Anonymous Documents Describe Shuttle Hubble Mission Risks

Editor’s note: the following two documents “Applicability of CAIB Findings/Recommendations to HST Servicing” and “Risk Considerations for HST and ISS Flights” are presented anonymously.

These documents have been circulating on Capitol Hill and the astronomy community and were the subject of articles in the New York Times and elsewhere.

While the specifc author(s) of these two documents are not presently known, I am more or less certain that these documents had their distribution origin within senior management at the Space Telescope Science Institute – specifcially, from personnel employed by the Association of Universities for Research in Astronomy (AURA). If true, it would be nice if the STScI and AURA would come forth and stand behind the material contained within these documents. Discussions on this matter need to be totally out in the open and not done by anonymous proxy.

For what it is worth, a simple check of the “properties” associated with the Word files that I (and others) have received in the past few days shows ‘wsmith’ as the author. The Space Telescope Science Institute is staffed by AURA, the Association of Universities for Research in Astronomy. AURA’s president’s name: William S. Smith. Either Smith is the author (or source) or someone is trying to pin these documents on him. Either way, given the wide distribution these two documents now enjoy, I would hope that Smith would make a statement on this matter – one way or the other.

In responding to a request for comment, Dr. Smith said:

“In today’s edition of NASA Watch, you refer to two documents dealing
with the safety issues surrounding SM4. You asked in your editiorial
note that I respond regarding the authorship. As you point out, the
“properties” function in the word document show that I opened then saved
these documents. I did not however author them nor do I know who did.
AURA was in the process of putting together an informational website to
compile all available information. I had considered posting these but
elected not to due to the difficulty in attribution such an anonymous
document.”

“The important issue, however, is not who wrote them but what they
actually say. I believe they do state a position that I hope is taken
into consideration in any final decision.”

Editor’s note: I have subsequently learned that Dr. Smith personally distributed these documents to Congressional staffers.

Applicability of CAIB Findings/Recommendations to HST Servicing

EXECUTIVE SUMMARY

The final planned HST Servicing Mission, SM4, will be at least as safe as shuttle flights to the International Space Station (ISS). If shuttle return-to-flight occurs prior to the full implementation of an autonomous inspection and repair capability, the overall risks during a flight to Hubble would be comparable to those associated with an ISS flight in which the shuttle failed to reach ISS. Ultimately, when an autonomous inspection and repair capability is implemented, a mission to Hubble will then be as safe as any mission to ISS. Thus, an HST flight requires few, if any, unique capabilities to ensure safe flight beyond those developed for flights to the ISS. NASA plans to provide a Shuttle rescue capability for all flights. The flexibility to schedule SM4 immediately prior to one of the ISS flights provides a ready capability to mount a rescue mission if needed. Risks of micrometeoroid and orbital debris damage to shuttle on ISS flights exceeds that on flights to HST, given the flexibility in the latter to place the shuttle in a protective orientation.

A) RESCUE OR REPAIR

The CAIB Report addresses the possibility of rescue or repair in section 6.4 “Possibility of Rescue or Repair.” In this section, recommendation R6.4-1 contains four specific components:

1. For missions to the International Space Station, develop a practicable capability to inspect and effect emergency repairs to the widest possible range of damage to the Thermal Protection System, including tile and Reinforced Carbon-Carbon, taking advantage of the additional capabilities available when near to or docked at the International Space Station.

Currently, testing and analyses of the thermal protection system (TPS) is underway to determine failure modes and associated on-orbit inspection criteria. NASA plans to define damage thresholds below which no repair is required as well as thresholds above which repair is deemed unfeasible. For return to flight (RTF), NASA plans to perform inspections via ISS and demonstrate concepts for inspections and repair. For the next flight, full inspection of the TPS will be accomplished using the ISS as support. Design and simulations are underway for autonomous inspection (separate from ISS) utilizing a boom extension to the Shuttle remote manipulator system (SRMS).

