You can't assure safety even while walking across the street. 1/270 is the standard, if I understood the article, because that's what Orion is supposed to have. That the CC contractors apparently haven't met that 1/270 PBRA is causing concern. But NASA has dumped truckloads of money into Orion, more than Boeing and SpaceX combined have spent on their vehicles (I wonder how the expenditures on Orion/MPCV compare to what SpaceX has spent in its entire existence as a company). It strikes me as odd to expect SpaceX and Boeing to meet a standard set by NASA's own, better-funded, safety-first vehicle. And the 1/270 is a paper standard for a vehicle that has flown once, in what was more or less a boilerplate configuration. Admittedly, the statistical tools used have come a long way from those described in Feynman's appendix to the 51-L accident investigation, but there will always be known-unknowns and unknown-unknowns, no matter how smart the people who draw up the PBRAs.I'm not foolhardy, and frequently tell my own children that life is basically one big risk-benefits analysis. Either traveling to orbit is worth assuming a 0.5-1% or so risk of death, or it isn't. It will be a long time before we demonstrate space travel as being much safer than that.
This may be a naive question, but why don't they stick some hi-def cameras around the heat shield and check for MMOD damage visually?
Quote from: su27k on 08/23/2016 02:11 pmThis may be a naive question, but why don't they stick some hi-def cameras around the heat shield and check for MMOD damage visually? A MMOD hit on the heat shield is not the only place or way damage that would cause LO(M,C,V) could occur. The pressure vessel itself is not invulnerable. And as the article noted, a hit on a coolant loop could cause LOM during the shuttle days; fuel cells caused early EOM as well a couple of times. I believe the vehicles that visit ISS will be inspected for external damage before departure (or did I imagine seeing that?) but that only helps some of the cases. And suppose you take a hit on the heat shield after you jettison the service module following the deorbit burn, when no inspection would help. Welp. Woods170 was right. The complexity of the risk analysis requires it to always be changing, and you would hope that you are able to reduce some of the risks as you gain more knowledge of your vehicle and its environment. NASA is terribly risk-averse, for understandable reasons; but at some level, the only truly 100% risk-free spaceflight is no spaceflight at all.
And suppose you take a hit on the heat shield after you jettison the service module following the deorbit burn, when no inspection would help. Welp.
1/270 is the standard, if I understood the article, because that's what Orion is supposed to have. That the CC contractors apparently haven't met that 1/270 PBRA is causing concern. But NASA has dumped truckloads of money into Orion, more than Boeing and SpaceX combined have spent on their vehicles (I wonder how the expenditures on Orion/MPCV compare to what SpaceX has spent in its entire existence as a company). It strikes me as odd to expect SpaceX and Boeing to meet a standard set by NASA's own, better-funded, safety-first vehicle.And the 1/270 is a paper standard for a vehicle that has flown once, in what was more or less a boilerplate configuration.
Quote from: jgoldader on 08/23/2016 11:32 am1/270 is the standard, if I understood the article, because that's what Orion is supposed to have. That the CC contractors apparently haven't met that 1/270 PBRA is causing concern. But NASA has dumped truckloads of money into Orion, more than Boeing and SpaceX combined have spent on their vehicles (I wonder how the expenditures on Orion/MPCV compare to what SpaceX has spent in its entire existence as a company). It strikes me as odd to expect SpaceX and Boeing to meet a standard set by NASA's own, better-funded, safety-first vehicle.And the 1/270 is a paper standard for a vehicle that has flown once, in what was more or less a boilerplate configuration.Has Orion in fact met this standard or is it "going" to meet the standard? (Not to mention the missions are so different that a comparison doesn't make sense, really).Somehow Soyuz has managed to muddle through things so far. In fact I don't think they've ever lost a Progress to MMOD. Between the two that's a lot of flights. Unless we're saying we can't build a vehicle as safe as a Soyuz I have to think this is all a little bit overblown.
Quote from: jgoldader on 08/23/2016 11:32 amAnd the 1/270 is a paper standard for a vehicle that has flown once, in what was more or less a boilerplate configuration.Has Orion in fact met this standard or is it "going" to meet the standard?
And the 1/270 is a paper standard for a vehicle that has flown once, in what was more or less a boilerplate configuration.
Quote from: abaddon on 08/23/2016 03:13 pmQuote from: jgoldader on 08/23/2016 11:32 am1/270 is the standard, if I understood the article, because that's what Orion is supposed to have. That the CC contractors apparently haven't met that 1/270 PBRA is causing concern. But NASA has dumped truckloads of money into Orion, more than Boeing and SpaceX combined have spent on their vehicles (I wonder how the expenditures on Orion/MPCV compare to what SpaceX has spent in its entire existence as a company). It strikes me as odd to expect SpaceX and Boeing to meet a standard set by NASA's own, better-funded, safety-first vehicle.And the 1/270 is a paper standard for a vehicle that has flown once, in what was more or less a boilerplate configuration.Has Orion in fact met this standard or is it "going" to meet the standard? (Not to mention the missions are so different that a comparison doesn't make sense, really).Somehow Soyuz has managed to muddle through things so far. In fact I don't think they've ever lost a Progress to MMOD. Between the two that's a lot of flights. Unless we're saying we can't build a vehicle as safe as a Soyuz I have to think this is all a little bit overblown.Let me see...After these crewed flights:Vostok 6Voskhod 2Soyuz 130Mercury 6Gemini 10Apollo 15Shuttle 135Shenzhou 5Total 304 flightsThere has been 0 losses due to MMOD. But let's add the robotic crafts:Progress 150Dragon 11TKS 9Cygnus 6ATV 5Total 181HTV 5Also zero losses due to MMOD.May be it is because no spacecraft has been in space long enough? Shuttle definitely never stayed too long. But Soyuz and Progress have stayed a lot up, but at 270 flights including short trips and failed launches, they haven't actually done 270 210-day stays. That's 155 years of orbit time, btw.
