
Safety Design for Space Systems

Ebook, 2,180 pages, 24 hours


About this ebook

The lack of widespread education in space safety engineering and management has profound effects on a project team's effectiveness in integrating safety during design. On one side, it slows the professional development of junior safety engineers; on the other, it creates a sectarian attitude that isolates safety engineers from the rest of the project team. To speed up professional development, bridge the gap within the team, and prevent hampered communication and missed feedback, the entire project team needs to acquire and develop a shared culture of space safety principles and techniques. The second edition of Safety Design for Space Systems continues to address these issues with substantial updates to chapters such as battery safety, life support systems, robotic systems safety, and fire safety. This book also features new chapters on crew survivability design and nuclear space systems safety. Finally, the discussions of human rating concepts, safety-by-design principles, and safety management practices have been revised and improved. With contributions from leading experts worldwide, this second edition represents an essential educational resource and reference tool for engineers and managers working on space projects.
  • Provides basic multidisciplinary knowledge on space systems safety design
  • Addresses how space safety engineering and management can be implemented in practice
  • Includes new chapters on crew survivability design and nuclear space systems safety
  • Fully revised and updated to reflect the latest developments in the field
Language: English
Release date: Jul 25, 2023
ISBN: 9780323956550


    Safety Design for Space Systems

    Second Edition

    Editor-in-Chief

    Tommaso Sgobba

    Editors

    Gary Eugene Musgrave

    Gary Johnson

    Michael T. Kezirian

    Table of Contents

    Cover image

    Title page

    Copyright

    Dedication

    List of contributors

    About the editors

    Preface to the first edition

    Preface to the second edition

    Acknowledgments

    Chapter 1. Introduction

    1.1. Space incidents

    1.2. Designing safety in a space system

    1.3. Staying hungry: the interminable management of risk in human spaceflight

    1.4. Book structure and content

    Chapter 2. The space environment: natural and induced

    2.1. The atmosphere

    2.2. Orbital debris and meteoroids

    2.3. Acoustics

    2.4. Radiation

    2.5. Natural and induced thermal environments

    2.6. Combined environmental effects

    Chapter 3. Overview of bioastronautics

    3.1. Space physiology

    3.2. Physiological effects of space missions and space analogs

    3.3. Health maintenance

    3.4. Conclusion

    Chapter 4. Space safety engineering and management

    4.1. Introduction

    4.2. Definitions and key principles

    4.3. System safety engineering

    4.4. Safety management system

    Chapter 5. Safety policy and human rating

    5.1. Introduction

    5.2. Policies, regulations, and standards

    5.3. Human rating

    Chapter 6. Probabilistic risk assessment with emphasis on design

    6.1. Basic elements of probabilistic risk assessment

    6.2. Construction of a probabilistic risk assessment for design evaluations

    6.3. Relative risk evaluations

    6.4. Evaluations of the relative risks of alternative designs

    Chapter 7. Safety considerations for the ground environment

    7.1. Introduction

    7.2. Ground support equipment

    7.3. Documentation and reviews

    7.4. Roles and responsibilities

    7.5. Contingency planning

    7.6. Flight hardware safety

    7.7. Training

    7.8. Hazardous operations

    7.9. Tools

    7.10. Human factors

    7.11. Biological systems and materials

    7.12. Electrical equipment and facilities

    7.13. Radiation

    7.14. Pressure systems

    7.15. Explosive devices

    7.16. Mechanical and electromechanical devices

    7.17. Propellants

    7.18. Cryogenics

    7.19. Oxygen systems

    7.20. Ground handling

    7.21. Software safety

    7.22. Summary

    Chapter 8. Emergency and crew survival systems

    8.1. Introduction

    8.2. Emergency and crew survival capabilities

    8.3. Personal protective equipment

    Chapter 9. Space debris protection

    9.1. Risk control measures

    9.2. Emergency repair considerations for spacecraft pressure wall damage

    Chapter 10. Docking systems design

    10.1. Docking systems design and operations

    10.2. Docking system standardization

    Chapter 11. Parachute system design

    11.1. Parachute systems

    Chapter 12. Materials safety

    12.1. Toxic offgassing

    12.2. Stress-corrosion cracking

    12.3. Conclusions

    Chapter 13. Containment of hazardous materials

    13.1. Toxic materials

    13.2. Biohazardous materials

    13.3. Shatterable materials

    13.4. Containment design approach

    13.5. Containment design methods

    13.6. Safety controls

    13.7. Safety verifications

    13.8. Conclusions

    Chapter 14. Propellant systems safety

    14.1. Solid propulsion systems safety

    14.2. Liquid propellant propulsion systems safety

    14.3. Hypergolic propellants

    14.4. Propellant fire

    Chapter 15. Environmental impact of propulsion systems and green alternatives

    15.1. Introduction

    15.2. Current environmental concerns

    15.3. Green propellants

    15.4. Liquid propellants

    15.5. Conclusions

    Chapter 16. Life support systems safety

    16.1. Atmospheric conditioning and control

    16.2. Trace contaminant control

    16.3. Assessment of water quality in the spacecraft environment: mitigating health and safety concerns

    16.4. Waste management

    16.5. Summary of life support systems

    Chapter 17. Fire safety

    17.1. Characteristics of fire in space

    17.2. Design for fire prevention

    17.3. Spacecraft fire detection

    17.4. Spacecraft fire suppression

    Chapter 18. Oxygen systems safety

    18.1. Oxygen pressure system design

    18.2. Oxygen generators

    Chapter 19. Avionics safety

    19.1. Introduction to avionics safety

    19.2. Electrical grounding and electrical bonding

    19.3. Safety critical computer control

    19.4. Circuit protection: fusing

    19.5. Electrostatic discharge control

    19.6. Arc tracking

    19.7. Corona control in high voltage systems

    19.8. Extravehicular activity considerations

    19.9. Spacecraft electromagnetic interference and electromagnetic compatibility control

    19.10. Design and testing of safety critical circuits

    19.11. Electrical hazards

    19.12. Avionics lessons learned

    Chapter 20. Software system safety

    20.1. Introduction

    20.2. The software safety problem

    20.3. Current practice

    20.4. Best practice

    20.5. Summary

    Chapter 21. Battery safety

    21.1. Introduction

    21.2. General design and safety guidelines

    21.3. Battery types

    21.4. Battery models

    21.5. Hazard and toxicity categorization

    21.6. Battery chemistry

    21.7. Storage, transportation, and handling

    Chapter 22. Space nuclear systems safety design

    22.1. Introduction

    22.2. Terminology and key principles

    22.3. Types of space nuclear systems

    22.4. Other uses for nuclear radiation in space

    22.5. Radioactive material containment

    22.6. Launch safety and accident environment

    22.7. Launch safety risk constraint criteria

    22.8. Design to minimize radioactive release risk

    Chapter 23. Mechanical systems safety

    23.1. Safety factors

    23.2. Spacecraft structures

    23.3. Fracture control

    23.4. Pressure vessels, lines, and fittings

    23.5. Composite overwrapped pressure vessels

    23.6. Structural design of glass and ceramic components for space system safety

    23.7. Safety-critical mechanisms

    Chapter 24. Pyrotechnic safety

    24.1. Pyrotechnic devices

    24.2. Electroexplosive devices

    Chapter 25. Laser safety

    25.1. Background

    25.2. Laser characteristics

    25.3. Laser standards

    25.4. Lasers used in space

    25.5. Design considerations for laser safety

    25.6. Conclusions

    Chapter 26. Extravehicular activity safety

    26.1. Extravehicular activity environment

    26.2. Suit hazards

    26.3. Crew hazards

    26.4. Conclusion

    Chapter 27. Robotic systems safety

    27.1. Introduction

    27.2. Robotic applications for space systems

    27.3. Hazard mitigation and risk reduction

    27.4. Case studies

    27.5. Summary

    Appendix A. Probability of cancer casualty constraint for exposures to radioactive materials

    Appendix B. Risk estimation methodology for RPS & RHU launch accidents

    Index

    Copyright

    Butterworth-Heinemann is an imprint of Elsevier

    The Boulevard, Langford Lane, Kidlington, Oxford OX5 1GB, United Kingdom

    50 Hampshire Street, 5th Floor, Cambridge, MA 02139, United States

    Copyright © 2023 Elsevier Ltd. All rights reserved.

    No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

    This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

    Notices

    Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.

    Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

    To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

    ISBN: 978-0-323-95654-3

    For information on all Butterworth-Heinemann publications visit our website at https://www.elsevier.com/books-and-journals

    Publisher: Matthew Deans

    Acquisitions Editor: Chiara Giglio

    Editorial Project Manager: Rafael Guilherme Trombaco

    Production Project Manager: Sujithkumar Chandran

    Cover Designer: Mark Rogers

    Typeset by TNQ Technologies

    Dedication

    This book is dedicated to the memory of Axel M. (Skip) Larsen

    List of contributors

    John D. Albright,     Space Shuttle Main Propulsion System, Johnson Space Center, National Aeronautics and Space Administration, Houston, TX, United States

    David Alexander,     NASA Johnson Space Center, Houston, TX, United States

    Kathryn Anne Weiss,     NASA Jet Propulsion Laboratory, Flight Software and Data Systems Section, California Institute of Technology, Pasadena, CA, United States

    Panagiotis Artemiadis,     University of Delaware, Newark, DE, United States

    David L. Baker,     Propulsion Test Office, Johnson Space Center, White Sands Test Facility, National Aeronautics and Space Administration, Las Cruces, NM, United States

    Gregg John Baumer,     International Space Station Safety Review Panel, Johnson Space Center, National Aeronautics and Space Administration, Houston, TX, United States

    Karen S. Bernstein,     Structural Engineering Division, Johnson Space Center, National Aeronautics and Space Administration, Houston, TX, United States

    Tony Brown,     Materials Evaluation Section, MEI Technologies, Houston, TX, United States

    Kate Robson Brown,     University of Bristol, Bristol, United Kingdom

    Giancarlo Bussu,     Product Assurance and Safety Department, European Space Agency, Noordwijk, The Netherlands

    Nick Caplan,     Northumbria University, Newcastle, United Kingdom

    Stefania Carlotti,     Department of Aerospace Science and Technology, Space Propulsion Laboratory, Politecnico di Milano, Milano, Italy

    Amber Chang-Armstrong,     Space Launch Delta 45 Safety, U.S. Space Force, United States

    Antonio Ciccolella,     Directorate of Earth Observation, D/EOP-E, European Space Research Institute, European Space Agency, Frascati, Italy

    Francis A. Cucinotta,     Space Radiation Program, Johnson Space Center, National Aeronautics and Space Administration, Houston, TX, United States

    Volker Damann,     International Space University, Strasbourg, France

    Daniel L. Dietrich,     Combustion and Reacting Systems Branch, Glenn Research Center, National Aeronautics and Space Administration, Cleveland, OH, United States

    Jim Duffy,     Blue Origin, Reston, VA, United States

    Michael J. Eiden,     Multidisciplinary Mechanical Systems, ESA—European Space Research and Technology Center, Noordwijk, The Netherlands

    Simon N. Evetts

    Blue Abyss, Crosby-Liverpool, United Kingdom

    Northumbria University, Newcastle, United Kingdom

    King’s College London, London, United Kingdom

    Paul Ferkul,     Universities Space Research Association, Glenn Research Center, National Aeronautics and Space Administration, Cleveland, OH, United States

    Claire Fortenberry,     Universities Space Research Association, Glenn Research Center, National Aeronautics and Space Administration, Cleveland, OH, United States

    William Andrew Foster,     NASA Johnson Space Center, Houston, TX, United States

    Kerry A. George,     Radiation Biophysics Laboratory, Wyle Laboratories, Houston, TX, United States

    William Gerstenmaier,     Human Exploration and Operations Directorate, NASA, Washington D.C., United States

    Mark Glissman,     Space Safety Division, HQ Air Force Safety Center, U.S. Department of the Air Force, United States

    Tateo Goka,     Director of Space Environment Measurement Group, The Institute of Aerospace Technology, Japan Aerospace Exploration Agency, Tsukuba, Japan

    Jerry R. Goodman,     Acoustics Working Group and ISS Acoustics Lead, Johnson Space Center, National Aeronautics and Space Administration, Houston, TX, United States

    Russell Graves,     Space Exploration Division, Integrated Defense Systems, The Boeing Company, Houston, TX, United States

    Nathanael J. Greene,     White Sands Test Facility, National Aeronautics and Space Administration, Las Cruces, NM, United States

    Gerald Griffith,     Chief System Safety Engineer, JAMSS America, Incorporated, Houston, TX, United States

    Ferdinand W. Grosveld,     Consultant, Hampton, VA, United States

    Jon P. Haas,     NASA Engineering and Safety Center, NASA Langley Research Center, Hampton, VA, United States

    Martina Heer

    IUBH International University, Bad Honnef, Germany

    University of Bonn, Bonn, Germany

    John T. James,     Habitability and Environmental Factors Division, Johnson Space Center, National Aeronautics and Space Administration, Houston, TX, United States

    Judith A. Jeevarajan,     Electrochemical Safety Research Institute, UL Research Institutes, Houston, TX, United States

    Michael Johnston,     Combustion and Reacting Systems Branch, Glenn Research Center, National Aeronautics and Space Administration, Cleveland, OH, United States

    Charles Kappenstein,     Institute of Chemistry of Environments and Materials of Poitiers (IC2MP), University of Poitiers, CNRS, (SAMCat), Poitiers, France

    Myung-Hee Y. Kim,     Division of Space Life Sciences, Universities Space Research Association, Houston, TX, United States

    Paul Kirkpatrick,     National Aeronautics and Space Administration, Kennedy Space Center, Merritt Island, FL, United States

    Heiner Klinkrad,     Institute of Space Systems, Technical University of Braunschweig, Braunschweig, Germany

    Holger Krag,     Space Safety Programme, European Space Operations Center, European Space Agency, Darmstadt, Germany

    Rod Kujala,     AOES Netherlands B.V., Noordwijk, The Netherlands

    Joshua Lamb,     Sandia National Labs, Albuquerque, NM, United States

    Evan Laske,     NASA Johnson Space Center, Houston, TX, United States

    Nancy G. Leveson,     Aeronautics and Astronautics/Engineering Systems, Massachusetts Institute of Technology, Boston, MA, United States

    James L. Lewis,     NASA Johnson Space Center, Houston, TX, United States

    Miguel J. Maes,     Flight Systems Test Engineer, Johnson Space Center, White Sands Test Facility, National Aeronautics and Space Administration, Las Cruces, NM, United States

    Filippo Maggi,     Department of Aerospace Science and Technology, Space Propulsion Laboratory, Politecnico di Milano, Milano, Italy

    William D. Manha,     Propulsion Pressure Systems, Jacobs Engineering, Houston, TX, United States

    Torin McCoy,     Habitability and Environmental Factors Division, Johnson Space Center, National Aeronautics and Space Administration, Houston, TX, United States

    Mark W. McElroy,     NASA Johnson Space Center, Houston, TX, United States

    Isaac Mensah Jr.,     NASA Johnson Space Center, Houston, TX, United States

    Ernst Messerschmid,     Institute of Space Systems, Universitaet Stuttgart, Stuttgart, Germany

    Marit Meyer,     Combustion and Reacting Systems Branch, Glenn Research Center, National Aeronautics and Space Administration, Cleveland, OH, United States

    Masami Mitsui,     Japan Aerospace Exploration Agency, Tokyo, Japan

    Dean W. Moreland,     Payload Safety Review Panel, Johnson Space Center, National Aeronautics and Space Administration, Houston, TX, United States

    John Muratore,     Aviation Systems and Flight Research, University of Tennessee Space Institute, Tullahoma, TN, United States

    Kornel Nagy,     Structural Engineering Division, Johnson Space Center, National Aeronautics and Space Administration, Houston, TX, United States

    Sandra L. Olson,     Combustion and Reacting Systems Branch, Glenn Research Center, National Aeronautics and Space Administration, Cleveland, OH, United States

    Rosa Padilla,     Universities Space Research Association, Glenn Research Center, National Aeronautics and Space Administration, Cleveland, OH, United States

    Dennis Pate,     Science Applications International Corporation, Houston, TX, United States

    Michael D. Pedley,     Materials and Processes Branch, Johnson Space Center, National Aeronautics and Space Administration, Houston, TX, United States

    Jeevan Perera,     NASA Johnson Space Center, Houston, TX, United States

    Jay L. Perry,     Environmental Control and Life Support Systems, Marshall Space Flight Center, National Aeronautics and Space Administration, Huntsville, AL, United States

    Duane L. Pierson,     Habitability and Environmental Factors Division, Johnson Space Center, National Aeronautics and Space Administration, Houston, TX, United States

    Gary F. Polansky,     Sandia National Laboratories, Albuquerque, NM, United States

    Peter G. Prassinos,     Office of Safety and Mission Assurance, Headquarters, National Aeronautics and Space Administration, Washington, DC, United States

    Kimberlee S. Prokhorov,     NASA Lead, ISS Common Environments Team, Johnson Space Center, National Aeronautics and Space Administration, Houston, TX, United States

    Steven E. Rademacher,     Weapons Safety Division, HQ Air Force Safety Center, U.S. Department of the Air Force, United States

    Steven L. Rickman,     Thermal Design Branch, Johnson Space Center, National Aeronautics and Space Administration, Houston, TX, United States

    Brandan R. Robertson,     Mechanical Design and Analysis Discipline Lead, Johnson Space Center, National Aeronautics and Space Administration, Houston, TX, United States

    Summer Rose,     System Safety Engineer for the ISS Program, Houston, TX, United States

    Gary A. Ruff,     Exploration Systems Project Office, Glenn Research Center, National Aeronautics and Space Administration, Cleveland, OH, United States

    Thais Russomano,     InnovaSpace, London, United Kingdom

    George Salazar,     NASA Johnson Space Center, Houston, TX, United States

    Juergen Schlutz,     Institute of Space Systems, Universitaet Stuttgart, Stuttgart, Germany

    Elizabeth Schmida,     NASA Johnson Space Center, Houston, TX, United States

    H.F.R. Schöyer,     Schöyer Consultancy B.V., Zoetermeer, The Netherlands

    Robert C. Scully,     Space Shuttle E3 Control Technical Panel and JSC EMC Group Lead, Johnson Space Center, National Aeronautics and Space Administration, Houston, TX, United States

    Christopher O.A. Semprimoschnig,     Materials Physics and Chemistry Section, European Space Agency, Noordwijk, The Netherlands

    Kimia Seyedmadani,     NASA Johnson Space Center, Houston, TX, United States

    Tommaso Sgobba,     IAASS, Noordwijk, The Netherlands

    Gerben Sinnema,     European Space Agency, Noordwijk, The Netherlands

    Sarah R. Smith,     Laboratories Office, White Sands Test Facility, Johnson Space Center; National Aeronautics and Space Administration, Houston, TX, United States

    Michael G. Stamatelatos,     Office of Safety and Mission Assurance, Headquarters, National Aeronautics and Space Administration, Washington, DC, United States

    Michael Steele,     NASA Johnson Space Center, Houston, TX, United States

    Christine E. Stewart,     Science and Applications International Corporation, Houston, TX, United States

    Joel M. Stoltzfus,     Laboratories Office, White Sands Test Facility, Johnson Space Center; National Aeronautics and Space Administration, Houston, TX, United States

    Constantinos Stravrinidis,     Mechanical Engineering Department, Directorate of Technical and Quality Management, European Space Agency, Noordwijk, The Netherlands

    David E. Tadlock,     Operational Space Systems Support Office, Johnson Space Center, National Aeronautics and Space Administration, Houston, TX, United States

    David L. Urban,     Combustion and Reacting Systems Branch, Glenn Research Center, National Aeronautics and Space Administration, Cleveland, OH, United States

    Marc Van Eesbeek,     Materials Physics and Chemistry Section, European Space Agency, Noordwijk, The Netherlands

    Angelique Van Ombergen,     European Space Agency, Paris, France

    Keith E. Van Tassel,     Johnson Space Center, National Aeronautics and Space Administration, Houston, TX, United States

    William E. Vesely,     Office of Safety and Mission Assurance, Headquarters, National Aeronautics and Space Administration, Washington, DC, United States

    Joe M. Victor,     Laser Safety Officer, Johnson Space Center, National Aeronautics and Space Administration, Houston, TX, United States

    Monica Visinsky,     NASA Johnson Space Center, Houston, TX, United States

    Tobias Weber

    European Space Agency, Paris, France

    KBR GmbH, Cologne, Germany

    Andrew Winnard

    Space Medicine Systematic Review Methods, Wylam, United Kingdom

    HMRC, Newcastle, United Kingdom

    Johannes Wolf,     Electromagnetics and Space Environment Division (TEC-EEE), European Space Technology Center, European Space Agency, Noordwijk, The Netherlands

    Stephen S. Woods,     Sierra Lobo Incorporated, White Sands Test Facility, Houston, TX, United States

    Gregory Wyss,     Sandia National Laboratories, Albuquerque, NM, United States

    Andrey V. Yaskevich,     S.P. Korolev Rocket and Space Corporation Energia, Korolev, Moscow Region, Russia

    About the editors

    Tommaso Sgobba

    Tommaso Sgobba is Executive Director and Board Secretary of the International Association for the Advancement of Space Safety (IAASS). He was a cofounder of the IAASS and its first president, from 2004 to 2013.

    Until 2013, Tommaso Sgobba was responsible for flight safety at the European Space Agency (ESA). In that position he oversaw implementation of the Agency's policy, requirements, and standards for all aspects of flight safety engineering, planetary protection, nuclear safety, space debris, and reentries; ensured independent verification of compliance; supported the development and maintenance of the relevant policies, requirements, and standards; coordinated and cooperated with international partners and bodies; collected initiatives and established the Agency's R&D plan of activities in these domains (except space debris); managed the distribution of those activities to the relevant areas of expertise in the Agency; and provided independent verification and technical advice to ESA projects and suppliers in these domains, including support for the resolution of in-flight anomalies.

    Tommaso Sgobba joined the European Space Agency in 1989, after 13 years in the aeronautical industry, where he was initially a structural engineer and later plant quality manager in international cooperation programs such as the Boeing B-767/Aeritalia advanced flight controls and the Rolls-Royce/Avio military Spey engine.

    At ESA, Tommaso Sgobba initially supported the development of the Ariane 5 launcher, several Earth observation and meteorological satellites, and the early phase of the European Hermes spaceplane. Later he became Product Assurance and Safety Manager for all European manned missions on the Shuttle and the MIR station, and for the European research facilities of the International Space Station (ISS). For 10 years he chaired the ESA ISS Payload Safety Review Panel (PSRP), functionally reporting to the NASA PSRP Chair at the Johnson Space Center. He was also instrumental in setting up the ESA Reentry Safety Review Panel. At ESA he invented the R-DBAS (Reentry Direct Broadcasting Alert System), which alerts air traffic to falling fragments from uncontrolled space system reentries.

    Tommaso Sgobba holds an MS in Aeronautical Engineering from the Polytechnic University of Turin (Italy), where he was also a professor of space system safety (1999–2001). He has published several articles and papers on space safety and coedited the first edition of Safety Design for Space Systems, published in 2009 and later translated into Chinese. He also coedited The Need for an Integrated Regulatory Regime for Aviation and Space, published in 2011, and was Editor-in-Chief of Safety Design for Space Operations (2013) and Space Safety and Human Performance (2018). He is Senior Editor of the Journal of Space Safety Engineering.

    Tommaso Sgobba received NASA recognition for outstanding contribution to the International Space Station in 2004 and the prestigious NASA Space Flight Awareness (SFA) Award in 2007.

    In 2019 he received the Henry L. Taylor Founder's Award of the Aerospace Human Factors Association, a constituent organization of the Aerospace Medical Association, for outstanding contribution to the field of aerospace human factors.

    Gary Eugene Musgrave, Ph.D.

    Dr. Gary Eugene Musgrave received his undergraduate training at Auburn University, where he was awarded the Baccalaureate in Biological Sciences in 1969, and at the Georgia Institute of Technology, where he studied Electrical Engineering from 1971 until 1973. He received his graduate education at Auburn University, receiving the Master of Science in Pharmacology/Toxicology from the School of Pharmacy in 1976 and the Doctor of Philosophy in Cardiovascular Physiology and Autonomic Neuropharmacology from the School of Veterinary Medicine in 1979. He was the recipient of a National Institutes of Health postdoctoral fellowship in the field of clinical pharmacology, and conducted his postdoctoral research on the pharmacological mechanisms involved in the treatment of essential hypertension. Dr. Musgrave was appointed Research Assistant Professor in the Department of Medicine at the Medical College of Virginia, where he was Co-Investigator and the Engineering Project Director for a NASA-sponsored investigation of the baroreflex regulation of blood pressure in astronauts during and after missions in space. This experiment ultimately was flown on the Spacelab SLS-I mission. In 1982, Dr. Musgrave joined the NASA team at the Johnson Space Center in Houston, Texas, as an employee of the Management and Technical Services Company (MATSCO), the contractor supporting NASA's DSO Program, where he was responsible for the development, certification, testing, and flight support for various medical hardware flown on Space Shuttle missions. Dr. Musgrave transferred to the MATSCO office at NASA Headquarters in 1984, where he orchestrated the development of a reference science mission for human, animal, and plant research in support of long duration (years) space flight. 
The product of his efforts, the Reference Mission Operational Requirements Document, provided the initial basis for experimentation and hardware development planning for research on Space Station Freedom by the NASA Life Sciences Directorate at NASA Headquarters, Johnson Space Center, Ames Research Center, Marshall Space Flight Center, and Kennedy Space Center. During this time, he was a member of the prestigious Code E (Office of Space Science and Applications) Space Station Planning Group, which managed the flow of requirements from space station user communities into the Level-II space station design structure. Dr. Musgrave formally joined NASA as a Level-I Program Manager for Space Station Freedom utilization at NASA HQ, where he was responsible for overseeing the incorporation of user requirements into the Level-II Space Station Freedom design, and subsequently as the Branch Chief for Space Station Freedom operations. Upon returning to the Johnson Space Center in 1994, Dr. Musgrave held a variety of positions, including Project Manager for the ExPRESS rack used to support a variety of experiments on the International Space Station, and as the International Space Station Program Manager for NASA's Crew Return Vehicle. He was seated as a member of the Payload Safety Review Panel, representing the Safety and Mission Assurance Office of the International Space Station Program, and subsequently was appointed as one of the panel's three chairmen. During 2006, Dr. Musgrave accepted the position of technical assistant to the Manager, Safety and Mission Assurance/Risk Management Office of the International Space Station Program. During this period, he was the chief editor for the first edition of this textbook. Dr. Musgrave retired from NASA during 2008 and presently resides in Dayton, Tennessee.

    Gary W. Johnson

    Gary Johnson is an Aerospace Safety Consultant, currently working for J&P Technologies supporting SAIC Safety and Mission Assurance flight safety office. He has worked for NASA on all of the major human space flight programs since Apollo. Gary Johnson started his NASA career back in 1964 in the NASA Manned Spacecraft Center, now Johnson Space Center (JSC), in the Engineering and Development Directorate Power Distribution and Sequencing Section responsible for technical direction in the design and testing of the Apollo Command and Service Module (CSM) system that controls the functions required for spacecraft aborts and Earth recovery parachute operations. In 1970, Gary Johnson received the NASA Manned Spacecraft Center Superior Achievement Award in recognition of his outstanding efforts during Apollo 13 to safely return the crew. After the Apollo 15 mission, he received a Certificate of Commendation for his outstanding performance and technical competence in his analysis of the service module propulsion system firing circuitry problem that allowed the mission to successfully continue. In 1974, Gary Johnson became a subsystem manager for the Apollo–Soyuz Test Project (ASTP), the first international human spaceflight designed to test the compatibility of the rendezvous and docking system of Apollo and Soyuz and the possibility of an international space rescue. Assigned in 1975 to the engineering office of the Space Shuttle Orbiter Project, Gary Johnson was responsible for the integration and implementation of Orbiter level technical requirements for data processing displays and controls. Later, Gary Johnson became the project manager for the Shuttle Avionics Integration Laboratory electrical power distribution and control interfaces. 
Over the years, Gary Johnson served on the Space Shuttle orbit flight control team as the Electrical, General Instrumentation, and Lighting (EGIL) flight controller, later as chief of the Mechanical and Payloads Systems Branch, and afterwards as chief of the Guidance and Propulsion Systems Branch. In 1985, Gary Johnson became Deputy Director of Safety and Mission Assurance and served as cochair of the NASA/Russia Joint Safety Assurance Working Group. In 1994, he received the NASA Exceptional Service Medal in recognition of his contributions to the safety and quality of the Hubble Space Telescope first servicing mission. In the period 2003–2006, Gary Johnson served as Associate Director for Technical, Safety, and Mission Assurance. He retired from NASA in 2006. Starting in 2007, he served as a safety expert to the Constellation Program and later the Orion Project on the Standing Review Board.

    Gary Johnson has a Bachelor of Science in Electrical Engineering from Oklahoma State University and a Master of Business Administration degree from the University of Houston at Clear Lake City.

    Michael Tevriz Kezirian, Ph.D.

    Michael Tevriz Kezirian, Ph.D., is an Adjunct Professor of Astronautics Practice at the University of Southern California where he teaches graduate level space safety courses leading to the Master of Science Degree in Astronautical Engineering. The courses are offered through the Distance Education Network, established through the USC Viterbi School of Engineering in the 1970s. He has taught the course Safety of Space Systems and Space Missions since 2012, with this book as the accompanying text. He also coteaches the course, Safety of Space Operations, based on the companion book, Safety Design for Space Operations.

    Dr. Kezirian was an Associate Technical Fellow at the Boeing Company, most recently supporting the development of the Boeing Starliner CST-100 through the NASA Commercial Crew Program. For the Space Shuttle Program, he was the Boeing Safety Representative to the Mission Management Team and was responsible for all safety products related to flight operations, including flight readiness reviews and the resolution of on-orbit anomalies. He was a member of the flight team in the Mission Evaluation Room for launch and landing events.

    In the Return to Flight activities following the Space Shuttle Columbia accident, a newly identified failure mode, composite stress rupture of the Composite Overwrapped Pressure Vessels (COPVs) used for storage of high-pressure gases and liquids, was included in the top ten hazards. Dr. Kezirian became the analysis lead of the integrated cross-agency team of NASA, industry, and university experts that developed the flight rationale permitting continued Shuttle flight operations. He leads the AIAA standards committee on pressure vessels, where he led the development of new standards for pressure vessels. He is a member of the AIAA Standards Steering Committee and teaches IAASS industry-focused courses on COPV design, certification, and operations.

    Dr. Kezirian has supported the International Space Station and several commercial and government communication satellite programs in system design and flight operations. Prior to Boeing, he was a propulsion engineer at TRW Space and Technology Group (now Northrop Grumman) on satellite programs.

    He is currently focused on Micrometeoroid and Orbital Debris and is working to mitigate hazards in the airspace from reentering space debris.

    Dr. Kezirian is the President of the International Space Station Foundation and is the founding Editor-in-Chief of the Journal of Space Safety Engineering.

    He received his bachelor’s degree from Brown University and master’s and doctorate degrees from the Massachusetts Institute of Technology, all in chemical engineering. His doctoral thesis was an experimental investigation of the hydrodynamic stability of viscoelastic free surface flows.

    Dr. Kezirian is an Associate Fellow of the AIAA and Fellow Member of IAASS. In 2009, he was awarded the NASA Astronaut Personal Achievement Award (Silver Snoopy).

    Preface to the first edition

    In his book, To Engineer is Human, Henry Petroski said, "No one wants to learn by mistakes, but we cannot learn enough from successes to go beyond the state of the art." In this elegant statement, he poses both the challenge and the opportunity for the space flight system safety engineer. Just how does the engineer facilitate the incorporation of lessons learned from historical failures and close calls into the design of the next spaceflight system?

    This book is a compilation of much of the best thinking of the spaceflight safety community. It includes discussion of philosophies, techniques, methods, processes, and standards that over the first 50 years of spaceflight have proven themselves as the basics of the profession. The authors are accomplished practitioners, and acknowledged leaders representing most space faring nations of today. They cover a variety of topics relevant to robotic as well as human spaceflight systems. They discuss the environment, both in earth orbit and deep space, as well as operational hazards both ground and flight. They describe the latest methods and techniques the system safety members of the design team apply to system design, development, and test, as well as integrated hazard and risk methods that the safety integration team applies to the entire system.

    If there is a common theme in this comprehensive book, it is very close to the notion captured in Petroski's quote. Many of the safety engineering tools and techniques of today were spawned as fixes to what in retrospect had been inadequate processes leading up to incidents and mission failures. One of the professional challenges of the system safety community is the sure knowledge that the mishap board investigating a failure will almost always have a chapter in their report dealing with the failure of the safety team to prevent the mishap. Clearly, preventing mishaps is the job of everyone, but traditionally, the safety community nearly always finds itself trying to figure out how to do a better job of anticipating, analyzing, predicting, and thus preventing another failure. This book is an attempt to capture the most important aspects of that ongoing improvement process. Use this book to learn your trade, and to better understand the things your predecessors and peers have learned over the years, often the hard way. And, if you never experience a major failure, you are not off the hook. Take advantage of your close calls, near misses, and high probability risks to continuously improve your trade and your tools. Your learning should never stop, and it will be the basis for future revisions to this book.

    Bryan D. O'Connor

    Preface to the second edition

    Have you ever heard someone say "Safety First"? What did they mean? Did they mean stay home instead of walking to work, so that you can stay safe? Or did they mean, think about safety before you undertake any hazardous endeavor—always be aware of the hazards around you—consider the risks you are taking when you take a step into the crosswalk and look both ways before you step?

    The slogan "Safety First" must be used so much because it is short, easy to remember, and sounds better than "Think about Safety First," but when we see or hear "Safety First" we imagine a person looking both ways before they step into a street—staying alert—cognizant of hazards, and mitigating the risks involved with accomplishment of a mission.

    Human spaceflight is an endeavor where the participants are constantly dealing with hazards. Whether building a spacecraft, fueling a rocket, launching into space, living in spacecraft surrounded by the vacuum of space, trying to rendezvous with a spacecraft that is carrying supplies for the mission or returning in a fireball streaking across the sky, awaiting the proper operation of a parachute system—the mission crews, and the team on the ground that makes their mission possible are working every minute to evaluate risks and to ensure that mitigations of those risks are effective.

    With so many hazards to consider, it can be a difficult and time-consuming job to design, develop, test, and operate spacecraft. The effort that goes into thinking about hazards, risks, and mitigation or elimination of risks is part of the life of every member of the team responsible for accomplishment of a space mission. The longer it takes to accomplish the mission and the more people that are required to do the job, the more resources it takes to accomplish a project, and every program manager has to consider the resources that are available to accomplish their mission. This competition can place pressure on the team to make decisions too quickly, without sufficient understanding of a problem, or to take more risk than is appropriate in the basic design of a system.

    Because of this competition for resources, many programs have created safety teams with the responsibility to "Think about Safety First," and to try and be a little less influenced by the resource pressures in every program. Still, if the safety team is completely insensitive to the resource pressures of the program manager, they could make it impossible to accomplish any mission. Finding the right balance between enabling missions and mitigating risks is the toughest part of the job for everyone in every space program—and knowledge is the best tool to help maintain the right balance.

    That's where this book comes in. By writing down much of the common wisdom concerning the various aspects of space system design and key aspects of safety programs, aerospace professionals have a resource to help them make better decisions and to move more quickly in the development process. The ability to make better decisions in a timely way comes from better understanding of the factors involved in mitigating risks—and better understanding of the approaches to solving problems that may never have been solved before.

    The difference between reliability and safety, the purpose of redundant systems, and the factors that go into designing systems that must work to prevent the loss of a crew or the loss of a mission are some of the key concepts for any aerospace professional who wants to make a positive contribution to their team. In the future, as humans move deeper and deeper into space, the teams that make it possible will gather new data, come up with new concepts, and rewrite this book many times. It is my hope that instead of learning from major failures and losses of their teammates, future space explorers will learn from the lessons that are captured in books like this, and from the small missteps that occur along the way.

    To the editors and writers of this book—thanks for the effort you put into capturing these important lessons to help us get further into space, faster, more efficiently, and more safely.

    Kenneth D. Bowersox

    Acknowledgments

    We wish to thank Mr. Arturo Trevino and Ms. Danielle Krab for the continuous assistance in managing this book project, and Mr. Kristhian Mason, IAASS Graphic Designer, for creating the cover and helping with figures.

    Chapter 1: Introduction

    Tommaso Sgobba     IAASS, Noordwijk, The Netherlands

    Abstract

    This chapter defines the scope and objectives of the book. It starts with a discussion of major space incidents from Apollo 1 to Soyuz, Shuttle, and SpaceShipTwo and continues with the definitions of system and system safety. A generic space system comprises hardware, software, and liveware (i.e., mission controllers, flight crews, ground personnel), each with its own specific functions, capabilities, and limitations, which interact to achieve the system purpose. Safety is an emergent property of the system, in the sense that it cannot be apportioned to the system's components as we do, for example, for reliability or mass budget, but it emerges from the characteristics, functions, and interactions of those components. It is therefore very important during the design to clearly define what constitutes the overall system in each phase of a reference space mission, because it may change from phase to phase and with it the technical and organizational factors that determine the safety of the system under development. The safety of a space system is achieved through an integrated safety analysis process that rests on three pillars: Safety Authority, Design Authority, and Independent Safety Review Panel.

    Keywords

    Apollo 1; Design authority; Incident; Safety authority; Soyuz 1; Soyuz 11; SpaceShipTwo; System of systems

    The purpose of this book is to introduce the reader to the principles and best practices of safety design for space systems. The book focuses on crewed space systems; however, several chapters could also be a useful guide for the design of uncrewed space systems.

    This book is part of a trilogy that includes the book Safety Design for Space Operations and the book Space Safety and Human Performance. The three books together provide an exhaustive introduction to space mission hazards and to the prevention of incidents.

    SubChapter 1.1

    Space incidents

    Tommaso Sgobba¹ and John Muratore²

    ¹ IAASS, Noordwijk, The Netherlands

    ² Aviation Systems and Flight Research, University of Tennessee Space Institute, Tullahoma, TN, United States

    Historically, a number of incidents occurred in the course of space programs. Although not all those incidents resulted in death, each placed the crew in a position of imminent danger. In every case, strict adherence to the principles and practices of safety in the system design would have minimized the danger to crew or even prevented the incident altogether.

    David Shayler's book, Disasters and Accidents in Manned Spaceflight (Shayler, 2000), presents an excellent chronology of spacecraft incidents and close calls. In reviewing the updated chronology, it is possible to separate major events into seven flight phases (Table 1.1.1).

    This information leads to the conclusion that although the risk of an incident is approximately uniform throughout flight, the risk of a fatal accident is largest during the dynamic phases of flight, i.e., ascent and reentry. This is consistent with conventionally held wisdom within the aerospace industry that the dynamic phases of flight represent the greatest hazard, and can be summarized by the adage, "the farther the hardware is from the launch site, the safer it is." The experience of the industry indicates that once space hardware is within the quiescent state for which it was designed, it generally is less likely to succumb to critical failure. It is interesting to note that even when very dramatic failures have occurred in the space environment, e.g., the stuck-on thruster on Gemini 8, the Apollo 13 explosion, the Mir fire, and the Mir collision, each of them represents a situation where the crew and ground control were able to stabilize a precarious situation and bring the crew home alive. Dynamic flight phase incidents generally do not afford the luxury of time. Rescue and escape mechanisms must be designed, implemented, and ready for use at a moment's notice, for there is usually no time to improvise when an incident occurs.

    1.1.1. Apollo 1

    The Apollo 1 fire accident during ground testing in 1967 was caused by using a 100% oxygen pressurized atmosphere in the presence of combustible materials, vulnerable power wiring, plumbing carrying a combustible and corrosive coolant, and finally, but not unimportantly, inadequate provisioning for crew escape. The test capsule pressure was over 1.10 bar, and the raging fire further raised the pressure differential relative to the ambient atmosphere. After the accident, a worldwide survey of artificial oxygen-rich environments found that rarely, if ever, had a 100% oxygen environment been created and maintained at such a high pressure. There were 3.2 m² of Velcro throughout the spacecraft, and Velcro was later found to be explosive in a high-pressure, 100% oxygen environment. There were more than 30 kg of other nonmetallic, flammable materials exposed. To open the hatch of the Apollo 1 capsule, a minimum of 90 s was required under nominal conditions. When fire erupted, it took approximately 5 min for test personnel to open the hatch. This amount of time was much too long for any chance of crew survival (NASA, 2000).

    Table 1.1.1

    1.1.2. Soyuz 1

    As Soyuz 1 descended in the atmosphere at the end of a mission riddled with malfunctions, the drag parachute deployed but failed to extract the main parachute, which was jammed inside its container. Sensors detected Soyuz 1's increased velocity and activated the backup system. The backup system was programmed to first jettison both the drag and main parachutes. However, since the main parachute was stuck in its container, the primary drag chute remained flapping above the craft, and the backup parachute got tangled when deployed. Soyuz 1 slammed fatally into the Earth at 90 miles per hour, and then fire consumed the spacecraft and the body of Vladimir Komarov, the single astronaut onboard. It was later determined that the root cause of the accident was a manufacturing mistake, but political schedule pressure also contributed to a poorly prepared mission. The Soyuz spacecraft is composed of three modules: the crew descent module, the orbital module, and the service module. In preparation for flight, technicians coated the crew descent module with a thermal protectant that was then polymerized in a high-temperature chamber, but without the covers on the parachute containers. Masses of hard resin built up inside the containers and impeded the correct deployment of the parachutes (NASA, 2010/6).

    1.1.3. Soyuz 11

    In 1971, the loss of the Soyuz 11 crew resulted from the spacecraft decompressing during reentry. The cause was the untimely opening of a pyrotechnic ventilation/equalization valve. At the time, the Soyuz descent module separated from the other two modules at an altitude of approximately 170 km by firing six pyrotechnic cartridges and six pyrotechnic bolts sequentially. The descent module included two pyrotechnic ventilation/equalization valves designed to open when the module reached the dense layers of the atmosphere at 4 km altitude. During the Soyuz 11 reentry, contrary to design intent, the six pyrotechnic cartridges and six pyrotechnic bolts fired simultaneously instead of sequentially with a delay. The resulting off-nominal separation shock to the descent module caused one of the two ventilation/equalization valves to open prematurely, thus venting the spacecraft atmosphere to vacuum. Biomedical sensors showed that crew asphyxiation began 4 s after the depressurization, and death occurred within 40 s. The two ventilation/equalization valves lacked both a warning system and an emergency closure mechanism. Designers may not have conceived of a failure mode forcing either valve to open and prematurely rupture the seal. Verification testing did not include the higher shock of simultaneous pyrotechnic fastener firing. After the accident, a manually operated valve, accessible to the crew, was placed in series with the two ventilation/equalization pyrotechnic valves (NASA, 2010/9).

    1.1.4. Shuttle Challenger

    The Space Shuttle Challenger disaster in 1986 was caused by the failure of a joint in one of the solid rocket motors. The failure was determined to be due to several concurrent factors. Among these, the poorly designed joint permitted exposure of the redundant O-ring seals to hot gases, and a further loss of O-ring sealing capability was caused by launch-day temperatures that were below the low-temperature qualification limit. As with the Apollo 1 fire, lack of escape provisions ultimately doomed those crewmembers still alive after the explosion. Ejection seats that could have been used had been removed from all Space Shuttles after the first four qualification flights, when the number of crew members was increased from two to seven.

    1.1.5. Shuttle Columbia

    The Shuttle Columbia was destroyed in 2003 at reentry into the atmosphere because of hot gases intruding through a breach of the reinforced carbon-carbon (RCC) left-wing leading-edge panels. The accident claimed the lives of the seven astronauts onboard. During launch, 15 days before, a large piece of thermal insulation foam from the external tank, weighing approximately 750 g and used to protect the left bipod joining the external tank to the Orbiter, had broken off at 81.7 s and struck the left wing at a relative speed of 800 kph. Similar releases of thermal insulation foam pieces had occurred several times on previous launches without consequences. No immediate insight into possible damage was available when the case was reported to the Shuttle program management the day after launch, because the launch video was blurry and the projectile strike location and damage were impossible to identify. After 6 days, a Debris Assessment Team (DAT) was formed by the contractor, including engineering and safety members from multiple NASA centers. The DAT requested extra imagery, which was rejected by program management, and therefore it could not provide any conclusion about the risk. Furthermore, due to the mission profile, there was no possible rescue scenario at the time. However, the mindset that prevailed was the same as for Shuttle Challenger: "We've had foam strikes before and we have always landed OK."

    The Columbia Accident Investigation Board report identified organizational factors such as the agency's "can do" culture and a distorted acceptance of risk as significant contributors to the accident. In fact, this was probably the first time in the history of accident investigations that organizational and cultural causes of an accident were held on the same level as the technical cause (Camarda, 2014).

    1.1.6. SpaceShipTwo

    In 2014, during a test flight, the reusable suborbital vehicle SpaceShipTwo, owned by Virgin Galactic and operated by Scaled Composites, disintegrated and impacted terrain. The copilot was killed, and the pilot was seriously injured. Apparently, during ascent, the copilot had commanded the unlocking of the wing-tail feathering mechanism, which serves to stabilize the vehicle during descent, some seconds too early. Under unfavorable aerodynamic load conditions, the unlocked tail rotated, which caused the structural loads to exceed the strength of the vehicle. The National Transportation Safety Board, which investigated the accident, concluded "… that the probable cause of this accident was Scaled Composites' failure to consider and protect against the possibility that a single human error could result in a catastrophic hazard to the SpaceShipTwo vehicle. This failure sets the stage for the copilot's premature unlocking of the feather system as a result of time pressure and vibration and loads that he had not recently experienced" (Sgobba, 2018).

    Prevention of human errors is an integral part of a good design. Indeed, operational errors can result in inadvertent commanding, or in the execution of operations that exceed the qualification envelope of the hardware. In the past, human operational errors were controlled mainly through instruction and training. Nowadays, any foreseeable mistake that is not prevented adequately by design is considered in every respect to be a design error, e.g., the wrong mating of connectors or the accidental activation of a switch.

    1.1.7. Data on human spaceflight incidents

    The NASA Johnson Space Center Flight Safety Office maintains a set of interactive infographic products at https://sma.nasa.gov/SignificantIncidents/ that are continually updated to reflect a comprehensive history of the most significant accidents, incidents, and close calls associated with human spaceflight.

    SubChapter 1.2

    Designing safety in a space system

    1.2.1. The space system

    A space system is a collection of components that are organized for a common purpose in the space mission environment. A space system is anything from a scientific instrument or a suborbital vehicle to a space station or a Moon rover. Generally, a space system comprises hardware, software, and liveware (i.e., mission controllers, flight crews, ground personnel) (Fig. 1.2.1).

    Hardware, software, and liveware each have their own specific functions, capabilities, and limitations, and they interact to achieve the system purpose. The purpose of a system, as well as its safety, is a property of the whole. Furthermore, safety is an emergent property of the system, in the sense that it cannot be apportioned to the system's components as we do, for example, for reliability or mass budget, but it emerges from the characteristics, functions, and interactions of those components. It is therefore very important during the design to clearly define what constitutes the overall system in each phase of a reference space mission, because it may change from phase to phase and with it the technical and organizational factors that determine the safety of the system under development. For example, a space project may deal with the development of an orbital capsule, but during the launch phase it is the composite launcher-capsule that determines the safety characteristics of the capsule. As another example, the safety of a scientific payload integrated in one of the modules of the International Space Station (ISS) is driven by the safety requirements of that module, which in turn is just one of the several individual systems, including transport vehicles, of the ISS. The ISS is a good example of what we call a System of Systems (SoS).

    Figure 1.2.1  Definition of system.

    1.2.1.1. Systems of systems

    When an individual space system is a component of an SoS, its safety is driven by the integrated system. The following definitions apply to SoS and SoS Engineering (Dahmann, 2015).

    System of Systems is a set or arrangement of systems that results when independent and useful systems are integrated into a larger system that delivers unique capabilities.

    Systems of Systems Engineering is the process of planning, analyzing, organizing, and integrating the capabilities of a mix of existing and new systems into a system-of-systems capability that is greater than the sum of the capabilities of the constituent parts.

    The following five characteristics are typical of an SoS:

    1. Operational Independence of Constituent Systems

    In an SoS, constituent systems can operate independently of the SoS and other systems. Sometimes the individual system existed prior to the formation of the SoS (e.g., Shuttle, Soyuz, and Progress existed before becoming the ISS crew and cargo transportation systems).

    2. Managerial Independence of Constituent Systems

    The systems in an SoS are managed independently, and their owners/managers may be evolving the systems to meet their own needs (for example, the SpaceX Dragon capsule servicing the ISS).

    3. Geographical Distribution

    In some cases, constituent systems in an SoS are geographically distributed. The ISS is a good example.

    4. Evolutionary Development Processes

    SoS development is based on developments in the constituent systems. These developments may take place asynchronously, based on the independent development processes of the constituent systems. This means that the SoS will evolve incrementally rather than be delivered as normally envisioned in a single system development or acquisition.

    5. Emergent Characteristics

    The emergent characteristics of an SoS (e.g., safety) are the result of the characteristics, interactions, and relationships between individual system elements rather than the sum of the existing characteristics of the individual systems.

    1.2.2. Space system safety

    A modern space system is designed for safety through a risk-based process. In a nutshell, it consists of analyzing the design for potential mishap scenarios (called hazards), then identifying the root causes and the relevant design features or operational procedures that would minimize the [mishap] risk, i.e., mishap probability and/or severity. Sometimes, it is possible to include certain features in the design that make a failure cause no longer credible. For example, the breakage of ammonia piping due to stress corrosion is no longer credible if the originally foreseen material is replaced with a stress-corrosion-resistant material, and the burst of a pressure vessel is not credible if it is designed, manufactured, and tested in accordance with well-proven standards. Conversely, there are instances in which a failure/fault is always considered credible no matter how strict the design standard is, as in the case of software, avionics boxes, pressure regulators, etc. In such cases, (safety) redundancies are used on top of other design actions meant to achieve a high standard of reliability. It is important to note that a safety redundancy and a reliability redundancy, even if identical from the design viewpoint, have completely different purposes. The former is meant to allow a safe mission abort and prevent the loss of crew (LOC); the latter is meant to allow the continuation of a mission following a failure. In a crewed system, the latter can exist only on top of the former.

    The safety of an individual space system rests on three pillars:

    1. A safety authority, which establishes the acceptable safety thresholds (e.g., radiation, toxicity, noise, touch temperature, etc.), the design safety goals and processes, the top-level safety technical requirements (e.g., failure-tolerance), and the safety certification rules.

    2. A design authority, which through a risk-based design process, develops a design aiming to meet the requirements levied by the safety authority, and which provides data to support the system safety certification.

    3. An independent safety panel/board of experts, which is tasked to peer-review the design proposed by the design authority to validate its compliance with the requirements levied by the safety authority.

    The safety of an SoS is very much driven by its type and is greatly influenced by the level of standardization of safety requirements and processes across the SoS. There are three possible types of SoS: directed, acknowledged, and collaborative (Dahmann, 2015) (Table 1.2.1).

    A complex national space program is a good example of a directed SoS (e.g., NASA Apollo), while a complex international space program, like the ISS, belongs to the acknowledged type. Finally, a commercial spaceflight operation, like a private capsule serving a private space station, is an example of a collaborative SoS.

    Depending on the SoS type, conflicts of authority may arise that negatively influence the safety of the SoS, as happened, for example, on the ISS with a physiology experiment in 2002.

    Table 1.2.1

    In accordance with the ISS agreements, Russia, like any ISS partner, has ownership, jurisdiction, and ultimate safety authority over its own systems, while NASA has an overall program management role that includes safety certification responsibility for the integrated ISS. In 2002, the Russians transported to the ISS and operated a physiology experiment called CARDIOCOG, developed by the French space agency, which was powered by thionyl chloride batteries. Those batteries were forbidden by NASA because their failure represented a catastrophic risk for the crew and could contaminate the space station's environmental control and life support system beyond recovery. The Russians, however, were convinced of the batteries' safety based on their previous experience. The experiment was conducted without incident, but it flagged a critical weakness of the ISS agreements. The 2002 annual report of the ASAP (Aerospace Safety Advisory Panel) to the NASA Administrator and the US Congress stated, with reference to the CARDIOCOG episode, that:

    "This event highlights the difference in philosophy of the Russian and NASA safety organizations … Great need exists for both organizations to work more closely together to resolve these issues before they become problems. This situation begs the question 'Who's in charge of safety?'" (ASAP, 2002).

    SubChapter 1.3

    Staying hungry: the interminable management of risk in human spaceflight

    William Gerstenmaier, Human Exploration and Operations Directorate, NASA, Washington D.C., United States

    There is great risk in space travel beginning with placing people on top of rockets that use millions of pounds of highly energetic propellants and operate at the edges of technology. Once through the atmosphere, spacecraft must protect the people from the unforgiving environment of space and then safely travel back through the atmosphere to Earth, which heats the spacecraft to many thousands of degrees.

    Currently, and for the foreseeable future, no other pathway exists except these rockets for putting people into space and bringing them back home. Thus, we must do the best we can with our current tools, experience, and expertise to manage the risks associated with that journey. This is much easier said than done despite the incredible effort of all involved to minimize the risk. I think the Shuttle Columbia Accident Investigation Board described it best when it wrote: "Attempting to manage high-risk technologies while minimizing failures is an extraordinary challenge. By their nature, these complex technologies are intricate, with many interrelated parts. Standing alone, the components may be well understood and have failure modes that can be anticipated. Yet when these components are integrated into a larger system, unanticipated interactions can occur that lead to catastrophic outcomes. While risk can often be reduced or controlled, there comes a point when the removal of all risk is either impossible or so impractical that it completely undermines the very nature of what NASA was created to do: to pioneer the future." This risk is a result of physics, and no amount of hype can reduce the risk or make it less real. SpaceX, Orbital, and Virgin Galactic have seen this risk firsthand, in failed missions. Even NASA and Roscosmos have experienced the risk, in the worst cases resulting in the loss of human life. As long as physics remains physics and we have no other way out of the gravity well, this risk will affect all spacecraft, no matter whether they are legacy systems or new designs. All in this industry face the same physical challenges.

    I would add that even identifying all of the risks is impossible. We perform extensive analyses and tests during the development of our spacecraft to reduce risk. But hardware and software test and analysis campaigns are never perfect. They can never address every possible condition that may be experienced, because our knowledge of hardware and software behavior, as well as of the environments in which they operate, is always imperfect. We do the best we can using best engineering practice, and within bounds of reasonableness, to test and analyze what we expect to be the nominal and bounding operational cases. Then we implement appropriate hazard controls to mitigate known risks. But there are always unknowns, and there is always more that could be done if we had unlimited foreknowledge, time, and money.

    At some point, we declare we are satisfied that the safety requirements have been met, using good engineering practice. But, again, risk is never mitigated to zero. The amount that remains is the residual risk we agree to accept, because additional actions to further mitigate risk are not pragmatic, either due to knowledge limitations or limited resources.

    If a system is used for many years, operational experience accumulates and technology and processes change, so safety/reliability goals that were previously impossible to achieve can become possible. Therefore, keeping a viable upgrade program is important to help manage and reduce risk.

    Obviously, this process is very complex, and it requires a significant amount of engineering judgment. It is not black and white, where one design feature is risky and another one is not. As a matter of fact, it is often the interaction between systems and features (think of foam from the Shuttle External Tank hitting the Orbiter wing) that introduces the most risk. There is usually a risk-versus-risk trade that must take place, and that is where engineering judgment and experience come into play.

    Also, risk cannot be boiled down to a simple statistic. We live and work in a time when people like things simple. Perhaps because of this, some people also talk about these things as though they are simple. But designing human space transportation systems and the risk associated with operating them are not simple.

    At NASA we have developed a requirement called Loss of Crew (LOC) to characterize, at a high level, the safety of our systems. At the end of its operational life, the Space Shuttle's Loss of Crew number was 1 in 90. Statistically speaking, that means a crew was likely to be lost roughly once in every 90 missions.
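    The hazard model sketched in Subchapter 1.2 (causes made non-credible by design, safety redundancy expressed as failure tolerance) and the per-mission Loss of Crew figure above can be put together in a small worked model. The code below is an added example for this edition of the text, not the book's or NASA's own method: the hazard list, the cause probabilities and the 10% common-cause share are constructed values, and the beta-factor treatment of common cause, the independence of hazards within a mission, and a per-mission probability that stays constant across a program are modelling assumptions. It goes one step beyond the text by adding the common-cause term, which is what makes the "interaction between systems" point above measurable.

```python
"""Toy risk-based hazard model for a crewed space system.

Added illustration, not code from the book. Hazard names, probabilities,
fault-tolerance levels and the common-cause factor below are constructed
values chosen to show the mechanics, not real program data.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Hazard:
    """One catastrophic hazard (a mishap scenario that would cause LOC).

    cause_p:   assumed per-mission probability that one control string fails
    tolerance: number of independent failures the design survives
               (0 = single string, 2 = two-fault tolerant)
    credible:  False when a design feature removes the cause entirely
               (stress-corrosion-resistant material, pressure vessel built and
               tested to a proven standard); such hazards contribute nothing
    beta:      common-cause fraction (assumed beta-factor model): the share of
               string failures that take out all strings together, e.g. a
               shared environment or a debris strike across the redundancy
    """
    name: str
    cause_p: float
    tolerance: int = 0
    credible: bool = True
    beta: float = 0.0

    def loc_probability(self) -> float:
        """Per-mission probability that this hazard is realised.

        All redundant strings must fail: independent failures multiply,
        while a common-cause event defeats every string at once, so adding
        strings cannot push the risk below cause_p * beta.
        """
        if not self.credible:
            return 0.0
        independent = (self.cause_p * (1.0 - self.beta)) ** (self.tolerance + 1)
        common_cause = self.cause_p * self.beta
        return independent + common_cause


def mission_loc_probability(hazards: List[Hazard]) -> float:
    """P(LOC on one mission) = 1 - P(no hazard realised), assuming the
    hazards are independent of one another."""
    survive = 1.0
    for h in hazards:
        survive *= 1.0 - h.loc_probability()
    return 1.0 - survive


def program_loc_probability(per_mission_p: float, missions: int) -> float:
    """P(at least one LOC event over `missions` flights) when the per-mission
    probability is assumed constant across the program."""
    return 1.0 - (1.0 - per_mission_p) ** missions


# Constructed hazard list: the same cause probability under different controls.
EXAMPLE_HAZARDS = [
    Hazard("ammonia line stress-corrosion crack (material change)", 1e-3,
           credible=False),
    Hazard("pressure regulator fails open, single string", 1e-3),
    Hazard("avionics box loses power, two-fault tolerant", 1e-3, tolerance=2),
    Hazard("avionics box loses power, two-fault tolerant, 10% common cause",
           1e-3, tolerance=2, beta=0.1),
]

if __name__ == "__main__":
    for h in EXAMPLE_HAZARDS:
        print(f"{h.name:<66s} {h.loc_probability():.3e}")
    print(f"per-mission LOC over all hazards: "
          f"{mission_loc_probability(EXAMPLE_HAZARDS):.3e}")
    # The Shuttle's end-of-life figure of 1 in 90 per mission, accumulated
    # over 90 missions and, purely as an illustration, over 135.
    for n in (90, 135):
        print(f"P(at least one LOC in {n} missions at 1/90): "
              f"{program_loc_probability(1 / 90, n):.3f}")
```

    Two things the model makes visible. First, the two-fault-tolerant string with a 10% common-cause share is dominated by the common-cause term (about 1e-4 against 7e-10 for the independent part), so a fourth string would buy essentially nothing; the useful control is to remove the shared cause, which is the quantitative face of the "interaction between systems" remark above. Second, a constant 1-in-90 per-mission figure accumulates to roughly a 63% chance of at least one loss over 90 missions, not a certainty, which is the correct reading of "1 in 90".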

    Performing the LOC calculation is a useful tool
