Commercial crew vehicles may fall short of safety threshold

by

WASHINGTON — The two companies developing commercial crew vehicles for NASA may not be able to meet a safety threshold specified in their contracts, an agency safety panel found.

At a meeting May 25 of the Aerospace Safety Advisory Panel at NASA’s Marshall Space Flight Center, members said Boeing and SpaceX were making good progress in improving the safety of their vehicles in advance of test flights scheduled to begin within the next year, but have yet to achieve a key requirement in their Commercial Crew Transportation Capability (CCtCap) contracts.

That requirement is known as loss of crew (LOC), a measure of the probability of death or permanent disability of one or more people on a spacecraft during a mission. The CCtCap contracts included a requirement that the spacecraft have a LOC of 1 in 270 or better. The shuttle program, by comparison, had a LOC of 1 in 90 at the time of the program’s retirement in 2011.

“The number one safety-related concern for the program is the current situation with respect to the estimate of loss of crew,” Donald McErlean, a former engineering fellow at L-3 Communications and a member of the panel, said at the meeting. “The threshold values were considered to be challenging, and both contractors currently have a challenge to meet that precise number.”

McErlean didn’t identify specific issues the companies were facing in their efforts to meet that LOC threshold. One factor, though, he said, is how the companies and NASA calculate the risk to the spacecraft from orbital debris and micrometeoroids while in orbit.

“The numbers themselves depend very heavily on the model of orbital debris that one utilizes to develop the risk to the system,” he said. “That is a driving factor in determining the potential for loss of crew.” Those models, he said, “have been validated to some degree, but they are not perfect.”

That assessment matches a February report by the U.S. Government Accountability Office, which also warned that the companies could face problems reaching that LOC requirement. It cited the orbital debris and micrometeoroid environment of low Earth orbit as one of the main safety risks for the program.

If either or both companies can’t meet the LOC requirement with the spacecraft, NASA may have to issue waivers for that requirement. “That remains a risk to the program that will have to be addressed, in all likelihood, by a risk acceptance waiver,” McErlean said.

“It may be necessary to do a formal risk acceptance of the variance from the stipulated goal,” he said later in the meeting. “We would remind NASA that that risk acceptance, including a complete presentation of the alternatives and the consequences, should be made formally, and that risk acceptance signed off by appropriate authorities.”

Despite the concern about the potential risk of not meeting the LOC requirement, McErlean praised the companies for working to improve the safety of their vehicles, in part because of the motivation to try and reach that safety threshold placed in the CCtCap contract.

“We are very pleased to report that those requirements did drive systemic behavior on the part of both contractors,” he said. “They have expended considerable time and energy in making their systems considerably safer than they might have been without such an incentive, and they have achieved considerable progress from the first time the estimates were made.”

He also warned against placing too much emphasis on the LOC metric alone. “One has to be judicious in how one applies these statistical estimates,” he said. “One has to look at whether or not the contractors have expended the necessary effort and engineering activity to make the system as safe as they conceivably can and still perform the mission.”

He added that he was ”very positive” both companies were doing so. “There was no known or indicated area where with, by spending even a small amount of money, the contractor could have made their systems considerably safer.”

Bill Gerstenmaier, NASA associate administrator for human exploration and operations, has also warned against focusing too much on the LOC statistic alone in weighing risks of flying crewed spacecraft.

“Blindly striving to achieve a statistical loss of crew number may drive you to design a system that is less safe,” he said in a February speech at a Federal Aviation Administration commercial space transportation conference here. That sounded counterintuitive, he acknowledged, but noted measures that can, on paper, reduce the LOC figure, like the addition of redundant systems, can increase a vehicle’s complexity and result in unforeseen failure modes.

The use of LOC is good when comparing the relative safety of different designs in the same model. “But it’s not a very good tool for determining absolute risk,” Gerstenmaier. “That really misleads, sometimes, our overall design decisions.”

“I really don’t have a better method than to use this as a absolute measure of safety,” he said of LOC. “We just need to be careful when we discuss these numbers.”