The Pursuit of Occupant Safety in Commercial Human Spaceflight

Abstract

Safety is an attribute that is emphasized throughout the design, development, and operational phases of a spacecraft intended for human occupants, whether envisioned for government or commercial applications. Although no spaceflight can be assured to be completely safe, many engineering practices can be employed to identify and mitigate the ensuing risks to the extent practical to be deemed sufficiently “safe enough.” Research in this area conducted as part of the Federal Aviation Administration Center of Excellence for Commercial Space Transportation (COE CST) has examined the background, terminology, and current practices associated with risk mitigation and safety assurance from the perspective of historical space missions and anticipated future commercial opportunities, as summarized in this article. The COE CST work to date has evolved through a series of tasks aimed at reviewing prior space program safety practices, characterizing the process of human-rating within a risk scenario framework, assessing provisioning needs for medical care, exploring the concept of “how safe is safe enough?” and contrasting the safety records of spaceflight to more typical terrestrial transportation and adventure sport activities in a manner intended to facilitate effective risk communication to potential participants.

Introduction

Ensuring safety to the extent practical is an integral part of human spacecraft design and operations; however, the fact remains that spaceflight is inherently risky. NASA, the military, and the Federal Aviation Administration (FAA) recognize this intrinsic concern and offer considerable guidance and insight for protecting the onboard occupants as well as the uninvolved public from hazardous events.^1–3 This article presents an overview of research undertaken in support of the Center of Excellence for Commercial Space Transportation's (COE CST's) interests regarding commercial human spaceflight safety analysis and risk communication, primarily centered on aspects of vehicle design and operations. Related studies have addressed more specific medical concerns pertaining to the occupants onboard the vehicle.^4–6

Efforts to date in this area include reviewing prior space program safety practices,⁷ characterizing the process of human-rating within a risk scenario framework,^8,9 assessing provisioning options for providing medical care,¹⁰ exploring the concept of “how safe is safe enough?”^11,12 and contrasting the risk of spaceflight to more typical terrestrial transportation and adventure sport activities.¹³ Current efforts involve an ongoing review of the FAA's Recommended Practices for Human Space Flight Occupant Safety.³

Human-Rating

Unmanned launch vehicles of the early space age were generally considered too unreliable for human use, since they successfully reached orbit only around 80% of the time. To improve the likelihood of crew survival and mission success, redundancy began to be added to critical systems, reliability of components was increased, and launch escape systems were developed.⁷ These processes eventually came to be synonymous with the term “human-rating” (or its precursor “man-rating”), which originally appeared in the late 1940s to describe test aircraft that were deemed safe for human operation. The first vehicles found in the literature to be referred to as “man-rated” in this context were the X-series of experimental rocket planes. Subsequent use of the term evolved to differentiate between the earliest rockets that served as missiles and those intended to carry astronauts into space, where increased reliability was required.^8,9

Historically, the initial focus for spacecraft human-rating was primarily on safety; however, in subsequent decades, the term evolved to include aspects of crew performance and operations in addition.¹⁴ Although the human-rating process for the Mercury, Gemini, and Apollo Programs was centered on safety concerns, as the space program progressed into the later Apollo and early Skylab era, the concept of human-rating began to incorporate improvements to operability as well. The Skylab and Shuttle Programs later added emphasis on human performance and health management. Unlike safety, however, which can be quantified as a probabilistic risk to loss of life, crew performance, often referred to as “human-in-the-loop” or the “human-machine interface,” is less well characterized by such a single comprehensive metric and remains a related area of study.¹⁵

In 1988, a set of guidelines produced at the NASA Johnson Space Center (JSC) attempted to bring clarity to the term by defining a human-rated system as one that required an escape system or safe haven for the crew in the event of an emergency situation. Interestingly, based on this definition, the Space Shuttle was not considered by the JSC group to be human-rated; rather, it was referred to as “Highly Reliable.”¹⁶ It was not until 1992 that human-rating began to take its current role as a requirements-based methodology. That year, NASA formed a committee to develop a set of human-rating requirements,¹⁷ which eventually evolved into JSC 28354 Human-Rating Requirements¹⁸ and, ultimately, NASA NPR 8705.2C Human-Rating Requirements for Space Systems,¹⁹ the agency's current governing document.

