by Douglas Messier
NASA’s plan to send astronauts back to the moon continues to make steady progress but faces significant challenges in manufacturing, flight control, software and other key areas as a crucial test of an abort system looms this spring, according to a new report released on Friday.
A section of the NASA Aerospace Safety Advisory Panel’s (ASAP) Annual Report examined progress with the Space Launch System (SLS) rocket, Orion crew vehicle and Exploration Ground Systems (EGS) programs. An uncrewed flight of SLS and Orion known as Exploration Mission 1 (EM-1) is scheduled for next year.
“[SLS] Core stage manufacture and qualification tests and the ESM [European Service Module] propulsion system continue to raise issues that affect both safety and schedule,” the report said. “In addition, flight control and ground system software has been a continuing concern and risk throughout the Program and remains an element on the critical path to EM-1 and later launches.
“While progress is being made, software validation remains a considerable technical risk until completed,” the report added. “Software validation and verification is required before declaring the software operational, and it is not uncommon during this process to discover issues that need correction.”
ASAP is also concerned about Orion’s heat shield, which was significantly altered after an Orion spacecraft was launched on a flight test in December 2014. The new heat shield consists of blocks of heat-resistant materials with filler in between them. The report said the heat shield could fail if the blocks and gap filler ablate away at different rates during reentry.
The panel is concerned that NASA could launch the EM-1 flight test even if avionics box designed to collect data about the heat shield’s performance isn’t functioning properly. ASAP said such a move would compromise a key objective of the mission.
NASA’s alternative actions, which include recording the heat shield during reentry and examining it after Orion is recovered, might not be sufficient to validate the new design, ASAP said.
“This approach is driven by the desire to avoid a launch delay in order to roll back the system to the Vehicle Assembling Building for avionics box replacement,” the report stated. “While we understand the reticence to accept such a delay, neither option guarantees enough information will be gathered to provide the needed understanding of heat shield performance.”
ASAP also expressed reservations about a number of elements with the European Service Module (ESM) that will provide power and life support for the Orion capsule.
“We remain very concerned and have reservations about the ESM propulsion system’s serial propellant system design, along with several of the zero-fault-tolerant design aspects of this system,” the report stated. “We understand the rationale and constraints that drove the decision for a serial system in the initial stages of the Program.
“Several additional failures related to valve performance and integrated system behavior, in addition to the existence of the single-point failures, have only served to underscore the inadvisability of relying on a single-feed system for crewed missions to deep space for the longer term,” the document added.
NASA is planning to shift from a serial to a parallel design for the propulsion system after the third SLS/Orion mission. However, ASAP said it was concerned the space agency is reconsidering that decision.
The panel is also worried about whether Orion’s environmental control and life support systems (ECLSS) will be fully tested in time for Exploration Mission 2 (EM-2), which would be the first crewed mission.
“Although NASA has informed the Panel about ECLSS testing, which is currently scheduled in 2021, we have not seen the plan for validation of the entire integrated system,” ASAP said. “While some components of the system are being operated on the ISS for microgravity experience, this component work does not substitute for integrated system operational validation.”
ASAP said that SLS, Orion and EGS programs each has a risk management process that elevates the highest risks to NASA Headquarters for review. However, the panel questioned whether the risks are being sufficiently integrated across the three programs.
“We do not yet know enough about how these elevated risks are integrated across all three programs in order to analyze their interdependencies,” the report stated. “Risk integration—and the evaluation of those integrated risks—is a critical portion of risk management.”
As NASA deals with these technical issues, the space agency is preparing for a crucial test of Orion’s abort system, which would blast the capsule away from the SLS in the event of a booster failure. An Orion capsule with an abort motor will be launched on a small booster from Cape Canaveral this spring.
“The ASAP strongly supports this test and the decision to gather the data as early as possible,” the report said.
The relevant section of ASAP’s annual report follows.
