public of accidents on ascent and reentry, human-rated space programs must also be developed with consideration of the risks posed to humans on the flight and those in orbital space system segments. Humans in space are vulnerable to a loss of atmosphere or exposure to hazardous environments, such as fire or radiation. These and other considerations must be addressed so that the support systems in a space vehicle are provided with an appropriately redundant design. Requirements for safe extravehicular activities by humans must also be considered.

These human-rating requirements—and their contribution to mission assurance and success—are by policy the responsibility of the program managers. Other NASA organizations and contractors support program managers as the system requirements are implemented. Endorsement by contractors, NASA project and program managers, and higher-level NASA management occurs through a sequence of flight-readiness reviews prior to mission deployment.

Safety and Mission Assurance Policies

NASA policy distinguishes between human-rated space systems and nonhuman systems. Space systems and their human-rating requirements have evolved over the years, and a review of related specifications and handbooks offers a snapshot of this evolution. For example, lessons learned provide a basis for adaptation and, ideally, improvement of system expectations. Problem-reporting systems are a collection of experiences with systems during development and deployment. Procedures for addressing the root causes of problems, evaluating the risks of using "as is," or requiring immediate mitigation and fielding corrective actions, are all elements of the safety and mission assurance discipline and support the implementation of these policies.

NASA directives and work instructions are designed to help implement established safety and mission assurance policies, addressing the fundamental issues of considering the safety of the flight crew as well as ensuring mission success. These directives and work instructions help guide program managers, the engineering and program teams, and contractors.

Left: The capsule of the Apollo/Saturn 204 space vehicle after the tragic flash fire that killed three astronauts readying for flight. Right: The exterior of the spacecraft after the fire. Results of the investigation into the cause of the fire led to major design and engineering modifications for future space capsules.

Events can drive changes to policies and how they are implemented. The flash fire on January 27, 1967, that killed the Apollo 1 crew was a jolt to NASA and drove the agency to address safety as part of its culture. The team that led the failure investigation identified flaws in all aspects of the capsule design, operations, and testing. NASA made efforts to increase flight crew safety by addressing basic operational concepts, such as reducing the likelihood of a fire by making changes to the capsule's atmosphere while on the ground and introducing fireproof covers for suits. Design flaws were also addressed, such as by providing for quicker crew escape with a redesigned hatch, by reducing flammable materials in the capsule, and by redesigning electrical connections to avoid disconnects with the power on. Even with these fixes and lessons learned, the Apollo program still encountered problems that impacted safety of flight, including the well-publicized Apollo 13 mishap. In the Apollo 13 case, a design discrepancy within the oxygen tank, coupled with improvised ground procedures, was identified as the likely cause of the on-orbit explosion that could have ended in tragedy if not for an available lunar module refuge and operational workarounds.

As it began its initial set of orbital tests on April 21, 1981, the space shuttle represented the start of a new mode of space transportation—that of a large, mostly reusable space vehicle. Reusability brought its own set of concerns, namely, that the vehicle's design had to address the rigors of multiple launches and recoveries. Unfortunately, the program has witnessed its own set of problems, in which the objective of crew safety fell victim to mistakes and failures in the safety and mission assurance processes, as exemplified by the losses of Challenger in 1986 and Columbia in 2003.

In the case of the Challenger disaster, the Rogers Commission highlighted the root cause as a leaky O-ring on the starboard solid rocket motor that allowed hot exhaust gases to compromise the external tank. But the commission also wrote a chapter about the "silent safety program" that contributed to organizational missteps. The commission highlighted pressures to maintain the launch schedule as contributing to the accident.

More than 15 years later, the Columbia accident raised additional concerns about lapses in safety. Aerospace assisted the Columbia Accident Investigation Board following this loss. The board recommended changes within NASA to instill a renewed commitment to safety and mission success, including providing independent reviews and elevating dissenting opinions to program managers.