The current NASA plan to satisfy CAIB Recommendation 6.4-1 (TPS inspection and repair capabilities) is to use a combination of an instrumented boom “carried” by the Shuttle Remote Manipulator System and inspection capabilities of the ISS crew to inspect for damage to the thermal protection system (TPS), which includes the tiles and the reinforced carbon carbon (RCC) wing leading edge. This inspection would identify any TPS areas that require repair prior to reentry.

Development activities associated with tile repair techniques are currently further along than RCC repair techniques. Because the RCC repair techniques are currently at a relatively low level of technology development (technology readiness level (TRL) 2 as defined by NASA standards), NASA anticipates that RCC repair will not be ready for the RTF mission. NASA is developing a Shuttle rescue flight concept in the event that the ISS becomes a “safe haven” for a Shuttle crew. The Shuttle rescue concept includes plans for a non-ISS orbit rescue capability. Both concepts appear feasible.

For the first several flights to the ISS after the RTF mission, the repair techniques would be accomplished using the Space Station Remote Manipulator System (SSRMS) holding the Orbiter and the Shuttle RMS (SRMS)-with-boom to take the astronaut and repair tools to the area on the Orbiter needing repair. Inspection and repair techniques that are executed from the ISS will become increasingly complex as the assembly progresses and physical interferences become more challenging. Eventually, unique solutions for ISS implementations will have to be developed.

2. For non-Station missions, develop a comprehensive autonomous (independent of Station) inspection and repair capability to cover the widest possible range of damage scenarios.

Before a non-station mission could be flown, the Shuttle program would have to develop an autonomous (free from Station) inspection and repair capability using just the SRMS and boom. This autonomous capability would maximize the use of repair kits, techniques and procedures that are in development for use on Station missions. According to the Return to Flight Task Group Interim Report, NASA plans to implement autonomous inspection and repair capability.2 However, in the absence of an autonomous capability, the risks associated with a flight to a non-station orbit would be comparable to that for an ISS flight where the Shuttle fails to dock with the ISS.

3. Accomplish an on-orbit Thermal Protection System inspection, using appropriate assets and capabilities, early in all missions.

The implementation plan to perform inspections early applies to all missions, independent of destination.

4. The ultimate objective should be a fully autonomous capability for all missions to address the possibility that an International Space Station mission fails to achieve the correct orbit, fails to dock successfully, or is damaged during or after undocking.

Once the autonomous capability is implemented, the capability would exist to fly to non-Station orbits without requiring any unique inspection and repair capabilities.

B) MICROMETEOROID AND ORBITAL DEBRIS (MMOD)

The CAIB found that there was “little evidence that Columbia encountered either micrometeoroids or orbital debris on this flight.” The CAIB also “found markedly different criteria for margins of micrometeoroid and orbital debris safety between the International Space Station and the Shuttle.” The Board recommended:

R4.2-4 Require the Space Shuttle to be operated with the same degree of safety for micrometeoroid and orbital debris as the degree of safety calculated for the International Space Station. Change the micrometeoroid and orbital debris safety criteria from guidelines to requirements.

The odds of critical penetration due to MMOD for a typical Shuttle flight to the ISS of 11 days, 18 hours mission duration are 1 in 250. The odds of critical penetration due to MMOD for STS-109 (HST SM-3B) were calculated to be 1 in 414. Post-flight assessment of STS-109 yielded odds of 1 in 273. This agrees with the general trend of the MMOD models to slightly under-predict the odds of critical damage. While the odds of critical penetration for any one mission to either ISS of HST are of the same order of magnitude, the odds of critical penetration on ISS flights will be higher because the ISS does not have the flexibility that a HST mission has in accommodating MMOD protective attitudes. It is noteworthy to observe that the collective odds of thermal control system critical damage for the remaining 25 flights to complete the assembly of the ISS are not significantly increased with the addition of one HST Servicing Mission from the current value of 1 in 11.6.

