Chapter 1

Introduction to Space Operations Safety

Tommaso Sgobba, Paul D. Wilde, Isabelle Rongier and Firooz A. Allahdadi

Chapter Outline

1.1 General

The safety of any space system requires a deliberate and interdisciplinary integration of the flight hardware design with the design of its operations throughout the entire lifecycle of the system. This chapter introduces the subsequent chapters that more thoroughly address safety issues associated with the operations of space vehicles, from the design of the infrastructure on ground, through launch, on-orbit, and re-entry operations. This chapter begins with a discussion of safety and risk management at the conceptual level, including several fundamental goals and definitions. The balance of the chapter describes several seminal events and lays the foundation for a graduate level education in space operations safety.

1.2 Safety Risk Management

Risk Concepts, Metrics and Definitions

Webster’s Unabridged Dictionary defines safety as “the condition of being free from undergoing or causing hurt, injury, or loss,” and risk as “the possibility of loss, injury, disadvantage, or destruction.” Thus, complete safety can be thought of as an abstract ideal that equates to a zero risk or absolute protection from any possibility of adverse consequences, such as injury or damage.

In technical terms, risk is a metric that accounts for both consequence and probability over a specified interval of exposure. Launch or re-entry safety analyses typically attempt to quantify two important types of risk: individual risk and collective risk (both terms are formally defined below) that are expressed on an annual, or more commonly for space operations, on a per-mission basis. A common individual risk is the risk of a person being killed by lightning worldwide, which can be estimated as the average number of people killed by lightning per year divided by the total population of the world. A launch risk analysis typically computes the maximum individual risk as the highest probability any given individual has of suffering a serious injury or worse (i.e. becoming a casualty) as a result of the launch. The consequence implicit in any individual risk is an adverse outcome for a single individual, thus individual risk is a quantity that is bounded by zero and one. In other words, the maximum individual risk from an event is always bounded between no possibility and absolute certainty of an adverse consequence. In contrast, collective risk is the risk of an adverse outcome among a group of individuals. Collective risk is often expressed in terms of expected values: the average (generally the mean) consequences that occur as a result of an event if the event were to be repeated many times. The collective risk of fatality posed by lightning on an annual basis is the average number of people killed by lightning each year. Collective risk on a per-mission basis is analogous to an estimate of the average number of people injured by an earthquake, while individual risk would be the likelihood of an individual in a given location being injured by the earthquake.

Individual and collective risk criteria can be defined based on the total risks (also referred to as the “aggregated risks”) or accumulated risks. “Accumulated” risk refers to the risk from a single hazard throughout all phases of a mission, i.e. accumulated over all phases of the mission. “Aggregated” or “total” risk refers to the accumulated risk due to all hazard sources associated with a mission, which includes, but is not limited to, the risk due to any debris impact, toxic release, and distant focusing of blast overpressure. When multiple hazards exist, the aggregated risks (individual and collective) can always be estimated conservatively as the sum of the accumulated risk from each hazard. More sophisticated methods to compute the aggregated risks may be used to eliminate double counting, which can occur if a mission simultaneously poses multiple hazards to the same exposed populations.

Individual risk is an important measure of risk to the extent that most individuals are primarily concerned with their chance of being hurt or killed by an activity. Safety requirements often limit the maximum individual risk to ensure that individuals have an acceptably low probability of serious injury (or worse).

The government typically sets collective risk limits to ensure that the chance of an adverse consequence is acceptably low given an activity that subjects a group of individuals to potential hazards. In establishing the first federal law to define acceptable flight risk limits for commercial launches, the Federal Aviation Administration (FAA) noted that “commercial launches should not expose the public to risk greater than normal background risk,” which the FAA defined as “those risks voluntarily accepted in the course of normal day-to-day activities.”1 Any discussion of the risk acceptability policies should clarify that no adverse consequences (e.g. serious injury or death) from a space operation will ever be “acceptable,” in the sense that a responsible authority would never regard such an event as routine or permissible. Thus, in an absolute sense, no adverse consequences as a result of a space operation are in fact “acceptable.” However, the possibility of accidents that might produce adverse consequences cannot always be entirely eliminated. The acceptable risks discussed here should be interpreted as “tolerable” risks. These are risks that society, via the authority vested in the government, tolerates to secure certain benefits from an activity with the confidence that the risks remain within well-defined limits and are managed properly using established procedures.

Risk measures for space operations often use one or two severity levels: casualties and fatalities. Casualties are people that suffer serious injuries or worse. Injuries severe enough to require hospitalization are commonly considered casualties. However, a precise technical definition of casualty is essential to enable quantitative launch and re-entry risk analyses. For the purposes of accident reporting, US federal law (49 CFR 830.2)2 defined serious injury as any injury that (a) requires hospitalization for more than 48 hours, commencing within 7 days from the date the injury was received; or (b) results in a fracture of any bone (except simple fractures of fingers, toes, or nose); or (c) causes severe hemorrhages, nerve, muscle, or tendon damage; involves any internal organ; or (d) involves second- or third-degree burns, or any burns affecting more than 5% of the body surface. Although that definition is useful for accident reporting, the US uses an Abbreviated Injury Scale (AIS) level 3 or greater as the standard for distinguishing casualties from injuries of lesser severity in public risk assessments for launch.3 The US National Highway Traffic Safety Administration (NHTSA) also uses AIS level 3 injuries as the metric evaluating the effectiveness of occupant safety measures for automobiles4 and for estimating the costs associated with automobile accidents.5 An AIS level 3 injury is one that is reversible but requires overnight hospitalization.

The AIS of the Association for the Advancement of Automotive Medicine provides a useful means to define casualties in a technical way by distinguishing between serious injuries and those of lesser severity. The AIS is an anatomical scoring system that provides a means of ranking the severity of an injury and is used widely by emergency medical personnel. The full AIS codes consist of seven digits representing the affected body region, the type of anatomic structure affected, the specific anatomical structure affected, and injury severity level. In the context of launch and re-entry safety analyses the right most digit is the AIS severity level, a digit between 0 and 6 as shown in Table 1.1.

Table 1.1

AIS severity levels

AIS severity level   Severity                 Type of injury
0                    None                     None
1                    Minor                    Superficial
2                    Moderate                 Reversible injury; medical attention required
3                    Serious                  Reversible injury; hospitalization required
4                    Severe                   Life-threatening; not fully recoverable without care
5                    Critical                 Non-reversible injury; not fully recoverable even with medical care
6                    Virtually unsurvivable   Fatal

For launch and re-entry, individual risks are often defined as the maximum probability that any person will be a casualty or by the maximum probability that any person will be a fatality as a result of the operation. The computation of the maximum considers all persons who may be credibly affected by the operation. Collective risk is the total risk to all individuals exposed to any hazard from a launch. Collective risks are often defined by the mean number of casualties (or fatalities), EC (EF), predicted to result from the launch. Casualty expectation or expected casualties, EC, is the statistically expected number of casualties that would occur if the launch were repeated many times under virtually identical conditions (i.e. the same conditions based on the available data from various measurement instruments). Thus, for example, if the casualty expectation is EC = 30 × 10^-6 (30 in a million) then if the launch were repeated under identical conditions a million times an average of 30 casualties would occur. Catastrophic risk refers to the potential for multiple injuries or deaths from a single launch or re-entry operation. Catastrophic risk is typically characterized by risk profiles. Risk profiles depict the probability of “N” or more casualties (fatalities) for all values of N. Risk profiles can be used to establish the amount of insurance an operator should carry, as discussed in Chapter 9. Appendix F describes how the probability of one or more casualties can be used as a good measure of collective risk, particularly for a re-entry where very little debris survives to impact.
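The definitions above (maximum individual risk, collective risk as expected casualties EC, aggregated risk across hazards with and without double counting, and the risk profile P(N or more casualties)) can be carried through numerically. The following is an added worked example, not code from the chapter or its authors; the exposed groups, headcounts and per-hazard casualty probabilities are constructed assumptions, and the risk profile assumes that each exposed person's outcome is independent of the others.

```python
"""Added worked example (not from the chapter): individual risk, collective risk,
aggregation over hazards, and a risk profile P(N >= n) for one mission.

All input values are constructed for illustration; they are not data from any
real launch. Exposed groups and per-hazard probabilities are assumptions."""

# Constructed sample: each exposed group has a headcount and, for each hazard the
# mission poses to it, the per-person probability of becoming a casualty (AIS >= 3).
EXPOSED_GROUPS = [
    # (name, number of people, {hazard: per-person casualty probability})
    ("village_A", 2000, {"debris": 5.0e-9, "toxic": 2.0e-9}),
    ("town_B", 50000, {"debris": 2.0e-10, "toxic": 1.0e-10, "blast": 1.0e-11}),
    ("launch_crew", 40, {"debris": 1.0e-7, "blast": 5.0e-8}),
]


def aggregate_per_person(hazard_probs, conservative=True):
    """Aggregated (total) casualty probability for one person across all hazards.

    conservative=True  : plain sum, the conservative upper bound the chapter describes.
    conservative=False : 1 - prod(1 - p), which removes the double counting that the
                         sum introduces when several hazards reach the same person
                         (assumes the hazards act independently)."""
    probs = list(hazard_probs.values())
    if conservative:
        return min(1.0, sum(probs))
    no_casualty = 1.0
    for p in probs:
        no_casualty *= 1.0 - p
    return 1.0 - no_casualty


def max_individual_risk(groups, conservative=True):
    """Highest per-person casualty probability over everyone credibly affected."""
    return max(aggregate_per_person(h, conservative) for _, _, h in groups)


def expected_casualties(groups, conservative=True):
    """Collective risk EC: mean number of casualties if the mission were repeated
    many times under identical conditions (sum of headcount x per-person risk)."""
    return sum(n * aggregate_per_person(h, conservative) for _, n, h in groups)


def casualty_count_distribution(groups, k_max=10, conservative=True):
    """Distribution of the casualty count N, assuming each person's outcome is
    independent (a Poisson-binomial model computed by dynamic programming).

    Returns dist with dist[k] = P(N == k) for k < k_max and dist[k_max] = P(N >= k_max);
    counts above k_max are pooled into the last bucket so the loop stays cheap."""
    dist = [0.0] * (k_max + 1)
    dist[0] = 1.0
    for _, n, hazards in groups:
        p = aggregate_per_person(hazards, conservative)
        q = 1.0 - p
        for _ in range(n):  # add one exposed person at a time
            nxt = [0.0] * (k_max + 1)
            for k in range(k_max):
                nxt[k] += dist[k] * q       # this person is unharmed
                nxt[k + 1] += dist[k] * p   # this person becomes a casualty
            nxt[k_max] += dist[k_max]       # already at or above k_max: stays there
            dist = nxt
    return dist


def risk_profile(dist):
    """Risk profile as defined in the chapter: profile[n] = P(N >= n), n = 0..k_max."""
    profile = []
    tail = 0.0
    for pk in reversed(dist):
        tail += pk
        profile.append(tail)
    return profile[::-1]


if __name__ == "__main__":
    print(f"max individual risk (sum):   {max_individual_risk(EXPOSED_GROUPS):.3e}")
    print(f"EC (sum):                    {expected_casualties(EXPOSED_GROUPS):.3e}")
    print(f"EC (no double counting):     {expected_casualties(EXPOSED_GROUPS, False):.3e}")
    prof = risk_profile(casualty_count_distribution(EXPOSED_GROUPS))
    for n in range(1, 4):
        print(f"P(N >= {n}): {prof[n]:.3e}")
```

With these constructed inputs the maximum individual risk is set by the small launch crew (1.5 × 10^-7 per person) while most of the collective risk of about 3.6 × 10^-5 expected casualties comes from the large, lightly exposed town, which is exactly why both metrics are needed. The profile shows P(N ≥ 1) nearly equal to EC and P(N ≥ 2) several orders of magnitude smaller, the shape a re-entry with little surviving debris would typically have (Appendix F); for a scenario with explosive or large-debris hazards the independence assumption would understate the tail and a correlated model is needed.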

Safety Risk Management Goals

The initial goal of space operations safety engineering is complete containment of all hazards. Complete containment provides absolute safety through physical limitations that totally isolate the hazards posed by an operation from all surrounding populations and assets. Complete containment satisfies the primary tenet of space operations safety risk management: no hazardous condition is acceptable if the mission objectives can be attained with a safer approach. If hazards cannot be completely contained, then the goal of safety risk management is to minimize the risk posed by an operation to a level below a de minimis threshold. A de minimis threshold has been defined as a level of risk below which a hazard does not warrant any expenditure of resources to track or further mitigate. The term “de minimis” is derived from a Latin phrase (De minimis non curat lex), which translates to “the law does not concern itself with trifles.” The highly energetic nature of space launch and re-entry, especially to and from orbital conditions, generally prevents risk reduction to a de minimis level. Thus, space operations generally employ the safety risk management process described below.

An integrated strategy to ensure space operations safety typically uses Quantitative Risk Assessments (QRA), also referred to as Probabilistic Risk Assessment (PRA), system safety processes, and operational restrictions to identify hazards and risk drivers, mitigate risks, and ensure that any residual risks are maintained at an acceptable level. QRA/PRA, system safety and operational restrictions are equally important and interrelated elements of a sound safety risk management approach. In the US, government agencies that oversee potentially hazardous operations “recognize that risk analysis is a tool – one of many, but nonetheless an important tool – in the regulatory ‘tool kit’” and understand that the principles of risk management “are intended to provide a general policy framework for evaluating and reducing risk, while recognizing that risk analysis is an evolving process and agencies must retain sufficient flexibility to incorporate scientific advances.” QRAs/PRAs are best used to characterize the risks posed by a launch or re-entry in a manner consistent with the risk-informed approach to regulatory decision-making adopted by the Nuclear Regulatory Commission (NRC). In 1999, the NRC wrote that “a ‘risk-informed’ approach to regulatory decision-making represents a philosophy whereby risk insights are considered together with other factors to establish requirements that better focus licensee and regulatory attention on design and operational issues commensurate with their importance to public health and safety.”

QRA/PRA is also used in the International Space Station program to characterize the risks of on-orbit operations.

Safety Risk Management Process

Safety risk management is a systematic and logical process to identify hazards and control the risks they pose. This process should include the following elements (phases) which are depicted in Figure 1.1 and described below:

1. Mission definition and hazard identification.

2. Risk assessment.

3. Criteria comparison and risk reduction.

4. Risk acceptance.

FIGURE 1.1 Safety risk management process.

Mission definition and hazard identification

This is the “problem definition” step of the process. Information is assembled to identify mission characteristics, objectives and constraints. Potential hazard sources must be identified by evaluating the system to be flown and the safety constraints. Information sources typically include: safety data packages (sometimes called safety dossiers), system description documents, mission essential personnel locations, population data on the surrounding populations, data on facilities and transportation assets (including aircraft corridors and shipping lanes), meteorological data, data on the range safety system used, and lessons learned on similar missions. The output of this step provides a basis for hazard analysis and risk assessment, and is useful for evaluating options to mitigate the risks in ways that will minimize adverse mission impact.

Risk assessment

This step provides information needed to determine whether further risk reduction measures are necessary. Risk levels for identified hazards are expressed using qualitative and quantitative methods. This step produces basic measures of the risks posed by hazards of each phase of the operation, such as launch and re-entry. Typical hazards include inert, explosive and flammable conditions, debris impacts, explosive overpressure fields, exposure to toxic chemicals, and exposure to ionizing and non-ionizing radiation, as well as on-orbit collision hazard. In some cases, this step will provide sufficient information to support the decision-making without further analysis.

A valid risk assessment must account for all potential hazards posed by the operation to personnel, facilities, and other assets. It must be based on accurate data, scientific principles, and an application of appropriate mathematics. The assessment must be consistent with the safety controls that are planned for the mission. Valid calculations to assess risk typically use methods that produce conservative estimates; i.e., they produce a scientifically plausible result that characteristically overestimates risk given existing uncertainties. In all cases, the safety engineer is responsible for ensuring that their approach produces reasonable results. This assessment leads to mitigation measures needed to protect individuals, groups of people, critical facilities, and public assets.

Simplified risk models are often employed to make an initial determination of risk. They are also used when the identified hazards are known to result in low risks and the analyst is assured that the estimated risk is conservative. For example, simple models can be used when only inert debris impacts with relatively low values of kinetic energy can occur and shelters would provide protection from the debris. These models are generally less costly and minimize schedule impacts and have the following characteristics: simplified application of input parameters and assumptions, simplified measures of population estimation utilized, a basic injury model and associated casualty areas, and conservative assumptions of debris fragmentation and survivability. If the resulting risk estimate is conservative and well within acceptable limits then employing more costly and time consuming higher fidelity models is not necessary.

When the identified hazards are significant, or the initial risk estimates approach or exceed the acceptance criteria, more complex risk models are typically used. Higher fidelity models are often more costly and time consuming, demanding more sophisticated input data and assumptions such as detailed population and sheltering models, more complex human vulnerability models, and more realistic debris fragmentation and survivability models. High fidelity risk assessments require input parameters and assumptions to be supported by empirical evidence or expert elicitation. Complex launch and re-entry risk assessment models are typically used when significant size debris or explosive debris impacts are present that could compromise shelters and the associated population.

Criteria comparison and risk reduction

Risk measures are compared with criteria to determine the need or desirability for risk reduction. If the risks are initially unacceptable, measures should be considered to eliminate, control or mitigate them. Elimination is achieved by design or system changes that remove the hazard source, such as replacing a hazardous material with a non-hazardous one or moving a trajectory to achieve containment. Mitigation is achieved by reducing the consequences of an event or the probability of an event happening. For example, increasing system reliability of a vehicle or test article will increase the probability of success and lower risk. On the other hand, designing a mission to avoid flight over densely populated areas will decrease consequences of a vehicle failure (casualties) and thereby reduce the risk. Mitigation measures may include elements in the operation plan that reduce risk and are consistent with operational objectives, flight termination systems, containment policies, evacuation, sheltering, and other measures to protect assets from the hazards. Safety intervention criteria should be optimized by balancing the risk given a failure and intervention, such as flight or thrust termination, against the risk given a failure without a safety intervention. To evaluate the effectiveness of mitigation measures, risk must be reassessed assuming they have been implemented. These risk reduction procedures should be followed until risk levels are as low as reasonably practicable.

Risk acceptance

Presentations to the decision authority must be sufficient to support an informed decision. The Federal Tort Claims Act (FTCA) enjoins the US court system from second-guessing decisions made by properly authorized government officials in determining the acceptability of operational risks. A key test under the FTCA requires that the decision-making official be fully advised and informed of the known risks. Failure to fully advise the decision-making authority of known risks can result in liability of the US Government or its officials. Thus, the decision authority should be presented with all mandated risk control measures, residual risks, measures of catastrophic loss potential (e.g. maximum collective risk given a failure with safety intervention, maximum collective risk given failure of a safety intervention, and risk profiles), key analysis assumptions, and the protective measures that have been considered and implemented. The decision authority must approve proposed mission rules and should compare the operational risk to the pre-defined risk acceptability criteria. In general, higher-risk operations require a higher level of approval. The decision authority may tolerate risk levels within criteria to secure certain benefits from an operation with the confidence that the risk is properly managed and consistent with best practices. The outcome of these presentations to the decision authority is the acceptance of operational risks by a properly informed decision authority. This acceptance includes a determination that the residual operational risk is within tolerable limits. The risk acceptance decision affirms that the proposed conditions for allowing the operation to be initiated and the rules to allow the mission to continue to completion comply with best practices used to ensure that risk falls within accepted levels. The terms of this acceptance and required implementation conditions must be documented. 

The responsible safety office should document a risk assessment to demonstrate compliance with the risk management policy applied.

1.3 Launch Site Safety

On August 22, 2003, at 13:30 (local time) a massive explosion destroyed a Brazilian Space Agency VLS-1 rocket as it stood on its launch pad at the Alcantara Launching Center in northern Brazil. Twenty-one technicians close to the launch pad died when one of the rocket’s four first-stage motors ignited accidentally. The rocket had been scheduled to launch in just a few days and had two satellites on-board when the explosion occurred. The investigation report established that an electrical flaw triggered one of the VLS-1 rocket’s four solid fuel motors while it was undergoing final launch preparations. The report said that certain decisions made by managers long before the accident led to a breakdown in safety procedures, routine maintenance, and training. In particular, the investigation committee observed a lack of formal, detailed risk management procedures, especially in the conduct of operations involving preparations for launch.

In the history of humankind, every space adventure, great or small, has begun on the ground. Mission and flight hardware designers who have overlooked this fact have paid a high price, either in loss of or damage to the hardware before launch, or in mission failure or reduction. Designers may not only risk their flight hardware; they may also risk their own lives, those of their co-workers, and even the safety of the general public by not heeding calls for safety when designing spaceport facilities and establishing ground processes.

Chapter 2 of this book deals with ground safety topics related to spaceport design and infrastructure, starting with the presentation of the criteria for selecting the geographical location of a launch site, then explaining how to master the development of the spaceport infrastructure. The European Spaceport in French Guiana is used as an example.

Ground risk control concepts are introduced. There are general industrial safety regulations to be followed and specific safety rules to be determined and applied as an integral part of the assembly, integration and testing (AIT) activities performed at the launch site. Generally, rules concerning risk evaluation and accident prevention for explosives and pyrotechnics processing plants, and environment protection regulations drive the design of several facilities and the general layout (e.g., distance between buildings).

Flight risk controls, such as the execution of destruction or neutralization commands to stop a vehicle’s flight, lead to the establishment of danger zones on the launch site and all around it. We will see how to define the danger zones and how to limit the exposure of personnel. In reality, a wide range of areas is hazardous because of the space activity. The definition of hazardous effect zones is explained, as is their major impact on the design of a spaceport: building locations, design rules for roadways, lightning protection systems, fire protection, handling and lifting, command and control processes for fluids, etc. We will see that the applicable safety design requirements basically depend on the locations of the buildings and associated roadways, which define the operating flexibility (independence of activities, access and escape routes, growth potential). Other important aspects of spaceport safety design are launch pad lightning protection systems and, in the case of crewed vehicles, launch pad escape systems. Finally, an important topic closely linked to safety is environmental protection. Chapter 2 uses numerous examples to explain how action plans are used to protect the environment.

Chapter 3 deals with some topics that apply to several kinds of flight hardware, from the largest rockets to small experiment hardware, during ground processing. One, for example, is the lack of recognition of the need for detailed ground safety documentation and rigorous technical safety reviews. Many hardware and mission designers assume that if the hardware is safe to fly, it will also be safe during ground processing. Some also assume that the industrial safety processes commonly used during development and manufacture are sufficient for use at the launch and landing sites.

Another topic is the processing of pressurized gases. Propulsion, life support, and thermal management subsystems require the use of high-pressure gases. Additionally, gases are critical to payloads, including science experiments like those performed on the International Space Station (ISS). Special storage, use, and handling precautions are necessary in order to control the hazards introduced by the presence of pressurized gases. This chapter provides some basic energy considerations for stored gases, and describes the hazards and corresponding causes associated with compressed gases. Finally, it discusses operational controls that should be followed to minimize the risks.

1.4 Launch Safety

On January 26, 1995, a Long March 2E rocket veered off course 2 seconds after take-off from Xichang Space Center and exploded, killing at least six on the ground. On February 14, 1996, a similar failure happened during the launch of the Intelsat 708 telecommunications satellite. The rocket veered severely off course immediately after clearing the launch tower and crashed in a rural village. Xinhua News Agency eventually reported six deaths and 57 injuries.

Space access has become increasingly important to the nations of the world. Upon achieving the status of a space-faring nation, however, a key responsibility that devolves upon a state is to establish the technology and processes to protect life and property against the consequences of malfunctioning space systems. Moreover, at most launch ranges the emphasis is on protecting people against injuries resulting from a launch operation. The common practice is to attempt to achieve protection by isolating the hazardous condition from populations at risk. When this is not feasible, risk management can be used to provide an adequately high level of safety as described under the section on “Safety Risk Management” above.

Identification of launch hazard areas may range from simplistic rules of thumb to sophisticated analyses. When simple rules are applied, they commonly specify a hazard radius about a launch point, and planned impact points for stages, connected by some simple corridor. More sophisticated analyses attempt to identify credible rocket malfunctions, model the resulting trajectories, and determine the conditions that will result in debris due to exceeding the structural capacity of the rocket or a flight termination system activation by the range safety officer.

These analyses typically include failure analyses to identify how a launch vehicle will respond followed by failure response analyses to define the types of malfunction trajectories the vehicles will fly. The vehicle loads are assessed along the malfunction trajectory to determine whether structural limits will be exceeded. Vehicle position and velocity may be compared against abort criteria to assess whether the vehicle should be allowed to continue flight, terminate thrust, or be destroyed. Debris-generating events then become the basis for assessing the flux of debris falling through the atmosphere and the impact probability densities. The debris involved may be screened by size, impact kinetic energy, or other criteria to assess which fragments pose a threat to unsheltered people, people inside various types of shelters, people on ships, and people in aircraft. The resulting debris impact zones or impact probability isopleths are then commonly used as part of the basis for defining exclusion areas.

Other hazards associated with launch operations are frequently addressed in defining exclusion zones. Explosive hazards (overpressure and fragments thrown by an explosion) are an important component in the launch area. Toxic hazards from the rocket’s exhaust products are often an additional consideration in defining exclusion regions. Additional sections of the complex may be restricted to protect against radiation from radars and other support instrumentation. Although full hazard containment is considered to be the preferred protection policy, it is not always possible. The next line of protection after defining exclusion areas is real-time tracking and control of the rockets. Range safety systems are used for this purpose. They include a means of tracking a launch vehicle’s position and velocity (tracking system) and a means of terminating the flight of a malfunctioning vehicle (flight termination system).

Flight termination criteria are customarily designed based on the capability of the range safety system to limit the extent of the hazards from a malfunctioning launch vehicle. Frequently, ranges assume that they can reliably detect a malfunctioning launch vehicle and terminate its flight whenever good quality tracking data is available. This assumption is based on high-reliability designs customarily used for range safety systems. At present, however, there are no international design standards for range safety systems. Moreover, efforts to assure that the design standard does, in fact, achieve the intended reliability levels may be limited.

The final tier of protection is risk analysis and risk management. Residual risks from the launch are quantified and assessed to determine if they are acceptable. This step involves an extension of the model outlined above for assessing hazard areas. It is common to perform these protection steps in an iterative manner, using the results of each step to adjust the approach to the others until the desired level of safety is achieved with acceptable impacts on the proposed launch operation. The current practice is to assess risks for each launch and to approve the launch only when risk levels are acceptable. Unlike most other regulated activities, annual risk levels are evaluated by exception.

A proper risk analysis addresses the credible risks from all launch-related hazards. These may include inert debris, firebrands, overpressure from exploding fragments, and toxic substances generated by normal combustion as well as toxic releases from malfunctions. For many launches the contribution from one or more hazards can be demonstrated to be negligible. When these contributions are not demonstrably negligible, appropriate hazard controls and risk management are desired. Inert debris hazards are relatively obvious and well addressed, but current practice often fails to properly address toxic hazards, explosive hazards, and hazards from firebrands.

When assessing launch risks it is important to account for all exposed populations: people on land, people in boats, and people in aircraft. Proper consideration must be given to the effect of sheltering on the risks. It is often assumed that neglecting sheltering will overstate the risk. When sheltering is adequate to preclude fragment penetration, this assumption is valid. When fragments are capable of penetrating a structure, debris from the structure often increases the threat to its occupants.

Additional consideration must be given to the relationship of population groups to the launch. People directly involved in supporting launch operations may be expected to tolerate higher risk levels than members of the general public who are not involved. Typically, launch support personnel are confined to a region near the launch point within the territorial domain of the launching nation. As launch vehicles proceed downrange, they typically leave the territorial domain of the launching nation and begin to over-fly international waters and the territory of other nations.

Tolerable risks for a launch are commonly expressed in terms of a collective or societal risk level and risk to the maximally exposed individual (individual risk) as discussed above. Collective risk is commonly expressed as the number of individuals statistically expected to be exposed to a specified injury level. Individual risk is commonly expressed as the probability that the maximally exposed individual will suffer the specified injury level. The two most commonly used levels of injury are fatality and serious injury. Serious injury is often correlated with level 3 or greater of the AIS (Abbreviated Injury Scale). When it is difficult to quantify risk directly, impact probability for specified classes of debris is often used as a proxy measure. Thus, for example, it is customary to protect people on ships or people on airplanes by creating exclusion zones based on impact probabilities because the consequences of a debris impact on a ship or especially on an aircraft are relatively difficult to quantify. Historically, many ranges computed impact probability based upon the most comprehensive debris lists they could obtain. Alternatively, many have based their decisions on protecting against “hazardous debris”. The definition of hazardous debris for this purpose has varied between ranges and over the passage of time. Recent efforts to standardize the definition of “hazardous debris” include the US Range Commanders Council Publication RCC 321-99 and its more recent updates, such as RCC 321-07 and RCC 321-10.
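To make the collective/individual risk distinction, the sheltering caveat and the impact-probability proxy for ships concrete, the following Python script is an added example and not the book's or any range's model: it screens a constructed set of exposure cells for one launch. The fragment classes, impact densities, structural-debris factor and risk limits are all assumed values.

```python
"""Simplified launch debris-risk screening (added example, not the book's model).

Each exposure cell (a town, a ship lane, a fishing ground) carries the expected
number of hazardous fragment impacts per km^2 for each fragment class, the
people present, and the fraction of them inside structures. From this we derive
the casualty probability of one person in the cell (individual risk), the
expected casualties (collective risk, E_c), and an impact-probability proxy for
cells whose consequences are hard to quantify (ships, aircraft).
All numbers below are constructed for illustration.
"""
from dataclasses import dataclass
from math import exp

# Assumed: structural debris enlarges the casualty area of a penetrating fragment.
PENETRATION_DEBRIS_FACTOR = 1.5


@dataclass
class FragmentClass:
    name: str
    casualty_area_km2: float   # area around an impact in which an unsheltered person is a casualty
    penetrates_shelter: bool   # whether it passes through the assumed structure type


@dataclass
class ExposureCell:
    name: str
    area_km2: float
    population: int
    sheltered_fraction: float  # fraction of people inside structures
    impact_density: dict       # fragment class name -> expected impacts per km^2
    kind: str = "land"         # "land", "ship" or "aircraft"


def individual_risk(cell, classes):
    """Casualty probability for one person in the cell.

    Impacts are treated as Poisson: P(casualty) = 1 - exp(-density * casualty_area).
    A shelter stops non-penetrating fragments entirely; for penetrating fragments
    the occupants face an enlarged casualty area because of structural debris.
    """
    p_safe_open = 1.0
    p_safe_sheltered = 1.0
    for fc in classes:
        dens = cell.impact_density.get(fc.name, 0.0)
        p_safe_open *= exp(-dens * fc.casualty_area_km2)
        if fc.penetrates_shelter:
            p_safe_sheltered *= exp(-dens * fc.casualty_area_km2 * PENETRATION_DEBRIS_FACTOR)
    p_open, p_sheltered = 1.0 - p_safe_open, 1.0 - p_safe_sheltered
    return (1.0 - cell.sheltered_fraction) * p_open + cell.sheltered_fraction * p_sheltered


def collective_risk(cell, classes):
    """Expected number of casualties in the cell (its contribution to E_c)."""
    return cell.population * individual_risk(cell, classes)


def impact_probability(cell, classes):
    """Probability that at least one hazardous fragment lands anywhere in the cell."""
    expected_hits = sum(cell.impact_density.get(fc.name, 0.0) * cell.area_km2 for fc in classes)
    return 1.0 - exp(-expected_hits)


def assess_mission(cells, classes, ec_limit, pi_limit, proxy_limit):
    """Screen one launch: exclusion list for ship/aircraft cells, E_c, max individual risk.

    Ship and aircraft cells whose impact probability exceeds the proxy limit go
    into the exclusion area; this model assumes they comply with the notice and
    so drop out of the exposed population.
    """
    exclude = [c.name for c in cells
               if c.kind != "land" and impact_probability(c, classes) > proxy_limit]
    exposed = [c for c in cells if c.name not in exclude]
    ec = sum(collective_risk(c, classes) for c in exposed)
    pi_max = max(individual_risk(c, classes) for c in exposed)
    return {"Ec": ec, "Pi_max": pi_max, "exclude": exclude,
            "acceptable": ec <= ec_limit and pi_max <= pi_limit}


# Constructed fragment classes: a small inert piece (~1 m^2) and a large one (~20 m^2).
CLASSES = [
    FragmentClass("small", casualty_area_km2=1e-6, penetrates_shelter=False),
    FragmentClass("large", casualty_area_km2=2e-5, penetrates_shelter=True),
]

# Constructed exposure cells along an assumed flight azimuth.
TOWN_A = ExposureCell("town_a", 10.0, 5000, 0.8, {"small": 0.5, "large": 0.02})
TOWN_B = ExposureCell("town_b", 50.0, 40000, 0.9, {"small": 0.01, "large": 0.001})
SHIP_LANE = ExposureCell("ship_lane", 100.0, 20, 0.0, {"small": 0.002, "large": 0.0005}, kind="ship")
FISHING = ExposureCell("fishing", 400.0, 20, 0.0, {"small": 1e-6, "large": 1e-7}, kind="ship")
CELLS = [TOWN_A, TOWN_B, SHIP_LANE, FISHING]

# Constructed placeholder limits; real ranges set their own thresholds.
EC_LIMIT, PI_LIMIT, PROXY_LIMIT = 5e-3, 1e-6, 1e-3


def run_example():
    return assess_mission(CELLS, CLASSES, EC_LIMIT, PI_LIMIT, PROXY_LIMIT)


if __name__ == "__main__":
    r = run_example()
    print(f"exclude={r['exclude']} Ec={r['Ec']:.2e} Pi_max={r['Pi_max']:.2e} ok={r['acceptable']}")
```

Note that for a cell exposed only to penetrating fragments, full sheltering raises the individual risk above the unsheltered value, which is the sheltering caveat in the text.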

When an exclusion area is defined, each nation has its own procedures for communicating the boundaries of the area. On land, this is commonly through sign postings and guards. Formal notices are frequently used to communicate with operators of ships and aircraft. Moreover, the degree of compliance varies with location and time. When the exclusion area is near the launch complex, ranges frequently employ some form of surveillance to determine whether any vessels have intruded into the hazardous area. When intruders can be identified, the ranges may request them to depart, passively wait for their departure, or proceed with the launch based on the decision that the risk to the vessel is sufficiently small.

Outside of the immediate launch area, surveillance becomes more difficult and more costly. Consequently, most ranges use surveillance very selectively outside of the immediate launch area, typically restricting surveillance to planned impact areas for spent stages and other planned jettisons. As a result, publishing hazard areas at these distances is much more important. Advanced tools for surveying these remote locations and communicating with intruders are emerging to enhance the effectiveness of protecting ships and aircraft in these areas. Controlling risks to seafaring vessels from space launch testing activities is most successful when mariners are notified about hazard areas and when the responsible launching agency surveys the potentially affected areas to detect intruders and to warn them to leave the area. Following a mishap, communication with these vessels to proceed at maximum speed in a prescribed direction to minimize impact probability is essential to control undue risks. Currently, costs and technology often limit surveillance and communication to locations relatively near land. Management of airspace must consider aircraft traffic. At present, there are limited capabilities for addressing these issues worldwide. The FAA has begun an initiative to address these concerns for US operations as discussed in Chapter 10.

Minimal attention is paid to annual risks generated by the range’s launch operations. There is no agency – national or international – that monitors and controls risk posed to overflown populations. A city may be placed at risk by launches from multiple launch sites without the performance by involved launching nations of any coordinated assessment to assure that the risk levels are acceptable. Citizens of all nations should be equally protected from the risk posed from overflying by launch vehicles and returning spacecraft. The common practice is to make these determinations on a launch-by-launch basis with no consideration of previous or planned future launches. As a result, it is an uncontrolled outcome whether a nation that is subjected to overflight will be subjected to significant annual risks from (1) a single launch facility; (2) a single nation’s activity; or (3) all nations’ launch activities.

Finally there is the health risk related to the dropping of rocket stages and ascent failures. During normal launches, stages separate sequentially and fall back to Earth. Most launch trajectories and spaceport locations are chosen to ensure that the impact areas are outside populated areas and mainly over the oceans. Nevertheless, there are inland spaceport locations and trajectories overflying land that lead to stages dropping to the ground in sparsely inhabited areas with ensuing soil contamination. Approximately 9% of the propellant from a launch stage remains in the tank once it is dropped. The penetration of contaminants depends on the nature and properties of the soil and can lead to the contamination of groundwater as well as surface water. For example, hydrazine (UDMH) is often used in hypergolic rocket fuels as a bipropellant in combination with the oxidizer nitrogen tetroxide and less frequently with IRFNA (red fuming nitric acid) or liquid oxygen. UDMH is a toxic carcinogen and can explode in the presence of oxidizers. It can also be absorbed through the skin. A tablespoon of hydrazine in a swimming pool would kill anyone who drank the water. In a study conducted by Vector, the Russian State Research Center of Virology and Biotechnology in Novosibirsk, health records from 1998–2000 of about 1000 children in two areas of southern Siberia polluted by launches from Baikonur in Kazakhstan were examined and compared with 330 records from a nearby unpolluted control area. Grouping all cases of disease together, the research team concluded that children from the worst affected area were up to twice as likely to require medical attention for diseases such as endocrine and blood disorders during the 3 years studied and needed to be treated for twice as long. Contamination can be far more extensive in the case of a launch failure. In September 2007, the explosion of a Russian Proton M rocket contaminated a vast swath of agricultural land in Kazakhstan with 200 metric tons of toxic fuel.

Chapter 4 provides a guideline for managing third party risks generated by the launch of a space booster. First it defines the hazardous conditions necessary for risk to be present, exposure of people or assets to the hazards, and the vulnerability of people or assets to the hazardous conditions. This provides the structure for how to control risks. Commonly used risk measures are defined. The discussion then turns to the implementation of risk and hazard controls, including defining exclusion regions based on prelaunch analyses to protect populations and defining real-time range safety systems for limiting the risk during an operation. The remainder of the chapter is devoted to the flight safety analysis process with an emphasis on debris risk analysis. With the foundation of terminology and the framework for applying risk controls established, the narrative provides a detailed discussion of the processes required to develop the data needed for debris risk analyses and the key models needed to assess debris risks. This discussion includes a characterization of highly simplified models that can be used for rapid risk estimation as well as more sophisticated models for more refined risk estimation.

Chapter 5 extends the launch safety analysis to toxic and distant focusing overpressure hazards. A major section of the chapter is devoted to each of these hazards. Rocket motor propellants and their combustion products may pose toxic hazards in the extended launch vicinity. Moreover, accidental explosions on or near a launch pad may, with adverse atmospheric conditions, cause explosive shock waves to break windows at distant population centers, potentially threatening their occupants. Currently, liquid propellants may be hazardous; however, their combustion products are often not. Solid propellants, by contrast, do not directly pose a toxic hazard; their combustion products are, however, frequently hazardous. The chapter introduces the reader to each of the hazards, characterizing the source term, factors governing the propagation of the hazards to people, and guidelines for evaluating the severity of the hazardous conditions that may exist at population centers. Comprehensive modeling of these two hazards is complex. Consequently, for each hazard one or more screening methodologies is presented to allow scoping studies to be performed to assess if there is a need for more comprehensive modeling. Each section then presents a comprehensive discussion of the analysis of the threat and the risk posed by the two hazards so that the reader understands how the complete analyses must be performed.

1.5 Nuclear-Powered Payloads Safety

The Soviet Cosmos 954 satellite was placed in orbit on September 18, 1977. In January 1978, a news item surfaced about a Soviet nuclear-powered satellite that had become unstable and was gradually descending. The nuclear reactor ran on uranium enriched in the isotope uranium-235. At first there was only minimal media interest, but as the days went by news of the impending re-entry of this satellite moved onto the front pages. The Soviets had in the meantime conceded that something had gone wrong and they no longer had any control over it. The scenario had all the makings of a major nuclear catastrophe: a satellite carrying a lethal nuclear payload circling the Earth every 90 minutes and coming ever closer to the point where it would enter the atmosphere and plummet down somewhere.

Eventually on the morning of January 24, 1978, the satellite entered Canadian airspace at about 11:53 a.m. Greenwich Mean Time to the north of the Queen Charlotte Islands. A man from a group of campers at Warden’s Grove, near the Thelon River, noticed a white blazing object streaking across the sky spewing fiery bits in its wake. A couple of people ventured to the impact site and noticed smouldering pieces of metal wreckage. To make things worse, Cosmos 954 had been unable to jettison its reactor core due to a mechanical malfunction. Later the same day, the Soviet Ambassador in Canada gave notice of the satellite re-entry and asserted that there would be no sizeable hazard and only insignificant local pollution at the site of impact. He also stated that the construction of the nuclear reactor on board the satellite envisaged its complete destruction on re-entry into the atmosphere.

After the Soviet Government admitted that Cosmos 954 indeed had a nuclear reactor on board, a clean-up operation dubbed Operation Morning Light was commenced. The purpose was to identify the nature and extent of damage caused by the debris, to limit the existing damage, to minimize the risk of further damage, and to restore to the extent possible the affected areas to their previous condition. The clean-up effort not only involved the on-site recovery of radioactive debris, but also utilized spectrometer-equipped aircraft and helicopters from the US and Canada as well as high-altitude missions by U-2 spy planes. Hercules airplanes flying the search grids marked the wreckage positions, so that the recovery helicopters (with suitable lead-lined boxes and people carrying hand-held radiation monitors) could go right to the spot.

The clean-up effort ended in April 1978. By that time, crews assigned to Operation Morning Light had surveyed over 124,000 km² and logged over 4500 hours of flying time. A few radioactive fragments were recovered, and some fragments proved to be of lethal radioactivity. The Cosmos 954 re-entry was considered a lucky one. It did not result in a major catastrophe for two reasons. The first is the obvious one that the region is sparsely populated, and the second was that almost 50% of the area is covered by lakes and rivers, which eventually absorbed most of the radioactive debris with minimal harm to the environment. What was probably not appreciated was that had the re-entry happened a little less than three orbits earlier, the impact trajectory would have strewn radioactive debris over a footprint extending from the Gulf of Mexico and passing close to major population centers of North America like Detroit and Toronto.

The use of radioactive materials on space systems is currently unavoidable for pursuing interplanetary and deep space exploration. It has enabled humankind to pursue scientific research and gain insights into our universe that would have been impossible by any other means. Spacecraft designers understand the importance of preventing the release of radioactive materials into the environment and have built robust structures to ensure containment of radioactive material in the case of an accident.

Chapter 6 briefly introduces the concepts of Space Nuclear Power Systems (SNPSs) and describes the history and nature of these ingenious energy generating machines since their inception at the start of the space age. The basic working principle of static power conversion systems such as the Radioisotope Thermoelectric Generator (RTG), and of dynamic heat conversion systems such as the recently developed Stirling Radioisotope Generator (SRG), is to convert heat differentials into electric power. A full account of their successful applications in several extra-terrestrial missions and space exploration experiments is presented. Furthermore, the possibility of nuclear fission power as a promising alternative for future outer planet and extra-solar exploration is discussed.

The flight safety review and launch approval processes for the US, as well as the failures and accidents of US and USSR (Russian) nuclear-powered space missions since 1961, are presented chronologically. A comprehensive probabilistic consequence analysis is presented of all conceivable potential hazards associated with space flights, from the moment the space vehicle is rolled on to the launch pad to orbit insertion, such as full stack impact, large scale solid propellant fire, re-entry breakup and fragmentation, Earth debris footprint, and risk to population and environment. Consequently, Chapter 6 discusses how the SNPSs must be designed with built-in safety features to minimize accidents and to prevent radiation exposure to the Earth’s population or environment.

A narrative is presented of the potential future employment of SNPSs for propulsion to explore our solar system and beyond, and of the prevailing political dynamic between the spacefaring nations and the United Nations Committee on the Peaceful Uses of Outer Space (UNCOPUOS) in its attempt to maintain a sustainable space environment for all future humankind.

1.6 Orbital Safety

The principal safety issues related to orbital spaceflight are: protection from dangers arising from the space environment (debris, and ionizing radiation); provision of escape capabilities during the on-orbit phase (crewed systems); and prevention of collision risk. Collision risk can be divided into three categories: (1) risk of collision during proximity operations (i.e., rendezvous and docking/berthing); (2) risk of collision between space systems operating autonomously; and (3) risk of collision with orbital debris.

In January 1994 Soyuz TM-17 struck the Mir space station two glancing blows 2 seconds apart during proximity operations due to a switch error. A more serious accident happened on June 25, 1997, during testing of the Mir station’s manual docking system. The Progress M-34 cargo ship struck and punctured Mir’s Spektr module, causing the station to depressurize and leading to Spektr being permanently sealed off. The solar arrays were also damaged, which in turn led to a power crisis aboard, causing the station to power down and begin to spin and drift.

In February 2009, a non-operational Russian satellite, Cosmos 2251, collided with Iridium 33, a US commercial telecommunication satellite, over Siberia at an altitude of 790 km causing the destruction of both satellites and the creation of an enormous amount of space debris.

Orbital Debris Environment

Space is not an empty vacuum but contains both natural debris (i.e. micrometeoroids, interplanetary dust) and human-made space junk. Humans generally have no involvement in natural debris, thus here we concentrate exclusively on human-made debris. Orbital debris generally refers to any human-made material on orbit which is no longer serving any useful function. There are many sources of debris. One source is discarded hardware such as upper stages of launch vehicles or satellites that have been abandoned at the end of their useful lives. Another source is spacecraft items released in the course of mission operations. Typically, these items include launch vehicle fairings, separation bolts, clamp bands, adapter shrouds, lens caps, momentum flywheels, and auxiliary motors. Various shapes and sizes of debris are also produced as a result of the degradation of hardware due to atomic oxygen, solar heating, and solar radiation, and also from combustion of solid rocket motors. Examples of such products are paint flakes, aluminum oxide exhaust particles, and motor-liner residuals.

Fifty years of spaceflight have cluttered the space around the Earth with an enormous quantity of human-made debris. Scientists assume that there are approximately 500,000 objects in orbit whose sizes are above 1 cm. Currently, about 21,000 objects at least 10 cm in diameter or larger are being tracked by the US Space Surveillance Network (including about 800 objects representing functional satellites). Only the largest pieces of debris in orbit can be regularly tracked, mainly by using optical sensors. The minimum size objects that are regularly tracked are 30 cm in the geosynchronous orbit and about 10 cm in low Earth orbits. Among the tracked pieces of debris, there are about 200 satellites abandoned in geosynchronous orbits occupying or drifting through valuable orbital positions and posing a collision hazard for functional spacecraft. The survival time of the debris can be very long. Objects in 1000 km perigee orbits can exist for hundreds of years. At 1500 km, the lifetime can go up to thousands of years. Objects in geosynchronous orbit can presumably survive for a million years.

The amount of debris on orbit in the future will depend upon whether the creation or removal rate dominates. Currently, the only mechanism for removal of debris is orbital decay by drag, which ultimately leads to re-entry. This mechanism is only effective in a restricted range of low Earth orbits. At higher orbits, it takes hundreds to thousands of years for objects to re-enter the Earth’s atmosphere. Historically, the creation rate of debris has outpaced the removal rate, leading to a net growth in the debris population in low Earth orbit at an average rate of approximately 5% per year. A major contributor to the current debris population has been fragment generation via explosions. As the debris mitigation measure of passivation (e.g., depletion of residual fuel) becomes more common, explosions will decrease in frequency. It may take a few decades for the practice of passivation to reduce the explosion rate, which currently stands at about four per year.

Several environment projection studies conducted in recent years indicate that, with various assumed future launch rates, the debris populations at some altitudes in low Earth orbit will become unstable. Collisions will take over as the dominant debris generation mechanism, and the debris generated will feed back into the environment and induce more collisions. The most active orbital region is between the altitudes of 900 and 1000 km and, even without any new launches, this region is highly unstable. It is projected that the debris population (i.e., objects 10 cm and larger) in this “red zone” will approximately triple in the next 200 years, leading to an increase in collision probability by a factor of ten. In reality, the future debris environment is likely to be worse than suggested, as satellites continue to be launched into space. To better limit the growth of future debris populations, active removal of objects from space needs to be considered. The debris population of interest for possible removal includes small (1–10 mm), medium (1–10 cm) and large (derelict spacecraft/expended rocket bodies) sized debris in low Earth orbit (LEO), as well as large sized debris in geosynchronous Earth orbit (GEO).

Collision Risk with Orbital Debris

Orbital debris generally moves at very high speeds relative to operational satellites. In LEO (i.e., altitudes lower than 2000 km), the average relative impact velocity is 10 km/s (36,000 km/h). In the geosynchronous orbit, the relative velocity is lower, approximately 2 km/s, because most objects move in eastward orbits. At these hypervelocities, pieces of debris have a tremendous amount of kinetic energy. A 1 kg object at a speed of 10 km/s has the same amount of kinetic energy that a fully loaded truck, weighing 35,000 kg, has at 190 km/h. A 1 cm sized aluminum sphere at orbital speed has the energy equivalent of an exploding hand grenade. A 10 cm fragment in geosynchronous orbit has roughly the same damage potential as a 1 cm fragment in low Earth orbit.

Pieces or particles of debris smaller than 1 mm in size do not generally pose a hazard to spacecraft functionality. Debris fragments from 1 mm to 1 cm in size may or may not penetrate a spacecraft, depending on the material composition of the debris and whether or not shielding is used by the spacecraft. Penetration through a critical component, such as the flight computer or propellant tank, can result in loss of the spacecraft. NASA considers pieces of debris 3 mm in size and above as potentially lethal to the Space Shuttle and the International Space Station. Debris fragments between 1 and 10 cm in size will penetrate and damage most spacecraft. If the spacecraft is impacted, satellite function will be terminated and, at the same time, a significant amount of small debris will be created. For example, if a 10 cm debris fragment weighing 1 kg collides with a typical 1200 kg spacecraft, over one million fragments ranging in size from about 1 mm and larger could be created. Such collisions result in the formation of a debris cloud that poses a magnified impact risk to any other spacecraft in the orbital vicinity (e.g., other members of a constellation of satellites).

Certain regions of the debris cloud are constricted to one or two dimensions. Such constrictions do not move with the debris cloud around its orbit. They remain fixed in inertial space while the debris cloud repeatedly circulates through them. In many satellite constellations, there are multiple satellites in each orbital ring. If one of these satellites breaks up, the remaining satellites in the ring will all repeatedly fly through the constrictions. If many fragments are produced by the breakup, the risk of damaging another satellite in the ring may be significant. If satellites from two orbital rings collide, two debris clouds will be formed with one in each ring. The constrictions of each cloud will then pose a hazard to the remaining satellites in both rings.

The collision in 2009 of the Russian satellite Cosmos 2251 with Iridium 33 was the worst space debris event since China intentionally destroyed one of its aging weather satellites in 2007 during an anti-satellite weapon test. The Iridium satellite that was lost in the collision was part of a constellation of 66 low Earth orbiting satellites providing mobile voice and data communications services globally. As expected, the risk of collision of other Iridium satellites in the same plane dramatically increased, with daily announcements of possible collisions (called conjunctions) with the debris from Iridium 33.

Collision Risk to Crewed System

Orbital debris collision is the primary source of risk for the International Space Station, and accounted for 11 of the 20 potential problems that were most likely to cause the loss of a Space Shuttle and crew.

The 2003 Shuttle risk assessment performed after the Columbia accident was the first one that evaluated orbital debris as a potential cause of an accident on orbit. It determined that the likelihood of orbital debris bringing down the Shuttle was far greater than that of the widely feared failures of main engines, solid rocket boosters, or thermal protection. Orbital debris colliding with different spots of the wing flaps was the most likely catastrophic failure. Damage could have rendered a wing flap (elevon) unable to steer and slow the Shuttle during re-entry. Following the Shuttle STS 114 mission in the summer of 2005 (i.e., the return to flight mission after the Columbia accident), NASA inspection teams catalogued 41 orbital debris impact locations on the Orbiter Discovery. There were 14 impacts on the windows, and two windows had to be replaced (as had happened several times in the past). The largest impact, featuring a 6.6 mm × 5.8 mm crater, was caused by a particle with an estimated diameter of 0.22 mm. The impact was among the largest ever recorded on a crew module window.

Orbital debris risk is best controlled by limiting the creation of debris through a number of measures that usually increase development and operating costs, such as passivation to prevent explosions, collision avoidance maneuvers, shielding, and end-of-life disposal. In the coming years, the orbital debris population will probably also be controlled by the use of debris removal systems.

Chapter 8 deals with several key topics of orbital safety. It starts with an overview of the open issue of space traffic control and space situational awareness, and then proceeds to address conjunction analyses and collision avoidance maneuvers. The experience gained in performing collision avoidance maneuvers for the International Space Station is discussed because of its particular safety implications. Another kind of collision risk discussed for the space station is the jettison of discarded hardware, which became very useful after the Shuttle retired.

The chapter then covers rendezvous and docking/berthing operations. Rendezvous and docking/berthing involves two spacecraft, a chaser and a target, a controlled approach to contact, and the subsequent coupling between the two vehicles. Any contact outside the margins set for position, velocities and angular rates constitutes a safety critical collision. Collision safety risks, their causes and consequences, and the measures for protection are discussed in detail. In this context, external trajectory disturbances, navigation and thrust errors, the safety features and failure possibilities of the on-board systems and communication links, and the possibilities for the design of safe approach trajectories are discussed. The chapter also discusses the issues of space vehicle charging and contamination hazards, including the shock hazard for astronauts involved in extravehicular activities. Finally the chapter presents end-of-life mitigation measures and techniques for space debris removal like space tugs, drag devices and, in particular, electrodynamic propulsion.

Chapter 12 presents the application of QRA/PRA to on-orbit operations. Risk assessments can help inform not only design decisions during the development phase of a project, but can be even more effective in the operational phase of a program where most of the resources of a program or project are typically spent. In an operational program PRA can be employed not only for upgrades or redesigns, but also for maintenance actions, improving performance, reducing operation costs, understanding high risk operations, and, most importantly, decreasing risk to mission success and decreasing risk to the crew on the vehicle. On the International Space Station program over the last 12 years it has proven to be a very effective decision support tool for management to decrease technical and safety risk to the crew, the vehicle, and to the overall program. In other words, PRA has been used to increase the probability of success of the program. This chapter is intended to provide an understanding of quantitative risk assessments as it has been applied in the operational phase of the International Space Station.

1.7 Re-Entry Safety

As the orbits of non-functional satellites, spent launch vehicle stages and other pieces of debris decay, they lose altitude and enter denser regions of the atmosphere where friction with atmospheric gases at high velocity generates a tremendous amount of heat. As a result, a major portion of the hardware (between 60% and 90%) will typically burn up. However, some components and parts can and do survive the re-entry heating.

Component survival will occur if the melting temperature of the component is sufficiently high or if its shape enables it to lose heat fast enough to keep the temperature below the melting point. During re-entry, the object experiences a period of rapid deceleration where the structural loads can exceed 10 g (ten times the acceleration of gravity). These loads, combined with the high temperatures, often cause fragmentation to occur. When the resulting objects lose enough speed, the heating rate is reduced, the temperature decreases, and the objects begin to cool. By this time, the objects have fallen to even denser regions of the atmosphere and fall virtually straight down from the sky in the absence of significant winds. They impact the ground at generally subsonic speeds, but still represent a potential hazard to people and property on the ground. They also represent a serious risk to maritime and air traffic.

It is very difficult to predict where debris from a randomly re-entering satellite will hit the surface of the Earth. Over the last 50 years, more than 1400 metric tons of materials are believed to have survived re-entry with no reported casualties. The largest object to re-enter was the Russian Mir Space Station, which weighed 120,000 kg. More than 50 pieces of debris were recovered and documented over the years. The items shown in Figure 9.4.2 represent some examples of re-entered materials ranging in weight from a few grams to hundreds of kilograms. In 2004 and 2005, the same type of Delta 2 titanium motor casings reached the ground in Argentina and Thailand respectively. Another seven Delta 2 titanium motor casings re-entered in the period 2001–2005 and probably fell into the ocean. In general, components made of aluminum and similar materials with low melting temperatures do not survive re-entry while pieces or components made of materials with high melting temperatures, such as stainless steel, titanium, and glass often do survive.

On 21 February 2008, an uncontrolled re-entering US spy satellite (USA 193) was shot down on officially stated grounds of public safety. The satellite was destroyed at an altitude of 247 km by a three-stage Standard Missile-3, a modified version of an existing missile adapted to intercept ballistic missiles in flight. The intercept was planned so as to create only short-lived space debris. The decision was made at the US presidential level. The malfunctioning spacecraft carried 450 kg of highly toxic frozen hydrazine fuel in its titanium fuel tank, which could survive re-entry with its toxic content. Similar tanks are known to have survived re-entry. However, following piping rupture and metal softening due to re-entry heat, the normally unfrozen fuel completely leaks out and is dispersed high in the atmosphere. The titanium tanks of the ill-fated Shuttle Columbia survived re-entry but when found were virtually empty. In any case, it was expected that about 50% of USA 193’s 2270 kg mass would survive re-entry, thus adding to public risk on the ground.

Returning Vehicles Risk

The disintegration during re-entry of the Shuttle Columbia on February 1, 2003 was a seminal moment in the history of launch and re-entry safety analysis. It highlighted the need to select vehicle re-entry trajectories that minimize the risk to ground populations, and the need to take measures to keep air traffic away from falling debris if a re-entry accident occurs. The Columbia accident initiated a chain of events that demonstrated the need for a deliberate, integrated, and ideally international, consensus-based approach to public safety during launch and re-entry operations. This is especially true for the management of air traffic and space operations.

Shortly after the breakup of Columbia over a relatively sparsely populated area of Texas, dramatic images of the debris from the breakup of the Orbiter were seen around the globe: an intact spherical tank in a school parking lot, an obliterated office rooftop, mangled metal along roadsides, and charred chunks of material in fields. The NASA Administrator testified before the US Senate that it was “amazing that there were no other collateral damage” (i.e., that no members of the public were hurt). Some people wondered if it was a “miracle” that no one on the ground had been hurt, and raised some important questions about public safety during re-entry.

The Columbia Accident Investigation Board (CAIB) raised and answered many questions relevant to public safety during launch and in particular re-entry. Given the available data on the debris recovered and the population characteristics in the vicinity, a CAIB study found that the absence of ground casualties was, in fact, the statistically expected result. Specifically, based on census data and modeling methods consistent with US standards and requirements set by other US agencies (e.g., the Range Commanders Council in RCC 321, the USAF in the Air Force Space Command Manual 91-710, and by the Federal Aviation Administration (FAA) in the Federal Register), the study found that “the lack of casualties was the expected event, but there was a reasonable probability (less than 0.5 but greater than 0.05) that casualties could have occurred.” However, a similar event over a densely populated area such as Houston would almost certainly have produced casualties among the public on the ground.
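A numerical illustration of the kind of reasoning behind that finding, added here and not taken from the chapter or the CAIB study: a constructed debris footprint with per-fragment casualty areas and census-style population densities gives an expected number of casualties near 0.08, hence a probability of at least one casualty of about 0.08 (inside the CAIB's stated range), while the maximum individual risk stays far smaller. The casualty areas, cell areas and densities are assumptions, and the casualty-expectation and Poisson relations are the standard ones used in launch and re-entry risk analysis rather than anything specific to the CAIB work.

```python
"""Added illustration, not the chapter's or the CAIB study's model: how fragment
casualty areas and population density combine into collective risk (expected
casualties), the probability of at least one casualty, and maximum individual risk.
Every number below is constructed."""
import math

def cell_risk(casualty_areas_m2, cell_area_km2, density_per_km2):
    """One ground cell: every listed fragment lands uniformly somewhere in the cell.
    Returns (expected casualties, individual risk for a person in the cell)."""
    total_ac_km2 = sum(casualty_areas_m2) / 1e6
    individual = min(1.0, total_ac_km2 / cell_area_km2)      # bounded by 0 and 1
    expected = individual * density_per_km2 * cell_area_km2  # = A_c * rho when < 1
    return expected, individual

def footprint_risk(cells):
    """cells: (fragment casualty areas in m^2, cell area km^2, people per km^2).
    Returns (E_c, P(at least one casualty), maximum individual risk)."""
    e_c, max_individual = 0.0, 0.0
    for areas, cell_km2, density in cells:
        expected, individual = cell_risk(areas, cell_km2, density)
        e_c += expected
        max_individual = max(max_individual, individual)
    p_any = 1.0 - math.exp(-e_c)   # rare, independent casualties: Poisson
    return e_c, p_any, max_individual

# constructed footprint: a large rural cell and a small town the ground track crosses
FOOTPRINT = [
    ([8.0] * 40 + [30.0] * 5, 500.0, 5.0),   # 45 fragments, 5 people/km^2
    ([8.0] * 10 + [120.0], 50.0, 400.0),     # 11 fragments, 400 people/km^2
]

if __name__ == "__main__":
    e_c, p_any, max_ind = footprint_risk(FOOTPRINT)
    print(f"E_c={e_c:.4f}  P(>=1 casualty)={p_any:.3f}  max individual risk={max_ind:.1e}")
```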

At the time of the Columbia accident, NASA had no formal policy regarding public risk during Shuttle re-entry. NASA’s Associate Administrator for Safety and Mission Assurance was quoted in a newspaper article on this subject as saying, “And so what our assessment says is that if this thing is safe enough to fly human beings in for an entry and a landing, then we feel that that’s adequate safety for the public that’s underneath the flight path.” The CAIB disagreed with that approach, and made specific recommendations for public safety. The updated NASA public safety policy embraces many of the risk measures and thresholds already in use by other US agencies, such as individual and collective risk limits in terms of casualties. However, NASA’s public safety policy also put forward innovative criteria for risk budgets governing distinct phases of flight which have gained broad acceptance. Therefore, the Columbia accident led to greater consensus and innovation in the management of risk to people on the ground from launch and re-entry operations.

Chapter 9 focuses on re-entry operations safety, and presents material that will help answer the following critical questions without undue expenditures of time or other resources:

• Is an uncontrolled re-entry safe enough, or is a controlled re-entry necessary?

• If a controlled re-entry is necessary, how reliable a system is needed?

• What warning/hazard areas are necessary to ensure protection of people in ships and aircraft?

• What are the constraints imposed by the physics of re-entry?

• What are the dominant sources of risk?

• How can the risks be mitigated?

• What are the dominant sources of uncertainty in the safety design?

• How can the uncertainty be reduced?

• What is an appropriate amount of insurance coverage in case of an accident?

The chapter describes various analytical models of re-entry trajectories for both controlled and uncontrolled flight above and within the sensible atmosphere, which is conventionally delineated by an altitude of 120 km. These analytical models will help the reader develop an understanding of the physical phenomena and constraints involved with both controlled and uncontrolled re-entries. The chapter also presents analysis methods that can be used to predict the breakup and demise during uncontrolled or controlled re-entry. The chapter includes empirical data on debris from controlled and uncontrolled re-entries, such as the results of re-entry testing conducted to provide insights on re-entry breakup and an overview of a device designed to provide definitive data by recording, preserving, and transferring data during actual re-entry events. The data on objects known to have survived re-entry can help validate, refine, or refute models for breakup and demise. In addition, careful study of the empirical data in Subchapter 9.4 can provide insight into potential design techniques to enhance demise. Subchapter 9.5 discusses analysis techniques used to predict the hazards and risks from controlled and uncontrolled re-entries with or without breakup, and includes subsections with examples of re-entry risk and hazard analyses for various types of re-entry missions.

1.8 Aircraft Protection

The Columbia accident also promoted the development of improved methods and standards for aircraft safety during launch and re-entry. Following the release of the final report of the CAIB, the FAA funded a more detailed aircraft risk analysis that used the actual records of aircraft activity at the time of the accident. That study found that the probability of an impact between Columbia debris and a commercial aircraft in the vicinity was at least one in a thousand, and the chance of an impact with a general aviation aircraft was at least one in a hundred. The analysis used the current models, which assume that any impact anywhere on a commercial transport by debris with a mass above 300 grams produces a catastrophic accident in which all people on board are killed. Best practices are captured in RCC 321, “Common Risk Criteria for the National Ranges”, which provides a vulnerability model for the commercial transport class of aircraft and other useful debris thresholds.

The safety of aircraft is a particular concern during space operations for three reasons: aircraft are more vulnerable to space vehicle debris impacts than other assets (even a relatively small piece of debris could produce a catastrophic impact on an aircraft, leading to many casualties); aircraft may be flying over remote or broad ocean areas; and aircraft sweep out a relatively large volume of space during the time a space mission potentially creates debris, which increases the probability of an impact relative to a stationary asset.
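As an added illustration (not the chapter's model, nor the RCC 321 vulnerability model), the following constructed calculation shows why the swept volume matters: the same fragments give a moving airliner an impact probability thousands of times higher than a stationary asset of the same planform, and the 300 gram all-aboard-killed assumption described above converts that impact probability into expected casualties. The aircraft dimensions, footprint area, fall window and fragment list are assumptions.

```python
"""Added, simplified illustration (not the chapter's or RCC 321's model): why a moving
aircraft accumulates far more debris-impact probability than a stationary asset, and how
an 'impact above the threshold mass is catastrophic' rule yields expected casualties.
All numbers below are constructed."""
from dataclasses import dataclass

CATASTROPHIC_MASS_G = 300.0  # commercial-transport threshold quoted in the text

@dataclass
class Fragment:
    mass_g: float
    footprint_km2: float  # ground area over which the fragment is equally likely to fall
    fall_window_s: float  # time the fragment spends at aircraft altitudes (assumed)

@dataclass
class Aircraft:
    span_km: float
    length_km: float
    speed_kmps: float
    occupants: int

def hit_probability(frag: Fragment, ac: Aircraft, moving: bool = True) -> float:
    """P(this fragment hits this aircraft) = exposed planform area / footprint area,
    assuming a uniform fall location and an aircraft that stays inside the footprint."""
    if moving:
        # the planform sweeps a strip: span x (length + distance flown during the fall)
        exposed_km2 = ac.span_km * (ac.length_km + ac.speed_kmps * frag.fall_window_s)
    else:
        exposed_km2 = ac.span_km * ac.length_km
    return min(1.0, exposed_km2 / frag.footprint_km2)

def aircraft_risk(frags, ac: Aircraft, moving: bool = True):
    """Return (P of at least one catastrophic hit, expected casualties). A hit by a
    fragment at or above the threshold mass is treated as catastrophic, i.e. everyone
    aboard becomes a casualty; lighter fragments are ignored in this simplification."""
    p_no_hit = 1.0
    for f in frags:
        if f.mass_g >= CATASTROPHIC_MASS_G:
            p_no_hit *= 1.0 - hit_probability(f, ac, moving)
    p_cat = 1.0 - p_no_hit
    return p_cat, p_cat * ac.occupants

# constructed sample: three surviving fragments over a 2000 km^2 footprint and a
# 150-seat narrow-body jet (36 m span, 38 m length, 230 m/s)
FRAGS = [Fragment(50.0, 2000.0, 600.0), Fragment(800.0, 2000.0, 600.0), Fragment(12000.0, 2000.0, 600.0)]
JET = Aircraft(span_km=0.036, length_km=0.038, speed_kmps=0.23, occupants=150)

if __name__ == "__main__":
    for label, mv in (("moving", True), ("stationary", False)):
        print(label, aircraft_risk(FRAGS, JET, mv))
```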

Chapter 10 addresses the protection of aircraft during space operations. It includes material that will help the reader understand the computation of risks to aircraft from launch or re-entry operations and various approaches to mitigate aircraft risks.

There are four major elements of aircraft protection during space operations: safety criteria, aircraft vulnerability models (AVMs), debris dispersion models, and mishap response systems.

Safety criteria allow establishing an appropriate level of protection for aircraft from launch or re-entry vehicle hazards, such as collision with planned or accidental debris. The aircraft protection measures put forward in Chapter 10 include probability of impact limits for debris capable of causing a casualty, as well as explicit quantitative risk acceptability criteria, debris hazard thresholds and vulnerability models for various classes of aircraft.

AVMs are used to quantify the areas of aircraft susceptible to an undesirable outcome from a debris impact, such as a casualty due to a fragment that penetrates the fuselage or an uncontrolled landing following a ruptured fuel tank. AVMs developed in the US for debris impacts on civilian aircraft built upon past work done to assess military aircraft survivability and the threat posed by potential fragments from an uncontained aircraft engine failure, such as turbine blades. These efforts produced improved AVMs for commercial transport and long-range business jet aircraft adopted in RCC 321 after multiple independent reviews by recognized experts in various fields.6 The FAA is presently sponsoring tests and analyses to produce more refined AVMs. Future AVMs will use more detailed information on the location and vulnerability of critical systems in commercial transport and other long-range aircraft.

Debris dispersion models are sophisticated physics-based computer models that predict the probability of an impact on an aircraft over four-dimensional regions (three spatial dimensions plus time). These models account for various sources of debris dispersion, including launch or re-entry vehicle trajectory deviations, breakup-induced velocities applied to fragments, lift and drag uncertainties for irregular fragments, and atmospheric winds, as well as the likelihood of foreseeable debris-generating events and a variety of vehicle fragmentation scenarios.

Mishap response systems are used to alert aircraft and rapidly clear potentially threatened airspace. In the event of an unplanned debris event, a mishap response system immediately notifies the appropriate air-traffic control authorities of the region potentially threatened by debris. The FAA has recently expanded the US real-time aircraft warning system developed in the wake of the Columbia accident to more efficiently integrate air and space vehicles without compromising safety.

Chapter 11 deals with another risk for aviation: the increasing use of ground-based lasers for space applications. Controlling the amount of laser radiation illuminating satellite targets in Earth orbit during the laser ranging process in the field of space geodesy has become very sophisticated over the years. This ensures the protection of the valuable payload on sensitive satellites. In addition, the presence of astronauts on space systems like the International Space Station requires even higher standards of laser eye safety when performing experiments such as optical time transfer to atomic clocks on board. While all current laser tracking stations stay well below the maximum permissible energy level, additional safety measures must be exercised at each observing site, such as physically controlling the outgoing laser beam on a shot-by-shot basis to ensure safe power density levels at all times.


1. Federal Aviation Administration, Department of Transportation, Commercial Space Transportation Licensing Regulations, Final Rule, Federal Register, Vol. 64, No. 76, April 21, 1999, p. 19605.

2. Federal Register, Part III, Department of Transportation, Federal Aviation Administration, 14 CFR Parts 413, 415, and 417, Licensing and Safety Requirements for Launch; Proposed Rule, Vol. 67, No. 146, July 30, 2002 (see p. 49479).

3. Ibid., p. 49465.

4. Office of Regulatory Analysis and Evaluation, National Center for Statistics and Analysis, FMVSS No. 214 Amending Side Impact Dynamic Test Adding Oblique Pole Test, August 2007.

5. Blincoe, L. et al., The Economic Impact of Motor Vehicle Crashes, DOT HS 809 446, May 2000.

6. Wilde, P.D., and C. Draper, Aircraft Protection Standards and Implementation Guidelines for Range Safety, 48th AIAA Aerospace Sciences Meeting, 4–7 January 2010, Orlando, FL, AIAA 2010-1542.