Using the shuttle's robotic arm and 50-foot-long Orbiter Boom Sensor System, the STS-118 crew photographed this close-up view of damaged tile on the underside of the Endeavour during an inspection of the shuttle's heat shield while docked with the International Space Station on August 12, 2007. After extensive analysis, engineers decided that the tile did not need to be replaced before the shuttle disembarked for a return to Earth.

The organization and operation of NASA's Mission Management Team was changed as a result of the board's recommendations. This team is responsible for making programmatic decisions and trades associated with launch countdown and in-flight activities. The Mission Management Team is now responsible for oversight and daily reviews of ongoing operations during shuttle flights, while the flight control team and flight crew continue to have operational authority of all crew and mission safety matters. Mission Management Team roles and responsibilities are assigned to several elements of the Space Shuttle Program, including the Office of Safety and Mission Assurance, which is charged with reporting independent risk evaluations of anomalies, in-flight anomalies, and problem reports, and elevating concerns through the in-flight crew safety and mission success reporting process.

The paths leading up to deployment of an operational system must also be included in safety and mission assurance policies and processes. NASA has implemented these procedures agency-wide within its civil servant and contractor organizations. Individual NASA centers also house their own safety and mission assurance organizations, and supporting contractors participate in program reviews and analyses. Contractors charged with the development of flight hardware and systems are also tasked with including mission assurance functions in their development and manufacturing processes. They must supply NASA with the information necessary to meet the safety and mission assurance requirements levied on their system.

The on-orbit imagery collection procedures that were updated following the Columbia accident help to better inform the flight control team, the flight crew, and the mission management team of the state of the shuttle after its ascent. This image from STS-121 shows an inspection of the external tank following its separation from the orbiter. Astronauts use handheld cameras to evaluate the performance of the external tank foam after it has experienced the rigors of ascent heating. The digital photographs are downlinked to engineers for imagery analysis. The shadow of the orbiter is shown on the intertank region. Missing foam is shown near the foot of the third ice/frost ramp from the intertank flange. Foam ramps are used to provide a more aerodynamic shape for the brackets supporting the tank repress lines. Design changes to the orbiter systems include adding imagery assets that will work in sunlit and unlighted separations.


The International Space Station

Aerospace has also provided support in addressing technical challenges encountered by the International Space Station. During the station's development phase, Aerospace addressed technical concerns during several independent assessments. These included component breakdown phenomena present in the design of the electrical power system, such as the dc-to-dc converter unit, and concerns with the remote power control module. Aerospace assessed the fiber optics integral to the onboard avionics computer network because there was concern that the installation procedures could degrade the transmission quality of the communication path between the avionics boxes. NASA also asked Aerospace to assist in evaluating technology for maintaining the fiber-optic cable installation and signal integrity equipment being considered for use on orbit. The flight equipment, an optical time-domain reflectometer, is based on technology evaluated by Aerospace prior to the ISS 6A mission, which was launched in 2001 and was the sixth American flight delivering materials for the construction of the International Space Station.

Aerospace was asked to evaluate the plasma charging models developed for the space station because NASA was concerned for the crew's safety in respect to the level of electrical discharge that might traverse a spacesuit during a spacewalk. Aerospace and NASA reviewed the spacecraft charging models and environments and compared them to those used for military satellite operations. In addition to review of the orbital environment (i.e., the ambient electron density and temperature, and variations based on orbital parameters and seasons), Aerospace reviewed contractor-developed models for validity of ground rules and assumptions, such as charge-collection areas based on physical configuration.

Aerospace evaluated command and control software procedures used to increase the capability of the International Space Station throughout various configuration changes, and also assisted in developing an observation window that would satisfy stringent optical requirements for on-orbit photographic experiments. The internal active thermal control system that provides cooling for the internal heat sources of the space station was evaluated by Aerospace for corrosion and microbial contamination. Aerospace chemists reviewed the system configuration and its operation in the orbital environment, conducted analyses of the material compatibility and possible causes of corrosion, made recommendations of options, and evaluated a contractor-offered solution. The operation of this thermal control system remains under observation to ensure that the solution implemented provides the necessary mitigation.