C) LAUNCH and ASCENT CONSIDERATIONS

The CAIB determined that insulating foam that separated from the Shuttle’s External Tank during the STS-107 ascent to orbit caused catastrophic damage to the Orbiter’s reinforced carbon-carbon (RCC) on the leading edge of the left wing. The Board recommended:

R3.2-1 Initiate an aggressive program to eliminate all External Tank Thermal Protection System debris-shedding at the source with particular emphasis on the region where the bipod struts attach to the External Tank.

The NASA External Tank (ET) Project has developed a three-phase approach to complying with this recommendation. In Phase 1, they plan to develop, design, certify and implement the required modifications to the ET that will allow for a safe RTF. In Phase 2, they plan to implement additional enhancements to reduce debris risk. In Phase 3, they plan to develop, design, certify and implement modifications to the ET that will minimize debris sources in the critical debris zone. The Shuttle Program estimates that these improvements will reduce the current odds of damage from a debris strike during ascent of 1 in 300 to approximately 1 in 600. The improvement in the odds of incurring debris damage will apply to all missions.

D) DISCUSSION

CAIB recommendation R6.4-1 requires that autonomous TPS inspection and repair capability eventually exist for all Shuttle flights while not requiring the initial autonomous capability to be in place by RTF. Currently, NASA plans to comply with this recommendation. In the event that non-repairable damage is detected, NASA plans to develop a Shuttle crew rescue flight capability. NASA’s initial plans for this rescue capability included both Station and non-Station orbits. During launch, Shuttle abort risks are increased as the orbit inclination increases, and thus are more likely for flights to ISS than to HST.

The NASA Administrator has publicly stated “that a Hubble mission would require new and unique procedures that, taken individually, were surmountable but that in the aggregate were risks significantly higher than a shuttle mission to the space station.” The aforementioned data and references from NASA RTF plans demonstrate that this statement cannot be supported. Given that NASA’s plan is to be fully compliant with the CAIB recommendation to develop an autonomous inspection and repair capability, the aggregate risks are higher for ISS flights than for a flight to HST.

When looked at from a TPS survivability perspective, there is a good basis for concluding that HST missions are as safe as or perhaps safer than ISS missions conducted in the same timeframe. HST missions will have:

1. A reduction in the risk of debris damage during ascent after the ET and SRB are modified; equivalent to ISS missions.
2. Impact sensors to identify impact locations and to focus early and time efficient inspections; in common with ISS missions.
3. Inspection sensors that will allow for accurate and time efficient inspections; in common with ISS missions.
4. A tile repair capability; in common with ISS missions.
5. A rescue capability as readily implemented for an HST mission as for ISS, since the HST mission can be timed to be launched immediately before an ISS mission.
6. A better MMOD environment than an ISS mission and more flexibility than ISS flights to fly a protected on-orbit attitude.

The existence of or lack of a RCC repair capability will be a problem that is common to HST and ISS missions. While an HST mission will not have a safe haven capability, the risk associated with the absence of a safe haven is the same as ISS missions that fail to dock with the ISS.

Risk Considerations for HST and ISS Flights

SUMMARY

When looked at from a thermal protection system (TPS) survivability perspective, HST missions have a good basis for claiming that they are as safe as or perhaps safer than ISS missions conducted in the same timeframe. HST missions will have:

1. A reduction in the risk of debris damage during ascent after the external tank (ET) and solid rocket boosters (SRBs) are modified; equivalent to ISS missions.
2. Impact sensors to identify impact locations and to focus early and time efficient inspections; in common with ISS missions.
3. Inspection sensors that will allow for accurate and time efficient inspections; in common with ISS missions.
4. A tile repair capability; in common with ISS missions.
5. A rescue capability as readily implemented for an HST mission as for ISS, since the HST mission can be timed to be launched immediately before an ISS mission.
6. A better micrometeoroid and orbital debris (MMOD) environment than an ISS mission and more flexibility than ISS flights to fly a protected on-orbit attitude.
7. HST missions may not have a practical or comprehensive reinforced carbon-carbon (RCC) repair capability, but this will be a problem shared with ISS missions. A HST mission will also not have a safe haven capability, but this could be offset by the ability to launch with an ISS mission fully ready to launch (which would become the rescue mission).

