What does getting “human-rated” mean in regards to NASA vehicles? originally appeared on Quora: the place to gain and share knowledge, empowering people to learn from others and better understand the world.
Answer by Robert Frost, Instructor and Flight Controller at NASA, on Quora:
The requirements for human-rating are lengthy and detailed and are determined by NASA in conjunction with the FAA (the FAA imposes these requirements on all commercial U.S. space endeavors). Below I will give an overview of some of the high-level requirements. Each of these would have its own detailed criteria and standards. Safety is a complex effort. For every new piece of spacecraft equipment, we go through arduous safety review panels (SRP) where the risks introduced by that equipment are analyzed mathematically, qualitatively, and experientially. I’ve spent many, many days at SRP as we help equipment manufacturers understand how even the seemingly slightest thing they neglected to account for can endanger the crew and/or mission. We look at collision hazards, explosive hazards, shock hazards, and so on and so on. We have acceptable levels of risk and we strive to bring the new equipment within those acceptable levels.
The vehicle shall provide a safe and habitable environment. That’s a broad requirement with many embedded requirements covering the internal inherent safety/habitability of the vehicle (e.g. no exposed sharp edges) and the ability of the vehicle to protect the crew from external hazards of space (e.g. vacuum and extreme temperatures).
The vehicle shall meet probabilistic safety criteria and thresholds. That means that NASA has determined acceptable levels of risk and uncertainty and the vehicle systems need to meet those constraints. Space travel is not a safe thing to do – some risk has to be accepted, but that risk is managed by analysis and limits. For example, vehicles are designed to have a PNP (probability of non-penetration) from orbital debris of 0.99995 over the expected duration of the mission. And, in general, uncrewed spacecraft are designed with a 1.25 factor of safety. With a few exceptions, crewed spacecraft are designed to a 1.4 factor of safety.
The vehicle shall provide adequate failure tolerance. We operate with levels of redundancy. A minimum is that a system be two-fault tolerant. That means that with a single failure, a system can still complete the planned missions and with a second failure, the system can still safely abort the mission and get the crew to safety. If a system cannot be designed with fault tolerance, it must be designed with very low probability of catastrophic failure. Another mechanism used is operational controls. For example, if the system cannot be designed to protect the crew from electrical hazard risk during maintenance, then operational steps, such as inhibiting upstream power before maintenance, are taken.
The vehicle shall be designed to tolerate human error actions without catastrophic event or system loss. That means no single inadvertent action can jeopardize the health of the crew or integrity of the vehicle. This is managed by various mechanisms such as guarded commands that require confirmation before execution, covered hardware switches, and software inhibits. Systems are designed to meet “must work” and “must not work” conditions. If a single action can terminate operation of a subsystem, it must have a redundant subsystem that is present and ready to take over.
The vehicle software shall be designed to mitigate hazardous behavior. For example, certain functions that may be needed at some stage but are hazardous at other stages should not be executable or easily accessible during the inappropriate stages.
The vehicle shall provide some form of ECW (emergency caution and warning) functionality that will detect faults and alert the crew of those faults. There are thousands of components that can misbehave in a spacecraft. When that misbehavior occurs, the vehicle control systems need to notice (they need to perform passive and active built-in tests) and need to provide clear indications to the crew of what has happened and how severe the incident is.
The vehicle shall provide fault isolation and recovery capabilities. Should a system/subsystem experience a failure, the vehicle should be able to isolate the failed components to prevent further harm and then, if possible, hand over the function to redundant equipment. For example, if a computer starts acting crazy, an external source should be able to disable that computer and bring the backup/standby computer to operational state.
The vehicle shall provide the capability for anomaly resolution facilitated by health and status data. That means that there should be telemetry on the performance of each system that the crew can review to determine what went wrong and what potential workarounds are available.
The vehicle shall provide the capability for autonomous function for all systems that are required to prevent catastrophic events. Essentially that means that systems can still do their job if we lose communications with the vehicle.
The vehicle shall provide reasonable crew access to all equipment required for emergency response. This means things like fire extinguishers and oxygen masks need to be accessible to the crew, even when strapped into their seats.
The vehicle shall provide the crew with the capability to monitor and control all systems/subsystems that are essential for mission success, mission safety, and abort functionality. For example, if a component of the vehicle must be jettisoned prior to re-entry for a safe re-entry, the crew needs the capability to command that jettison in the event automated systems do not work.
The vehicle shall provide crew with the capability to override certain automatic actions. For example, some abort initiations.
The vehicle shall provide remote monitoring and control for functions necessary for mission success and safety. Essentially, this means that the flight control team on the ground needs insight and interface to critical vehicle systems.
The vehicle must provide some level of capability for crew to manually control the vehicle motion. This level of control must meet level one on the Cooper-Harper scale.
The vehicle must provide communication capability for its crew to communicate with vehicles in proximity (e.g. rendezvous).
The vehicle must provide emergency egress capability pre-launch and abort capability between launch and orbit and on-orbit (where applicable).
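As an added illustration (not part of Robert Frost's answer), the guarded-command and software-inhibit mechanisms described above, modelled in Python: a hazardous command must be armed as one action and executed as a second, separate action, and no command is accepted outside the mission phases where it is appropriate. The phases, command names and catalogue are constructed for this example and do not describe any real vehicle.

```python
from dataclasses import dataclass
from enum import Enum

class Phase(Enum):
    PRELAUNCH = "prelaunch"
    ASCENT = "ascent"
    ORBIT = "orbit"
    REENTRY = "reentry"

@dataclass(frozen=True)
class Command:
    name: str
    hazardous: bool            # hazardous commands need arm, then execute
    allowed_phases: frozenset  # software inhibit: phases where it may run

# Constructed catalogue for this example, not any real vehicle's command set.
CATALOG = {
    "JETTISON_MODULE": Command("JETTISON_MODULE", True, frozenset({Phase.REENTRY})),
    "ABORT": Command("ABORT", True, frozenset({Phase.PRELAUNCH, Phase.ASCENT})),
    "DUMP_TELEMETRY": Command("DUMP_TELEMETRY", False, frozenset(Phase)),
}

class CommandGate:
    """Guarded commands (arm as one action, execute as a second) plus phase inhibits."""
    def __init__(self, phase):
        self.phase = phase
        self.armed = None  # name of the single currently armed command, if any

    def set_phase(self, phase):
        self.phase = phase
        self.armed = None  # a phase change clears any pending arm

    def arm(self, name):
        cmd = CATALOG[name]
        if self.phase not in cmd.allowed_phases:
            return "rejected: inhibited in phase " + self.phase.value
        if not cmd.hazardous:
            return "rejected: arm not required"
        self.armed = name
        return "armed"

    def execute(self, name):
        cmd = CATALOG[name]
        if self.phase not in cmd.allowed_phases:
            return "rejected: inhibited in phase " + self.phase.value
        if cmd.hazardous and self.armed != name:
            return "rejected: not armed"
        self.armed = None  # a single execution consumes the arm
        return "executed"
```

Note that a single inadvertent `execute` of a hazardous command is rejected unless the same command was deliberately armed in the same phase, so one slip cannot jettison hardware or trigger an abort.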