New operational techniques have been developed for on-orbit inspection of the orbiter's thermal protection system tiles. The image on the left shows a protruding gapfiller on STS-121 and the gaps between the tiles where heat resistant filler material can protrude following ascent environments. The image on the right is a photograph taken by an astronaut in space of the underside of space shuttle Discovery on mission STS-114. The new techniques help to identify additional debris threats not considered by NASA prior to the Columbia tragedy in 2003.

As the International Space Station began operations, NASA began a review of the system-readiness reporting procedures and asked Aerospace to evaluate options for improving the status reporting of the various distributed systems. This analysis included developing a methodology that would provide linkage of the relationships between redundant system components, on-orbit spares, and flight rule procedures for workarounds.

Trash and how it is discarded is a logistical problem for an orbital human-rated station. Trash in space is typically stored for eventual return to Earth via an expendable capsule, such as Russia's Progress spacecraft or onboard the orbiter itself. One idea was to discard the trash overboard so that it would disintegrate during reentry. An Aerospace and space station program team worked together to assess the risks to the public from trash that would survive reentry, and also for the potential of an increase in orbital debris.

The Apollo-Soyuz interchange, American participation on Russia's Mir space station, and involvement of Russian spacecraft and ground elements (i.e., Soyuz, Progress, and Baikonur) in the International Space Station program offer opportunities to evaluate risk management and mission assurance processes from different cultures and nations. Aerospace has also supported NASA with independent assessments for encryption analysis for the command and control communication of the Zarya module of the space station, evaluation of Russian nickel-cadmium batteries, and postentry analysis of the Mir space station.

Space Shuttle Return to Flight

NASA focused on reinvigorating its systems engineering capabilities following the investigation into the Columbia accident. Aerospace assisted these and other return-to-flight activities, working closely with NASA's Space Shuttle Systems Engineering and Integration Office and its Safety and Mission Assurance organization. Aerospace helped develop plans for recertification of the vehicle, assisted in developing a method to assess the risks of debris in comparison to the capabilities of the vehicle and its components, and helped in the understanding of new imagery technology that would evaluate debris during ascent (see sidebar, Analysis Techniques for the Space Shuttle).

An Aerospace model designed to predict damage and its depth to the space shuttle thermal protection system. The numbers along the axes refer to the coordinate system of the integrated vehicle in inches. The overall length of the shuttle is 184 feet; the wingspan is 78 feet.

Aerospace worked with NASA to develop a debris risk assessment approach that evolved from a basic understanding of risks to establishing a probabilistic assessment technique for determining the debris threat to the space shuttle system's capabilities. The goal was to understand the origins of all potential debris sources and determine the level of threat from each one. Meanwhile, the vulnerabilities of the various components, such as the reinforced carbon-carbon or ceramic tiles of the orbiter's thermal protection system, were being scrutinized. The analysis revealed that the strength of these structural capabilities did not remain intact after reuse. This reduction in capability had to be factored into NASA's debris threat risk assessment. Aerospace has since participated in risk assessments of foam debris, including on the Discovery STS-114 return-to-flight mission in 2005, and subsequent flights.

Aerospace has also been supporting NASA's Space Shuttle Program by testing iceballs to understand the physics of their release and breakup, performing residual risk analysis on the potential for metal particle combustion with the orbiter's liquid-oxygen system, and assisting in structural modeling. Aerospace has also worked on propellant quality methodology comparisons between approaches used in the Space Shuttle Program and for expendable launch vehicles, assisted in peer reviews of wind-tunnel test planning and in the evaluation of results from thermal and acoustics testing, and assisted with tin whisker concerns for orbiter avionics. Aerospace assists NASA with estimates of risks to the public on shuttle reentry sites and provides support on in-flight anomaly investigations, safety reviews, and integrated hazard reports. Aerospace is acknowledged as playing "a key role for systems engineering for debris and end-to-end Monte Carlo analysis" in NASA's 2007 implementation plan, "Space Shuttle Return to Flight and Beyond."