NASA Aerospace Safety Advisory Panel
Annual Report for 2018
II. Exploration Systems Development
The Panel reviewed the Orion, the Space Launch System (SLS), and the Exploration Ground Systems (EGS) Programs at each quarterly meeting. All three Programs are progressing, but technical and managerial issues continue to be challenges and could impact schedule. Although Orion, SLS, and EGS are three separate Programs, they comprise a “system of systems.” When they are operated together as components of that system of systems, we have termed the overall operational entity the “ESD System” for convenience.
The nearest milestone critical to overall safety is the Ascent Abort-2 (AA-2) Test, scheduled for April 2019. This test will validate the crew module’s ability to safely separate during a launch abort and then subsequently maneuver the crew out of danger. The ASAP strongly supports this test and the decision to gather the data as early as possible.
The ESD Program has made significant progress in many areas. First is the continued successful execution of the full-scale structural testing. Full scale testing, where the real components are subjected to actual loads, is longer and more expensive than analytic approaches but provides more accurate data. Since the ESD system is to be NASA’s deep space transportation system for the future, this method provides the crucial data needed for both current and future structural assessments.
Other progress includes Orion initial power-on testing and successful structural qualification. The Orion Program has also successfully completed all eight of the scheduled parachute qualification tests. Finally, the European Service Module (ESM) was received in the U.S, which represents an important milestone for the ESD System as it works towards the EM-1 flight test.
However, technical challenges remain. Core stage manufacture and qualification tests and the ESM propulsion system continue to raise issues that affect both safety and schedule. In addition, flight control and ground system software has been a continuing concern and risk throughout the Program and remains an element on the critical path to EM-1 and later launches.
While progress is being made, software validation remains a considerable technical risk until completed. Software validation and verification is required before declaring the software operational, and it is not uncommon during this process to discover issues that need correction.
The continuous risk management process governs the entire safety environment. Throughout the year, the ASAP conducted a very extensive discussion of this issue. These discussions covered the identification of the top risks, their mitigation, and the adjudication by leadership. A clear, integrated risk management process—in a system development that entails three separate programs (SLS, Orion, and EGS)—is crucial for tracking and maintaining control of the ESD System overall risk.
We found that each of the key programs identifies, manages, and tracks risks in a similar fashion. The highest identified risks from each program are automatically elevated for review by NASA Headquarters. The Panel supports this chain of communication and the clear process to determine what risks are elevated and why.
However, we do not yet know enough about how these elevated risks are integrated across all three programs in order to analyze their interdependencies. Risk integration—and the evaluation of those integrated risks—is a critical portion of risk management. While we did not find any areas that were obviously being untreated, we will continue work in the upcoming year to better understand how NASA is integrating and controlling risk at the ESD System level.
In addition, the ASAP has observed that many of the risks automatically elevated to NASA Headquarters for review seem to be risks that are programmatically oriented (cost, schedule, funding) as opposed to technical risks that require engineering design or operationally targeted solutions for mitigation. While we have no doubt that the programmatic risks do indeed represent a risk to schedule progress, we feel that the technical risks can most directly affect safety.
Orion, the crewed vehicle being built to carry humans beyond LEO, continues to be a prime focus area for the ASAP. In addition, Orion has also emerged as a key element of the lunar Gateway. Gateway is being proposed to implement the directive issued by the Administration and National Space Council to establish operations in the Moon’s vicinity and facilitate ground or surface operations. Gateway is conceived as a near- and short-term, crew-tended platform, which may be human rated only when the Orion is docked. This plan further highlights the importance of establishing strong reliability, survivability, and safety systems on the Orion capsule.
During this year, the ASAP continued to review several areas of concern in the Orion Program. Overall, the ESD System was designed to methodically collect data and expand operational experience to build confidence in the integrated space system. Large scale integrated system tests, including the flight tests, were designed to ensure that important data and knowledge required to properly mitigate safety risk would be obtained before sending humans beyond LEO.
