D:     NASA's Human-Rating Requirements

(For Space Transportation Architecture Study use only as a reference requirements document)*

_________________________________

The Government reserves the right to update this document with the latest information at contract award.

 

* Changes that improve safety or reduce costs should be addressed as excursions from the reference requirements for the Space Transportation Architecture Study.


JSC - 28354

Human-Rating Requirements

AA - Office of the Director

June 1998


National Aeronautics and
Space Administration
Lyndon B. Johnson Space Center
Houston, TX 77058

 

Human-Rating Requirements

June 1998

 

Prepared By:

Mike Jenkins
Integration Engineering, MS2

Approved By:

James E. Van Laak
Deputy Manager, Shuttle/Mir Phase 1 Office, YA

Approved By:

George W. S. Abbey
Director, Johnson Space Center, AA

 

Acknowledgments

The following individuals contributed to the production of this report:

Charles Justiz, Ph.D. / CA2
Scott Horowitz, Ph.D. / CB
Jeff Bertsch / DD4
Mark Hammerschmidt / EG4
Harry Erwin / EX
Mike Jenkins / MS2
Richard Jackson / MV
John Casper / NA
Tim Adams / NX
George Jarrell / NX
Smith Johnston, MD / SD26
Jim Van Laak / YA

 

Contents:

Introduction

General Requirements

Safety and Reliability Requirements

Human-in-the-Loop Requirements

Summary

Bibliography

Appendix 1: Requirements Matrix

Appendix 2: Reliability Model

 

Introduction:

This document contains a set of requirements for human-rating the next generation of spacecraft. A human-rated space system is one that "incorporates those design features, operational procedures, and requirements necessary to accommodate human participants. This provides the capability to safely conduct manned operations, including safe recovery from any credible emergency situation." These requirements reflect the best judgment of the team involved along with pointers to the body of technical information, specifications, and other data already existing on this subject.

These requirements are intended to be applicable to all future human-rated spacecraft operated by NASA. Four basic missions have been considered: Earth-to-Orbit (ETO) vehicles, which are launch vehicles and routine entry vehicles, including reusable launch vehicles or any spacecraft operating in the launch and landing phase; Space Stations (SS), vehicles operating exclusively in a low Earth orbit environment; Crew Return Vehicles (CRV), planned for emergency or other non-routine entry; and Beyond Earth Orbit (BEO) vehicles, which operate away from the Earth and beyond easy access for on-demand logistics resupply or crew escape.

Many of the detailed requirements needed to implement these four missions are very different. Even at the very high level of the requirements provided here, there are some that cannot be applied consistently across the four missions. However, there is a core set of requirements that can be applied or modified to suit each of the missions and that convey the same basic themes. Those themes center on crew safety and on ensuring that the mission and vehicle designs properly account for the difficulty of operating in the space environment.

The majority of the requirements listed here are focused on making use of the lessons learned to this point in the space program to avoid relearning them at the cost of national treasure and human life. They are focused on system reliability, human-machine interaction, crew escape, and dealing with the consequences of the inevitable hardware and human failure. Emphasis is placed on using tried and true techniques such as those contained in the documents listed in the bibliography.

Technology is rapidly evolving with the result that some of the documents and requirements cited here may need to be revised. When that occurs, alternative implementations will be proposed to satisfy the intent of these requirements, and deviations will be approved on the basis of sound technical rationale.

These requirements reflect the fact that spacecraft operate in an inherently high risk environment, especially during the ascent and descent phases, and that only the best practices of the aerospace industry are sufficient to give reasonable assurance of success. They also reflect the fact that the visibility, safety, and economic implications of space flight make it imperative that failures be avoided to the greatest possible extent.

 

General Requirements

1.1 Design for Human Space Flight

Spacecraft intended to carry humans have significantly different characteristics from other aerospace vehicles, and it is essential that the design of a human-rated spacecraft fully accounts for these differences. While spacecraft design is built upon the foundation of decades of aircraft experience, the unique operations and environments of the spacecraft mission lead to a different and even more stringent set of design requirements. The high failure rate of the early launch vehicles is indicative of the learning required to upgrade aircraft standards to space standards, and it is essential that the learning process not be needlessly repeated.

It is also critical that the basic design of the vehicle address the aspects of human-rating from the start. The process of human-rating ICBMs and other vehicles after the fact is less efficient and produces a less satisfactory result than when the ultimate mission requirements are included from inception. The early programs added improvements in systems redundancy and operating margins but relied heavily upon crew escape capability to accomplish the human-rating step.

Requirement 1:

The vehicle shall be designed, built, inspected, tested, and certified specifically addressing the requirements for human-rating.

 

1.2 Aerospace Design Standards

Aerospace design practices are the product of a long and costly evolution. Many failures and lost lives have been incurred in accumulating the combined knowledge base now available to the designer. This knowledge is captured in a variety of certification requirements documents, "lessons learned" documents such as JSCM 8080.5, military standards, and other technical publications. This database contains thousands of valid requirements and is too extensive and detailed to capture in a set of top-level requirements, but the documents listed in the bibliography provide the major sources for this information.

It is essential that the intent of the detailed design requirements and practices specified in these documents be incorporated in the design of human-rated spacecraft. The direct applicability of these documents varies, but as a minimum the practices listed in JSCM 8080.5 should be applied to human-rated spacecraft. Alternative approaches to these practices must demonstrate that they are as effective as the accepted methods.

Requirement 2:

The vehicle design, manufacture, and test shall comply with JSCM 8080.5 and applicable military standards. Where alternative approaches are employed, verification shall be provided that the alternative approaches meet or exceed the performance of accepted approaches.

1.3 Crew Habitability

NASA has developed excellent references for the design of human spacecraft environments. These design requirements pertain to all habitable spacecraft volumes inclusive of the preflight, in-flight, and postflight phases of the spacecraft mission. They also apply to spacecraft volumes that may require ingress by the crew on orbit, even if the vehicle is not crewed during ascent or descent, such as in the case of a pressurized cargo carrier used on a logistics mission. These design requirements draw from the numerous successful spacecraft designs of Mercury, Gemini, Apollo, Skylab, and the Space Transportation System (Shuttle) and provide the experience base for future crewed systems.

Requirement 3:

The vehicle crew habitability and life support systems shall comply with NASA Standard 3000 and NASA Space Flight Health Requirements for crew habitability and life support systems design.

 

1.4 Flight Test

No aerospace vehicle can be certified on the basis of analysis alone. Flight experience has shown that many critical design parameters are highly design-specific and require a careful flight test program to verify. Virtually all flight programs have shown important areas where flight experience did not match predictions.

Whenever possible, the flight test program should be conducted across the entire mission profile. This is generally possible for vehicles with discrete mission profiles of manageable duration such as the ETO and CRV vehicles. These vehicles can usually be operated through several complete ascent and/or descent profiles and should give good confidence in the suitability of the design for the planned mission.

In the case of a Station or BEO vehicle, flight test across the entire mission profile may not be feasible, either due to the excessive amount of time required to cover the planned mission duration, or the lack of suitable conditions to test, as in the case of planetary landing vehicles. In these cases a series of individual stand-alone tests under actual or high-fidelity simulated conditions is required. Backed with extensive analyses and simulation, these test results are used to verify vehicle performance across the integrated mission profile. The cardinal rule should be that all aspects of the mission that can be flight-tested should be flight-tested.

Requirement 4:

A successful, comprehensive flight test program shall be completed to validate analytical math models, verify the safe flight envelope, and provide a performance data base prior to the first operational flight (flights other than for the specific purpose of flight test) with humans on board.

1.5 Proximity Operations

Spacecraft operations in proximity to another vehicle constitute a significant hazard to both vehicles. Therefore, the design and operation of both vehicles must be compatible with and responsive to the unique requirements of proximity operations.

Specific requirements are unique to vehicles and missions but must address the following: docking mechanisms and mating hardware; inter-vehicle communications, software, command and telemetry, trajectory monitoring, and attitude control; remote abort, breakout, and separation commanding for uncrewed vehicles; and external environments, including pluming, contamination, induced structural loads, electromagnetic interference, and thermal.

Proximity and docking operations must be designed so that no single failure in a critical system will result in a catastrophic hazard to a crewed vehicle. When uncrewed vehicles operate in proximity to crewed vehicles, they must provide the capability for the crew to halt or abort the proximity operations at any time, and when docked they must provide redundant capability for the crew to initiate undocking and separation.

Requirement 5:

Spacecraft operations in proximity or docking with a crewed vehicle shall comply with joint vehicle and operational requirements so as to not pose a hazard to either vehicle. Provisions shall be made to enable abort, breakout, and separation by either vehicle without violating the design and operational requirements of either vehicle. Uncrewed vehicles must permit safety critical commanding from the crewed vehicle.

 

 

Safety and Reliability Requirements

2.1 Crew Survival

The design and operation of the spacecraft should strive for the highest possible reliability to protect public safety, ensure crew survival, safely return the vehicle, and ensure mission success. The current state of space flight technology requires full use of all available techniques to assure acceptable reliability. Techniques available include mission completion, mission aborts, safe haven, crew escape, and flight termination (including destruct systems for launch vehicles).

Crew survival is specifically addressed in this requirement and is best described in terms of a reliability requirement for the space flight program. The requirement must address all aspects of a space flight program, including vehicle design, operations, logistics, maintenance, and training. This reliability requirement must also address all missions and flights planned for the life of the program, not just a single vehicle for a single mission. Therefore, the requirement should account for cumulative risk exposure during the life of a program, and address specific reliability requirements inherent in the different missions.

Earth-to-Orbit Vehicles (ETO)
For ETO vehicles, the goal should be a flight program with the high reliability of commercial airline operations. This is because regular access to low Earth orbit results in a high degree of exposure due to the large number of flights anticipated over time.

The nature of the ETO vehicle mission permits the use of aborts and crew escape systems to increase the probability of crew survival. Experience has shown that for the foreseeable future the reliability of the main propulsion system will limit the overall reliability of the ETO vehicles. Whereas benign failures of engines and other systems during ascent can be dealt with through the use of abort modes, the relatively high probability of catastrophic failure of the main propulsion system requires the inclusion of a high performance crew escape system.

Space Station
The goal should be to reduce the integrated hazard to the crew to that of personnel operating in remote terrestrial stations such as the South Pole. The very long mission duration virtually assures that emergencies will arise and requires that the means be provided to manage them to successful resolution rather than returning or evacuating at the first indication of trouble. However, the means to evacuate must be provided at all times through the provision of a crew return vehicle (CRV).

The station is a high value, one-of-a-kind vehicle, with the result that greater emphasis may be expended on preserving its safety and, with a robust escape capability provided, the crew may be expected to remain on board and continue to work problems that would result in mission termination for the Shuttle. These goals can be accomplished through resilient system design, including high degrees of maintainability, skip cycle logistics stores on orbit, a robust logistics chain, and the availability of a crew return vehicle.

Crew Return Vehicle (CRV)
The CRV must achieve its reliability through appropriate system design for reliability, simplicity of hardware and mission, and failure tolerance. Russian flight experience has shown that it is likely to be used at least once during the life of the Station program, most likely due to a medical contingency, but far less frequently than ETO vehicles. Therefore, its per-use reliability goals and consequent redundancy requirements may be reduced, if required, by legitimate mission requirements. However, its reliability must not be reduced so as to affect confidence in its ability to function on demand, since that capability is essential to the accomplishment of the Station mission.

Beyond Earth Orbit (BEO)
The BEO mission should have the same program-level goal with regard to the potential for loss of life, weighted by the fact that there will presumably be only a few missions conducted at that level of technical and safety risk. As experience with the mission grows, and the possibility of establishing a permanent outpost or colony arises, the reliability goal for each individual mission must rise to account for the increased flight rate and consequent exposure. Technology will likely pace the schedule for accomplishing this.

The requirement for crew survival is best expressed as a cumulative reliability requirement across the entire exposure of the flight program. This overall reliability must be properly allocated over the expected number of flights in the program and to the systems and subsystems that provide mission success, intact abort, and crew escape. For example, in an ETO vehicle program designed to fly 100 missions (whether flown by one reusable vehicle or a fleet of expendables), the probability for crew survival for any one mission must be at least 0.9999 in order to satisfy the requirement defined below.

Since the practice of reliability allocation is often iterative, can be done in a number of different ways, and depends on the knowledge of system capability, an attachment has been provided to illustrate potential scenarios with typical reliability values that could be used to achieve this overall reliability level for each vehicle case.

Requirement 6: Crew Survival

The program shall be designed so that the cumulative probability of safe crew return over the life of the program exceeds 0.99. This will be accomplished through the use of all available mechanisms including mission success, abort, safe haven, and crew escape.

Requirement 7:

A crew escape system shall be provided on ETO vehicles for safe crew extraction and recovery from in-flight failures across the flight envelope from prelaunch to landing. The escape system shall have a probability of successful crew return of 0.99.

2.2 Aborts

For the ETO case, an intact abort provides for the recovery of the vehicle and its crew to a suitable site without exceeding stability and control, structural or thermal limits of the vehicle, or physiological limits of the crew. It is the preferred alternative when a successful mission is not possible, and permits safe recovery of the crew and vehicle for various levels of system malfunction that do not require crew escape. The design of the intact abort modes should protect the use of the crew escape system if it should become necessary because of additional spacecraft failures or other problems.

Additional abort modes should be provided where intact vehicle recovery is not possible but which place the vehicle in a position for safe operation of the crew escape system.

There are no abort modes envisioned for SS and CRV cases.

BEO missions require unique abort and survival modes. These include but are not limited to: powered return, free return, pre-positioning capabilities, and safe haven. The history of exploration contains numerous examples where access to energy for transportation and crew support was critical to the success of the mission and the survival of the crew. Therefore, missions designed for BEO should have sufficient power and utilize trajectories that maximize abort capabilities to ensure crew survivability. In general, this requires the spacecraft and its propulsion system to have sufficient power and flexibility to fly off-nominal trajectories. Critical systems should also be designed to degrade gracefully in the event of failures. As a last resort, when abort modes are not feasible, a safe haven capability should be provided to ensure that minimum survival capability and consumables exist to return the crew to a position from which a normal recovery or rescue can be conducted. Consideration should be given to pre-positioning consumables, spare parts, and other critical logistics and services to improve abort and safe haven capabilities.

Requirement 8:

For ETO vehicles, abort modes shall be provided for all phases of flight to safely recover the crew and vehicle or permit the use of the crew escape system.

For BEO missions, spacecraft and propulsion systems shall have sufficient power to fly trajectories with abort capabilities and provide power and critical consumables for crew survival. Trajectories and propulsion systems shall be optimized to provide abort options. When such options are unavailable, safe haven capabilities shall be provided.

2.3 Flight Termination

A flight termination (range safety) system will be required for ETO vehicles (including BEO vehicles launched intact) that cannot demonstrate aircraft-like reliability in the launch phase. However, current range safety policies contain provisions for tailoring flight termination requirements for manned space vehicles to permit alternative methods for ensuring public safety. In the event that a flight termination system is required, it should be designed to work in concert with the crew escape system to ensure the safe return of the crew without endangering civilians on the ground.

Requirement 9:

If a flight termination (range safety) system is required for ETO vehicles, the vehicle design shall provide for safe recovery of the crew.

2.4 Failure Tolerance

System design for reliability is a definitive element of spacecraft design. Aerospace hardware is designed for inherent reliability at the component level, but the architecture of the vehicle systems must also protect against random failures and minimize the probability of loss of mission, vehicle, or crew. In systems with relatively short periods of operation or where dynamic flight modes (such as powered ascent) are involved, installed redundancy is the principal means of assuring the system’s reliability. In vehicles with longer missions and more time for recovering from failures, maintenance and logistics resupply are the keys.

Fault tolerance is a term frequently used to describe minimum acceptable redundancy, but it may also be used to describe systems that are able to cross-link functions to compensate for failures. It is highly desirable that vehicle performance degrade gracefully when experiencing multiple failures. Where possible this should include cross-linking functions to compensate for failures.

For ascent and descent vehicles, the time constraints of the dynamic flight modes preclude the opportunity to utilize in-flight maintenance and system reconfiguration to recover from failures. Therefore, two-fault tolerance is a critical element in ensuring adequate vehicle reliability and should be incorporated whenever possible. When two-fault tolerance is either impractical or may have a negative impact on overall vehicle reliability, single-fault tolerance will be provided, wherein no single failure will result in the loss of the crew.

For long duration missions such as on Station or a BEO vehicle, fault tolerance is not sufficient. For these missions, multiple failures are expected, and the response must include maintenance and system reconfiguration to restore the failed functions. In the case of the Station, the maintenance capability and associated logistics inventory need only support critical systems until the arrival of the next resupply vessel. This is likely to be a period of a few weeks to a month or two.

In the case of BEO vehicles, it is unlikely that resupply vehicles can supplement the resources aboard the vehicle unless that capability was planned for in advance via pre-positioned spares. Therefore, safe operation of the vehicle requires that sufficient reliability be achieved through a combination of reliable hardware design, installed redundancy, and logistics capability to support maintenance.

Requirement 10:

All critical systems essential for crew safety shall be designed to be two-fault tolerant. When this is not practical, systems shall be designed so that no single failure shall cause loss of the crew. For the purposes of this requirement, maintenance can be considered as the third leg of redundancy so long as mission operations and logistics resupply permit it.

2.5 Reliability Verification

Verification of the reliability performance requirement by testing is preferred over analysis for all critical systems and will be accomplished to the maximum extent possible. When testing at the vehicle level is not feasible at a suitable test confidence and resource level, demonstration testing should be conducted on components, subsystems, and systems under operating and environmental conditions and conservative planning incorporated to protect against unexpected failures. Preflight readiness and authority to proceed with irreversible actions should be verified by a combination of system health checks, inspections, and prior flight history of components.

Requirement 11:

Vehicle reliability shall be verified by test backed up with analysis at the integrated system level prior to the first flight with humans on board and verified by flight-based analysis and system health monitoring for each subsequent flight.

2.6 Software Reliability

Software has become a key component in the reliability of today’s aerospace vehicles, and as such all critical software must be tested to the same levels of quality as the hardware systems. Critical software is any software component whose failure or unanticipated performance could lead to the loss of the vehicle or crew. This includes the flight software as well as ground software that can affect flight safety.

Critical software must be tested across the entire flight envelope as well as mission functions and transitions. The testing facility must use a flight-equivalent avionics testbed operating in a real-time, closed-loop test environment. Ground software must be tested on the computer platforms that will be used to support actual flights.

The software industry has also evolved to the use of Independent Verification and Validation (IV&V) as a key method of assuring software safety. This requires the use of an independent organization to assure that the software requirements are consistent and complete, the scope of the test matrix covers all requirements, and that all discrepancies in the test results are resolved before flight.

Requirement 12:

The performance and reliability of all critical software shall be tested on a flight equivalent avionics testbed across the entire flight envelope. Independent Verification and Validation (IV&V) methods shall be used to confirm the integrity of the software testing process.

 

Human-in-the-Loop Requirements

3.1 Crew Role and Insight

The use of automation in aerospace vehicles is continually increasing. Correct implementation of automation has greatly improved human operator efficiencies by performing many time-consuming tasks such as system-monitoring functions, fault diagnosis, navigation, and precision flight path management. A prime example of the results of these efforts is in the reduction of the flight crew size on modern airliners from three to two. Building a fully automated vehicle that precludes the human-in-the-loop, while technically feasible, currently requires a significant reduction in real-time decision-making capability over that available utilizing the human-in-the-loop since the cognitive ability of the human brain has yet to be approached in machine-based decision-making.

The database of successful autonomous vehicles designed to perform complex space missions is small. Industry experience does not support placing humans on board without the capability to intervene in the case of malfunction or other unanticipated events. History has shown that the overall contribution of the flight crew increases mission reliability: in addition to being available to respond to hardware failures and unanticipated natural events, a human can overcome many latent errors in hardware and software design, given the opportunity and provided proper attention is paid to the human-machine interface. The contribution of the flight crew is maximized when it is provided with the proper insight, intervention capability, control over vehicle automation, authority to enable irreversible actions, and autonomy from the ground.

Insight: Insight is the ability to determine where the vehicle is, its condition, and what it is doing. Insight helps to build situational awareness (SA).

Good SA greatly improves the performance of the human operator and enhances the mission. Poor SA does exactly the opposite. The technology of displays and controls design has made tremendous progress in recent years, and the state of the art should be applied to the human interface to minimize crew workload and errors. It is crucial to use a team of human factors engineers with cockpit design experience, vehicle engineers, and crew members to develop the appropriate displays for each task to be performed during each phase of flight.

Intervention/Override Capability: This refers to the ability of the crew to assert control over all vehicle functions in nominal and off-nominal situations.

The presence of the flight crew and the provision for them to interact with the vehicle enables a wide variety of control functions. The use of fly-by-wire systems and a hierarchical architecture for automation provides the technical means for the human to intervene at multiple levels within the navigation and control loop. This allows the crew to intervene in nominal and off-nominal situations and is absolutely required for any critical phase of flight. The design goal shall be to allow the human operator to bypass higher-level software and automation and exert maximum feasible control without adversely impacting vehicle performance or system reliability. Override includes actions ranging from simply pushing an "emergency button" to hands-on control of the vehicle. To maximize crew performance, the vehicle should exhibit Level I flying qualities as measured using the Cooper-Harper Rating Scale (NASA TN D-5153). To accomplish this, the human-machine interface (controllers, switches, etc.) must meet applicable standards such as MIL-HDBK-1797 and other appropriate standards for each task identified (the landing task is one such task).

Control over vehicle automation: This is the active role of the crew in the decision process.

Automation of a process is only as good as the hardware/software developed for the task and can not take all eventualities into consideration. This requires the crew to be able to either inhibit, modify, consent, or initiate automated sequences.

Authority to enable irreversible actions: This is the mandatory crew role in enabling safety-critical irreversible actions.

Any safety-critical irreversible action, such as a deorbit burn, rendezvous, or docking, must be enabled by the crew. The cognitive ability of the crew is essential to make the judgment call as to whether or not to proceed with these critical events. A crew member on board the vehicle, with good insight into the state of the vehicle and an understanding of external factors supplied via vehicle sensors, personal observation, and ground control, is in the best position to weigh all the options and decide whether or not to proceed with a safety-critical irreversible action.

Autonomy from the ground: This is the ability of the crew to make decisions when input from the ground is unavailable, incomplete, or the situation is time-critical.

All critical phases of flight must provide human operator insight, intervention capability, and control over vehicle automation if there are people on board or when operating in close proximity to another manned vehicle (ISS). To operate a spacecraft without crew autonomy capability requires large investments in facilities, personnel training/certification, and provisions for guaranteed continuous communications. The time delay in receiving information from the vehicle, processing it, acting on it, and transmitting appropriate commands back to the vehicle makes a ground-control-only architecture impractical. On the other hand, placing on board the vehicle all of the computational power and insight of ground controllers required to safely accomplish a human mission would be prohibitive. Therefore, while the crew needs to be able to make decisions and select alternatives rapidly, or when ground control is unavailable, there are many functions that enhance safety and mission success that are more appropriate for ground control to accomplish.

Requirement 13:

The vehicle shall provide the flight crew on board the vehicle with proper insight, intervention capability, control over vehicle automation, authority to enable irreversible actions, and critical autonomy from the ground.

Requirement 14:

The flight crew shall be capable of taking manual control of the vehicle during all phases of flight. The vehicle shall exhibit Level I handling qualities as defined by the Cooper-Harper Rating Scale.

Requirement 15:

The spacecraft displays and controls design shall be based on a detailed function and task analysis performed by an integrated team of human factors engineers with spacecraft displays and controls design experience, vehicle engineers, and crew members.

3.2 Task Analysis

The unique elements of the space mission and the variability of human response to the space environment must be accounted for in the mission design. Since the human must be prepared to intervene in the loop at any time, the mission design must not adversely impact his/her ability to function in that capacity. Mission design must explicitly address such factors as crew rest, space adaptation, and deconditioning for all flight crew.

Guidelines exist that provide the information required to ensure mission success through a comprehensive health care program spanning all mission phases, to optimize crew health and performance and to prevent negative short- and long-term health consequences.

Requirement 16:

The mission design, including task design and scheduling, shall not adversely impact the ability of the crew to operate the vehicle.


Summary

General Requirements:

1. The vehicle shall be designed, built, inspected, tested, and certified specifically addressing the requirements for human-rating.

2. The vehicle design, manufacture, and test shall comply with JSCM 8080.5 and applicable military standards. Where alternative approaches are employed, verification shall be provided that the alternative approaches meet or exceed the performance of accepted approaches.

3. The vehicle crew habitability and life support systems shall comply with NASA Standard 3000 and NASA Space Flight Health Requirements for crew habitability and life support systems design.

4. A successful, comprehensive flight test program shall be completed to validate analytical math models, verify the safe flight envelope, and provide a performance database prior to the first operational flight (flights other than for the specific purpose of flight test) with humans on board.

5. Spacecraft operations in proximity to or docking with a crewed vehicle shall comply with joint vehicle and operational requirements so as to not pose a hazard to either vehicle. Provisions shall be made to enable abort, breakout, and separation by either vehicle without violating the design and operational requirements of either vehicle. Uncrewed vehicles must permit safety critical commanding from the crewed vehicle.

Safety and Reliability Requirements:

6. The program shall be designed such that the cumulative probability of safe crew return over the life of the program exceeds 0.99. This shall be accomplished through the use of all available mechanisms including mission success, abort, safe haven, and crew escape.

7. A crew escape system shall be provided on ETO vehicles for safe crew extraction and recovery from in-flight failures across the flight envelope from prelaunch to landing. The escape system shall have a probability of successful crew return of 0.99.

8. For ETO vehicles, abort modes shall be provided for all phases of flight to safely recover the crew and vehicle or permit the use of the crew escape system.

   For BEO missions, spacecraft and propulsion systems shall have sufficient power to fly trajectories with abort capabilities and provide power and critical consumables for crew survival. Trajectories and propulsion systems shall be optimized to provide abort options. When such options are unavailable, safe haven capabilities shall be provided.

9. If a flight termination (range safety) system is required for ETO vehicles, the vehicle design shall provide for safe recovery of the crew.

10. All critical systems essential for crew safety shall be designed to be two-fault tolerant. When this is not practical, systems shall be designed such that no single failure shall cause loss of the crew. For the purposes of this requirement, maintenance can be considered as the third leg of redundancy so long as mission operations and logistics resupply permit it.

11. Vehicle reliability shall be verified by test backed up with analysis at the integrated system level prior to the first flight with humans on board and verified by flight based analysis and system health monitoring for each subsequent flight.

12. The performance and reliability of all critical software shall be tested on a flight equivalent avionics testbed across the entire flight envelope. Independent Verification and Validation (IV&V) methods shall be used to confirm the integrity of the software testing process.

Human-in-the-Loop Requirements:

13. The vehicle shall provide the flight crew on board the vehicle with proper insight, intervention capability, control over vehicle automation, authority to enable irreversible actions, and autonomy from the ground.

14. The flight crew shall be capable of taking manual control of the vehicle during all phases of flight. The vehicle shall exhibit Level I handling qualities as defined by the Cooper-Harper Rating Scale.

15. The spacecraft displays and controls design shall be based on a detailed function and task analysis performed by an integrated team of human factors engineers with spacecraft displays and controls design experience, vehicle engineers, and crew members.

16. The mission design, including task design and scheduling, shall not adversely impact the ability of the crew to operate the vehicle.


Bibliography

"Advanced Avionics Architecture & Technology Review – Phases 1 & 2", Joint Aeronautical Commanders Group, AAATR811, 21 January 1997.

"Appendix K of the Space Shuttle Crew Procedures Management Plan", JSC 22359, Rev. B, January 1992.

"Department of Defense Design Criteria Standard – Human Engineering", MIL-STD-1472E, 31 October 1996.

"Flight Crew Emergency Egress Escape and Rescue", QS-22A-LSK.

"Guidelines for Assessing the Toxic Hazard of Spacecraft Chemicals and Test Materials", JSC 26895, October 1997.

"Health Stabilization Plan for the Space Shuttle Program", JSC-22538.

"Interface Definition Document (IDD) for International Space Station (ISS) Visiting Vehicles (VVs)", SSP 50235, January 1998.

"JSC Design and Procedural Standards Manual", JSCM 8080, 1 April 1991.

"Man-Systems Integration Standards", NASA-STD-3000 Volumes I - VI, Rev. B, July 1995.

"Military Interface Standard – Aircraft Display Symbology", MIL-STD-1787B, 5 April 1996.

"NASA Medical Operations Readiness Review Plan", JSC 16785.

"NASA Medical Operations Requirements Document for Space Shuttle", JSC 13956, Rev. E, 1992. (Rev. F, 1998, in signature loop.)

"NASA Mission Operations Directorate Operational Flight Rules", Volumes A, B & C, 1996.

"NASA Space Flight Health Requirements Document", JSC 26882, January 1996.

"A Perspective on the Human-Rating Process of U.S. Spacecraft: Both Past and Present", George Zupp, ed., NASA Special Publication 6104, February 1995.

"Proposed Standards for Human-Rating Space Systems", Mary Cerimele et al., JSC 23211, October 1992.

"Range Safety Policy and Procedures", EWR 127-1.

"Rendezvous and Proximity Operations Design Reference (RPODR) for the International Space Station", JSC 27240, January 1998.

"A Review of Man-Rating in Past and Current Manned Space Flight Programs", Aleck C. Bond, Eagle Engineering/LEMSCO Report Number 88-193, Contract Number NAS 17900, 20 May 1988.

"Safety Requirements for Man-Rating Space Systems", NASA-TMX-65284, 8 November 1968.

"Sleep Shift Support Operations Program", JSC 26882.

"Space Medicine Monitoring and Countermeasures Project Plan", JSC 27735, February 1997.

"Space Shuttle Manned Spacecraft Criteria and Standards", NSTS 08080-1, 30 June 1992.

Appendix 1

Requirements Matrix for Human-Rating


ETO = Earth-to-Orbit Vehicles
SS = Space Station
CRV = Crew Return Vehicle
BEO = Beyond Earth Orbit

General                         ETO    SS     CRV    BEO
Design for Human Space Flight   A      A      A      A
Aerospace Design Practice       A      A      A      A
Crew Habitability               A      A      A      A
Flight Test                     A      M      A      M
Proximity Operations            A      A      A      A

Safety & Reliability            ETO    SS     CRV    BEO
Crew Survival                   A      A      A      A
Aborts                          A      N/A    N/A    A
Flight Termination              A      N/A    N/A    N/A
Failure Tolerance               A      A      A      A
Reliability Verification        A      A      A      A
Software Reliability            A      A      A      A

Human-in-the-Loop               ETO    SS     CRV    BEO
Crew Role and Insight           A      A      A      A
Manual Control                  A      A      A      A
Human-Machine Interface         A      A      A      A
Task Analysis                   A      A      A      A

Key:

A = Applicable
M = Modified
N/A = Not Applicable

Appendix 2

Reliability Model
(Example Only)

Columns:
ETO = Earth to Orbit System Failure - 100 Missions
SS  = Space Station System Failure - 10 Year Mission
CRV = Crew Return Vehicle System Failure - 10 Missions
BEO = Beyond Earth Orbit System Failure - 1 Mission

                                      ETO        SS         CRV        BEO
Critical System Reliability           0.99       0.999      0.999      0.99
Probability of Catastrophic Failure   0.001      0.1        0.0001     0.1
Abort Capability                      0.99       N/A        N/A        0.9
Crew Escape                           0.99       0.99       N/A        N/A
Safe Haven                            N/A        0.9        N/A        0.9

Total Mission Crew Safety Risk        0.999989   0.99989    0.9989     0.99
Total Program Crew Safety Risk        0.9989     0.99       0.9891     0.99

The values provided in this table are not specific requirements. They are shown to illustrate how reliability requirements can be allocated across critical functions to achieve the total program crew safety requirement. Actual requirements will be developed and iterated by the program based on their specific mission and design approach.
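Requirement 6 states the crew-safety target for the whole program, while the table carries per-mission figures. The following Python is an added example, not part of the document: it converts the table's "Total Mission" figures for the ETO and CRV columns (whose mission counts the table gives as 100 and 10) into the "Total Program" figures, and computes the per-mission figure each flight must reach for the program to meet the 0.99 target. The function names are this example's own.

```python
# Added example (not from the document): relating the per-mission crew safety
# figures of the Appendix 2 example table to the program-level target of
# Requirement 6 (cumulative probability of safe crew return > 0.99).
# Function names are this example's own; the numbers are copied from the table.

PROGRAM_TARGET = 0.99  # Requirement 6

# "Total Mission Crew Safety Risk" and mission count per column, from the table
TABLE_COLUMNS = {
    "ETO": (0.999989, 100),  # Earth to Orbit System Failure - 100 Missions
    "CRV": (0.9989, 10),     # Crew Return Vehicle System Failure - 10 Missions
}


def program_safety(p_mission, n_missions):
    """Probability that all n independent, equally reliable missions return the crew: p ** n."""
    if not 0.0 <= p_mission <= 1.0 or n_missions < 1:
        raise ValueError("p_mission must be a probability and n_missions >= 1")
    return p_mission ** n_missions


def required_mission_safety(p_program, n_missions):
    """Per-mission safety each flight must reach for n flights to meet p_program."""
    if not 0.0 < p_program <= 1.0 or n_missions < 1:
        raise ValueError("p_program must be in (0, 1] and n_missions >= 1")
    return p_program ** (1.0 / n_missions)


def meets_requirement_6(p_mission, n_missions):
    """True when the program-level figure exceeds the Requirement 6 target."""
    return program_safety(p_mission, n_missions) > PROGRAM_TARGET


def allocation_report():
    """Recompute the 'Total Program' row from the 'Total Mission' row per column."""
    report = {}
    for name, (p_mission, n) in TABLE_COLUMNS.items():
        report[name] = {
            "program_safety": round(program_safety(p_mission, n), 4),
            "required_per_mission": round(required_mission_safety(PROGRAM_TARGET, n), 7),
            "meets_requirement_6": meets_requirement_6(p_mission, n),
        }
    return report


if __name__ == "__main__":
    for name, row in allocation_report().items():
        print(name, row)
```

Compounding is what makes the allocation demanding: a figure of 0.999989 per flight yields 0.9989 over 100 flights, and meeting 0.99 over 100 flights requires roughly 0.9999 per flight.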