The fundamental tenets of a human-rated space system can be summed up as accommodating the needs of the crew, effectively utilizing their capabilities to accomplish the mission objectives, and protecting the crewmembers, as well as ground teams and the uninvolved public, from hazardous events,^8,9 as summarized in Table 1.

Table 1.

Fundamental Tenets of Spacecraft Human-Rating: Accommodate, Utilize, and Protect

Accommodate can be described as what the vehicle does for the crew, such as provision of fundamental necessities through life support systems, as well as supporting other needs such as lighting, sleep stations, a galley, etc., as determined by the nature of the mission. These basic functions are integral to the vehicle design. A level of minimum functionality can be established that identifies specifically what is needed to meet the mission objectives, with additional desired features incorporated that serve to make the vehicle “nicer” considered for inclusion by trade study, typically in the human factors domain.²⁰

Utilize can be characterized as what the crew does for the vehicle/mission, that is, the operations. Various human performance metrics exist for assessing how accurately and efficiently the required tasks are carried out and how effective the vehicle's design is at ensuring the well-being of the occupants.¹⁵ Research suggests that these commonly used metrics can be coalesced to quantify overall well-being of a crewmember in terms of their cognitive, psychological, and physiological states. Measurable data can then be used to characterize these discrete states by assessing the extent to which each is depleted or replenished when conducting operations and/or through human interactions with the vehicle.²¹

Protect implies incorporating adequate safety attributes into the vehicle design as well as devising operational protocols intended to mitigate the risk of loss of life, which is the core of this COE CST research focus. The primary design metrics used to assess risk are defined as p(LOM), p(LOV), or p(LOC).^8,9 As with providing functionality beyond the minimum level needed to accommodate the crew's basic needs noted earlier, making the spacecraft “safer” is similarly determined by trade study of design and operational options.²⁰

COE CST, Center of Excellence for Commercial Space Transportation; p(LOC), probability of loss of crew; p(LOM), probability of loss of mission; p(LOV), probability of loss of vehicle.

This process of defining requirements and then identifying, quantifying, and mitigating risk is accomplished by using various standard techniques implemented throughout the systems engineering design process and/or through operational protocols and training.^22,23 Risk can further be defined in terms of technical, programmatic, schedule and budget goals as well, but these aspects are not addressed in the current effort. To begin with, high-level objectives are derived from mission goals and a baseline design concept can be established with the initial assumption made that everything will function as planned to accomplish the intended outcome.²⁰ From this starting point, a systematic risk analysis method is employed essentially along the lines of asking “what if this component fails?”; evaluating “what can cause it to fail?”; determining “what happens if it fails?”; and estimating “what is the likelihood of it failing?”.

As outlined in Table 2, a risk analysis process is used to address these outcomes by identifying all known inherent hazards and their resultant failure modes, analyzing the consequence of a given failure, estimating the probability and severity of the failure occurrence, and combining the individual failures in a fault tree analysis to identify and model co-dependent responses. From this information, increasing the degree of safety is then accomplished by prioritizing and mitigating the ensuing most “likely and severe” risks to the extent practical. In the event that all levels of fault tolerance provided by the vehicle are exhausted and a catastrophic event occurs, various means of crew survival methods (CSM) can be implemented. CSM approaches can include incorporating a launch abort system for ascent, wearing a pressure garment to protect against a cabin leak, enabling a bailout if an anomaly is encountered during reentry, etc., as a final attempt at preventing fatalities. Finally, as operational performance data are amassed, the model is updated to improve the statistical risk prediction accuracy and “lessons learned” from failures encountered over time are incorporated by modifying the design or operations to increase safety.

Table 2.

Risk Analysis Process Overview

Hazard analysis	Identifies those circumstances, either in the natural environment or from sources onboard the vehicle, that pose a potential for harm
FMECA	Defines the outcome and severity if the risk event is realized and causes a failure
Fault tree	Combines FMECA results, identifies co-dependent failures and common causes
MTBF/PRA	Approaches used to estimate probability (likelihood) of failure occurring
Risk matrix	Couples likelihood vs. severity
Risk mitigation strategies	Techniques such as added redundancy, factor of safety, design margin, incorporating operational workarounds, enabling repairs, increasing reliability and robustness, can be used to intervene allowing recovery from an off-nominal situation
Crew survival methods	Extends risk mitigation beyond expected vehicle design and operations (e.g., bailout, abort, etc.), keeps an emergency situation that results in a nonrecoverable LOM or LOV event from becoming LOC

FMECA, failure modes, effects, and criticality analysis; MTBF, mean time between failure; PRA, probabilistic risk assessment.