In carrying out this approach, Exploration Flight Test-1 returned data that resulted in a completely different approach to the design and manufacture of the capsule heat shield. This new system relies on blocks of heat resistant material, joined to a backing with the inter-block spaces filled with a gap-filling compound. The new system has a potential failure mode that involves the differential ablation rate between the block material and the gap filler which could lead to heat shield failure.
Fully understanding this failure mode can only be achieved through full-scale flight test, because no ground facility can generate the extreme environmental conditions over a large enough area to fully validate the shield’s integrity. The acquisition of critical heat shield thermal performance data is required to ensure crew safety, and only flight test can obtain this data.
Despite this, ASAP has now learned that recent decisions about launch commit criteria could result in a situation where the EM-1 flight test could occur without the ability to obtain this data. This could be caused by the lack of a properly functioning avionics box that collects and stores the data from the heat shield instrumentation.
Without this critical data collection, one of the main objectives of the flight test could be compromised. If the avionics box fails, the back-up plan for heat shield verification is to visually examine the EM-1 heat shield for damage and/or potentially deploy an airborne asset during the re-entry phase to attempt to acquire infrared imagery of the Orion capsule as it returns to Earth.
This approach is driven by the desire to avoid a launch delay in order to roll back the system to the Vehicle Assembling Building for avionics box replacement. While we understand the reticence to accept such a delay, neither option guarantees enough information will be gathered to provide the needed understanding of heat shield performance.
The ASAP position is that NASA should aggressively research alternate means to collect the data onboard if the avionics box fails. Redefining flight test scope and requirements as important as these must only be done after an exhaustive search for alternatives and with a thorough understanding of the change in risk posture for subsequent human flights.
C. European Service Module
In the past, the ASAP has voiced concerns with several aspects of the ESM propulsion system. The Orion Program has been systematically evaluating and addressing these areas of concern over the last year. The amount of work involved in analyzing the system at a very detailed level to understand the flow paths, physics, and system behavior is very impressive. In many cases, the program has—through engineering analysis—achieved a greater understanding of the system that allowed it to retire risk, increase hardware inspections to understand reliability, or make modifications to increase performance. The Panel applauds these actions and feels comfortable with many of the resolutions.
However, we remain very concerned and have reservations about the ESM propulsion system’s serial propellant system design, along with several of the zero-fault-tolerant design aspects of this system. We understand the rationale and constraints that drove the decision for a serial system in the initial stages of the Program.
Several additional failures related to valve performance and integrated system behavior, in addition to the existence of the single-point failures, have only served to underscore the inadvisability of relying on a single-feed system for crewed missions to deep space for the longer term.
Our understanding—documented by a Program Manager memorandum—had been that the Program would move to a parallel system after the first three flights. However, during our fourth quarterly meeting, we received information that the Program may be reconsidering this approach. At this point, it is not clear to the Panel that the Program has developed a thorough understanding of the risk posture, reliability, and crew survivability with the current serial approach. The remaining single-point failures represent significant residual risk to the crew. The Panel sees no compelling reason to alter the initial documented approach that implements a parallel system at EM-3 and beyond.
D. Launch Preparations for Exploration Mission (EM)-1 and EM-2
The Environmental Control and Life Support System (ECLSS) is a principal EM-2 element that needs completion and qualification. The ASAP continues to be concerned about whether this system will be fully tested, qualified, and ready to support the crew launch for EM-2.
Although NASA has informed the Panel about ECLSS testing, which is currently scheduled in 2021, we have not seen the plan for validation of the entire integrated system. While some components of the system are being operated on the ISS for microgravity experience, this component work does not substitute for integrated system operational validation. We will continue to seek and request information on this plan in the upcoming year.
Similar to the Panel’s Recommendation (2018-04-01) on CCP, we feel that the Program should clearly identify which systems or components must absolutely be present on EM-1 for them to be considered qualified for operation on EM-2. Crew risk mitigation on EM-2 depends on the flight demonstration of some elements of various systems. It is our position that those components, parts, or systems need to be directly identified by the Program and those essential elements be incorporated before the EM-1 flight is launched.