One could argue, on the aforementioned logic, that the final planned HST Servicing Mission, SM4, will be at least as safe as flights to the ISS. Finally, one can also conclude that no additional work needs to be performed over and above what must already be performed for ISS missions launched in the same timeframe.

Discussion

The following discussion attempts to describe all of the major issues one would face with a standalone HST mission as it relates to Shuttle TPS survivability. After some consideration it appears that ultimately there is a good technical case for the safety of such a mission. In fact, it would appear that it may have some advantage over ISS missions.

Implementation of the Shuttle’s TPS debris reduction and inspection and repair effort is rather complex and has a somewhat evolutionary nature so that not all of the various features that will protect the crew/vehicle will be available at the same time. As time progresses the system will become more capable.

The TPS survivability problem can be broken into the following categories:

1. Debris Reduction/Control
2. Ascent Imagery and other Impact Sensing
3. Damage Detection
4. Damage Repair
5. Safe Haven
6. TPS Hardening

The following discussion will briefly address each of these items as they relate to a standalone HST mission. The issue of MMOD is saved until the end because it is somewhat different from the ascent debris issue.

1. Debris Reduction

The ET is the primary, but not sole source of debris. Debris consists chiefly of ET foam and ice, but may also contain SRB TPS (cork) and occasionally metal. The ET foam and ice cannot be completely eliminated, but it may be possible to reduce them such that the ‘environment’ is safe. By this it is meant that if the ‘environment’ can be controlled such that it is not possible to sustain catastrophic damage to the Orbiter then one could argue that, at least for ascent debris, the mission would be safe without any further safety features, such as an inspection and repair capability. The Shuttle Program is working aggressively to minimize the debris environment so that it can be considered safe, but even if it is not possible to completely eliminate the hazard, the steps the Program has taken will greatly increase the safety of the Orbiter during ascent; a great deal of design, test, and analysis effort is planned to make the environment safe, or safer than the pre-STS-107 environment.

Key to this effort is certifying the debris environment such that the Orbiter TPS can survive any impact it may see and determining precisely what the Orbiter TPS can tolerate. The ET and SRB team have targets for foam (ET) and nose cone ablator (SRB) debris. Work will continue for some time on both sides (debris generators and Orbiter TPS tolerance), but it is not yet clear that an argument that the debris will be under control to the point were no additional protection is required will be successful. In fact, given that higher density ice (or metal) require less energy to do damage to Reinforced Carbon-Carbon (used on the leading edges) and tile, it may not be possible at all to take that position.

However, since an HST mission would be conducted 2 to 3 years from now it is reasonable to assume that the Shuttle ascent debris environment will be better than that for the RTF mission, which makes a strong point in favor of the safety of a standalone HST mission. It should be stressed here that no additional effort solely for the purposes of an HST mission would have to take place, since such actions would also be needed for ISS missions.

2. Ascent Imagery and other Impact Sensing

Ground, aerial, naval, and on-board (SRB, ET) cameras and ground and naval radar will be used to detect debris coming off the vehicle and striking the Orbiter. Additionally, an Orbiter-mounted camera will photograph the ET upon separation to identify missing foam that might have struck the TPS. These could be used to identify areas for inspection on the Orbiter; however, since they cannot sense all possible impacts during ascent, they cannot be used to rule out inspection of any of the TPS surface. In short, ascent imagery will provide interesting and useful data and provide some value to a mission in progress, but their most significant value is to subsequent missions where knowledge of the debris environment can be used to assess the vehicle. Although the cameras may be more capable during subsequent missions, no advantage to an HST mission relative to ISS missions will be realized.