No mission has ever been lost due to MMOD. ISS and MIR both huge, neither had major accident due to MMOD. I bet you could reduce this risk to very low levels if you blocked up the windows.
And 65,000 pedestrians are hit by a car every year just in the US. It's always something, and not even hiding in bed can eliminate risk; gas furnaces and water heaters go boom, you could throw a blood clot, etc.No one gets out of life alive. Get on with it....
Quote from: docmordrid on 08/23/2016 05:09 pmAnd 65,000 pedestrians are hit by a car every year just in the US. It's always something, and not even hiding in bed can eliminate risk; gas furnaces and water heaters go boom, you could throw a blood clot, etc.No one gets out of life alive. Get on with it....That's not a very good comparison. The risk of having a lethal car accident is .01%/yr in the US. Not many civilian activities carry a 1% risk of dying.
Quote from: Hobbes-22 on 08/23/2016 06:53 pmQuote from: docmordrid on 08/23/2016 05:09 pmAnd 65,000 pedestrians are hit by a car every year just in the US. It's always something, and not even hiding in bed can eliminate risk; gas furnaces and water heaters go boom, you could throw a blood clot, etc.No one gets out of life alive. Get on with it....That's not a very good comparison. The risk of having a lethal car accident is .01%/yr in the US. Not many civilian activities carry a 1% risk of dying. Accidents of all types are 5% of US deaths.
QuoteAnd suppose you take a hit on the heat shield after you jettison the service module following the deorbit burn, when no inspection would help. Welp. And the time you are discussing is so small it will be measured in minutes. Not worth considering.
For those who don't know, the way engineers assess risk is with Risk Priority Number spreadsheets. Basically the risk is broken down into 3 parts: the possible Severity of the risk, the Frequency or Occurrence of the risk, and the ability to Detect or Prevent the risk. Each part is given a number between 1 and 10, one being the least and 10 the most. These numbers are then multiplied together, with the final number assessing the risk on a scale of 1-1000. Then risks with the highest numbers are given the highest priority for correction or reduction. We already know that the potential severity of a MMOD strike is that it could cause loss of vehicle or the crew, so that's a 10. We know that MMOD strikes occur on every spaceflight, so that's also a 10. The ability to detect MMOD strikes or prevent them from causing catastrophic failure is the key here. The Shuttle, for example, had multiple coolant loops in its radiators, so if one was damaged it could be shut down. NASA also installed additional layers of shielding over the main coolant loops to prevent or reduce damage in the event of a direct hit. However, even though the risk of damage is reduced, it still hasn't been eliminated, so it will always be higher than 1. I would say it can't be less than 5, which would be a moderate likelihood that current MMOD mitigation will prevent catastrophic damage. So based on the numbers 10, 10, and 5, the overall Risk Priority Number is 500. A high risk, and that's being generous, I'd guess that NASA has assigned an even higher risk level than this.
Quote from: Robotbeat on 08/23/2016 06:36 pmNo mission has ever been lost due to MMOD. ISS and MIR both huge, neither had major accident due to MMOD. I bet you could reduce this risk to very low levels if you blocked up the windows.You would think the skin of the ISS would show quite a record of MMOD damage after all these years in orbit.
Quote from: whitelancer64 on 08/23/2016 06:12 pmFor those who don't know, the way engineers assess risk is with Risk Priority Number spreadsheets. Basically the risk is broken down into 3 parts: the possible Severity of the risk, the Frequency or Occurrence of the risk, and the ability to Detect or Prevent the risk. Each part is given a number between 1 and 10, one being the least and 10 the most. These numbers are then multiplied together, with the final number assessing the risk on a scale of 1-1000. Then risks with the highest numbers are given the highest priority for correction or reduction. We already know that the potential severity of a MMOD strike is that it could cause loss of vehicle or the crew, so that's a 10. We know that MMOD strikes occur on every spaceflight, so that's also a 10. The ability to detect MMOD strikes or prevent them from causing catastrophic failure is the key here. The Shuttle, for example, had multiple coolant loops in its radiators, so if one was damaged it could be shut down. NASA also installed additional layers of shielding over the main coolant loops to prevent or reduce damage in the event of a direct hit. However, even though the risk of damage is reduced, it still hasn't been eliminated, so it will always be higher than 1. I would say it can't be less than 5, which would be a moderate likelihood that current MMOD mitigation will prevent catastrophic damage. So based on the numbers 10, 10, and 5, the overall Risk Priority Number is 500. A high risk, and that's being generous, I'd guess that NASA has assigned an even higher risk level than this.That's not how I was taught probabilities. In this particular case, they are worrying only about LOC. So you need to calculate P(MMOD) x P(LOC|MMOD) and minimize that. The critical part being, obviously, the second term. The way you propose overestimates risks with low LOC probabilities but high frequency.
Given that we have 50+ years of history in LEO, we should have a pretty good statistical model of the breakdown of the distribution of such events. Is this not being taken into the risk calculations?
Again, just because there haven't been catastrophic failures doesn't mean there is no risk.
The overall risk level is still high because a MMOD strike to a critical system could easily cause loss of crew or vehicle.
So if MMOD is so dangerous. How are Boeing and SpaceX expected to mitigate? Build armor against tank breaking ammunitions?
Quote from: whitelancer64 on 08/23/2016 05:34 pmAgain, just because there haven't been catastrophic failures doesn't mean there is no risk.Literally nobody is saying that. Why do you keep repeating it like someone is?QuoteThe overall risk level is still high because a MMOD strike to a critical system could easily cause loss of crew or vehicle.Actually, based on the number of LOV (zero) from MMOD damage on a rather large number of flights, this is provably wrong. Depending on your definition of "high", I guess. Certainly the risk level is high compared to flying in an airplane. Compared to the Shuttle risks not associated with MMOD I'd say they are rather low.