Although detailed implementation of risk reduction is unique to the specific vehicle being considered, more generally applicable design-independent considerations can be characterized by using a proposed hierarchal framework tentatively defined as a working concept for this research in terms of a “Good Day, Not so Good Day, and Bad Day”. Table 3 outlines a synopsis of example scenarios and mitigation strategies within each category.

Table 3.

Notional Framework for Characterizing Human Spaceflight Outcomes

Good day	A human-rated system that accommodates occupant needs, effectively utilizes human capabilities, controls hazards, and manages safety risks associated with the spaceflight, while providing, to the maximum extent practical, the capability to safely recover the crew from hazardous situations if encountered. From the “human subsystem” perspective, this can be similarly conveyed as preflight participant “fitness to fly” screening and a medical certification for the crew, with no occurrence of injury or illness during the flight. Essentially, the necessary elements are in place for a safe and successful flight to be conducted without experiencing any significant anomalies, or in NASA parlance, “performance nominal”.
Not so good day	In the event of a noncatastrophic, recoverable vehicle failure occurring or a minor (non-life-threatening) injury or illness experienced, a successful flight is still accomplished through adequate fault tolerance in the design, operational workaround employed, and/or appropriate medical “level of care” is provided for the occupants.
Bad day	In the event of a more serious, catastrophic, nonrecoverable vehicle failure or occurrence of a life-threatening illness or injury, a means for emergency survival is available to keep a “bad day” from getting “worse”. This translates into planned emergency scenarios such as aborts, bailouts, donning pressure garments, stabilization of medical trauma, etc. being carried out, while remaining within human tolerance limits associated with the potentially extreme environments experienced in the event of such emergency maneuvers, as well as ensuring appropriate medical care is on standby at the landing site. Implementing a crew survival method implies that all fault tolerance features of the vehicle have been expended and a resulting catastrophic failure has occurred or is imminent.

Essentially, human-rating can be considered as much a design philosophy as a product outcome. Whether an end qualification is established from a requirements verification process or an outcome-based product assessment, or whether it leads to formal certification or licensing,²⁴ the overarching intent of human-rating is to protect the crew and ground personnel, including the uninvolved public, to the extent practical, as well as to accommodate and utilize the crew in a manner that enables the mission objectives to be efficiently achieved. The engineering analysis, design, and operational approaches used to address vehicle safety concerns can also be extended to protecting occupant health by similarly considering medical care needs and outfitting options.

Medical Level of Care

The rigors of spaceflight present unique and particularly challenging physiological and environmental conditions that occur under very unforgiving operational circumstances. In this context, the potential for illness or injury can be considered a “human failure mode” of sorts for the occupants, and approached in an analogous sense to the vehicle risk analysis and mitigation process. Consequently, some form of onboard medical care equipment is likely to be included in addition to the typical risk reduction methods incorporated by vehicle design. This implies outfitting the vehicle with select medical care capabilities, which can be determined by prioritizing risks based on the likelihood and severity of potential impacts to health for a given flight profile, and includes proper medical training by onboard crew as well as positioning of personnel and facilities needed on standby at the landing site.²⁵

Lessons learned from past medical incidents in space along with review of existing commercial aviation standards offer valuable insight into determining appropriate medical care for the commercial space industry. Deciding on an acceptable “level of care” to provide for commercial spaceflights should take into account the unique risks and durations posed by different phases of suborbital and orbital missions, as well as the feasibility of effectively accommodating medical concerns that may arise in flight. In general, although existing NASA and civil aviation medical standards and practices may not be directly applicable to commercial human spaceflight, they do provide a benchmark that can be tailored to the different flight profiles and expected scenarios.¹⁰ Finally, some assessment of “fitness to fly” criteria^5,26 can be considered as warranted to identify any high-risk underlying health concerns for susceptible individuals as a preflight preventative measure.

Given the wide variety of anticipated commercial space flight vehicles and operational scenarios, it is not likely that a single, comprehensive level of care need will be defined. Rather, if an agreeable minimum standard set of guidelines can be established as a baseline of good practice, then individual companies will have the opportunity to offer medical levels of care, as well as additional design amenities—which translate into making the vehicle “safer” and/or “nicer”—as a discriminating feature of their business model.

How Safe is “Safe Enough”?

