International Space Station Risk Management Strategy
NASA is responsible for establishing risk management policies, goals, and processes for the ISS. These policies, goals, and processes are implemented in detail by the ISS prime contractor (Boeing) and the international partners (Canada, Japan, Russia, and the member nations of the European Space Agency). The ISS risk management process is managed by integrated product teams (IPTs) and analysis integration teams (AITs), jointly staffed by NASA and Boeing (for the U.S. on-orbit segment) or the international partners (for the non-U.S. segments). The teams evaluate risks in terms of likelihood and consequences and qualitatively rank them on a relative scale matrix (shown in Figure 2-1). The consequences can be technical, or they can affect the ISS schedule or cost, although cost and schedule risks dominate the current list of risks. ISS program policy requires that action be taken to change designs, processes, or plans to mitigate the impact that high-risk items (those in the upper right corner of the matrix) could have on the program. The ISS program currently ranks the risk of meteoroid and orbital debris impacts as one of the top 15 risks to the ISS program, although it is not one of the top 10.
The ISS safety office maintains a separate ranking of safety hazards and technical risks. The sixth risk in their ranking is directly related to meteoroids and debris. Box 2-1 shows the August 1996 safety office list of the 10 greatest ISS risks and hazards. Program policy requires a two-failure tolerance level for safety hazards in systems that, by themselves, could cause the loss of the station or crew in the event of a failure. Structural safety hazards are dealt with using safety factors, ground tests, materials qualification, fracture control, and other design and process control measures to provide failure tolerance.
BOX 2-1 Safety Office Top 10 Hazards (August 1996)
The ISS program created an AIT to be responsible for meteoroid and orbital debris risk management. The meteoroid and orbital debris AIT members are responsible for all aspects of the problem, including modeling the environment, calculating the likelihood that debris or meteoroids will penetrate modules, performing hypervelocity impact tests, and designing and evaluating shields. The meteoroid and orbital debris AIT reports to the mechanical subsystems AIT, which reports to the systems integration AIT, which, in turn, reports to the vehicle IPT. Figure 2-2 shows this chain of command.
The meteoroid and orbital debris AIT strategic plan for risk management is to shield against particles up to about 1 cm in diameter, to maneuver to avoid collisions with objects larger than about 10 cm in diameter that can be tracked by ground-based sensors, and to implement procedures to mitigate the damaging effects of impacts with objects between about 1 and 10 cm in diameter. These three methods are discussed in detail in Chapter 4, Chapter 5, and Chapter 6. Figure 2-3 illustrates this overall approach to managing the risk from meteoroids and debris.
The main requirement the AIT uses to manage the risk from meteoroid and orbital debris is that the probability that no “critical” ISS component will be penetrated by debris over 10 years should be, at a minimum, 0.81. A 1991 model of the debris environment is used to calculate this probability of no penetration (PNP). As discussed in Chapter 3, the flux of orbital debris, collision velocity distribution, and impact angle distribution in recent models differ from those in the 1991 model.
The AIT has defined as critical those items whose penetration could cause the immediate loss of the ISS or a crew member. Items whose penetration could only cause failures that are not time critical or that could be overcome by system redundancy or operational procedures are considered noncritical. Some tests have been performed to verify whether items should be designated as critical. For example, hypervelocity impact tests of batteries and ammonia accumulators showed that gradual pressure decay, rather than an explosion, occurred after penetration; thus, these items are considered noncritical (Winfield, 1996).
Not all penetrations of critical items will necessarily cause the loss of life or of the station. In some cases, the ISS crew will be able to seal off the penetrated module from the rest of the station. The crew may also be able to repair some penetrations. As described in more detail in Chapter 5, the meteoroid and orbital debris AIT is studying the various sources of risk to the station and crew, including thrust from venting, critical equipment damage, injury to crew, hypoxia, and delayed effects. Risk and hazard reduction analysis is an ongoing activity for the AIT, and it will continue beyond the design phase into the ISS operational phase.
The PNP requirement of 0.81 was based on past precedent, combined with an understanding of the limitations of design and operations capabilities. The space shuttle orbiter cabin has a 0.95 PNP requirement over 500 missions (roughly equivalent to 10 years of continuous exposure) for the meteoroid environment alone. The precursor to the ISS, Space Station Freedom, adopted a 0.95 PNP for meteoroids and debris, but its design was never able to achieve this goal. The PNP requirement for the ISS was set at 0.90 because this was judged a reasonable goal that could be met with additional shielding. More than 1,400 kg of shielding was added to components derived from Space Station Freedom to achieve a PNP of 0.90. When the Russian modules were added to the ISS, the AIT proposed that the Russian segment of the ISS should also have a PNP of 0.90, thus reducing the overall combined PNP for the ISS to 0.81 (see Box 2-2).
The overall 0.81 PNP requirement was approved by NASA management, and it has been apportioned, by area, to the critical modules and equipment. Figure 2-4 shows how the PNP requirements for all critical items contribute to the overall PNP requirement. These requirements are documented in the top-level ISS system specification and in the specifications for the U.S. and other major segments of the ISS. The requirements are controlled by the specification control process, and modifications must be approved by the ISS program manager.
BOX 2-2 What Does a 0.81 PNP Mean?
A PNP of 0.81 is equivalent to a 0.19 probability that one or more penetrations of a critical item will occur over a 10-year period. The expected number of penetrations (Npen) of critical items on the ISS can be calculated from PNP using the equation:
Npen = −ln(PNP)
With a 10-year PNP of 0.81, the expected number of times an ISS critical item will be penetrated over 10 years will be about 0.21. If the 10-year PNP is 0.55, then the expected number of penetrations is 0.6.
The number of expected penetrations varies linearly with time, assuming no changes in the predicted environment. Thus, an expected rate of 0.21 penetrations over 10 years would increase to an expected value of 0.42 penetrations over 20 years, and an expected 10-year rate of 0.6 penetrations would increase to a predicted 1.2 penetrations over 20 years.
PNP values, however, are far from exact because they are based on many assumptions. First, they are based on assumptions about the future debris environment. If the rate of launches or breakups, for example, turns out to be higher or lower than expected, the predicted PNPs may prove to be incorrect. Second, PNPs are based on assumptions about the effectiveness of ISS shields in preventing the penetration of critical items. And finally, the PNP calculations do not include impacts on noncritical items, such as the truss or the radiators, even though such impacts could potentially cause severe damage to the ISS.
The BUMPER-II code is the primary tool used by the AIT to determine the PNPs of ISS critical items. This computer program uses a finite element model and statistical analysis to combine spacecraft geometry and design, the meteoroid and orbital debris environments, and calculations of the particle size that would penetrate each component to calculate the PNP for each element of the ISS and to provide output for graphical representation of the results. Figure 2-5 depicts the BUMPER finite element model of the space station at the end of its assembly sequence. The BUMPER-II code can use both the 1991 and the 1996 NASA models of the meteoroid and debris environments. The environment model from 1991 is still used to assess whether critical items meet their PNP requirements, while the 1996 model is used for most other applications.
Although noncritical items are not included in the PNP calculations, contractors must meet requirements that ISS components have a low risk of failure; thus, some noncritical items that are particularly vulnerable to damage from meteoroids and debris are protected. The meteoroid and debris AIT provides the contractors with tools (including the environment model, hypervelocity impact equations, and hypervelocity impact tests) to help determine the risk of failure of particular components due to meteoroid or debris impact. For example, NASA has conducted for contractors numerous high-velocity impact tests on such items as wiring harnesses and pressure vessels. Contractors use the test results to determine whether actions need to be taken to reduce the risk of component failure.
ANALYSIS AND FINDINGS
The overall risk management approach employed by the ISS program is valid. It follows the risk management strategies that have been applied successfully to the space shuttle and to Department of Defense (DoD) programs. The approach provides a systematic framework that forces management to evaluate identified risks regularly and to take action to mitigate critical risk items. It encourages the continuous identification of new risks at the working level (AITs and IPTs), with a clear review and approval path to top ISS program management. It is a qualitative system that emphasizes the relative magnitude of risks but does not try to quantify that which cannot be quantified.
There are two concerns with this overall approach. First, the meteoroid and debris hazard does not fit well into the risk assessment approach of either the program office or the safety office. The risk matrix of the program office focuses on items that may affect the cost and schedule of the program, rather than on hazards to the ISS and crew once the ISS is operational. Due to the unique nature of the meteoroid and debris hazard—it is a hazard for which the ISS is forced to accept a risk of single-point failure—it does not fit well into the scheme of the safety office either. The second concern is that because the meteoroid and orbital debris AIT is so far down in the chain of command, the team may have difficulty bringing issues to the attention of top management.
Finding 1. The ISS approach to risk management appears to be valid, but the unique nature of the meteoroid and orbital debris hazard makes it difficult for the top-level ISS risk management schemes to properly weigh this hazard against other risks to determine whether urgent action is needed.
The plan to use shielding to protect the ISS against smaller particles and collision warning to avoid larger objects makes sense. However, the ISS program may be optimistic about the size range of objects against which these methods will protect the ISS. Program hazard reports suggest that objects larger than 10 cm in diameter will be tracked and avoided, and objects smaller than approximately 1 cm in diameter will be stopped by shielding. As discussed in Chapter 6, however, the U.S. Space Surveillance Network (SSN) is unable to catalog many objects in the 10 to 20 cm diameter size range, and the capability of the SSN to catalog small objects is more likely to decline than to improve over the next few years. In addition, as discussed in Chapter 4, the ISS program may be optimistic in assuming that current shielding can stop all objects smaller than 1 cm in diameter.
The BUMPER code appears to be an effective tool for determining the level of shielding necessary for particular modules. However, the capability to use two different environment models in the code raises some potential problems. Users need to be made aware that there are significant differences between the two models. Although using the 1991 model to determine whether modules meet PNP requirements is acceptable, using it for any other purpose (such as to determine mean-time-between-failure values for external ISS components) may produce misleading results.
The PNP-based system has been largely successful in reducing the hazard to the ISS from meteoroids and debris. ISS components derived from the previous Space Station Freedom design have been enhanced for meteoroid and orbital debris resistance and survival. The U.S. segment has thicker pressure walls and improved and added shielding that result in calculated PNPs that exceed the requirement (and also reduce the probability of loss due to catastrophic “unzipping”—a significant effect). In addition, the European and Japanese partners have agreed to adopt the U.S. approach to shield design and to accept their respective PNP requirement allocations.
The design of the Russian segment for meteoroid and orbital debris resistance is a major problem, however. A 1994 design review indicated that the Russian segment had a total PNP of 0.122, which is equivalent to more than two predicted penetrations over 15 years, even assuming an “on-orbit fix” to provide additional protection for the service module. Considerable improvement has occurred since then, but the current Russian segment design still falls far short of its apportioned requirement. The current estimated PNP for the Russian segment is 0.60, compared to the 0.90 requirement. This shortfall brings the overall PNP of the ISS down to 0.55—well short of the 0.81 requirement.
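The arithmetic behind Box 2-2 and the segment figures in the paragraph above, as an added Python example (not part of the original report and not the BUMPER code). It assumes penetrations follow a Poisson process and that segments are independent; the function names are illustrative, and the implied PNP of the non-Russian remainder is derived here from the report's 0.55 and 0.60 figures, not stated in the report.

```python
import math

def expected_penetrations(pnp):
    """Box 2-2: Npen = -ln(PNP), i.e. PNP is the Poisson probability of zero events."""
    if not 0.0 < pnp <= 1.0:
        raise ValueError("PNP must be in (0, 1]")
    return -math.log(pnp)

def rescale_pnp(pnp, years_from, years_to):
    """Npen grows linearly with exposure time, so PNP scales as a power of the time ratio."""
    return pnp ** (years_to / years_from)

def combined_pnp(segment_pnps):
    """Assumes independent segments: PNPs multiply, expected penetrations add."""
    return math.prod(segment_pnps)

def implied_remainder(overall_pnp, segment_pnp):
    """PNP the remaining segments must have so that overall = segment * remainder."""
    return overall_pnp / segment_pnp

def risk_shares(segment_pnps):
    """Fraction of the total expected penetrations contributed by each segment."""
    n = {name: expected_penetrations(p) for name, p in segment_pnps.items()}
    total = sum(n.values())
    return {name: value / total for name, value in n.items()}

if __name__ == "__main__":
    # All input figures below are the ones quoted in the report text.
    print("Requirement, 0.90 x 0.90:", round(combined_pnp([0.90, 0.90]), 2))
    for pnp in (0.81, 0.55):
        print(f"10-year PNP {pnp}: Npen = {expected_penetrations(pnp):.2f}, "
              f"20-year PNP = {rescale_pnp(pnp, 10, 20):.2f}")
    print("1994 Russian segment, PNP 0.122 over 15 years: Npen =",
          round(expected_penetrations(0.122), 2))
    # Derived (not from the report): what the non-Russian remainder must be
    # for an overall 0.55 with the Russian segment at 0.60.
    rest = implied_remainder(0.55, 0.60)
    shares = risk_shares({"Russian segment": 0.60, "remainder": rest})
    print(f"Implied remainder PNP = {rest:.3f}, "
          f"Russian share of expected penetrations = {shares['Russian segment']:.0%}")
```

Under these assumptions the Russian segment at a PNP of 0.60 accounts for most of the expected penetrations behind the overall 0.55 figure, which is why the shortfall there dominates the station-level result.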
The ISS team believes this problem can be solved. If the 1996 (instead of the 1991) debris environment model is used to calculate PNP, the meteoroid and debris AIT estimates that with additional proposed Russian module shielding, the ISS can be brought up to a PNP of 0.85, which exceeds the requirement. However, the tight launch schedule and launch vehicle volume constraints make it impossible to augment the shielding on the Russian-built service module—a key element of the early ISS configuration—before launch. The current proposal is to augment the shielding of the service module in space at a later date. However, the tight schedule of ISS assembly flights will not allow such an augmentation until years after the module has been launched.
The Russian international partners appear to be responding to NASA’s concerns about meteoroids and orbital debris. They are using the BUMPER code (and thus the NASA model of the debris environment) to determine whether their modules meet PNP requirements. They are also actively investigating shield designs and sending shield samples to NASA for testing. However, the Russian partners have not officially reached agreement with the ISS program on individual module PNP apportionments. Sustained NASA pressure is required to negotiate Russian compliance with meteoroid and orbital debris requirements. Having a Russian engineering representative on site at the Johnson Space Center might be helpful, and continued technical exchanges and video conferences will be necessary.
Finding 2. As currently planned, some segments of the ISS will be much less well protected from meteoroid and debris impact than others. The service module poses a particular problem because shielding cannot be added before launch if the ISS program is to stay on schedule.
Recommendation 1. The International Space Station program should take action to ensure that the findings of the meteoroid and debris analysis integration team are communicated clearly to senior program managers. The International Space Station hazard reports, for example, should be modified to reflect the fact that some debris larger than 10 cm in diameter are not tracked and cataloged. Particular care should be taken to address issues that may not fall within the purview of either the overall International Space Station program risk management approach or that of the safety office.
Recommendation 2. The International Space Station program should strive to improve the shielding for areas of the International Space Station that do not meet required probabilities of no penetration. In particular, improving the protection of the service module must receive a very high priority.
Recommendation 3. Further efforts—such as exchanging on-site engineering representatives and augmenting the schedule of technical interchange meetings and video conferences—to improve coordination with the Russian Space Agency and hasten agreement on meteoroid and orbital debris issues should be explored.
Winfield, D. 1996. Briefing presented to the NRC Committee on International Space Station Meteoroid/Debris Risk Management, Houston, Texas, April 3, 1996.