It seems to me that the magnitude of the strike (size*mass*delta-v*burst-quantity) needs to be taken into account. Low delta-v, low size and mass strikes are probably a lot more common then higher magnitude strikes, and are easier to defend against and mitigate. Given that we have 50+ years of history in LEO, we should have a pretty good statistical model of the breakdown of the distribution of such events. Is this not being taken into the risk calculations?
MMOD is obviously a risk. But I doubt it's greater than risks we haven't fully characterized.
Quote from: Robotbeat on 08/23/2016 09:06 pmMMOD is obviously a risk. But I doubt it's greater than risks we haven't fully characterized.Such as?
For those who don't know, the way engineers assess risk is with Risk Priority Number spreadsheets. Basically the risk is broken down into 3 parts: the possible Severity of the risk, the Frequency or Occurrence of the risk, and the ability to Detect or Prevent the risk. Each part is given a number between 1 and 10, one being the least and 10 the most. These numbers are then multiplied together, with the final number assessing the risk on a scale of 1-1000. Then risks with the highest numbers are given the highest priority for correction or reduction.
We know that MMOD strikes occur on every spaceflight, so that's also a 10.
Quote from: Hobbes-22 on 08/23/2016 06:53 pmThat's not a very good comparison. The risk of having a lethal car accident is .01%/yr in the US. Not many civilian activities carry a 1% risk of dying. Accidents of all types are 5% of US deaths.
That's not a very good comparison. The risk of having a lethal car accident is .01%/yr in the US. Not many civilian activities carry a 1% risk of dying.
In fact, all Commercial Crew vehicles are docked with their heat shields pointed fore.
Quote from: whitelancer64 on 08/23/2016 06:12 pmFor those who don't know, the way engineers assess risk is with Risk Priority Number spreadsheets. Basically the risk is broken down into 3 parts: the possible Severity of the risk, the Frequency or Occurrence of the risk, and the ability to Detect or Prevent the risk. Each part is given a number between 1 and 10, one being the least and 10 the most. These numbers are then multiplied together, with the final number assessing the risk on a scale of 1-1000. Then risks with the highest numbers are given the highest priority for correction or reduction. Wow, that method is just wrong. The range should be from 0 to 10, with any real value in between (a mathematician would have any value between 0 and 1). A way better estimate of the risk isintegral from 0 to m_max integral from 0 to v_max S(m*v²/2)*A*T*P(m,v)*D(m) dm dvwhereA = cross sectional area of spacecraftT = time in orbitm = mass of debrism_max = maximum debris massv = velocity of debrisv_max = maximum debris velocityS(E) = severity as a function of impact energyP(m,v) = mass and velocity debris probability distribution per unit area and unit timeD(m) = Detect or Prevent as a function of debris massA good engineer should be able to come up with estimates of these functions.QuoteWe know that MMOD strikes occur on every spaceflight, so that's also a 10.That would result in an over estimation of the risk. Most impacts are very small which have almost zero risk.
Let's not forget that Soyuz are docked in aft of ISS, where they are more protected than the USOS fore side. In fact, all Commercial Crew vehicles are docked with their heat shields pointed fore.
Quote from: abaddon on 08/23/2016 08:26 pmQuote from: whitelancer64 on 08/23/2016 05:34 pmAgain, just because there haven't been catastrophic failures doesn't mean there is no risk.Literally nobody is saying that. Why do you keep repeating it like someone is?QuoteThe overall risk level is still high because a MMOD strike to a critical system could easily cause loss of crew or vehicle.Actually, based on the number of LOV (zero) from MMOD damage on a rather large number of flights, this is provably wrong. Depending on your definition of "high", I guess. Certainly the risk level is high compared to flying in an airplane. Compared to the Shuttle risks not associated with MMOD I'd say they are rather low.Regrettably, that's not how statistics work. The fact that Shuttle had the failures that it had, and not MMOD, might have been by pure chance. There's not enough statistical samples in all Shuttle history to say otherwise.Challenger was a particularly bad example, because at those temperatures it was to fail. It was almost a certainty. Edward Tufte book is more than clear on that. You use statistics for things that are chance, but if you get out of the specified range, you might get into straight certainties.
You've never heard of Failure Mode and Effect Analysis (FMEA)?
So how far off are Dragon and CST-100 from the requested 1 in 270 number?
Quote from: baldusi on 08/24/2016 12:20 pmQuote from: abaddon on 08/23/2016 08:26 pmQuote from: whitelancer64 on 08/23/2016 05:34 pmAgain, just because there haven't been catastrophic failures doesn't mean there is no risk.Literally nobody is saying that. Why do you keep repeating it like someone is?QuoteThe overall risk level is still high because a MMOD strike to a critical system could easily cause loss of crew or vehicle.Actually, based on the number of LOV (zero) from MMOD damage on a rather large number of flights, this is provably wrong. Depending on your definition of "high", I guess. Certainly the risk level is high compared to flying in an airplane. Compared to the Shuttle risks not associated with MMOD I'd say they are rather low.Regrettably, that's not how statistics work. The fact that Shuttle had the failures that it had, and not MMOD, might have been by pure chance. There's not enough statistical samples in all Shuttle history to say otherwise.Challenger was a particularly bad example, because at those temperatures it was to fail. It was almost a certainty. Edward Tufte book is more than clear on that. You use statistics for things that are chance, but if you get out of the specified range, you might get into straight certainties.The statistical chance of a failure mode occurring can be very low, however, the amount of risk of that failure mode will remain the same, i.e., if a MMOD strike makes a direct hit on a critical system, then you're always going to have a bad day, even if that MMOD strike on a critical system only occurs once in a thousand spaceflights. That risk level can only be reduced by engineering solutions to reduce it. An example of this is where the Shuttle's radiator got additional MMOD shielding and that directly prevented a MMOD strike from damaging a coolant loop that would have caused a mission abort: research.jsc.nasa.gov/BiennialResearchReport/2011/265-2011-Biennial.pdf
You can't assure safety even while walking across the street. 1/270 is the standard, if I understood the article, because that's what Orion is supposed to have. That the CC contractors apparently haven't met that 1/270 PBRA is causing concern.