In light of the combined risks associated with the potential for space vehicle anomalies and human health concerns alluded to earlier, the question comes down to deciding how safe is safe enough within the constraints of “acceptable” and “achievable.”²⁷ Although no vehicle can be assured to be 100% reliable, a threshold of “safe enough” can be established and statistically analyzed with increasing fidelity as the design matures from concept to operations.¹¹ The question of acceptability must be determined by the stakeholders.¹² For government missions, this decision is made at a programmatic level, it becomes a business model determinant for industry, and for an individual deciding to fly, the answer represents a personal tolerance for risk. Informing this personal decision leads to the next objective of addressing how to effectively communicate the potential risks encountered by flying in space to candidate participants.

Risk Communication

Operators of commercial spacecraft are required to inform prospective space flight participants of the safety record of their launch and entry vehicles before receiving compensation or entering into an agreement to fly.²⁸ This information must be conveyed to an individual before he or she can legally consent to fly. Expressing what risk assessment outcomes such as “probability of loss of life is 1 in 270” really mean should be communicated to paying passengers in a comprehendible manner that facilitates realistic risk perception. To offer insight into potentially more effective ways to inform potential participants of the risks associated with spaceflight, space fatality data were contrasted with other transportation and adventure activities (e.g., flying, driving, mountaineering, etc.). For example, it can be shown that the actuarial risk of loss of life while flying in space on the Shuttle or Soyuz was roughly on par with climbing Mt. Everest in recent years, thus providing potential space flight participants with a more common terrestrial activity as a reference point for comparison when assessing personal risk tolerance.¹³

Summary and Next Steps

The research conducted to date under the auspices of the COE CST tasks 184 and 320 as described earlier has addressed the topics of human-rating, risk analysis including medical levels of care, and risk communication to help clarify understanding for informed consent of potential participants. A notional framework was established in terms of having a “good day, not so good day, bad day” to characterize degrees of successful flight scenarios. In addition to the cited publications resulting from this work as indicated throughout, contributions have been made to the FAA's Predecisional Human-Rating Ground Rules and Assumptions document prepared for discussion in 2012 (including associated terminology and definitions), the Draft Established Practices for Human Space Flight Occupant Safety,²⁹ and the Recommended Practices for Human Space Flight Occupant Safety.³ Ongoing work as part of current task 353 is aimed at providing suggested edits and/or additional subject areas to be included in the Recommended Practices for any future versions released, and compiling considerations for design and operational solutions that are capable of addressing the needs stated in each subject area referenced in the document's framework as a step toward identifying best practices and/or industry consensus standards. In support of these objectives, a road mapping workshop is planned (task 373) for mid-2018 to solicit input and discussion from colleagues across academia, government, and industry that will help shape future COE CST research directions in this area.

In summary, the human-rating process is used to determine those design features that are necessary to complete the desired objectives, to identify hazards to the crew along with their associated outcome severity and likelihood of occurrence, then to mitigate those risks to the extent practical, and, finally, to specify crew survival methods in the event a catastrophic failure should occur. By its nature, spaceflight is a risky venture, so regardless of the diligence pursued in designing such a complex system intended to safely operate in such an unforgiving environment, failures do and will occur. This residual risk must be communicated to participants. Ultimately, the decision to accept any degree of risk must be balanced with the commensurate reward, which, in this case, ranges from the often life-altering experience for an individual space traveler who sees the planet from this very unique vantage point, to helping advance humanity as a spacefaring species.

Footnotes

Acknowledgments

The following graduate students at the University of Colorado Boulder contributed substantially to various aspects of the work summarized here, participating at different points over a roughly 5-year period: Christine Fanchiang, Robert Ocampo, Stefan Neis, Christine Escobar (née Chamberlain), and Roger Huang.

The FAA has sponsored this project, in part, through the Center of Excellence for Commercial Space Transportation. However, the agency neither endorses nor rejects the findings of this research. The presentation of this information is in the interest of invoking technical community comments on the results and conclusions of the research.

Author Disclosure Statement

No competing financial interests exist.

References

NASA. ISS Crew Transportation and Services Requirement Document. 2012; NASA CCT-REQ-1130.

Air Force Space Command Manual, Range Safety User Requirements. AFSPCMAN 91-710V2 1 July 2004 (certified current 17 June 2013).

FAA Recommended Practices for Human Space Flight Occupant Safety. Version 1.0, TC14-003, August 27, 2014.