Conclusion

Aerospace's involvement with mission assurance for NASA programs has evolved into support of independent evaluations of advanced human-rated space programs, including an orbital space-plane project where program requirements were evaluated for interface, safety, and allocation requirements.

Aerospace has also provided independent assessments for launch vehicle structural and propulsion technology trade studies in support of the most recent vision for space exploration. As the human-rated space program takes its next steps with the Constellation program, Aerospace plans to support NASA in mission assurance activities, just as it has since the beginnings of Project Mercury.

John Brekke and John Skratt, Space Launch Operations, with Jim Peters (right) of NASA's debris integration group. The three are standing under the belly of the orbiter prior to inspection of its thermal protection system at Kennedy Space Center.

Acknowledgments

The Aerospace efforts presented in this article represent work by many technical experts from a variety of departments and organizations over many years. NASA has publicly recognized many of these people for their efforts. Space Flight Awareness Award honors have gone to Raymond DeGaston and Karen Scott in recognition of their work on the International Space Station, and to Pete Choban for his efforts on the STS-102 flight. NASA awarded Bruce Wendler the Exceptional Public Service Medal, which he received for his support of the space shuttle return to flight and debris identification and mitigation efforts.

Recent Aerospace work that has drawn praise is in the end-to-end risk assessment for ascent foam debris accomplished by John Brekke and Matthew Eby. Their work has been supported by a team of scientists, engineers, and technicians from several organizations within Aerospace. Randall Williams, Richard Welle, and Brian Hardy developed test techniques to provide NASA with novel, lower-cost test options for combined environments and iceball testing. Mike Cavanaugh, Yontha Ath, and Jim Womack provided statistical options for use in the probabilistic risk techniques. John Murdock supported aerodynamic modeling techniques. Peter Pollock and Scott Peck developed material modeling techniques for the external tank foam.

Further Reading

  • S. R. Strom, "A Perfect Start to the Operation: The Aerospace Corporation and Project Mercury," Crosslink, Vol. 2, No. 2 (Summer 2001).
  • S. R. Strom, "A Stellar Rendezvous," Crosslink, Vol. 4, No. 1 (Winter 2002–2003).
  • E. J. Tomei, "The Air Force Space Shuttle Program: A Brief History," Crosslink, Vol. 4, No. 1 (Winter 2002–2003).
  • M. Williamson, "Aiming for the Moon: The Engineering Challenge of Apollo," The IEE Engineering Science and Education Journal, Vol. 11, No. 5 (October 2002).
  • "Report of the Presidential Commission on the Space Shuttle Challenger Accident," Rogers Commission Report, June 6, 1986 (www.nasa.gov).
  • "Columbia Accident Investigation Board Final Report," August 26, 2003 (www.nasa.gov).
  • NASA Policies: "NASA Policy for Safety and Mission Success," NPD 8700.1C (2004); "NASA General Safety Program Requirements," NPR 8715.3B (2007); "Human-Rating Requirements for Spaceflight Systems," NPR 8705.2A (2005); "NASA Quality Assurance Program Policy," NPD 8730.5 (2005); "Safety and Mission Assurance Audits, Reviews, and Assessments," NPR 8705.6 (2005); "NASA Reliability and Maintainability Program Policy," NPD 8720.1B (2004); "Software Safety," NASA-STD-8719.13 (2004); "Software Assurance Standard," NASA-STD-8739.8 (2005); and "Management of Government Quality Assurance Functions for NASA Contracts," NPR 8735.2A (2006). (All NASA policies published by NASA, Washington, D.C.)

To Fall 2007 Table of Contents




This page was last modified on 12/04/07