A key feature of the RTF flight is that it will contain impact sensors on the wing leading edges. There will be 22 sensor packages per wing that will each monitor a 3-axis accelerometer and will sense high g-events (100’s of g’s) that will indicate a high-energy impact. The sensor will not be able to determine if damage has been done, but it will be helpful for identifying areas where one may wish to focus inspection efforts. For the RTF flights the system will be Crit 3 (not used for decisions that could lead to catastrophic failures), meaning decisions to not inspect an RCC surface cannot be made based on their data. However, by the time an HST mission would be mounted the planned Crit 1 version of the system would be instituted and would cover all leading edges and the belly tiles. In that case inspections could be rapidly focused on only those areas that registered an impact, permitting timely inspection of the TPS and critical decisions to be made early in the flight where consumables are still available, power- downs can be started effectively, and a rescue mission called up. Although the schedule for the Crit I version has not been formally developed, one could safely assume that it would be available for an HST mission and that no HST specific effort is required.

3. Damage Detection

The current approach to damage detection considers RCC and tile separately. The RCC will be inspected for the RTF mission using a laser scanner and Intensified Television Camera (ITVC). It is highly likely that this will not be the approach for very many missions; an Advanced TPS Technology Inspection Working Group (ATTIWG) has been formed to identify a second generation, more capable system for future missions, which one could safely assume will include the HST mission.

In the case of tile inspection the current approach uses ISS electronic still cameras to photograph the belly of the Orbiter. Clearly, this would not be possible for the HST mission; however, there are options that would work quite well. The best would be to take the visible and infrared spectrum cameras, in concert with the data from the impact sensors, and inspect the belly for damage. The ATTIWG has also been tasked with identifying sensors for belly inspection. DoD and NRO satellites could possibly provide adequate images of the belly tiles.

Inspection for an HST mission should not be a great challenge, particularly given the timeframe. Additionally, no additional effort beyond that which is necessary for ISS missions is required.

4. Damage Repair

Like inspection, repair must be broken down into RCC and Tile repair, which are radically different.

It is highly likely that tile repair will be ready for the RTF flight and the only issue that an HST mission would face would be worksite stabilization of an EVA crewman during the repair. The EVA crewmember would be on the end of a boom, which would be held by the SRMS, which has been shown to be insufficiently stable to support tile repair without some form of stabilization. Given the EVA hardware development skills at GSFC, providing the necessary stabilization should not be a great challenge. In fact, ISS missions need to solve this same problem before the 1-J mission, when the Tile/RCC repair option is no longer possible due to worksite blockage. For this reason, no additional tile repair effort for HST is necessary over what must be done to support ISS missions after 1-J.

In order to put the tile damage issue into perspective one must consider the likelihood of needing to do such a repair. The Orbiter has had ~3,300 damage sites of >1 inch diameter over the years without a burn-through, damage as large as approximately 10X20 inches has been tolerated, and tiles have been lost during ascent (early in the program). Although, not a justification for not repairing damage, the Soviet Buran Shuttle survived 6 burn-throughs, so a bum-though, which must be avoided at all cost, may not be catastrophic.

RCC damage repair may or may not be possible in the timeframe of the HST mission. The tile repair effort benefited from work in the late 1970’s; unfortunately the RCC effort had not begun until after the STS-107 disaster. The problems associated with RCC are much more complex since the thermal and structural environments are more demanding. It is highly unlikely that the RTF mission will have a practical RCC repair capability; it may require an additional 2 to 3 years to develop such a capability. Hopefully, a practical solution will exist at the time of the HST mission, but if it does not, it will be a drawback that will be shared with ISS missions of that period.

If no RCC repair capability exists for an HST mission, HST will be forced to justify its mission in one of four ways:

1. Pointing out that if HST doesn’t have a repair capability then neither does ISS, which will presumably be considered a safe destination based on a safe haven argument.
2. The environment has improved to the point that RCC damage is not possible during ascent (MMOD will be addressed later).
3. Probabilistic Risk Analysis (PRA) results – i.e., argue the risks are small.
4. The existence of a Shuttle rescue flight capability.