The key will be to refine the MMOD threat data, which is based on historical flight information and may be – due to NASA requirements – overly conservative.“The MMOD damage analysis depends on the modeling of the environment, which is in many aspects speculative and quite robust,” added the minutes (from ASAP).“There are discussions regarding gathering additional historical information to determine if the environmental model is perhaps too robust. All answers are yet to be determined.”
Quote from: whitelancer64 on 08/24/2016 03:13 pmYou've never heard of Failure Mode and Effect Analysis (FMEA)?Yes, I've heard of FMEA. If that's how its done with ranges of 1 to 10, then the method is mathematically flawed.
If NASA gets uppity about it, say the astronauts have to remain suited the whole time. That'll get approval done for the early missions, then the astronaut corp would get mad and say they don't have to wear the suits.
Quote from: Robotbeat on 08/25/2016 08:44 pmIf NASA gets uppity about it, say the astronauts have to remain suited the whole time. That'll get approval done for the early missions, then the astronaut corp would get mad and say they don't have to wear the suits.That only protects against LOC from pressure vessel penetration, other factors could also result in LOC that the suits wouldn't help.
Quote from: srtreadgold on 08/25/2016 09:46 pmQuote from: Robotbeat on 08/25/2016 08:44 pmIf NASA gets uppity about it, say the astronauts have to remain suited the whole time. That'll get approval done for the early missions, then the astronaut corp would get mad and say they don't have to wear the suits.That only protects against LOC from pressure vessel penetration, other factors could also result in LOC that the suits wouldn't help.Another major one is loss of coolant. Why did you edit out the sublimator part?pressure vessel penetration is probably the biggest one, since if that happens, there's not a lot you can do if you're not suited up. With the other things, there are options, provided you're in a somewhat stable orbit (which you will be 99.9% of the time)
Quote from: Brovane on 08/24/2016 08:38 pmSo how far off are Dragon and CST-100 from the requested 1 in 270 number? I don't think you're going to find that information publicly available.
Quote from: SWGlassPit on 08/25/2016 02:35 pmQuote from: Brovane on 08/24/2016 08:38 pmSo how far off are Dragon and CST-100 from the requested 1 in 270 number? I don't think you're going to find that information publicly available.Why wouldn't it be publicly available?
Quote from: Brovane on 08/26/2016 03:29 amQuote from: SWGlassPit on 08/25/2016 02:35 pmQuote from: Brovane on 08/24/2016 08:38 pmSo how far off are Dragon and CST-100 from the requested 1 in 270 number? I don't think you're going to find that information publicly available.Why wouldn't it be publicly available? Maybe they don't have to.
One word: Proprietary.
Quote from: Robotbeat on 08/26/2016 01:41 amQuote from: srtreadgold on 08/25/2016 09:46 pmQuote from: Robotbeat on 08/25/2016 08:44 pmIf NASA gets uppity about it, say the astronauts have to remain suited the whole time. That'll get approval done for the early missions, then the astronaut corp would get mad and say they don't have to wear the suits.That only protects against LOC from pressure vessel penetration, other factors could also result in LOC that the suits wouldn't help.Another major one is loss of coolant. Why did you edit out the sublimator part?pressure vessel penetration is probably the biggest one, since if that happens, there's not a lot you can do if you're not suited up. With the other things, there are options, provided you're in a somewhat stable orbit (which you will be 99.9% of the time)Pressure vessel penetration is probably not the biggest one. Pressure vessels tend to be well-protected. Other systems not so much. Spacecraft repair in-orbit is difficult.
This. Commercial crew and cargo are a new world. The companies involved in this aren't going to release technical information publicly unless either they are required to in their contract or they believe it will serve their interests. These aren't the Shuttle days anymore.
Quote from: srtreadgold on 08/26/2016 03:10 amQuote from: Robotbeat on 08/26/2016 01:41 amQuote from: srtreadgold on 08/25/2016 09:46 pmQuote from: Robotbeat on 08/25/2016 08:44 pmIf NASA gets uppity about it, say the astronauts have to remain suited the whole time. That'll get approval done for the early missions, then the astronaut corp would get mad and say they don't have to wear the suits.That only protects against LOC from pressure vessel penetration, other factors could also result in LOC that the suits wouldn't help.Another major one is loss of coolant. Why did you edit out the sublimator part?pressure vessel penetration is probably the biggest one, since if that happens, there's not a lot you can do if you're not suited up. With the other things, there are options, provided you're in a somewhat stable orbit (which you will be 99.9% of the time)Pressure vessel penetration is probably not the biggest one. Pressure vessels tend to be well-protected. Other systems not so much. Spacecraft repair in-orbit is difficult....right, but we're talking loss of crew, not just "oh, my spacecraft is stranded, halp."Please give actual examples not "that's probably not the biggest one."