Blue

, Bonato

, Seaton

, Bubka

, Vardiman

, Mathers

, Castleberry

, Vanderploeg

. The effects of training on anxiety and task performance in simulated suborbital spaceflight. Aerosp Med Hum Perform. 2017; 88(7):641–50.

Vanderploeg

, Davidian

. Space travel fitness: Who is healthy enough to go? (with participants: Clark JB, Antunano MJ, Jennings RT Blue RS). New Space. 2014; 2(3):112–9.

Pattarini

, Blue

, Castleberry

, Vanderploeg

. Preflight screening techniques for centrifuge-simulated suborbital spaceflight. Aviat Space Environ Med. 2014; 85(12):1217–21.

Ocampo

, Klaus

. A review of spacecraft safety: From vostok to the international space station. New Space. 2013; 1(2):73–80.

Klaus

, Fanchiang

, Ocampo

. Perspectives on Spacecraft Human-Rating. AIAA-2012-3419.

Klaus

, Ocampo

, Fanchiang

. Spacecraft Human-Rating: Historical Overview and Implementation Considerations. IEEE Aerospace Proceedings. 2014;978-1-4799-1622-1/14, no. 2272.

10.

Neis

, Klaus

. Considerations toward defining medical ‘Levels of Care’ for commercial spaceflight. New Space. 2014; 2(4):165–77.

11.

Ocampo

, Klaus

. A quantitative framework for defining “How Safe is Safe Enough?” in crewed spacecraft. New Space. 2016; 4(2):75–82.

12.

Ocampo

, Klaus

. Challenges of Determining “Safe Enough” in Human Space Flight. October 2017; Proceedings 9th International Space Safety Conference, Toulouse, France.

13.

Ocampo

, Klaus

. Comparing the relative risk of space flight to terrestrial modes of transportation and adventure sport activities. New Space. 2016; 4(3):190–7.

14.

Bond

. A Review of Man-Rating in Past and Current Manned Space Flight Programs. May 1988; Eagle Engineering/LEMSCO; Contract No. NAS 17900; Report No. 88–193.

15.

Fanchiang

, Marquez

, Gore

, Klaus

. Survey and Assessment of Crew Performance Evaluation Methods Applicable to Human Spacecraft Design. 2015; IEEE Aerospace Proceedings. Paper No. 2077 (8.0505).

16.

Cerimele

. Guidelines for Man Rating Space Systems. 1988:NASA JSC-23211.

17.

Zupp

. (ed.) A Perspective on the Human-Rating Process of U.S. Spacecraft: Both Past and Present. 1995;NASA SP-6104.

18.

Jenkins

. Human-Rating Requirements. 1998;NASA JSC-28354.

19.

NASA. Human-Rating Requirements for Space Systems, Effective Date July 10, 2017, Expiration Date July 10, 2022; NPR 8705.2C.

20.

Klaus

. Functional Integration of Humans and Spacecraft through Physics, Physiology, Safety and Operability. 2017; IEEE Aerospace Proceedings. Paper no. 2346 (8.0505).

21.

Fanchiang

. A Quantitative Human Spacecraft Design Evaluation Model for Assessing Crew Accommodation and Utilization. University of Colorado Boulder, Doctoral Dissertation, 2017.

22.

NASA System Safety Handbook: Volume 1. System Safety Framework and Concepts for Implementation. NASA/SP-2010-580, 2011.

23.

NASA Systems Engineering Handbook. NASA SP-2007-6105, Rev 1, December 2007.

24.

Nield

, Sloan

, Council

, Dunlap

. FAA safety approvals in commercial space transportation. New Space. 2016; 4(3):133–7.

25.

Law

, Vanderploeg

. An emergency medical planning guide for commercial spaceflight events. Aviat Space Environ Med. 2012; 83(9):890–5.

26.

Grenon

, Saary

, Gray

, Vanderploeg

, Hughes-Fulford

. Can I take a space flight? Considerations for doctors. BMJ. 2012; 345:e8124.

27.

Ocampo

. Defining, Characterizing, and Establishing ‘Safe Enough’ Risk Thresholds for Human Space Flight. University of Colorado Boulder, PhD Dissertation, 2016.

28.

Operator informing space flight participant of risk. 2016; 14 C.F.R. x 460.45.

29.

FAA. Draft Established Practices for Human Space Flight Occupant Safety (7/31/2013, with rationale added 9/23/13).