NASA balancing the risk matrix

by Chris Bergin

Flying with risk is hardly anything new for any space vehicle, not to mention the Space Shuttle. Assessing such risk was highlighted during the weekend’s FRR (Flight Readiness Review) in which the “risk matrix” played a major role.

Shuttle managers have decided to press ahead with the July launch of Shuttle Discovery, despite misgivings from some areas of the NASA community, including documented protests at the “probable/catastrophic” evaluation, an evaluation which is technically a “no go” for launch.

Information collated from several PRCB and SICB documents, all documents on L2.

The main focus of the evaluations once again centered on the balance between modifying the External Tank to reduce foam loss – and the level of modifications carried out before the flight of STS-121. Shuttle manager Wayne Hale has previously stated the need to stage the modifications with the backing of the subsequent flight data.

The risk matrix, three columns across based on ‘Severity’ and four rows high based on ‘Likelihood’, is defined as follows:

Severity level is an assessment of the most severe effects of a hazard:

‘Catastrophic: Hazard could result in a mishap causing fatal injury to personnel and/or loss of one or more major elements of the flight vehicle or ground facility.

‘Critical: Hazard could result in serious injury to personnel and/or damage to flight or ground equipment which would cause mission abort or a significant program delay.

‘Marginal: Hazard could result in a mishap of minor nature inflicting first-aid injury to personnel and/or damage to flight or ground equipment which can be tolerated without abort or repaired without significant program delay.’

Likelihood of occurrence is completed for each cause by assessing the controls that are in place and documenting them as probable, infrequent, remote, or improbable:

‘Probable: Expected to happen in the life of the program.

‘Infrequent: Could happen in the life of the program. Controls have significant limitations or uncertainties.

‘Remote: Could happen in the life of the program, but not expected. Controls have minor limitations or uncertainties.

‘Improbable: Extremely remote possibility that it will happen in the life of the program. Strong controls in place.’

The ‘probable/catastrophic’ evaluation is the worst rating on the risk matrix, yet this isn’t consistent with the documentation that followed through from last week’s PRCB meeting to the FRR. The full list of risks averaged ‘remote or infrequent/catastrophic’ ratings – as the ‘likelihood rationale’ in the External Tank Accepted Risk Hazard Analysis Report, with each of the 16 areas discussed having a ‘Severity Rationale: The worst case effect for this cause is catastrophic loss of life and/or vehicle.’

The key areas concentrated on the potential of foam liberation from the ice/frost ramps – which have been modified, but not to the extent wished for by some sections of the engineering community, most notably MSFC (Marshall Space Flight Center), who classed the tank as ‘unacceptable for flight’ after their call for further reductions and reshapes of the foam from the ice/frost ramps was rejected. Other areas looked at the ability of an on-orbit repair of any damage incurred on ascent.

Another NASA document noted the ‘probable/catastrophic’ classification deemed the risk to be unacceptable for flight, while highlighting which departments of the Shuttle program disagreed with each other within NASA’s System Integration Control Board (SICB).

‘SICB Chairman (SE&I) recommended approval of IHR IDBR-01, including classification of IFR Body and IFR Acreage debris risks as Infrequent Catastrophic. After listening to SICB discussion, SICB Chair’s decision was based on interpretation of IFR guidelines for risk classification. Probable Catastrophic (red)-LOCV (loss of vehicle and crew) expected in life of Program. Risk unacceptable for flight (paraphrased). Infrequent Catastrophic (yellow)-LOCV could occur in life of Program. Risk accepted for flight (paraphrased).

‘The following SICB members concurred with this decision: Aerospace Corp, MOD, FCOD, USA, MK-SIO, KSC-PH, NA (MX non-concurs). The following members abstained from the polling: SRB, SSME, MSFC S&MA. The following members non-concurred: JSC Engineering, PSE&I, ET (incomplete review of IDBR-01). The following regular members were not present for polling: MSFC Engineering, RSRM, KSC technical authority.’

In what appears to be rationale for the risk to be classed as Probable/Catastrophic, the document noted the reasons for drawing such a conclusion.

‘Engineering Analysis/Engineering Division (EA) does not concur with describing the debris risk from Ice Frost Ramps as Infrequent/Catastrophic. For the following reasons EA considers the risk Probable/Catastrophic:

‘The risk assessment mass of 0.08lbm is several times larger than the orbiter tile impact and damage capability. Ground testing, ET-120 dissection, and stress analyses have all confirmed the constant, repeatable occurrence of the failure mechanism. Flight history confirms that releases occur every flight and includes masses up to and exceeding the risk assessment mass.

‘The release mechanism is not well understood which means time of release cannot be assured. There are no controls in place since the failure is a design flaw. Risk Assessment indices indicate a high probability (~ 1/100) of exceeding tile capability which depends on repair capability to not be catastrophic.’

As noted by NASA administrator Mike Griffin at the weekend, NASA would not be willing to fly STS-121 if there was such a level of risk as intimated by the risk matrix. The documents appear to point towards a need to find the correct classification of flying a shuttle with modifications which are yet to be tested in a full flight scenario.

Only a flight will allow managers to re-evaluate the next steps in finding the balance between improving safety and carrying out modifications that lack flight data.