Quote from: Robotbeat on 08/26/2016 03:01 pmQuote from: srtreadgold on 08/26/2016 03:10 amQuote from: Robotbeat on 08/26/2016 01:41 amQuote from: srtreadgold on 08/25/2016 09:46 pmQuote from: Robotbeat on 08/25/2016 08:44 pmIf NASA gets uppity about it, say the astronauts have to remain suited the whole time. That'll get approval done for the early missions, then the astronaut corp would get mad and say they don't have to wear the suits.That only protects against LOC from pressure vessel penetration, other factors could also result in LOC that the suits wouldn't help.Another major one is loss of coolant. Why did you edit out the sublimator part?pressure vessel penetration is probably the biggest one, since if that happens, there's not a lot you can do if you're not suited up. With the other things, there are options, provided you're in a somewhat stable orbit (which you will be 99.9% of the time)Pressure vessel penetration is probably not the biggest one. Pressure vessels tend to be well-protected. Other systems not so much. Spacecraft repair in-orbit is difficult....right, but we're talking loss of crew, not just "oh, my spacecraft is stranded, halp."Please give actual examples not "that's probably not the biggest one."Damage they might not know about until too late. Columbia comes to mind.
...right, but we're talking loss of crew, not just "oh, my spacecraft is stranded, halp."Please give actual examples not "that's probably not the biggest one."
Quote from: woods170 on 08/26/2016 08:24 amOne word: Proprietary.This. Commercial crew and cargo are a new world. The companies involved in this aren't going to release technical information publicly unless either they are required to in their contract or they believe it will serve their interests. These aren't the Shuttle days anymore.
Okay, so damage to the heatshield. But the heatshield is protected by the trunk. And before departure (but after undocking), Station can take pictures of the rest of the craft to see if there's a major problem.
And to take Soyuz as an example, the capsule lands ~3 hours after undocking. The odds that dozens of Soyuzes have had no life-threatening MMOD after each spent like 6 months in orbit but that a Dragon has a significant chance of getting a life-threatening hit in just 3 hours after undocking seems very small... You're talking like 1/100,000. More like 1:million because something bad enough to severely damage the capsule but remain undetected is even smaller, especially since the trunk protects the heatshield.
This is why I think the main dangers are from things we haven't fully quantified, yet. MMOD LOC not due to pressure vessel rupture or loss of coolant seems remote. But spaceflight is NOT that safe. So the danger is probably something we haven't fully quantified.
Quote from: Robotbeat on 08/26/2016 03:01 pm...right, but we're talking loss of crew, not just "oh, my spacecraft is stranded, halp."Please give actual examples not "that's probably not the biggest one."A few examples, not based on any particular specific vehicles or scenarios:Crew pressure vessel penetrations of sufficient size to prevent successful emergency countermeasures (e.g., donning of pressure suits).
Damage to heat shields that allow sufficient hot gas intrusion during reentry to result in structural failure.
Damage to propulsion systems (including thrusters, propellant tanks, valves, feedlines, and control hardware) that could result in any of the following: inability to deorbit, inability to control attitude during reentry, leakage of thruster exhaust into spacecraft structure, leakage of unreacted propellant into structure (including potential for hypergolic propellants to mix in places they really shouldnt), bursting of propellant tanks.
Damage to reentry power systems (including batteries, cables, and control equipment) that results in any number of failures, including loss of reentry control and loss of recovery systems.
Damage to spacecraft command and data handling hardware that results in loss of control or loss of recovery systems.
Damage to recovery system hardware that prevents initiation of both primary and backup recovery system deployment.
Damage to cooling systems that results in coolant being released into crew pressure vessel, creating a toxic atmosphere.
There are no doubt several others I haven't thought of for this post. Not all of these are immediately detectable. Not all of those that are detectable are correctable after the fact.
Doesn't NASA set the standards for what goes into deriving the LOC number?
Again, heat shield is protected by the trunk and damage could be spotted from Station shortly after undocking, and the odds of getting hit in the few hours between undocking and landing are ridiculously small.
Quote from: Robotbeat on 08/26/2016 04:31 pmAgain, heat shield is protected by the trunk and damage could be spotted from Station shortly after undocking, and the odds of getting hit in the few hours between undocking and landing are ridiculously small.The backshell however is not protected by the trunk/service module and is exposed in a high threat region for long periods of time before reentry, and inspection might not catch the damage.
--snip--Basically they all are detectable. They basically are all correctable (via rescue) as long as you haven't done the deorbit burn yet (in which case you have only minutes of vulnerable time), but still have lots of redundancies even then.Again, this sounds like corner-cases of corner-cases.I sincerely, SINCERELY doubt it'll be MMOD that causes the next space disaster.EDIT:You repeated a lot of the same risks in order to make it sound like a long list. That's why I repeated my responses.
Quote from: Robotbeat on 08/26/2016 04:31 pm--snip--Basically they all are detectable. They basically are all correctable (via rescue) as long as you haven't done the deorbit burn yet (in which case you have only minutes of vulnerable time), but still have lots of redundancies even then.Again, this sounds like corner-cases of corner-cases.I sincerely, SINCERELY doubt it'll be MMOD that causes the next space disaster.EDIT:You repeated a lot of the same risks in order to make it sound like a long list. That's why I repeated my responses.A few points:The base heat shield is not the only heat shield. The backshell heat shield has no protection. Zero. None.
Sufficient penetration of the backshell heat shield is absolutely a LOC event.
That this is easily detected is only your assertion and is not necessarily borne out by facts.
It depends greatly on what structure and infrastructure exists behind the strike.
Not all failures are immediately detectable. This is undisputable fact, despite your assertions to the contrary.
Nobody is saying that MMOD is the cause of the next space disaster; that is a strawman argument.
Your impression that I simply repeated redundant items belies your failure to understand what I wrote and nothing more. The only thing that I repeated was that there was a strike.
The analyses cover as many corner cases as they can, including the likelihood of loss of redundant systems.
...If you read the ASAP report that drove this article, the total mention of MMOD amounts to less than a paragraph. This thread is getting wrapped around the axle on assumptions and incomplete/outdated information. That something is the "primary" threat does not mean the threat is "large." It just means that other identified and controlled threats are "smaller".
