3
Risk Management Strategy
CURRENT APPROACH
Overall Guidelines for Risk
The most recent integrated probabilistic risk assessment (PRA) for the entire space transportation system, which was conducted in 1995, concluded that the median overall risk of critical failure for a shuttle mission is 1/145 (SAIC, 1995). The median risk of critical failure for the ascent phase alone was calculated to be 1/248, with a risk of 1/118 at the 95 percent confidence level. The study produced an overall median risk of critical failure for each shuttle mission of 1/131, with a 95 percent confidence value of 1/76. The effects of meteoroids and orbital debris were not included in this study.
Following the PRA, however, the shuttle program office established an interim guideline setting an acceptable level of critical risk from the meteoroid and orbital debris hazard. This guideline stated that the risk of critical failure from a meteoroid or orbital debris impact should never exceed 1/200 for a particular mission. (One in 200 was equal to the worst predicted risk of a critical penetration for a single shuttle mission to date [Austin, 1997].) Adding the maximum 1/200 risk of critical failure from meteoroids and orbital debris to the other risks of catastrophic failure increases the overall median predicted risk of catastrophic failure for a shuttle mission from 1/131 to 1/84.
At the same time, the maximum acceptable predicted risk for damage from meteoroid and orbital debris that would cause termination of a mission was set at 1/60. This criterion was based on an analysis that a risk value of 1/60 was achievable during worst-case docking and mated operations with the Russian space station Mir. Radiator damage was the only mission-limiting damage considered in this analysis (Austin, 1997). The 1/60 criterion has been exceeded on subsequent missions to accommodate Mir operations (Loftus, 1997).
The shuttle program has not established a guideline for the maximum acceptable risk that the orbiter windows or other systems will have to be repaired following a mission. The program has accepted that damage to the crew cabin windows will require that, on average, one window will have to be replaced after each flight.
Assessing Risks for Individual Shuttle Missions
Preflight meteoroid and orbital debris risk assessments for the space shuttle were first conducted in 1993 and are now conducted routinely prior to every shuttle mission. Figure 3–1 is a schematic diagram of the various steps involved in calculating the risk from meteoroids and orbital debris. These risk assessments are based upon an approximation of the altitude and attitude time lines predicted for a shuttle mission. The orbital debris environment model (ORDEM96) and the meteoroid model are combined with a model of the orbiter (BUMPER) to evaluate risks for each mission. (These models are described in detail in Chapter 4.)
For each orbiter mission, an initial risk assessment is presented at the cargo integration review (CIR), which typically takes place approximately 12 months before launch. This gives mission planners enough time to minimize the time the orbiter will spend in high-risk attitudes (Brekke, 1997). Specific risks evaluated for each flight profile include the probability of critical penetration, the probability of penetration of a radiator tube, and the probability of window replacement. When a risk assessment indicates that the risks of a proposed mission profile exceed accepted limits, changes are implemented iteratively until an acceptable level of risk is reached.
Refining Risk Assessments
Until 1995, models of the orbiter’s ability to survive the impacts of meteoroids and orbital debris incorporated extremely conservative failure criteria. For example, the pre-1995 criteria assumed that any penetration of the bottom side of the leading edge RCC elements of a wing, of the wings themselves, or of the wing elevons would be critical. Considerable analyses by NASA and the orbiter manufacturer, Boeing North American Reusable Space Systems, however, have significantly improved the understanding of which penetrations could be critical (Hasselbeck et al., 1997).
NASA and Boeing North American first identified the RCC leading edge of a wing, the rest of the wing, and the elevons as the areas of the orbiter that appeared to pose the highest risks for critical failure. Next, detailed analyses and limited testing of the effects of impacts were conducted on these areas. The analyses examined the immediate effect of an impact (e.g., the hole and associated structural damage), as well as the effects of reentry heating and pressure (e.g., hole enlargement and overheating of structural members). The analyses then determined the size of a hole from an initial impact that could be sustained and not result in loss due to the effects of reentry heating or structural stress during descent maneuvers and landing. Figure 3–2 shows the predicted relative risk (before and after these analyses) that, on a given mission, various orbiter components will be struck by meteoroids and debris and damaged to such a degree that the orbiter or crew will be lost.
ANALYSIS AND FINDINGS
Guidelines for Overall Risk
The PRA performed in 1995, which calculated the median risk of critical damage during a shuttle mission to be 1/145, did not include orbital debris in its calculations. For some missions, adding the risk from meteoroids and orbital debris nearly doubles the overall risk. Table 3–1 shows predicted risks with and without the meteoroid and debris risk, using NASA’s guideline for maximum critical risk from meteoroids and orbital debris of 1/200. (The median and mean risks are noted to establish a baseline uncertainty of about 7 percent.) If the maximum allowable risk from meteoroids and debris is included in the calculations, the total risk of critical failure for a shuttle mission increases from about 1/140 to about 1/80. The increase in risk appears difficult to justify, given that orbiters cost billions of dollars and that the loss of an orbiter or crew would probably leave the nation’s human space program in disarray.
Earlier predictions of the risk of catastrophic failure due to meteoroids and debris may have been somewhat overstated because they incorporated conservative predictions of whether a given impact would cause a catastrophic failure. These predictions, however, are becoming less conservative as the understanding of the effects of impacts on different shuttle areas improves. Whether the risk of catastrophic failure due to meteoroids and debris is 1/200 or 1/400, however, NASA appears to have put much less effort into understanding and reducing this risk than other comparable risks (such as the risk of catastrophic failure of the space shuttle main engine).
TABLE 3–1 Total Calculated Risk of Critical Failure
| | Ascent | | Reentry | | Meteoroids and Debris | | Total |
|---|---|---|---|---|---|---|---|
| Without meteoroids and debris risk | | | | | | | |
| median | 1/248 | + | 1/350 | + | n/a | = | 1/145 |
| mean | 1/219 | + | 1/326 | + | n/a | = | 1/131 |
| With meteoroid and debris risk of 1/200 | | | | | | | |
| median | 1/248 | + | 1/350 | + | 1/200 | = | 1/84 |
| mean | 1/219 | + | 1/326 | + | 1/200 | = | 1/79 |
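The arithmetic behind Table 3–1, worked as an added example that is not part of the original report: it reproduces the table's totals and shows how the meteoroid and debris share of the total shifts between the 1/200 and 1/400 values mentioned in the text. The function names and the choice to report each phase's share are assumptions made for this illustration.

```python
from fractions import Fraction as F

# Per-phase critical-failure risks taken from Table 3-1.
TABLE = {
    "median": {"ascent": F(1, 248), "reentry": F(1, 350)},
    "mean":   {"ascent": F(1, 219), "reentry": F(1, 326)},
}

def total_risk(phases, exact=False):
    """Combine independent per-phase risks.
    exact=False: rare-event sum, which is how Table 3-1 adds its columns.
    exact=True:  1 - prod(1 - p), the probability that at least one occurs."""
    if not exact:
        return sum(phases.values(), F(0))
    survive = F(1)
    for p in phases.values():
        survive *= 1 - p
    return 1 - survive

def one_in(p):
    """Express a probability as the N in '1/N', rounded to the nearest integer."""
    return round(1 / p)

def with_debris(stat, guideline):
    """Return (N of the 1/N total, largest contributor, debris share of the total)
    when the meteoroid/debris risk sits exactly at `guideline`."""
    phases = dict(TABLE[stat], debris=guideline)
    total = total_risk(phases)
    shares = {name: float(p / total) for name, p in phases.items()}
    return one_in(total), max(shares, key=shares.get), round(shares["debris"], 2)

if __name__ == "__main__":
    for stat in TABLE:
        print(stat, "without debris: 1/%d" % one_in(total_risk(TABLE[stat])))
        for guideline in (F(1, 200), F(1, 400)):
            print(stat, "debris at", guideline, with_debris(stat, guideline))
```

At 1/200 the debris term is the largest of the three contributors; at 1/400 it falls below both ascent and reentry.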
In addition to being allowed to be the largest single critical risk factor, the hazard of meteoroids and orbital debris is also allowed to be the single largest mission-limiting risk factor. The maximum allowable risk that meteoroids and orbital debris will force an early end to a particular shuttle mission has been set at 1/60. The second largest risk, an external hydrazine leak in the high-energy auxiliary power unit system, is believed to be about 1/1,300 (Williams, 1997).
Finding. Meteoroids and orbital debris are currently allowed to pose the largest single risk of both critical failure and early termination of a shuttle mission. Compared to the effort NASA has expended to reduce other risks to the shuttle, the effort spent to understand and reduce the risk from meteoroids and debris appears small.
An integrated PRA of the shuttle that includes the meteoroid and orbital debris hazard has not been conducted. If such an analysis were conducted, and if standardized probability, consequence, and probability-consequence terms were implemented across the full spectrum of risk families, NASA could better understand and weigh the risks from meteoroids and orbital debris against other risks to the shuttle. Incorporating error propagation schemes into this analysis would further enhance the utility of the results.
Assessing Risks for Individual Shuttle Missions
The overall survivability of a system can be determined through a series of steps combining the susceptibility of the system (the probability of being hit) with the vulnerability of the system (the probability that a hit will cause significant damage) (see Figure 2–1). NASA has already put the basic elements for this kind of analysis in place. The ORDEM96 model can provide information about susceptibility, and the BUMPER model can provide part of the assessment of vulnerability.
However, a complete assessment of the vulnerability of the shuttle to meteoroids and orbital debris has not been conducted. Currently, there is no standard terminology or process that covers the major components of the shuttle meteoroid and debris risk assessment process, and no end-to-end sensitivity analysis has been conducted of environmental effects (i.e., ORDEM96), impact effects (i.e., BUMPER), and failure criteria (i.e., input from the Shuttle Program Office). Because mission managers cannot weigh the accuracy of the data, they must make trade-offs between safety and mission goals based on incomplete information.
To rectify this situation, NASA will have to conduct an in-depth survivability assessment for the shuttle orbiter, focusing on vulnerability as it relates to the meteoroid and orbital debris hazard; the results will have to include applicable ranges and associated confidence levels. This assessment would provide shuttle program managers with a complete picture of the potential risks for specific missions and would make it easier for NASA to determine which areas of the orbiter require better protection.
A valuable component of the survivability assessment would be an end-to-end sensitivity analysis to determine the impact of uncertainties and variabilities in parameters for each of the three components of the current risk assessment process: ORDEM96 (e.g., size distribution, ballistic coefficient, lifetime, atmospheric density profile, etc.), BUMPER (e.g., velocity effects, shape effects, density profile, etc.), and failure criteria (e.g., conservative estimates of damage effects, etc.). The results would be most useful if they included applicable ranges and associated confidence levels.
NASA may find the methodology used by the Department of Defense (DOD) for aircraft survivability studies (Ball, 1985) helpful. The DOD aircraft vulnerability process passes “shotlines” through aircraft to determine which components could be hit by various impactors at various velocities. The process takes into account shielding of critical components by less critical components that may not be necessary for continued flight. The process also allows the DOD to determine whether redundant components are adequately separated or if one impact could damage both redundant systems. “Damage modes and effects” analyses are conducted to determine whether critical components or subsystems could be rendered inoperable by various impactors at various velocities. “Failure modes and effects” analyses are used to determine which components and subsystems are critical to continued flight. In other words, the DOD uses a systematic process that determines the contributions of all components and subsystems to the vulnerability of the total system.
Finding. NASA has not conducted an end-to-end assessment of the survivability of the shuttle with respect to the meteoroid and orbital debris hazard. Similar analyses, however, have been conducted by the DOD to assess aircraft survivability.
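The shotline bookkeeping described above, reduced to a toy two-dimensional model as an added example (not DOD or NASA code). The part names, dimensions and resistances are constructed, and a single penetration "budget" stands in for impactor size and velocity.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Part:
    name: str
    x0: float          # depth at which a +x shotline enters the part
    y0: float          # lateral extent, lower edge
    y1: float          # lateral extent, upper edge
    resist: float      # penetration budget the part absorbs when hit
    group: str = ""    # redundancy group; "" means not flight-critical

def damaged_along(y, budget, parts):
    """Names of parts damaged by one shotline at lateral offset y, in hit order."""
    hit = []
    for p in sorted((p for p in parts if p.y0 <= y <= p.y1), key=lambda p: p.x0):
        if budget <= 0:      # stopped upstream: everything behind is shielded
            break
        hit.append(p.name)
        budget -= p.resist
    return hit

def killed_groups(hit, parts):
    """A function is lost only if every member of its group is on this shotline."""
    groups = {}
    for p in parts:
        if p.group:
            groups.setdefault(p.group, set()).add(p.name)
    return sorted(g for g, members in groups.items() if members <= set(hit))

def vulnerable_fraction(parts, budget, offsets):
    """Share of shotlines that cause loss of at least one critical function."""
    kills = [bool(killed_groups(damaged_along(y, budget, parts), parts)) for y in offsets]
    return sum(kills) / len(kills)

# Constructed layout: a non-critical panel in front of two redundant hydraulic
# lines and a single flight computer.
PANEL = Part("panel", 0, 0, 10, resist=2)
HYD_A = Part("hyd_A", 2, 1, 3, resist=1, group="hydraulics")
COMPUTER = Part("computer", 2, 6, 7, resist=1, group="computer")
COLOCATED = [PANEL, HYD_A, COMPUTER, Part("hyd_B", 4, 2, 4, 1, "hydraulics")]
SEPARATED = [PANEL, HYD_A, COMPUTER, Part("hyd_B", 4, 7.5, 9.5, 1, "hydraulics")]
OFFSETS = [i + 0.5 for i in range(10)]   # ten parallel shotlines

if __name__ == "__main__":
    for budget in (2, 3, 4):
        print(budget, vulnerable_fraction(COLOCATED, budget, OFFSETS),
              vulnerable_fraction(SEPARATED, budget, OFFSETS))
```

With a budget of 4, the co-located layout loses hydraulics on the one shotline that crosses both lines, while the separated layout has no such shotline; with a budget of 2, the panel shields everything behind it.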
Refining Risk Assessments
The in-depth analyses conducted by NASA and Boeing North American Reusable Space Systems to characterize the risk of critical penetration of the orbiter wings and elevons have provided mission planners with more complete information about potential risks to the orbiter. The analyses have also provided valuable input into decisions on whether to modify existing hardware to provide better protection from the impact of meteoroids and orbital debris.
Analyses like these have not yet been performed for other orbiter components or systems. For example, the risk from meteoroids or debris to redundant systems that are not physically separated has not yet been assessed. Analyses of this type could also be used to refine assessments of the risk of critical failure, mission-limiting damage, and damage requiring repairs to determine which areas of the shuttle require more protection and to determine whether operational and procedural modifications could decrease the risk.
RECOMMENDATIONS
Recommendation 1. NASA should reevaluate the current guideline that allows the shuttle to experience a 1/200 probability per mission of critical failure from the impact of meteoroids or orbital debris. A lower allowable risk appears to be more appropriate.
Recommendation 2. NASA should establish a survivability assessment process and conduct a systematic survivability assessment of the entire shuttle orbiter—including all subsystems and components—against the meteoroid and debris hazard. The assessment should be integrated with assessments of the risk from other on-orbit hazards, as well as the risk from ascent and reentry, to create a complete, integrated, peer-reviewed PRA for the shuttle.
Recommendation 3. NASA should continue to assess in detail the vulnerability of areas of the shuttle orbiter that are predicted to contribute most to the overall risk of critical failure, mission-limiting damage, and damage requiring repair.
REFERENCES
Austin, L. 1997. Space shuttle meteoroid/debris risk management. Briefing presented to the Committee on Space Shuttle Meteoroid/Debris Risk Management, Washington, D.C., April 27, 1997.
Ball, R.E. 1985. The Fundamentals of Aircraft Combat Survivability Analysis and Design. New York: American Institute of Aeronautics and Astronautics.
Brekke, M. 1997. Meteoroid/debris risk assessment process overview. Briefing to the Committee on Space Shuttle Meteoroid/Debris Risk Management, Houston, Texas, June 16, 1997.
Hasselbeck, M., D. Picetti, and M. Koharchik. 1997. Space shuttle orbiter on-orbit impact critical failure criteria. Briefing to the Committee on Space Shuttle Meteoroid/Debris Risk Management, Houston, Texas, June 17, 1997.
Loftus, J.P. 1997. E-mail to the Committee on Space Shuttle Meteoroid/Debris Risk Management from Joseph Loftus, Jr., Assistant Director (Plans), NASA Johnson Space Center, September 12, 1997.
SAIC (Science Applications International Corporation). 1995. Shuttle Probabilistic Risk Assessment. Washington, D.C.: Center for Aerospace Information.
Williams, J. 1997. Science Applications International Corporation Briefing to Johnson Space Center, August 6, 1997. San Diego, California: Science Applications International Corporation.