Item 2 has been discussed and item 1 will be discussed below. A PRA will be performed for ISS missions which could be modified slightly to analyze an HST case; earlier predictions for ascent debris placed the risk in the 1 in 300 range, which can be safely assumed to be an order of magnitude worse than one would expect in the future.

5. Safe Haven

The lack of an ISS safe haven option would appear to be a major drawback for an HST mission, however, this may not be as great an issue as some might think.

First, safe haven at ISS is by no means a reliable safety control. The period of time that the ISS could support the extra crewmen is a function of the Russian ECLS (Environmental Control and Life Support) system, which has not been shown to be very reliable. It is also a function of how quickly another Shuttle rescue mission could be executed. The Shuttle/ISS crew might have as many as 90 days at ISS if there are no failures. Although failures must be assumed, a Shuttle crew at ISS would have more consumables than an HST crew would.

In order to get around this problem, a rescue mission would have to be mounted very quickly, meaning that one would have to have another Shuttle stacked and ready for roll out when you launch. In this, HST has a significant advantage over ISS missions in that it would not be overly difficult to time the HST mission to launch just before an ISS mission that could be diverted to the HST inclination to rescue the crew. This is an advantage for an HST mission since ISS could not perform its operations with this kind of flexibility – imagine how difficult it would be to launch ISS mission A, but to have to have ISS mission B ready to launch at the same time, and then have to hold ISS mission B until ISS mission C was ready for launch, etc. Although this would be improbable for ISS missions, it could be done for a single HST mission. While the HST mission would not have a safe haven capability, the Shuttle rescue flight capability would exist.

The drawback to a rescue mission, to ISS or HST, is that the rescue crew would have to launch without having had time for any fixes to their vehicle based upon corrections to whatever damaged the previous Orbiter. This must be seen as nothing more than a theoretical problem since the likelihood of being able to correct whatever may have damaged another Orbiter (or even determining what caused the damage) before a rescue would have to be mounted would be near zero. No practical amount of safe haven time (ISS or HST) will permit changes to be made to make a rescue mission any safer. One could expect that every effort would be made to make corrections, but given how complex such problems are and how long it has taken in wake of the Columbia disaster to reach the point the program is currently at, there is virtually no chance of a safety-based change to the rescue vehicle. Any argument that NASA would not launch a rescue mission, even if there were risks, is not worthy of discussion.

One difference between an ISS rescue and HST rescue would be that the HST rescue would require EVA to transfer the crew. Although not trivial, the Space Shuttle Program Office has demonstrated the feasibility of this approach and was planning to implement the capability.

Although a safe haven capability would be attractive, the ability of an HST mission to be rescued by an already prepared ISS mission (possibly on the pad ready to go) may make the HST mission safer than an ISS mission that must rely on an unreliable ECLS system that was not designed for the extra loads safe haven would place on it, and on getting a Shuttle ready to launch that would be somewhere in its processing flow and not ready for launch.

6. TPS Hardening

The entire TPS hardening effort is under study at this time and it cannot be stated with certainty what changes would be in place in the HST mission timeframe. One could say that whatever is in place will equally benefit both the HST crew and crews to the ISS.

MMOD

The above discussion was based on an ascent debris argument; however, the dominant risk is MMOD, which can also damage the Shuttle’s TPS. The analysis for ISS missions indicates that there is an approximately 1 in 300 probability of loss of crew and vehicle due to MMOD. Of this, approximately 20% is associated with RCC damage, 60% is associated with other TPS-surfaces, and 20% is associated with crew compartment depress.

As mentioned above, the Shuttle will eventually have Crit 1 impact sensors on the leading edges (RCC) and belly. It his intended that these will be useful for sensing MMOD strikes as well as ascent debris; tests are planned to prove this in the coming months.

If the Shuttle flies an attitude that minimizes the MMOD risk and has the Crit 1 sensors impact sensors described above, the risks to an HST mission will in fact be less than a mission to ISS under the same assumptions.