I have to agree with Robotbeat.This is just another example of NASA's long history of failing to adequately weight the "unknown unknowns" when doing risk assessment. The risk of some other failure mode being far more likely than expected in new vehicles dwarfs the risk of MMOD. For NASA to claim otherwise just makes them look foolish.
If damage detection doesn't work one could enclose the vehicles in some shielding after docking.
Mr. Justin Kerr provided a briefing on MMOD and reviewed the current situation. The Agency has a requirement to achieve a Loss of Crew (LOC) risk of no worse than 1 in 270(1:270) for MMOD. To encourage risk mitigation, the Program has been looking at different ways to approach that. MMOD is the number one contributor to LOC risk and the primary means by which to close the gap between where the Program is and where it wants to be. The strategy that is being taken is to back off to 1:200 for the spacecraft themselves, but to require that the design and vehicle capability be the sole means to achieve that level. Any potential inspections or operational workarounds will be put aside and left for later consideration. That strategy appears to be working well. Both companies are now looking at potential changes to their vehicles to address the MMOD risks.
Regarding the MMOD issue, a decision was made to reallocate the protection for MMOD, which required the providers to focus on the vehicle. Currently, this means that operational procedures must make up the difference. The good news is that the Program has identified operational changes that can do that, but those changes are not “free.” NASA has estimated that those changes will cost the equivalent of $10 million per year until the end of ISS. That begs the question: Can we use other techniques to incentivize the contractors to go beyond the 1:200 requirement? The Program is hoping that the contractors would do that. Mr. Frost opined that he would look very carefully at trying to buy some more protection from the equipment.
At least impact events should be easily detectable through vibration sensors. Remember how much data they got from that second stage disintegration? Enough to pinpoint the source of the failure. Any detected impact with some level of energy can then trigger a closer inspection.
Quote from: guckyfan on 08/28/2016 05:40 amAt least impact events should be easily detectable through vibration sensors. Remember how much data they got from that second stage disintegration? Enough to pinpoint the source of the failure. Any detected impact with some level of energy can then trigger a closer inspection.No spacecraft to date uses this.
Dragon already contains strain gauges. Getting shot by a bullet should be detectable without 500lbs of wiring.
Quote from: SWGlassPit on 08/29/2016 02:20 pmNo spacecraft to date uses this. And we all know that SpaceX never deviates from what all others have done before them, right?Edit: sorry but I really, really dislike the argument it has never been done.
No spacecraft to date uses this.
Remember that it was said an inspection of the spacecraft for departure would reach the value of 1/270. It would mean they don't depart with that vehicle but wait for a replacement. In the unlikely event of a Space Station evacuation they could very likely still use that vehicle, just with reduced safety and redundancy.A few sensors could reduce that inspection to cases where the spacecraft has actually been hit, not just as a mandatory precaution. The inspection could be performed to find out potential damage at the time of the incident. No need to wait for the planned departure time. So a replacement vehicle could be sent early.
Are you aware that you are talking about the people who actually wrote the book on handling risk in scenarios of uncertainty?
Quote from: SWGlassPit on 08/29/2016 02:20 pmQuote from: guckyfan on 08/28/2016 05:40 amAt least impact events should be easily detectable through vibration sensors. Remember how much data they got from that second stage disintegration? Enough to pinpoint the source of the failure. Any detected impact with some level of energy can then trigger a closer inspection.No spacecraft to date uses this.Oh? What about http://research.jsc.nasa.gov/BiennialResearchReport/2009/RASS-4.pdf ?
Quote from: Robotbeat on 08/29/2016 03:28 pmDragon already contains strain gauges. Getting shot by a bullet should be detectable without 500lbs of wiring.Sure, if you hit really close to a strain gauge and do a lot of damage. Otherwise, they're useless for this....
Quote from: SWGlassPit on 08/29/2016 04:11 pmQuote from: Robotbeat on 08/29/2016 03:28 pmDragon already contains strain gauges. Getting shot by a bullet should be detectable without 500lbs of wiring.Sure, if you hit really close to a strain gauge and do a lot of damage. Otherwise, they're useless for this....If a huge MMOD hit Dragon, enough to fatally damage it, it would ring like a bell, like getting shot be a gun. You would hear it, and sound waves can be (and are) picked up by strain gauges. It may not be precise, but knowing that it happened would be useful info.
Did you read the minutes? NASA wants the requirement to be met without requiring inspection.
Quote from: Robotbeat on 08/29/2016 05:13 pmQuote from: SWGlassPit on 08/29/2016 04:11 pmQuote from: Robotbeat on 08/29/2016 03:28 pmDragon already contains strain gauges. Getting shot by a bullet should be detectable without 500lbs of wiring.Sure, if you hit really close to a strain gauge and do a lot of damage. Otherwise, they're useless for this....If a huge MMOD hit Dragon, enough to fatally damage it, it would ring like a bell, like getting shot be a gun. You would hear it, and sound waves can be (and are) picked up by strain gauges. It may not be precise, but knowing that it happened would be useful info.If a huge MMOD (hint: what does the first M stand for?)
That was used for ascent purposes and was designed [...]
your mass budget is much better spent making the vehicle itself less vulnerable to damage than it is trying to pinpoint where it did get hit.
Quote from: SWGlassPit on 08/29/2016 04:11 pmDid you read the minutes? NASA wants the requirement to be met without requiring inspection.I got that. Are you saying, NASA won't agree to inspections when they know, there is something wrong? Just insisting it is the sole problem of the contractor? Seriously?
Quote from: guckyfan on 08/29/2016 05:31 pmQuote from: SWGlassPit on 08/29/2016 04:11 pmDid you read the minutes? NASA wants the requirement to be met without requiring inspection.I got that. Are you saying, NASA won't agree to inspections when they know, there is something wrong? Just insisting it is the sole problem of the contractor? Seriously?I'm almost positive that they'll do inspections anyway. The inspections, however, can't be part of the path to meeting requirements. The vehicles have to do that by themselves.
Quote from: SWGlassPit on 08/29/2016 05:11 pmThat was used for ascent purposes and was designed [...]That's a lot of words rather than just admitting you're wrong. That doesn't mean it was perfect or even worthwhile, but a spacecraft has indeed used such a system.
Quote from: SWGlassPit on 08/29/2016 05:34 pmQuote from: guckyfan on 08/29/2016 05:31 pmQuote from: SWGlassPit on 08/29/2016 04:11 pmDid you read the minutes? NASA wants the requirement to be met without requiring inspection.I got that. Are you saying, NASA won't agree to inspections when they know, there is something wrong? Just insisting it is the sole problem of the contractor? Seriously?I'm almost positive that they'll do inspections anyway. The inspections, however, can't be part of the path to meeting requirements. The vehicles have to do that by themselves.So in other words, compound conservatism. Sounds like a good recipe to increase overall costs.
Quote from: Robotbeat on 08/29/2016 05:13 pmQuote from: SWGlassPit on 08/29/2016 04:11 pmQuote from: Robotbeat on 08/29/2016 03:28 pmDragon already contains strain gauges. Getting shot by a bullet should be detectable without 500lbs of wiring.Sure, if you hit really close to a strain gauge and do a lot of damage. Otherwise, they're useless for this....If a huge MMOD hit Dragon, enough to fatally damage it, it would ring like a bell, like getting shot be a gun. You would hear it, and sound waves can be (and are) picked up by strain gauges. It may not be precise, but knowing that it happened would be useful info.ISTR astronauts saying they could hear MMOD strikes on the ISS. That suggests non-fatal hits can be picked up by microphones. Spread a few along the main structures and triangulate to find the source, that should take far less than 500 lbs.
Then what?
Quote from: SWGlassPit on 08/29/2016 06:32 pmThen what?Look for it.
What's next after that?
Quote from: guckyfan on 08/29/2016 06:42 pmQuote from: SWGlassPit on 08/29/2016 06:32 pmThen what?Look for it.What's next after that?
So in other words, compound conservatism. Sounds like a good recipe to increase overall costs.
It's not the same system. It wasn't designed to be used to detect MMOD strikes, and -- surprise -- it didn't do a good job of doing so. No human spacecraft has flown with an MMOD strike detection system.
If that even works (signal-to-noise ratio issues abound here), what would that accomplish? You look at it and go, "yep, that's a strike." Then what?
Quote from: SWGlassPit on 08/29/2016 06:32 pmIf that even works (signal-to-noise ratio issues abound here), what would that accomplish? You look at it and go, "yep, that's a strike." Then what?If pieced into the main room duck tape a patch across the hole to stop the air escaping. Pipes can be sealed with a plaster. Broken windows can be covered.Damage to outside parts of the spacecraft may have to be repaired by a robot or EVA. Such a repair was performed to the ISS solar panels on January 30, 2007. There may be a way to glue or weld heat shield material across a hole the size of Columbia's.
Quote from: A_M_Swallow on 08/30/2016 12:53 amQuote from: SWGlassPit on 08/29/2016 06:32 pmIf that even works (signal-to-noise ratio issues abound here), what would that accomplish? You look at it and go, "yep, that's a strike." Then what?If pieced into the main room duck tape a patch across the hole to stop the air escaping. Pipes can be sealed with a plaster. Broken windows can be covered.Damage to outside parts of the spacecraft may have to be repaired by a robot or EVA. Such a repair was performed to the ISS solar panels on January 30, 2007. There may be a way to glue or weld heat shield material across a hole the size of Columbia's.More likely IMO send a replacement vehicle up and use the damaged one only in the very unlikely case of a ISS evacuation. BTW if the pressure hull is compromised it is not only quite easy to fix but will inevitably be detected.
Nothing is "quite easy to fix" in space. If the pressure shell is compromised that means there exists a hole in the back shell that would also need to be fixed. And these fixes would have to withstand reentry.
Quote from: srtreadgold on 08/30/2016 09:23 amNothing is "quite easy to fix" in space. If the pressure shell is compromised that means there exists a hole in the back shell that would also need to be fixed. And these fixes would have to withstand reentry. How do you get this idea? The backshell is very well protected by the trunk and protective coating. Anything penetrating the pressure hull will come from the side. A patch is easily applied from the inside.
The back shell is the side. You're thinking of the heat shield, which is mostly protected by the service module. The back shell also protects the vehicle from reentry gasses/temperatures.
Quote from: A_M_Swallow on 08/30/2016 12:53 amQuote from: SWGlassPit on 08/29/2016 06:32 pmIf that even works (signal-to-noise ratio issues abound here), what would that accomplish? You look at it and go, "yep, that's a strike." Then what?If pieced into the main room duck tape a patch across the hole to stop the air escaping. Pipes can be sealed with a plaster. Broken windows can be covered.Damage to outside parts of the spacecraft may have to be repaired by a robot or EVA. Such a repair was performed to the ISS solar panels on January 30, 2007. There may be a way to glue or weld heat shield material across a hole the size of Columbia's.Duct tape / plaster is not exactly what you want keeping reentry gasses/temperatures from breaching your delicate spacecraft.
A couple of thoughts--Using accelerometers to detect impacts might work above some threshold. But how to remove the non-impact twitches? (E.g., collant flowing, astronauts shifting in seats, etc.). You can't have the master alarm going off every 10 seconds.-Triangulating sounds would probably be a nasty business of modeling, because the microphones are (presumably) attached to metal, and the sound waves would be propagating through the metal structures of the spacecraft. You'd need to have some sort of acoustical model (edit: which could well be very different than the one used to analyze launch noise) and pinpointing a hit for detailed inspection might not be possible. I could easily imagine saying, "Oh, we took a hit on the aft," but saying, "It's at PICA chunk 387" or whatever sounds like too much to ask.-There was a good point made above, that just because the analysis says MMOD is the risk driving the LOCV stats doesn't mean it's that much worse than any number of others. If MMOD is 1/1500, say, there may be a whole bunch at 1/1510. We will almost surely not be told thedetailed numbers for proprietary reasons. I doubt Contractor A wants Contractor B to know their numbers and be able to snipe at them in reports and future proposals.-The two losses with which I'm most familiar, the shuttles, were from what I think of as known-knowns that turned out to be what I might describe as unknown-knowns (to coin a Rumsfeldian variant). That is, both failure modes were recognized, but inaccurately characterized to the extent that they were judged as low risks, even though that did not turn out to be the case. It seems to me that mischaracterized risk is different than a known-unknown. Does that make sense?
Distinguishing a MMOD from normal station sounds is the easiest thing ever. It will have a very short sharp attack to identify. A very simple filter will do that. Even a hammer blow will be much slower.They have devised materials to repair the Shuttle heat shield to some extent. Finding materials to mend a small hull breach will be many orders of magnitude easier. We are not talking about large ones as they will be exceedingly rare.Others have already commented on triangulation. That may be somewhat tricky but once an impact is identified as MMOD it is worth the effort.
Emphasis mine.One word: accessibility
Quote from: jgoldader on 08/30/2016 11:11 am-Triangulating sounds would probably be a nasty business of modeling, because the microphones are (presumably) attached to metal, and the sound waves would be propagating through the metal structures of the spacecraft. You'd need to have some sort of acoustical model (edit: which could well be very different than the one used to analyze launch noise) and pinpointing a hit for detailed inspection might not be possible. I could easily imagine saying, "Oh, we took a hit on the aft," but saying, "It's at PICA chunk 387" or whatever sounds like too much to ask.Triangulation.The speed of sound in aluminium is 6320 m/s.Triangulation can work by differences in volume and the delay between sensors hearing the bang. To detect down to 1 cm 0.01 m (0.39 inches) the surface would have to be sampled 2*6320/0.01 = 1,264,000 times a second.There are many off the shelf analoge-to-digital chips that will sample 8 bits a million times a second; for instance the Texas Instruments ADS7040, temperature range –40°C to 125°C, which costs less than a dollar.To detect MMOD an accuracy of 5 cm may be sufficient. Aluminium is also a (near) worst case problem since it is a very good conductor of sound. At about 355 m/s air is an order of magnitude slower.A practical system would have to handle several different types of material and filter out false alarms such as astronauts bouncing off the walls. I suspect that liquids going though pipes sounds different from the bang of something hitting the outside of a capsule.
-Triangulating sounds would probably be a nasty business of modeling, because the microphones are (presumably) attached to metal, and the sound waves would be propagating through the metal structures of the spacecraft. You'd need to have some sort of acoustical model (edit: which could well be very different than the one used to analyze launch noise) and pinpointing a hit for detailed inspection might not be possible. I could easily imagine saying, "Oh, we took a hit on the aft," but saying, "It's at PICA chunk 387" or whatever sounds like too much to ask.
Others have already commented on triangulation. That may be somewhat tricky but once an impact is identified as MMOD it is worth the effort.
And you need a system that can handle that in near-real-time.
Quote from: A_M_Swallow on 08/31/2016 04:46 amQuote from: jgoldader on 08/30/2016 11:11 am-Triangulating sounds would probably be a nasty business of modeling, because the microphones are (presumably) attached to metal, and the sound waves would be propagating through the metal structures of the spacecraft. You'd need to have some sort of acoustical model (edit: which could well be very different than the one used to analyze launch noise) and pinpointing a hit for detailed inspection might not be possible. I could easily imagine saying, "Oh, we took a hit on the aft," but saying, "It's at PICA chunk 387" or whatever sounds like too much to ask.Triangulation.The speed of sound in aluminium is 6320 m/s.Triangulation can work by differences in volume and the delay between sensors hearing the bang. To detect down to 1 cm 0.01 m (0.39 inches) the surface would have to be sampled 2*6320/0.01 = 1,264,000 times a second.There are many off the shelf analoge-to-digital chips that will sample 8 bits a million times a second; for instance the Texas Instruments ADS7040, temperature range –40°C to 125°C, which costs less than a dollar.To detect MMOD an accuracy of 5 cm may be sufficient. Aluminium is also a (near) worst case problem since it is a very good conductor of sound. At about 355 m/s air is an order of magnitude slower.A practical system would have to handle several different types of material and filter out false alarms such as astronauts bouncing off the walls. I suspect that liquids going though pipes sounds different from the bang of something hitting the outside of a capsule.I understand triangulation. But you'd probably end up with diffraction effects, reflections, etc., and the speed of sound depends on the tension in the metal, and... And you need a system that can handle that in near-real-time. Hence the spirit of my comment.
Quote from: woods170 on 08/31/2016 08:53 amEmphasis mine.One word: accessibilityA hull breach would be mended from the inside.
Major damage is rare. You don't even have to mend them. Just keep the door closed and take a different vehicle down. The issue you're trying to address here is otherwise-undetected significant damage leading to loss-of-crew.We're worried about LOC. LOM is more acceptable (provided it's still rare).
Keeping the door (hatch) closed is a mitigation for PNP (where damage to the visiting vehicle creates a hazard to ISS), not LOC/LOM.
Quote from: SWGlassPit on 08/31/2016 03:55 pmKeeping the door (hatch) closed is a mitigation for PNP (where damage to the visiting vehicle creates a hazard to ISS), not LOC/LOM.What is PNP? Is it Probability of No Penetration?http://acronyms.thefreedictionary.com/PNP