Introduction

Space safety includes the protection of human life, the safeguard of critical and/or high-value space systems and infrastructures, as well as the protection of Earth, orbital, and planetary environments.

Space safety is necessary for the sustainable development of space activities, and it covers the many diverse areas discussed in this chapter. Space safety can be defined as freedom from, or mitigation of, harmful human or natural conditions. These conditions can cause death, injury, illness, damage to or loss of systems, facilities, equipment or property, or damage to the environment. The term “safety” refers to threats that are nonvoluntary in nature (design errors, malfunctions, human errors, natural hazards, etc.), while “security” refers to threats which are voluntary (i.e., of an aggressive nature, such as the use of anti-satellite weapons). In some languages a single term is used for both, which may sometimes lead to confusion. The fields of space safety are shown in Fig. 1, together with the relevant scope of interest (national, international, or global) and the preferred process used for risk mitigation, either risk-based design or operational hazard controls, although a mixture of the two is generally used.

Fig. 1 Space safety fields – Credit: IAASS (International Association for the Advancement of Space Safety)

Space safety can refer to human crew and passengers, personnel directly involved in system integration and operation, personnel not directly involved but co-located, as well as the general public – whether on land, the oceans, or aloft. In the case of unmanned systems such as robotic satellites or high altitude platforms, etc., space safety refers also to (non-malicious) external causes that lead to degradation or loss of mission objectives. For example, it could include such matters as the collision between two operational satellites, or the collision of an operational satellite with space debris.

Absolute freedom from harmful conditions (i.e., absolute safety) is impossible to achieve. To be absolutely safe, a system, product, device, material, or environment should never cause or have the potential to cause an accident. In the realization and operation of systems, the term safety is generally used to mean acceptable, or mitigated, risk levels, not absolute safety. The increasing level of activity in the stratosphere, subspace, or what is sometimes called the proto-zone (i.e., 21–160 km), will increasingly be treated as an area of concern for space safety as well.

Acceptable risk level is not the same as personal acceptance of risk; it refers to risk acceptability by the stakeholders’ community or by society in a broad sense. Acceptable risk levels vary from system to system and evolve with the passing of time due to socioeconomic changes and technological advancement. Implementing proven best practices at the state of the art is a prerequisite for achieving an acceptable risk level, or in other words for making a system “safe” or “safer.” Safety best practices are usually established by government regulations and norms, or by industrial standards, and enforced through authoritative organizations (e.g., government bodies or delegated independent organizations). Without enforced regulations, norms, or standards, the term safety (i.e., acceptable risk) becomes meaningless. In other words, compliance with regulations, norms, and standards represents the safety yardstick of a system.

Firstly, the chapter introduces the many facets of safety and discusses acceptable safety levels. Then, we address the risks inherent to each flight phase, from launch to on-orbit and reentry safety risks. Finally, human spaceflight safety considerations are described.

The Many Facets of Space Safety

A total of 23 astronauts and cosmonauts have lost their lives since the beginning of human spaceflight. The count includes four casualties on the ground during training and the most recent casualty during a flight test, that of Michael Alsbury. Alsbury died on October 31, 2014, in the crash of the suborbital Virgin Galactic SpaceShipTwo “Enterprise.” The first casualty on the ground was the Soviet cosmonaut trainee Valentin Bondarenko, who died in a pressure chamber fire during training in March 1961. A few years later, three American astronauts were killed by a fire during training inside an Apollo capsule. There have been in total three accidents during reentry: Soyuz 1 in April 1967, Soyuz 11 in June 1971, and Shuttle Columbia in February 2003. In the latter case, in addition to the loss of the crew, the public on the ground and passengers travelling by air were subjected to an unprecedented level of risk due to the path of falling debris across the continental USA, with a projected 1% chance that a fatal collision with an aircraft would occur (Helton-Ingram et al. 2005).

Although a rare occurrence, space accidents are not perceived by the public simply as the result of random or unfortunate circumstances, but as the dramatic demonstration that human spaceflight programs and the entire organizations behind them have failed their core mission. The risk of loss of life in human spaceflight is currently around 1 in 100 flights! This is enormous compared with the accident rate in commercial aviation, which is around 1 in 10 million flights in the USA. Although high in percentage terms, the loss of life in human spaceflight is still very low in absolute terms due to the low number of flights per year. Nevertheless, the entire human spaceflight program is put in question following an accident. The reason is that the ultimate purpose of the program is the achievement of safe (and routine) physical human access to space. An accident makes clear to the public (and to political representatives) that such an objective is far from being achieved. Furthermore, there is no sign of a convincing effort by the cost-conscious emerging commercial human spaceflight industry to learn the lessons from 60 years of government programs. They seem to prefer pursuing the development of obsolete rule-based consensus standards based on future data instead of modern techniques of risk-based design based on proven performance requirements.

Improving the safety culture of the companies, building robust safety organizations, and promoting safety education and research are paramount to maintaining and expanding public support for human spaceflight.

Space safety is not only about astronaut safety. Unmanned space access has become increasingly important to the great majority of countries worldwide. Upon achieving the status of a spacefaring nation, however, a key responsibility that follows is to establish the technology and processes to protect (national and foreign) life and property against the consequences of malfunctioning rockets and reentering space systems (e.g., satellites, rocket upper stages). Safety risk in space missions also includes general public safety (on the ground, in the air, and at sea) and the safety of launch site personnel. Space safety in a wider sense also encompasses the safeguarding of strategic and costly systems on orbit (i.e., satellites, the International Space Station, and global utilities), valuable facilities on the ground (e.g., launch pads), as well as the protection of orbital space and of the Earth environment.

Acceptable Safety Level

The safety level achieved by a system can be objectively determined from data; however, defining an acceptable level of safety is not a simple job. The definition of an acceptable safety level is based not only on technical state-of-the-art considerations but also on a number of nontechnical factors such as cultural, economic, market, or political assessments. For this reason, the safety acceptability level in any field, from drinking water to toys or nuclear power plants, is generally established by national regulations. These may differ from country to country and also evolve with time and public expectation. When international commerce is involved, such rules necessarily need to be harmonized. An example is the international safety standards for air navigation issued by the International Civil Aviation Organization (ICAO), which represent one of the most clear-cut successes in the field of international safety cooperation.

Given that there is no such thing as “absolute safety” and that the “acceptable risk” is usually a critical balance of industrial interests and public rights, the lack of national or international regulations, as is currently the case in the USA for the commercial human spaceflight industry, represents a business survival risk beyond the legal protection afforded by the “informed consent” approach. That is to say, without a government-defined safety standard (i.e., an acceptable level of safety), an operator would have a hard time defending the vehicle’s actual risk level after an accident. Indeed, following a fatal accident, it seems likely that the operator’s fleet would be grounded and perhaps made obsolete by newly issued (and likely strict) standards in the emotional wake of the accident. We can say that obtaining a certification of compliance with safety regulations serves the interests of the customer but at the same time also protects industry from (unbounded) tort liability by implicitly or explicitly defining the acceptable risk level at the current state of the art.

For instance, in 2008, the US Supreme Court ruled in favor of a manufacturer of a balloon catheter that burst and severely injured a patient during an angioplasty. The Court wrote that the Food and Drug Administration (FDA) spent an average of 1,200 h reviewing each device application and granted approval only if it found there was a “reasonable assurance” of its “safety and effectiveness.” The manufacturer argued that the device design and manufacturing had been in accordance with FDA regulations and that the FDA, not the courts, was the right forum for imposing requirements on cutting-edge medical devices, arguing that “nothing is perfectly safe.”

Safety Standards and Compliance Verification

In the safety field, it is an axiom that safety rules and compliance verification are under a single authority. There is no industry in which this principle is not applied. Usually such a single authority is vested in a dedicated government organization (e.g., the Federal Aviation Administration (FAA) in the USA or the European Aviation Safety Agency (EASA) in Europe). The rapid advancement of technologies, however, poses the problem of staying abreast of technical advances. Government agencies have difficulty in keeping up with the pace of accelerating technical and scientific knowledge. One concept that is taking hold is the establishment of intermediate organizations, funded and supported by industry, i.e., so-called safety institutes, which are being tasked to develop and maintain safety standards and to verify compliance. However, care must be exercised to prevent such “self-controlling” safety-standards processes from becoming ineffective or unduly influenced by industry interests under the pressure of economic interests.

The Presidential Commission that investigated the Deepwater Horizon oil drilling platform disaster in the Gulf of Mexico and reported in 2011 clearly made the point about what a safety institute should be, and how to ensure that it can effectively contribute to the continuous improvement of safety for the benefit of industry and society. The Commission identified in particular three elements: (1) commitment of company CEOs; (2) involvement and cooperation among the best technical experts from industry (on the basis of the principle that “safety is not proprietary”); and (3) distancing these institutes from industrial advocacy/lobbyist organizations. In this respect, the Commission noted that an organization that works as the industry’s principal lobbyist and public policy advocate cannot serve as a reliable standard-setter, because it would regularly resist anything that could make industry operations potentially more costly. Such an organization would fail to reflect “best industry practices” and would express instead the “lowest common denominator.” “In other words, a standard that almost all operators could readily achieve.”

As we will see later, the risks related to space activities (e.g., launch and reentry) are often international in nature; however, currently there are no international regulations but only a few national regulations, which are often scattered among different government agencies and organizations or not applied in a uniform manner by key players. To explore the different facets of space safety, the next sections will discuss the safety risks associated with the different flight phases, from launch to on-orbit safety (e.g., space debris-related hazards) and reentry. Then, the risks inherent to human spaceflight will be introduced, for both orbital and suborbital flights.

Launch Safety

Launch Site Ground Safety Risk

On August 22, 2003, at 13:30 h (local time), a massive explosion destroyed a Brazilian Space Agency VLS-1 rocket as it stood on its launch pad at the Alcantara Launching Center in northern Brazil. Twenty-one technicians close to the launch pad died when one of the rocket’s four first-stage motors ignited accidentally. The investigation report established that an electrical flaw triggered one of the four solid fuel motors while it was undergoing final launch preparations. The report said that certain decisions made by managers long before the accident occurred led to a breakdown in safety procedures, routine maintenance, and training. In particular, the investigation committee observed a lack of formal, detailed risk management procedures, especially in the conduct of operations involving preparations for launch. As of today, nearly 200 people have been killed on the ground by rocket explosions during processing, launch preparations, and launch. In the last 10 years, there have also been at least six launches terminated by an explosion commanded by the launch range safety officer to prevent risk to the public. There have also been several more cases of launchers that did not make it to orbit, exploded on the pad, or came back prematurely to Earth in an uncontrolled fashion.

The main ground hazards during launch are explosive, toxic, or radioactive hazards. Explosive hazards (overpressure and fragments thrown by an explosion) are an important component in the launch area. Toxic hazards from the rocket’s exhaust products and meteorological conditions are often an additional consideration in defining so-called exclusion areas. Additional sections of the launch complex may be restricted to protect against the kinetic energy of inert debris (i.e., spent stages) or radiation from radars and other support instrumentation. During preparation for launch, a very common issue that the ground processing safety community encounters is a lack of recognition of the need for detailed ground safety documentation and rigorous technical safety reviews. Many hardware and mission designers assume that if the hardware is safe to fly, it will also be safe during ground processing. Some also assume that the industrial safety processes used during development and manufacture are sufficient for use at the launch and landing sites.

When an exclusion area is defined, each country has its own procedures for communicating the boundaries of the area. On land, this is commonly done through posted signs and guards. Formal notices are frequently used to communicate with operators of ships and aircraft. However, the degree of compliance varies with location and time. When the exclusion area is near the launch complex, ranges frequently employ different forms of surveillance to determine whether any vessels have intruded into the hazardous area. When intruders can be identified, the ranges may request them to depart, passively wait for their departure, or proceed with the launch, based on the decision that the risk to the vessel is sufficiently small.

Nowadays, international commercial spaceports are proliferating, and there is a growing need to protect equally and uniformly, worldwide, both local personnel and the foreign teams that participate in launch campaigns. When in October 2002 a Russian Soyuz exploded at launch, killing a young Russian soldier who was watching the launch from the first floor of a building, it was by pure luck that no one in the large international support team on site, which was watching the launch from a closer location, was injured.

Launch Flight Safety Risk

Knowledge of best practices and techniques in launch safety and risk assessment is not widespread and may vary greatly from country to country. Furthermore, during launch a country may currently impose risks on the population of a foreign country; even if that risk is equal to the one accepted for its own population, it is a unilateral decision and not the outcome of consultation. Space treaties define liabilities, but they neither define nor require uniform risk assessment and management methods and standards.

The way to achieve public protection from launch activities is by isolating the hazardous condition from the populations at risk. When this is not feasible, launch vehicle performance and health are monitored for automatic or manual flight termination. Flight termination strategies are meant to limit rocket excursions from the planned trajectory. The residual risk is evaluated with reference to where people may be at risk from debris generated by flight termination.

Identification of high-hazard areas may range from simplistic rules of thumb to sophisticated analyses. When simple rules are applied, they commonly specify a hazard radius about a launch point and planned impact points for stages, connected by some simple corridor. More sophisticated analyses attempt to identify credible rocket malfunctions, model the resulting trajectories, and determine the conditions that will result in debris such as exceeding the structural capacity of the rocket or a flight termination action by a range safety officer. These analyses typically include failure analyses to identify how a launch vehicle will respond under various failure scenarios. This will include failure response analyses to define the types of malfunction trajectories the vehicle will fly. The vehicle loads are assessed along the malfunction trajectory to determine whether structural limits will be exceeded. Vehicle position and velocity may be compared against abort criteria to assess whether the vehicle should be allowed to continue flight, terminate thrust, or be destroyed. Debris-generating events then become the basis for assessing the flux of debris falling through the atmosphere and the impact probability densities. The debris involved may be screened by size, impact kinetic energy, or other criteria to assess which fragments pose a threat to unsheltered people, people inside various types of buildings, people on ships, and people in aircraft. The resulting debris impact zones are then commonly used as part of the basis for defining exclusion areas.

Although full hazard containment is considered to be the preferred protection policy, it is not always possible. The next line of protection after defining exclusion areas is real-time tracking and control of the rockets. Range safety systems are used for this purpose. They include a means of tracking a launch vehicle’s position and velocity (tracking system) and a means of terminating the flight of a malfunctioning vehicle (flight termination system).

Flight termination criteria are customarily designed based on the capability of the range safety system to limit the risk from a malfunctioning launch vehicle. Frequently, ranges assume that they can reliably detect a malfunctioning launch vehicle and terminate its flight whenever good quality tracking data is available. This assumption is based on high-reliability designs customarily used for range safety systems. At present, however, there are no international design standards for range safety systems. Moreover, efforts to assure that the design standard does, in fact, achieve the intended reliability levels are rare.

The final tiers of protection are risk analysis and risk management. Residual risks from the launch are quantified and assessed to determine if they are acceptable. This step involves an extension of the model outlined above for assessing hazardous areas. It is common to perform these protection steps in an iterative manner, using the results of each step to adjust the approach to the others until the desired level of safety is achieved with acceptable impacts on the proposed launch. The current practice is to assess risks for each launch and to approve the launch only when risk levels are acceptable. Unlike most other activities, annual risk levels are addressed by exception.

A proper risk analysis addresses the credible risks from all launch-related hazards. These may include inert debris, firebrands, overpressure from exploding fragments, and toxic substances generated by normal combustion as well as toxic releases from malfunctions. When assessing launch risks, as for reentry, it is important to account for all exposed populations: people on land, people in boats, and people in aircraft. Proper consideration must be given to the effect of sheltering (i.e., type of construction and materials of houses and buildings) on the risks. It is often assumed that neglecting sheltering will overstate the risk. When sheltering is adequate to preclude fragment penetration, this assumption is valid. When fragments are capable of penetrating a structure, debris from the structure increases the threat to its occupants. As launch vehicles proceed downrange, they typically leave the territorial domain of the launching country and begin to overfly international waters and the territory of other countries.

Tolerable risks for a launch are commonly expressed in terms of a collective or societal risk level and risk to the maximally exposed individual (individual risk). Collective risk is commonly expressed as the number of individuals statistically expected to be exposed to a specified injury level. Individual risk is commonly expressed as the probability that the maximally exposed individual will suffer the specified injury level. The two most commonly used levels of injury are fatality and serious injury. When it is difficult to quantify risk directly, impact probability for specified classes of debris is often used as a proxy measure. Thus, for example, it is customary to protect people on ships or people on airplanes by creating exclusion zones based on impact probabilities.
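The risk measures defined above, worked through as a constructed illustration added here (not from the chapter or any range's actual tooling): collective risk E_c, risk to the maximally exposed individual, the impact-probability proxy for ships and aircraft, and the sheltering caveat from the previous paragraph, with one iteration of the adjust-and-reassess loop. Every population figure, impact probability, casualty factor and limit below is an assumption made for the example.

```python
"""Launch risk screen: collective risk (E_c), maximum individual risk, and the
impact-probability proxy used for ships and aircraft.

Added illustration, not taken from the chapter. All population figures, impact
probabilities, casualty factors and limits are constructed for the example.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ExposedGroup:
    name: str
    people: int        # persons present during the launch window
    p_impact: float    # P(hazardous debris reaches this group's area) per launch, constructed
    category: str      # "open", "light", "hard" (land, by sheltering) or "ship", "aircraft"


# P(fatality or serious injury | hazardous fragment impact), by sheltering class.
# Constructed values. "light" is deliberately higher than "open": when fragments
# can penetrate a structure, debris from the structure itself adds to the threat,
# so neglecting sheltering does not always overstate the risk.
P_CASUALTY_GIVEN_IMPACT = {"open": 0.10, "light": 0.15, "hard": 0.01}

# For ships and aircraft, casualty risk is hard to quantify directly, so impact
# probability on the vessel's area is used as a proxy measure with its own limit.
IMPACT_PROBABILITY_LIMIT = {"ship": 1e-5, "aircraft": 1e-6}   # constructed


def individual_risk(group):
    """Probability that one person in a land group suffers the specified injury."""
    return group.p_impact * P_CASUALTY_GIVEN_IMPACT[group.category]


def collective_risk(groups):
    """E_c = sum over land groups of N_i * P_i(impact) * P(casualty | impact, shelter_i)."""
    return sum(g.people * individual_risk(g)
               for g in groups if g.category in P_CASUALTY_GIVEN_IMPACT)


def max_individual_risk(groups):
    """Risk to the maximally exposed individual among the land groups."""
    return max((individual_risk(g) for g in groups
                if g.category in P_CASUALTY_GIVEN_IMPACT), default=0.0)


def proxy_exceedances(groups):
    """Names of ships/aircraft whose impact probability exceeds the proxy limit."""
    return [g.name for g in groups
            if g.category in IMPACT_PROBABILITY_LIMIT
            and g.p_impact > IMPACT_PROBABILITY_LIMIT[g.category]]


def assess_launch(groups, ec_limit, ir_limit):
    """Return (acceptable, findings). The launch is approved only if E_c, the
    maximum individual risk and every proxy measure are within their limits."""
    findings = []
    ec, ir = collective_risk(groups), max_individual_risk(groups)
    if ec > ec_limit:
        findings.append(f"collective risk {ec:.2e} exceeds limit {ec_limit:.0e}")
    if ir > ir_limit:
        findings.append(f"individual risk {ir:.2e} exceeds limit {ir_limit:.0e}")
    findings += [f"impact probability on {name} exceeds proxy limit"
                 for name in proxy_exceedances(groups)]
    return not findings, findings


def with_vessel_cleared(groups):
    """Scenario after the vessel has been warned and has left the exclusion area."""
    return [g for g in groups if g.category != "ship"]


def with_trajectory_adjusted(groups, factor):
    """Scenario after a trajectory change scales debris impact probability over
    land groups by `factor` (one step of the iterative adjustment described above)."""
    return [replace(g, p_impact=g.p_impact * factor)
            if g.category in P_CASUALTY_GIVEN_IMPACT else g for g in groups]


# Constructed scenario: a coastal town under the early flight path, a hardened
# industrial site, one vessel in the downrange impact zone and one airway.
SCENARIO = [
    ExposedGroup("town, people outdoors", 2000, 2e-7, "open"),
    ExposedGroup("town, light dwellings", 5000, 2e-7, "light"),
    ExposedGroup("industrial site, reinforced", 300, 1e-6, "hard"),
    ExposedGroup("fishing vessel in downrange zone", 8, 2e-5, "ship"),
    ExposedGroup("airliner on published route", 200, 5e-7, "aircraft"),
]
EC_LIMIT, IR_LIMIT = 1e-4, 1e-6   # constructed per-launch acceptability limits


if __name__ == "__main__":
    ok, why = assess_launch(SCENARIO, EC_LIMIT, IR_LIMIT)
    print("go" if ok else "no-go", why)
    revised = with_trajectory_adjusted(with_vessel_cleared(SCENARIO), 0.5)
    ok, why = assess_launch(revised, EC_LIMIT, IR_LIMIT)
    print("go" if ok else "no-go", why)
```

The first assessment fails on two counts (collective risk and the vessel's proxy limit) even though no individual exceeds the individual-risk limit; clearing the vessel alone would not be enough, and only the combined trajectory adjustment brings E_c under the limit.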

Outside of the immediate launch area, surveillance is more difficult and more costly. Consequently, most ranges use surveillance very selectively outside of the immediate launch area, typically restricting surveillance to planned impact areas for spent stages and other planned jettisons. As a result, publishing exclusion areas at these distances is much less effective. More efficient tools for surveying these remote locations and communicating with intruders would enhance the effectiveness of protecting ships and aircraft in these areas.

Launch Risk for Maritime and Air Transportation

Controlling risks to seafaring vessels from space launch activities is most successful when mariners are notified about hazard areas and when the responsible launching agency surveys the potentially affected areas to detect intruders and to warn them to leave the exclusion area. Following a mishap, communication with these vessels to proceed at maximum speed in a prescribed direction to minimize impact probability is essential to control undue risks. Currently, costs and technology limit surveillance and communication to locations near land.

For launch preparations, the management of airspace must also consider aircraft traffic. At present, there are limited capabilities for addressing this issue. The Federal Aviation Administration (FAA) has begun an initiative to address these concerns for US operations. It should be noted that the current practice is for each launch range to manage risks on a mission-by-mission basis through Launch Collision Avoidance (LCOLA) processes. Minimal attention is paid to annual risks generated by the range’s launch operations. There is no agency – national or international – that monitors and controls risk posed to overflown populations. A city may be placed at risk by launches from multiple launch sites without the performance by involved launching nations of any coordinated assessment to assure that the risk levels are acceptable.

Citizens of all countries should be equally protected from the risk posed by overflight by launch vehicles and returning spacecraft. The common practice is to make these determinations on a launch-by-launch basis with no consideration of previous, planned, or future launches.

Air-Launch Safety

Launching from the ground means that the first stage of the rocket will be traveling through the denser layers of the atmosphere, where drag is a significant issue. The launch pad is at a fixed location, selected to meet logistics, safety, and environmental constraints, and not always the most favorable one for reaching orbit. What if one could do away with the first stage and replace it with a high-altitude platform, such as an aircraft or a balloon? Compared with ground launch, air-launch provides a flexible and reusable “first stage” and a lighter expendable rocket.

To place a satellite in low Earth orbit, let us say at 300 km, you need to reach a velocity of about 9.4 km/s. Because the starting velocity is zero, we can also speak of it as a difference in velocity, or delta-V, of 9.4 km/s. The delta-V depends on several parameters, such as initial altitude, speed, and angle of attack. If we launch, for example, from a balloon at 15 km, with zero launch velocity and 0° angle of attack, the required delta-V is 8.8 km/s. If we launch from an aircraft flying at 1,200 km/h, the delta-V drops to 8.5 km/s. It drops further to 8.3 km/s if the launch angle of attack is 30°. Delta-V reductions translate into a lighter rocket, less fuel, and lower cost.

On 13 June 1990, Pegasus of Orbital Sciences Corporation became the first commercial air-launch vehicle. Released from a modified Lockheed L-1011 airliner, Pegasus can put a satellite of 450 kg in low Earth orbit.

In the past, the market for small satellites (100–500 kg) and miniature satellites, which comprise microsatellites (10–100 kg) and nanosatellites (1–10 kg), was small. They were usually launched as secondary payloads on larger launch vehicles. Nowadays, the commercial and military market for small and miniature satellites is the fastest growing segment of the space launch business, and several companies are developing air-launch vehicles specifically targeted at that market. The ability to “launch on demand” at low cost will allow launch operators to offer unprecedented flexibility in schedule and orbital placement. Several air-launch systems are under development as adaptations of commercial and military airplanes or as dedicated systems. Any country or operator with experience of military supersonic aircraft has the potential to develop its own micro- and nanosatellite air-launch service.

In July 2012, Virgin Galactic announced that their rocket, called LauncherOne, would be air-launched from the same WhiteKnightTwo carrier aircraft they developed for suborbital human spaceflight. Later a Boeing 747, called Cosmic Girl, was adapted for the purpose. Air-launch operations will start in 2019.

Stratolaunch Systems is developing a gigantic new air-launch system. The project comprises three main components: the carrier aircraft being built by Scaled Composites, a multistage rocket, and a mating and integration system. Stratolaunch’s carrier aircraft has a wingspan of 117 m and a weight of over 540,000 kg including the fully fueled launch vehicle. The test flights of the carrier aircraft are planned for 2019.

The worldwide diffusion of air-launches raises the issue of safety. The record of current spacefaring countries in performing traditional ground-based launches is not uniform. It may seriously worsen for air-launches because of the lack of experience of newcomers. Most of what we know about air-launch safety comes from Orbital ATK Pegasus and from supersonic air-launches performed by the USAF and NASA. As of 2018, Orbital ATK Pegasus had been launched 44 times safely, but in two cases the rocket veered off course and was destroyed by a command sent by the range safety officer. Orbital ATK Pegasus launches are performed under the safety oversight of one of the US launch ranges. Some key points:

(a) Rocket assembly and payload integration processes are identical to those followed for traditional expendable rockets. Safety rules are identical.

(b) Integration of the rocket on the carrier aircraft is performed on an isolated runway section, subject to safety rules similar to those for pad operations. Safety requirements for barriers to prevent inadvertent rocket ignition are identical to those for ground launches, but arming is done in flight close to launch time.

(c) The aircraft flight to reach the launch location is subject to constraints. For example, it is forbidden to overfly populated areas.

(d) Launch is performed following a countdown process with teams and equipment on board the carrier aircraft and remotely at the range.

(e) Rocket flight is redundantly tracked. Manual commands are sent for flight termination if it leaves the planned trajectory (using mobile range equipment). Special procedures are defined for the case of a launch abort.

(f) Air traffic is cleared in advance from the launch location, but the procedures are not as tightly enforceable as for launches from the ground. In the latter case, the spaceport and the airspace overhead can be “sealed.” Air-launches usually take place from international airspace, therefore outside national authority, so only advisory NOTAMs can be sent to alert air traffic.

On-Orbit Safety

Orbital Debris

Space is not an empty vacuum but contains both natural debris (i.e., micrometeoroids, interplanetary dust) and human-made space debris. Humans generally have no involvement in natural debris; thus, here we will concentrate exclusively on human-made debris. Orbital debris generally refers to any human-made material on orbit which is no longer serving its intended function. There are many sources of debris. One source is discarded hardware such as upper stages of launch vehicles or satellites which have been abandoned at the end of their operational life. Another source is spacecraft items released in the course of mission operations. Typically, these items include launch vehicle fairings, separation bolts, clamp bands, adapter shrouds, and lens caps. Various shapes and sizes of debris are also produced as a result of the degradation of hardware due to atomic oxygen, solar heating, and solar radiation and also from combustion of solid rocket motors. Examples of such products are paint flakes, aluminum oxide exhaust particles, and solid motor-liner residuals.

Fifty years of spaceflight have cluttered the space around the Earth with an enormous quantity of human-made debris. Scientists estimate that there are approximately 500,000 objects in orbit whose sizes are above 1 cm. Currently, about 22,000 of these objects (i.e., those 10 cm in diameter or larger) are being tracked by the US Space Surveillance Network (including about 1,000 objects representing functional satellites). The number is expected to rise significantly as new large-scale satellite constellations are deployed in the future to provide communications, remote sensing, and other services such as frequency monitoring.

When the new S-band radar “Space Fence” is fully operational, the tracked population will grow substantially, since the radar will be able to track objects down to the size of a marble in Low Earth Orbit (LEO). Among the tracked pieces of debris, there are about 200 satellites abandoned in Geostationary Earth Orbit (GEO) occupying or drifting through valuable orbital positions and posing a collision hazard for functional spacecraft. The survival time of the debris can be very long. Objects in 1,000 km orbits can exist for hundreds of years. At 1,500 km, the lifetime can go up to thousands of years. Objects in geosynchronous orbit can presumably survive for one million years.

The future population of orbital debris will depend upon whether the creation or the removal rate dominates. Currently, the only mechanism for removal of debris is orbital decay through atmospheric drag, which ultimately leads to atmospheric reentry. This mechanism is only effective in a restricted range of low Earth orbits (LEO). At higher orbits, it takes hundreds to thousands of years for objects to reenter the Earth’s atmosphere; consequently, there is no effective removal mechanism at those altitudes. Historically, the creation rate of debris has outpaced the removal rate, leading to a net growth in the debris population in low Earth orbit at an average rate of approximately 5% per year. A major contributor to the current debris population has been fragment generation via explosions. As the debris mitigation measure of passivation (e.g., depletion of residual fuel) comes to be implemented more commonly, it is expected that explosions will decrease in frequency. It may take a few decades for the practice to become implemented widely enough to reduce the explosion rate, which currently stands at about four per year.

Several environment projection studies conducted in recent years indicate that, with various assumed future launch rates, the debris populations at some altitudes in LEO will become unstable. Collisions will take over as the dominant debris generation mechanism, and the debris generated will feed back into the environment and induce more collisions. The most active orbital region is between the altitudes of 900 and 1,000 km, and even without any new launches, this region is highly unstable (Liou and Johnson 2006). It is projected that the debris population (i.e., objects 10 cm and larger) in this “red zone” will approximately triple in the next 200 years, increasing the collision probability among objects in this region by a factor of ten. In reality, the future debris environment is likely to be worse than suggested, as satellites continue to be launched into space.

Collision Risk with Orbital Debris

Orbital debris generally moves at very high speeds relative to operational satellites. In LEO (i.e., altitudes lower than 2,000 km), the average relative impact velocity is 10 km/s (36,000 km/h). In the geostationary orbits, the relative velocity is lower, approximately 2 km/s, because most objects move in eastward orbits. At these hypervelocities, pieces of debris have a tremendous amount of kinetic energy. A 1 kg object at a speed of 10 km/s has the same amount of kinetic energy as a fully loaded truck, weighing 35,000 kg, at 190 km/h. A 1-cm-sized aluminum sphere at orbital speed has the energy equivalent of an exploding hand grenade. A 10 cm fragment in geosynchronous orbit has roughly the same damage potential as a 1 cm fragment in low Earth orbit.

Pieces or particles of debris smaller than 1 mm in size do not generally pose a hazard to spacecraft functionality. Debris fragments from 1 mm to 1 cm in size may or may not penetrate a spacecraft, depending on the material composition of the debris and whether or not shielding is used by the spacecraft. Penetration through a critical component, such as the flight computer or propellant tank, can result in loss of the spacecraft. NASA considers pieces of debris 3 mm in size and above as potentially lethal to the retired Space Shuttle and the International Space Station. Debris fragments between 1 and 10 cm in size will penetrate and damage most spacecraft. If the spacecraft is impacted, satellite function will be terminated, and at the same time, a significant amount of small debris will be created. If a 10 cm debris fragment weighing 1 kg collides with a typical 1,200 kg spacecraft, over one million fragments ranging in size from about 1 mm and larger could be created. Such collisions result in the formation of a debris cloud which poses a magnified impact risk to any other spacecraft in the orbital vicinity (e.g., other members of a constellation of satellites).

Certain regions of the debris cloud are constricted to one or two dimensions. Such constrictions do not move with the debris cloud around its orbit. They remain fixed in inertial space while the debris cloud repeatedly circulates through them. In many satellite constellations, there are multiple satellites in each orbital ring. If one of these satellites breaks up, the remaining satellites in the ring will all repeatedly fly through the constrictions. If many fragments are produced by the breakup, the risk of damaging another satellite in the ring may be significant. If satellites from two orbital rings collide, two debris clouds will be formed with one in each ring. The constrictions of each cloud will then pose a hazard to the remaining satellites in both rings.

In February 2009, a nonoperational Russian satellite, Cosmos 2251, collided with Iridium 33, a US commercial telecommunication satellite, over Siberia at an altitude of 790 km. This collision, the first of its kind, was the worst space debris event since China intentionally destroyed one of its aging weather satellites during an antisatellite missile (ASAT) test, in 2007. The Iridium satellite that was lost in the collision was part of a constellation of 66 low Earth-orbiting satellites providing mobile voice and data communications services globally. As expected, the risk of collision of other Iridium satellites in the same plane dramatically increased with daily announcements of possible collisions (i.e., conjunctions) with Iridium 33 debris. Fig. 2 presents the evolution in time of the number of human-made debris objects, which highlights the increasing problem impacting the sustainability of the space environment.

Fig. 2 Catalogued human-made space objects in Earth’s orbit (Credit: NASA)

In general, orbital debris collision is among the top risks for human spaceflight. The 2003 Shuttle risk assessment performed after the Columbia accident, the first one that incorporated the threat posed by orbital debris, determined that the likelihood of orbital debris bringing down the Shuttle was far greater than that of the widely feared failures of main engines, solid rocket boosters, or thermal protection. Orbital debris striking different spots of the wing flaps was the most likely catastrophic failure. Such damage would have rendered the wing flap (elevon) unable to steer and slow the Shuttle during the reentry phase.

Orbital debris collision is the primary source of risk for the International Space Station (ISS). To minimize such risk for the crew, the ISS is shielded. The ISS is indeed the most heavily shielded spacecraft ever flown. Altogether, there are 100 different shields protecting the ISS. Critical components such as habitable compartments and high-pressure tanks are able to withstand the impact of debris as large as 1 cm in diameter.

Controlling Orbital Debris Risk

Orbital debris risk is best controlled by limiting its creation through a number of design and operational measures, such as “passivation,” collision avoidance maneuvers, and end-of-life disposal.

Passivation is the term used to describe the prevention of satellite and upper-stage explosions by the controlled removal of stored energy at the end of useful life. For example, propellant in upper stages and satellites can be eliminated by either venting or burning to depletion. This process is applied primarily to low Earth orbit satellites. Batteries can also be designed to reduce the risk of explosion.

Spacecraft maneuvers, when possible, can also mitigate the orbital debris risk of collision. The International Space Station has maneuvered on several occasions to avoid collisions with orbital debris. Also, in the case of satellite constellations, because a potential collision will lead to the creation of a debris cloud that may result in damage to other members of the constellation, collision avoidance maneuvers may be necessary. Another means to reduce the risk of collision is to remove satellites and upper stages from mission orbits, the so-called protected orbits, at the end of operational life. Currently, UN guidelines and other internationally agreed standards (e.g., ISO 24113) recommend that a space system should not remain in its mission orbit for more than 25 years. This objective is met either by lowering the orbit such that residual atmospheric drag is sufficiently strong to cause decay and reentry or by moving the spacecraft to a “graveyard orbit” outside of the protected regions. At orbits above 2,000 km, it is not economically feasible to force reentry within 25 years. Spacecraft operating in the geosynchronous orbits are routinely boosted into a higher disposal orbit at the end of their mission life, except in case of malfunction. Propellant needs to be reserved to perform the disposal maneuvers. There are penalties in the form of reduced performance and/or mission life linked to the disposal of space systems. Estimates of the amount of “lost” lifetime for geosynchronous satellites vary between 6 months and 2 years. For example, it has been calculated that if a typical commercial communication satellite that has 24 Ku-band and 24 C-band transponders with bandwidths of 36 MHz has to be boosted into a higher disposal orbit at the end of its mission life, this maneuver would cause the satellite operator an average loss (in terms of how much longer the satellite could have continued commercial operations) of as much as 1 year’s profit. This problem can be mitigated by employing the so-called inclined orbit operation so as to preserve fuel, since North–South station-keeping requires more than ten times as much fuel as East–West station-keeping.

Orbital Debris Remediation: Active Debris Removal

In view of the massive amount of debris already in existence in Earth orbits, growing consensus among experts suggests that an active process for the removal of existing debris from space is required, as mitigation is no longer sufficient to ensure the long-term sustainability of outer space activities. Active debris removal (ADR), specifically the removal of nonfunctional spacecraft and spent upper stages, requires the development of advanced technologies and concepts (Fig. 3). Their implementation also raises a number of difficult technical, economic, strategic, institutional, legal, and regulatory challenges that must be addressed at the very outset. For such on-orbit services to become available, the following elements need to be in place: service at the lowest possible cost, spacefaring countries committing to gradually remove their own debris, and new national licensing regulations mandating removal (autonomous or enforced) at the end of mission.

Fig. 3 Active debris removal concept (Credit: DRL)

To achieve the lowest possible service costs, international technological cooperation, a high rate of missions per year, and possibly multiple service targets per mission would be needed, at least for an initial period of operations. International technological cooperation would serve the purpose of making all existing technologies available and sharing the cost of new developments. Servicing multiple (international) customers with a single flexible system and performing multiple removals within the same mission would also contribute substantially to lowering operational costs. To a certain extent, the path once used for the development of the satellite telecommunication industry may be repeated with the establishment of an intergovernmental organization on the model of the early International Telecommunications Satellite Organization (INTELSAT), which would later evolve into full commercial services. Another alternative would be to create an international fund for debris removal. Such a fund could start as a national and/or regional cooperative and evolve into an international fund supported by all spacefaring nations. The problem with all such plans or concepts is that the current provisions of Article VII of the Outer Space Treaty of 1967, as well as those of the so-called Liability Convention of 1972, structure the “liabilities” associated with such removal activities in such a way as to give countries little incentive to actively remove debris from orbit.

The development of new technological capabilities, in the area of active debris removal and possible repurposing of defunct spacecraft, continues apace. There have been a series of projects sponsored by the U.S. Defense Advanced Research Projects Agency (DARPA), by NASA, by DLR of Germany, and by private companies such as McDonnell Detwiler, Vivasat, and Conesat. On June 20, 2018, the “Remove Debris” proof-of-concept small satellite was launched through the Kaber launch facility operated by Nanoracks from the International Space Station. This small satellite, with a mass of only 100 kg, will be able to test a range of possible removal techniques. It was constructed by Surrey Space Technology Ltd. and, after some 5 years of development, is now testing these removal strategies. (“NanoRacks Deploys Largest Satellite from International Space Station to Date,” July 2, 2018. https://mail.aol.com/webmail-std/en-us/suite).

Reentry Safety Risk

As previously mentioned, nonfunctional satellites, spent launch vehicle upper stages, and other orbital debris do not remain in low Earth orbits indefinitely but gradually return to Earth due to residual atmospheric drag. In low Earth orbits, natural orbital decay can take place within a few months or require hundreds or even thousands of years, depending on the altitude.

As nonfunctional satellites, spent launch vehicle stages, and other pieces of debris enter denser regions of the atmosphere, they fragment and sometimes explode due to high aerodynamic forces combined with the loss of material strength caused by the heat of friction with air at high velocity. Heat subsequently causes the demise of major portions of the hardware through melting and vaporization. However, between 10% and 40% of the original mass will survive and reach Earth’s surface. In general, parts and components made of aluminum and similar materials with low melting temperatures do not survive reentry, while those made of materials with high melting temperatures, such as stainless steel and titanium, do survive. Parts with low mass and large surface area, and therefore large aerodynamic drag, will also survive because they decelerate early and experience correspondingly low heating. The surviving fragments represent a hazard to people and property on the ground. They also represent a potentially serious risk to air and maritime traffic.

Due to the variability of the atmospheric layers around the Earth, it is difficult to predict the exact reentry time of a randomly reentering satellite or upper stage. As a consequence, it is very difficult to predict where surviving fragments will hit the surface of the Earth. Over the last 50 years, more than 1,400 metric tons of material are believed to have survived reentry. The largest object to reenter was the Russian Mir Space Station, which weighed 120,000 kg. Reentries are frequent, in particular upper-stage reentries. In 2011, launch vehicle upper stages reentered at a rate of 1 per week, with a total mass five times that of uncontrolled spacecraft reentries for the same period (Figs. 4 and 5). Many of the reentered parts recovered on the ground, including tanks weighing up to 250 kg, belonged to rockets.

Fig. 4 Stainless steel propellant tank of a reentered Delta 2 second stage (US, 1977) (NASA courtesy)

Fig. 5 Reentered titanium motor casing of a Delta 2 third stage (Saudi Arabia, 2001) (NASA courtesy)

Currently, a number of countries prescribe that the risk of any personal casualty due to a single reentry event must be less than 1 in 10,000 reentries. France has the most conservative requirement of less than 2 in 100,000 reentries. Of particular concern, although very remote, is the risk for aviation and the emotional and psychological impact on the general public that a single accident with many casualties would cause (Ailor and Wilde 2008), as described in section “Risk for Aviation.”

Environmental Risk

There are health risks related to launch ascent failures and to the reentry of space systems (e.g., rocket bodies and nonfunctional space systems). During normal launches, stages separate sequentially and fall down to Earth. Most launch trajectories and spaceport locations are chosen to ensure that the impact areas are outside populated areas and mainly contiguous to the oceans. Nevertheless, there are inland spaceport locations and land-overflying trajectories which lead to stages dropping to the ground in sparsely inhabited areas, with ensuing soil contamination. Approximately 9% of the propellant of a launch stage remains in the tank once it is dropped. The penetration of contaminants depends on the nature and properties of the soil and can lead to the contamination of groundwater as well as surface water. For example, hydrazine (UDMH) is often used in hypergolic rocket fuels as a bipropellant in combination with the oxidizer nitrogen tetroxide and, less frequently, with IRFNA (red-fuming nitric acid) or liquid oxygen. UDMH is a toxic carcinogen and can explode in the presence of oxidizers. It can also be absorbed through the skin. A tablespoon of hydrazine in a swimming pool would kill anyone who drank the water. In a study conducted by Vector, the Russian State Research Center of Virology and Biotechnology in Novosibirsk, health records from 1998 to 2000 of about 1,000 children in two areas of southern Siberia polluted by launches from the Baikonur spaceport in Kazakhstan were examined and compared with 330 records from a nearby unpolluted control area. Grouping all cases of disease together, the research team concluded that children from the worst-affected area were up to twice as likely to require medical attention for diseases such as endocrine and blood disorders during the 3 years studied and needed to be treated for twice as long. Contamination can be far worse and more massive in the case of a launch failure. In September 2007, the explosion of a Russian Proton M rocket contaminated a vast swath of agricultural land in Kazakhstan with 200 t of toxic fuel.

Reentries may also cause concern because of the toxicity or radioactivity of materials on board. On 21 February 2008, an uncontrolled reentering satellite was shot down on grounds of public safety. The satellite was destroyed at an altitude of 247 km by a ship-launched missile. The malfunctioning spacecraft, a US spy satellite (USA 193), carried 450 kg of highly toxic frozen hydrazine fuel in its titanium fuel tank. In addition, it was expected that about 50% of the satellite’s mass of 2,270 kg would survive reentry, thus adding to public risk on ground.

Currently, there are 32 defunct nuclear reactors circling the Earth, as well as 13 reactor fuel cores and at least 8 radio-thermal generators (RTGs). RTGs had been used six times in space missions in low Earth orbits up to 1972 and twice in geosynchronous orbit up to 1976. Since 1969, another 14 reactors have been used on lunar and interplanetary missions. The total mass of RTG nuclear fuel in Earth orbit today is on the order of 150 kg. Another form of nuclear power source used in space activities is the nuclear reactor. Most of these reactors were deployed on Soviet radar reconnaissance satellites (RORSATs) launched between 1965 and 1988.

Among the space nuclear accidents (i.e., unwanted/unplanned releases of radioactive material), two involved orbital debris, and a third was a close call. In 1978, the RORSAT COSMOS 954 failed to separate its nuclear reactor core and to boost it into a disposal orbit as planned. The reactor remained on board the satellite in an orbit that decayed until it reentered the Earth’s atmosphere. The satellite crashed near the Great Slave Lake in Canada’s Northwest Territories, spreading its radioactive fuel over an area of about 124,000 km². Recovery teams swept the area on foot for months. Ultimately, they were able to recover only 12 large pieces, which comprised a mere 1% of the estimated quantity of radioactive fuel on board. These pieces emitted radioactivity of up to 1.1 Sv/h. (It should be noted that a nuclear emergency is usually declared on the ground at 500 μSv/h.) A few years later, in 1982, another RORSAT, COSMOS 1402, failed to boost its nuclear reactor core into a storage orbit. The ground controllers managed to separate the core from the reactor itself to make it more likely that it would burn up in the atmosphere before reaching the ground. The reactor was the last piece of the satellite to return to Earth, in February 1983, when its core fell into the South Atlantic Ocean.

Then, in April 1988, yet another Russian spacecraft, COSMOS 1900, failed to separate and boost its reactor core into a storage orbit. However, the redundant system later succeeded in separating and boosting the nuclear core into a storage orbit, although a lower one than originally planned.

Risk for Aviation

Many of the practices that apply to launch also apply to reentry, but reentries pose special issues because they are mainly random or related to the unique behavior of a reusable vehicle during reentry.

The disintegration during reentry of the Shuttle Columbia on February 1, 2003, was a watershed moment in the history of launch and reentry safety analysis. It highlighted the need to select vehicle reentry trajectories which minimize the risk to ground populations and the need to take measures to keep air traffic away from falling debris if a reentry accident occurs. The Columbia accident initiated a chain of events that demonstrated the need for a deliberate, integrated, and, eventually, international approach to public safety during launch and reentry operations. This is especially true for the management of air traffic and space operations.

Shortly after the breakup of Columbia over a relatively sparsely populated area of Texas, dramatic images of the debris from the breakup were seen around the globe: an intact spherical tank in a school parking lot, an obliterated office rooftop, mangled metal along roadsides, and charred chunks of material in fields. The NASA Administrator testified before the US Senate that it was “amazing that there were no other collateral damage” (i.e., that no members of the public were hurt).

The Columbia Accident Investigation Board (CAIB) raised and answered many questions relevant to public safety during launch and in particular reentry. Given the available data on the debris recovered and the population characteristics in the vicinity, a CAIB study found that the absence of ground casualties was, in fact, the statistically expected result. Specifically, based on census data and modeling methods consistent with US standards and requirements set by other US agencies (e.g., the USAF in the Air Force Space Command Manual and by the FAA in the Federal Register), the study found that “the lack of casualties was the expected event, but there was a reasonable probability (less than 0.5 but greater than 0.05) that casualties could have occurred.” However, a similar event over a densely populated area such as Houston would almost certainly have produced multiple casualties among the public on the ground.

At the time of the Columbia accident, NASA had no formal policy regarding public risk during Shuttle reentry. Following the CAIB report, NASA established a new safety policy (NPR8715.5). The NASA public safety policy embraced many of the risk measures and thresholds already in use by other US agencies, such as individual and collective risk limits in terms of casualties. However, NASA’s public safety policy also put forward innovative criteria for risk budgets governing distinct phases of flight, which have gained broad acceptance. Therefore, the Columbia accident led to greater consensus and innovation in the management of risk to people on the ground from launch and reentry operations.

The Columbia accident also promoted the development of improved methods and standards for aircraft safety during launch and reentry. Following the release of the final report of the CAIB, the FAA funded a more detailed aircraft risk analysis that used the actual records of aircraft activity at the time of the accident. That study found that the probability of an impact between Columbia debris and a commercial aircraft in the vicinity was at least one in a thousand, and the chance of an impact with a general aviation aircraft was at least one in a hundred. The analysis used the current models, which assume that any impact anywhere on a commercial transport by debris of mass above 300 g produces a catastrophic accident in which all people on board are killed. Current best practices are captured in RCC 321–07 “Common Risk Criteria for the National Ranges,” which provides a vulnerability model for the commercial transport class. In 2008, the FAA and USAF sponsored the development of vulnerability models for transoceanic business jets based on the same methods.

After the release of the CAIB report, the FAA investigated the need for new decision support tools to better manage the interface between space and air traffic. The relevant procedures were then developed, and they are currently in use as a real-time tactical tool to identify how to redirect aircraft around a space vehicle debris hazard area in the event of a catastrophic event like the Columbia accident.

Existing Regulations and Standards

The sections above have provided an overview of the risks associated with launch, on-orbit operations, and reentry. As illustrated, these issues involve risks that are national and/or international in nature. For launch and reentry activities, national regulations exist in some spacefaring nations; however, no international regulation applicable worldwide has been agreed. There are ever-increasing safety concerns posed by the pollution of the orbital environment (i.e., orbital debris) to operational spacecraft and the International Space Station. After many years of debate, international space debris mitigation guidelines have been worked out by the Inter-Agency Space Debris Coordination Committee (IADC), and these have been agreed as voluntary standards under the umbrella of the United Nations Committee on the Peaceful Uses of Outer Space (UN COPUOS). In addition, the International Organization for Standardization (ISO) has published a standard on space debris mitigation (i.e., ISO 24113) to put forward design and operational practices for implementation in future space systems to minimize the generation of orbital debris.

However, no remediation activities have yet been internationally agreed, and therefore neither standards nor regulations exist in this field. In addition, although different countries have the observational assets to perform space situational awareness services, there are currently no agreed space traffic management regulations. Clearly these two issues, i.e., space debris mitigation and space traffic management, will constitute the two most important international space safety standards and regulatory issues to be faced in the next few years.

Human Spaceflight Safety

In the following sections, the risks associated with human spaceflight will be presented. Firstly, the concept of system safety for crewed systems will be introduced. Then, the value of regulations and safety standards will be illustrated by real examples in different fields, and a case study based on the emerging industry of commercial suborbital transportation will be examined. Next, the historical and latest developments in human-rating space systems will be presented, and finally, a selected number of risks associated with human spaceflight will be covered.

System Safety

Prior to the 1940s, flight safety consisted basically of trial and error. The term fly-fix-fly was associated with the approach of building a prototype aircraft, flying it, repairing or modifying it if it broke, and flying it again. For complex and critical systems, such an approach is simply impossible. From 1952 to 1966, the US Air Force (USAF) lost 7,715 aircraft in noncombat operations, in which 8,547 persons were killed. As reported by Olsen (2010), “most accidents were blamed on pilots, but many engineers argued that safety had to be designed into aircraft just as any other functional or physical feature related to performance. Seminars were conducted by the Flight Safety Foundation, headed by Jerome Lederer that brought together engineering, operations, and management personnel. At one of those seminars, in 1954, the term ‘system safety’ was first used in a paper by the aviation safety pioneer C.O. Miller.”

In the 1950s, when the Atlas and Titan ICBMs were being initially developed, there was no safety program. Within 18 months after the fleet of 71 Atlas F missiles became operational, 4 blew up in their silos during operational testing. The worst accident occurred in Searcy, Arkansas, on August 9, 1965, when a fire in a Titan II silo killed 53. The US Air Force then developed system safety assessment and management concepts. Such efforts eventually resulted in the establishment of a major standard, MIL-STD-882D, and of System Safety Engineering as a discipline (Leveson 2003).

Commercial Suborbital Regulatory Safety Framework: A Case Study

One of the areas of space safety regulation that has received the most attention in recent years has been with regard to overseeing the safety of commercial spaceflights – particularly in the form of suborbital flights.

A suborbital flight is defined as a flight up to a very high altitude beyond 100 km above sea level in which the vehicle involved does not go into orbit (i.e., does not attain an orbital speed exceeding 11.2 km/s). A suborbital trajectory is defined under US law as “The intentional flight path of a launch vehicle, re-entry vehicle, or any portion thereof, whose vacuum instantaneous impact point does not leave the surface of the Earth.” Unmanned suborbital flights have been common since the very beginning of the space age. Sounding rockets covering a wide range of apogees, even well above the altitude of the Shuttle and ISS orbits, have been routinely launched. Nowadays, suborbital human spaceflight is gaining popularity, as demonstrated by the increased interest in space tourism. Still in its nascent phase, the space tourism industry proposes new commercial vehicles whose configurations and operational modes are very similar to those of some early government programs, namely, capsules (e.g., Mercury Redstone) or winged-rocket systems (e.g., the X-15 aircraft). It should be noted that the two configurations drive very different safety requirements. Safety requirements for the launcher/capsule configuration have been in place for more than 40 years and have been successfully proven, mainly during the performance of (more challenging) orbital flights. The safety requirements for the aircraft-type configuration have a well-established technological basis in the aeronautical engineering field, although they are not reflected in any current civil aviation-type regulation. The experimental aircraft X-15 flew 199 flights before program cancellation in 1968. The X-15 suffered four major accidents (Fig. 6).

Fig. 6
figure 6

X-15 crash (Credit: NASA)
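The US definition quoted above is a computable test, and working it through makes the orbital/suborbital distinction concrete. The following Python code is an added example, not part of the original chapter or of any regulator's tooling: from a position and velocity it computes the perigee of the unpowered two-body path and decides whether the vacuum instantaneous impact point lies on the Earth's surface. It also computes circular-orbit and escape speeds, which is where the 7.8 km/s versus 11.2 km/s distinction comes from. The spherical Earth, the constants, and the sample states are assumptions of the example.

```python
import math

# Two-body model with a spherical Earth; both are assumptions of this example.
MU_EARTH = 3.986004418e14   # gravitational parameter, m^3/s^2
R_EARTH = 6.371e6           # mean radius, m


def _dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def _cross(a, b):
    return (a[1] * b[2] - a[2] * b[1],
            a[2] * b[0] - a[0] * b[2],
            a[0] * b[1] - a[1] * b[0])


def _norm(a):
    return math.sqrt(_dot(a, a))


def circular_speed(altitude_m):
    """Speed that keeps a vehicle in a circular orbit at this altitude (about 7.8 km/s in LEO)."""
    return math.sqrt(MU_EARTH / (R_EARTH + altitude_m))


def escape_speed(altitude_m):
    """Speed needed to leave Earth's gravity entirely (about 11.2 km/s at the surface)."""
    return math.sqrt(2.0 * MU_EARTH / (R_EARTH + altitude_m))


def perigee_radius(r_vec, v_vec):
    """Closest approach to Earth's centre of the Keplerian path through this state (m)."""
    r = _norm(r_vec)
    v2 = _dot(v_vec, v_vec)
    rv = _dot(r_vec, v_vec)
    # Eccentricity vector e = ((v^2 - mu/r) r - (r.v) v) / mu points at perigee.
    e_vec = tuple(((v2 - MU_EARTH / r) * ri - rv * vi) / MU_EARTH
                  for ri, vi in zip(r_vec, v_vec))
    e = _norm(e_vec)
    h_vec = _cross(r_vec, v_vec)            # specific angular momentum
    return _dot(h_vec, h_vec) / (MU_EARTH * (1.0 + e))


def vacuum_iip_on_earth(r_vec, v_vec):
    """True when the vacuum instantaneous impact point lies on Earth's surface,
    i.e. the unpowered two-body path from this state would reach the ground.
    This is the quantity the US definition of a suborbital trajectory refers to."""
    r = _norm(r_vec)
    if r < R_EARTH:
        raise ValueError("state lies below the surface")
    if perigee_radius(r_vec, v_vec) >= R_EARTH:
        return False                        # path never descends to the surface
    energy = _dot(v_vec, v_vec) / 2.0 - MU_EARTH / r
    if energy < 0.0:
        return True                         # bound ellipse dipping below the surface: it must come down
    # Parabolic or hyperbolic path: it hits Earth only if still moving inward.
    return _dot(r_vec, v_vec) < 0.0


def classify(r_vec, v_vec):
    """Label a state as 'suborbital' or 'orbital or escape' under the vacuum-IIP test."""
    return "suborbital" if vacuum_iip_on_earth(r_vec, v_vec) else "orbital or escape"


if __name__ == "__main__":
    # Constructed sample states: position along x, velocity components in m/s.
    sounding_rocket = ((R_EARTH + 100e3, 0.0, 0.0), (1000.0, 2500.0, 0.0))
    iss_like = ((R_EARTH + 400e3, 0.0, 0.0), (0.0, circular_speed(400e3), 0.0))
    radial_escape = ((R_EARTH + 400e3, 0.0, 0.0), (12000.0, 0.0, 0.0))
    for name, (r, v) in [("sounding rocket", sounding_rocket),
                         ("ISS-like orbit", iss_like),
                         ("outbound above escape speed", radial_escape)]:
        print(f"{name}: perigee {perigee_radius(r, v) / 1e3:.0f} km -> {classify(r, v)}")
    print(f"circular speed at surface {circular_speed(0.0) / 1e3:.2f} km/s, "
          f"escape speed {escape_speed(0.0) / 1e3:.2f} km/s")
```

The sounding-rocket state is suborbital even though it is still ascending, because a bound trajectory whose perigee lies below the surface must come down; the outbound radial state above escape speed is not, since its path never returns, which is why escape speed is the wrong threshold for "did not go into orbit".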

In 2004 the USA passed the Commercial Space Launch Amendments Act (CSLAA), and in 2011 the “Commercial Space Launch Activities” Act, which was signed into law in January 2012.

Most recently, the USA enacted H.R.2262, the U.S. Commercial Space Launch Competitiveness Act, which became Public Law No. 114-90 (11/25/2015). This law has four parts: Title I (Spurring Private Aerospace Competitiveness and Entrepreneurship), Title II (Commercial Remote Sensing), Title III (Office of Space Commerce), and Title IV (Space Resource Exploration and Utilization). This new legislation has a variety of shorter term and longer term space safety implications, as well as oversight and licensing arrangements for commercial space launches for manned and unmanned flights. (H.R.2262 – U.S. Commercial Space Launch Competitiveness Act).

The issuance of Space Policy Directive-3 in June 2018, which assigned to the Department of Commerce (through its Office of Space Commerce) responsibility for improved space situational awareness and for space traffic management for civil and commercial space activities, while the U.S. Department of Defense continues to address these issues for security and strategic purposes, creates a new path forward for the USA. The Directive sets out the problem and the way forward to greater space safety in the following terms.

“The future space operating environment will also be shaped by a significant increase in the volume and diversity of commercial activity in space. Emerging commercial ventures such as satellite servicing, debris removal, in-space manufacturing, and tourism, as well as new technologies enabling small satellites and very large constellations of satellites, are increasingly outpacing efforts to develop and implement government policies and processes to address these new activities.”

“To maintain U.S. leadership in space, we must develop a new approach to space traffic management (STM) that addresses current and future operational risks. This new approach must set priorities for space situational awareness (SSA) and STM innovation in science and technology (S&T), incorporate national security considerations, encourage growth of the U.S. commercial space sector, establish an updated STM architecture, and promote space safety standards and best practices across the international community.”

“The United States recognizes that spaceflight safety is a global challenge and will continue to encourage safe and responsible behavior in space while emphasizing the need for international transparency and STM data sharing. Through this national policy for STM and other national space strategies and policies, the United States will enhance safety and ensure continued leadership, preeminence, and freedom of action in space.” (Space Policy Directive-3, National Space Traffic Management Policy, June 18, 2018. https://www.whitehouse.gov/presidential-actions/space-policy-directive-3-national-space-traffic-management-policy/).

It was suggested at the European Space Policy Institute Autumn Conference in September 2018 that spacefaring nations might undertake an approach to improved space situational awareness and space traffic management parallel to that outlined in U.S. Space Policy Directive-3, so that a common and coordinated approach to these critical areas of space safety could be pursued. The proposal suggested the following: “U.S. Space directive 3 sets new U.S. objectives for ‘space situational awareness’, the need for an improved registry of space objects in Earth orbit, the need for better sharing of information with regard to operational spacecraft and space debris, the need for an improved space traffic management system and support for collision avoidance services.” If other spacefaring nations were to do the same, a framework for cooperation in all these areas might be agreed. This could lead to improved security of space operations and of space infrastructure. (Joseph N. Pelton, “A Path Forward to Improved Space Security: Better Information Sharing, Space Situational Awareness, Space Traffic Management, and More,” European Space Policy Institute Autumn Conference, Sept 28, 2018, Vienna, Austria)

The IAASS (International Association for the Advancement of Space Safety) has been particularly concerned with the safety of commercial space systems carrying passengers into space and has developed a safety certification standard, published by SAE International in 2018. This standard addresses responsibilities, implementation, and mission safety risk. (“SAE International to Publish New IAASS Standard for Commercial Space Travel and Exploration,” SAE press release, Warrendale, Pa., August 6, 2018. https://www.sae.org/news/press-room/2018/08/sae-international-to-publish-new-iaass-standard-for-commercial-space-travel-and-exploration)

Self-Regulation: Safety as a Business Case

An alternative to government regulation is self-regulation, which is essentially meant to promote a higher level of safety as a business case. Take the example of Formula 1 car racing. In the first three decades of the Formula 1 World Championship, inaugurated in 1950, a racing driver’s life expectancy could often be measured in fewer than two seasons. It was accepted that total risk was something that went with the badge. It was the Imola Grand Prix of 1994, with the deaths of Roland Ratzenberger and Ayrton Senna (shown on live television), that forced the car racing industry to look seriously at safety or risk being banned forever. In the days after the Imola crashes, the FIA (Fédération Internationale de l’Automobile) established the Advisory Expert Group to identify innovative technologies to improve car and circuit safety, and mandated their implementation and certification testing. Nowadays, Formula 1 car racing is a very safe multibillion dollar business of sponsorships and global television rights, an entertainment that families can enjoy without risking shocking sights.

Another example comes from the oil industry. The Presidential Commission that investigated the “Deepwater Horizon” disaster in the Gulf of Mexico in April 2010 (11 workers killed, plus an oil spill that caused an environmental catastrophe) recommended the establishment of an independent safety agency within the Department of the Interior and stated that “the gas and oil industry must move towards developing a notion of safety as a collective responsibility. Industry should establish a ‘Safety Institute’ […] this would be an industry-created, self-policing entity aimed at developing, adopting, and enforcing standards of excellence to ensure continuous improvement in safety and operational integrity offshore.”

Nowadays, sophisticated techniques are available to remove or control hazards in new systems so as to minimize their safety risk before they enter operation. Such techniques generally go under the name of “safety case.”

Prescriptive Requirements Versus Safety Case

The RMS Titanic struck an iceberg on her maiden voyage from Southampton, England, to New York and sank in the early hours of 15 April 1912. A total of 1,517 people died in the disaster because there were not enough lifeboats. During the Titanic's construction, Alexander Carlisle, one of the managing directors of the shipyard that built it, had suggested using a new type of larger davit that could handle more boats, giving Titanic the potential to carry 48 lifeboats, more than enough seats for everybody on board. But in a cost-cutting exercise, the customer (White Star Line) decided that only 20 would be carried, providing lifeboat capacity for only about half of those on board (Titanic 1912). This may seem a careless way to treat passengers and crew, but as a matter of fact the Board of Trade regulations stated that all British vessels over 10,000 t had to carry 16 lifeboats. Obviously, the regulations were out of date in an era that had seen the size of ships reach the 46,000 t of the Titanic.

The above accident illustrates both what a prescriptive requirement is (i.e., an explicitly required design solution for an implicit safety goal) and how it can sometimes fail dramatically. The safety case regime is instead based on the principle that the regulatory authority sets the broad safety criteria and goals to be attained, while the system developer proposes the most appropriate technical requirements, design solutions, and verification methods for their fulfillment. In other words, the safety case regime recognizes that it is the regulatory authority’s role and responsibility to define where the limit lies between “safe” and “unsafe” design (i.e., the safety policy in a technical sense), but that it is the developer/operator that has the greatest in-depth knowledge of the system design and operations.

A safety case is documented in the Safety Case Report that typically includes the following: (a) the summary description of the system and relevant environment and operations; (b) identified hazards and risks, their level of seriousness, and applicable regulatory criteria/requirements; (c) identified causes of hazards and risks; (d) description of how causes (of hazards and risks) are controlled; and (e) description of relevant verification plans, procedures, and methods.
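The report structure (a) to (e) is a traceability chain, and a review panel's first job is to find where the chain is broken: a hazard with no cited criteria, a cause with no control, a control with no verification. The following Python code is an added example, not part of the chapter or of any agency's review process: it models hazards, causes, controls, and verification methods and returns the gaps a panel would raise. The severity levels, the illustrative criterion that each cause of a catastrophic hazard carries at least two controls, and the sample hazards are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import List

# Severity levels and the minimum number of controls per cause are assumptions of
# this example (an illustrative acceptance criterion), not rules quoted from the chapter.
MIN_CONTROLS_PER_CAUSE = {"marginal": 1, "critical": 1, "catastrophic": 2}


@dataclass
class Control:
    control_id: str
    description: str
    verification: str = ""          # item (e): plan/procedure/method showing the control works


@dataclass
class Cause:
    cause_id: str
    description: str
    controls: List[Control] = field(default_factory=list)   # item (d)


@dataclass
class Hazard:
    hazard_id: str
    description: str
    severity: str
    criteria: str                                       # item (b): applicable requirement
    causes: List[Cause] = field(default_factory=list)   # item (c)


def review(hazards: List[Hazard]) -> List[str]:
    """Return the findings a review panel would raise against the report: every
    hazard needs cited criteria and identified causes, every cause needs enough
    controls for the hazard severity, and every control needs a verification
    method. Independence of the controls is not checked here."""
    findings = []
    for hz in hazards:
        if hz.severity not in MIN_CONTROLS_PER_CAUSE:
            findings.append(f"{hz.hazard_id}: unknown severity '{hz.severity}'")
            continue
        if not hz.criteria.strip():
            findings.append(f"{hz.hazard_id}: no applicable criteria/requirements cited")
        if not hz.causes:
            findings.append(f"{hz.hazard_id}: no causes identified")
        need = MIN_CONTROLS_PER_CAUSE[hz.severity]
        for cause in hz.causes:
            if len(cause.controls) < need:
                findings.append(
                    f"{hz.hazard_id}/{cause.cause_id}: {len(cause.controls)} control(s), "
                    f"{need} required for a {hz.severity} hazard")
            for ctl in cause.controls:
                if not ctl.verification.strip():
                    findings.append(
                        f"{hz.hazard_id}/{cause.cause_id}/{ctl.control_id}: no verification method")
    return findings


# Constructed sample report: one complete hazard and one with gaps.
SAMPLE_HAZARDS = [
    Hazard("H-1", "Loss of cabin pressure", "catastrophic",
           "Two-failure tolerance for catastrophic hazards (assumed criterion)",
           [Cause("C-1", "Hatch seal leak", [
               Control("K-1", "Dual redundant hatch seals", "Leak test per procedure LT-01"),
               Control("K-2", "Pressure monitoring with crew suits donned", "Functional test FT-07"),
           ])]),
    Hazard("H-2", "Cabin fire", "catastrophic", "",
           [Cause("C-2", "Electrical short in wiring harness", [
               Control("K-3", "Circuit protection on all feeders"),
           ])]),
]


if __name__ == "__main__":
    for line in review(SAMPLE_HAZARDS):
        print(line)
```

Run stand-alone, the sample report yields three findings, all against H-2: no criteria cited, one control where two are required, and a control with no verification method. The same walk, with submittals re-run after each configuration change, is what keeps an incremental review process such as the ISS one honest.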

The safety of the entire International Space Station (ISS) program is based on a process of incremental safety reviews, by independent panels, of safety case reports (called safety data packages) prepared by system developers/operators in response to the (generic) safety requirements (NASA SSP 30599 2009). During operations, further submittals are made to account for configuration changes, previously unforeseen operations, and corrective actions from on-orbit anomalies.

Human Rating: A Historical Perspective

Since the first space programs that achieved human access to space, the identification of system requirements for crewed space systems has been a complex exercise. In the 1950s, engineering efforts to maximize safety were built on the experience gained about the space environment from unmanned vehicles and from experimental flights with chimpanzees on board, which contributed data for planned crew missions. The concept of human rating (previously known as man-rating) was used to refer to systems designed to carry humans into space. However, a formal common process for granting human-rating certification, as is used in current programs, did not exist at the time. In the past, the methods for implementing human rating varied from program to program, across systems and subsystems, and sometimes across mission phases within a program.

In 1995, 14 years after the Shuttle had entered operations, an agency-wide committee was tasked to develop a human-rating requirements definition for launch vehicles based on conventional (historical) methods. After reviewing past programs, both launchers and spacecraft, such as Gemini, Apollo, and the Space Shuttle, the committee recommended, in a document reviewing the historical perspective of human rating of US spacecraft (Zupp 1995), the following definition of the human-rating process: “a process that satisfies the constraints of cost, schedule, performance, risk and benefit while addressing the three requirements of human safety, human performance, and human health management and care.” Historically, the human-rating process for the Mercury, Gemini, and Apollo programs had been centered on human safety. The Skylab and Shuttle programs added an emphasis on human performance and health management. Further details on the history of these programs can be found in Logsdon and Launius (2008).

For Gemini, as for other vehicles since then, an important part of assuring crew safety was the development of a crew escape system for abort scenarios. The escape system test program was extensive, spanning a 3-year period and leading to improved designs throughout the testing phase; the result was an ejection seat qualified for crew escape from pad aborts up to 45,000 ft (Ray and Burns 1976). For the Apollo program, the launch vehicles (i.e., Saturn IB and Saturn V) were designed for human spaceflight from the outset (no other launcher could deliver the required performance). These vehicles had additional redundancy and safety improvements compared with their Mercury and Gemini predecessors. Additionally, there was an extensive ground and unmanned flight test plan to validate new design features and to certify the launch escape system developed specifically for Apollo.

For the Space Shuttle, crew safety was a far greater challenge than in previous programs, mainly because of its configuration: the Orbiter and the crew were much closer to the source of explosive yield, fire, and overpressure than in the in-line, series-burn configurations used on the Mercury, Gemini, and Apollo launch systems. The most significant challenge was how to address abort during first stage. To enable consideration of crew escape, crew ejection, launch pad ejection, or Orbiter separation and fly-away, a method for thrust termination of the solid rocket boosters (SRBs) had to be developed, and this was an unproven technology. Various concepts for thrust termination were examined (e.g., pyrotechnically blowing out the head end of the booster to neutralize thrust, or severing the nozzle to accomplish the same result), but all raised major concerns or introduced significant design challenges. Therefore, it was decided that the additional safety risks and design complexities introduced by thrust termination were of greater concern than the presumed low failure rate of solid motors. For the areas of “high” risk, more stringent design requirements were derived to build greater reliability into the Shuttle SRBs (i.e., structural design factors of safety, case insulation, and segment seals). The Shuttle used a historical performance database to improve safety design and was certified as human rated with no first-stage abort capability. The focus was on a system-level integrated methodology.

The human-rating process builds upon data and knowledge acquired during development, manufacturing, and operations. The information derived from evaluating and analyzing these data strengthens the understanding of failure mechanisms and helps identify mitigation strategies to address them. Taking into account the lessons learned from past programs as well as the technological developments of our time, the need for specific requirements for human rating a space system, to enhance crew safety and incorporate the knowledge gained through more than 40 years of space activities, materialized with the release of NASA NPR 8705.2A “Human-Rating Requirements and Guidelines for Space Flight Systems” in 2003. In this first standard addressing human-rating certification, NASA proposed the following definition: “a human-rated system is one that accommodates human needs, effectively utilizes human capabilities, controls hazards and manages safety risk associated with human spaceflight, and provides to the maximum extent practical, the capability to safely recover the crew from hazardous situations.”

In 2008, NASA reissued these requirements as NPR 8705.2B with slight modifications from the original version; the document was updated again in 2011. It contains a set of programmatic and technical requirements that establish a benchmark of capabilities for human-rated space systems. It directs programs to perform human error analysis, evaluate crew workload, conduct human-in-the-loop usability evaluations, use integrated human-system performance test results to validate system designs, and establish a Human System Integration team to evaluate these activities (Hobbs et al. 2008). The NASA Constellation Program (i.e., the Ares launchers and the Orion capsule) was the first program to incorporate these new human-rating requirements. In parallel, activities are under way at other agencies (e.g., ESA and JAXA) to refine safety technical requirements for human-rated space systems (Trujillo and Sgobba 2011). In 2011, the Commercial Crew Program (CCP) issued the CCT-1100 series of documents, which communicates roles and responsibilities, technical management processes supporting certification, crew transportation system requirements, and ISS-related requirements for potential commercial providers.

Human Spaceflight Safety Risks

The principal safety issues related to orbital human spaceflight are protection from environmental hazards whether space weather (i.e., ionizing radiation) or space debris, the need to provide escape and safe-haven capabilities, and prevention of collision risk. Collision risk may be divided into (1) the risk of collision during proximity operations (i.e., rendezvous and docking) and (2) risk of collision with other space traffic.

Environmental Risk: Ionizing Radiation

The Earth’s magnetic field traps electrically charged radiation particles in two belts high above the Earth. The highest extends out to about 40,000 km, and the lowest belt begins at about 600 km above the surface. The intensity of radiation in these belts can be more than a million times higher than on the Earth. For several decades to come, commercial orbital human spaceflight will most probably be limited to low Earth orbit flights where the radiation level is small or negligible. Based on the experience of several decades of human spaceflight in low Earth orbit (Vetter et al. 2002), a safe level of radiation exposure has been defined as that which would increase the lifetime risk of cancer by 3%, and this translates into a total dose of 100–400 rem depending on age and gender (Cucinotta et al. 2011). For comparison, a maximum of 10 rem is the annual dose allowed for workers in occupations involving radiation. Since health risk increases with the total dose, it is important to monitor the dose and to establish norms for the retirement of (commercial) astronauts who reach that level (NRC 2012).

Space Search and Rescue: Past, Present, and Future

The 1912 Titanic disaster, with a distress message telegraphed in Morse code, was a defining moment in the organization of search and rescue on a global scale. The shock of the disaster led to the establishment of means for a constant distress watch on land and aboard ships. In 1914, the first International Convention for the Safety of Life at Sea (SOLAS) made it an obligation for ships to go to the assistance of other vessels in distress. The system developed and matured gradually in the following decades, and in the early 1950s it was extended to aviation, but it was only in 1985 that a well-organized international search-and-rescue (SAR) system came into force under the International Convention on Maritime Search and Rescue of 1979. The current international SAR system is based on close coordination between international maritime and aviation organizations and relies on uniform worldwide coverage and on global space-based monitoring and tracking resources carried aboard GEO and LEO spacecraft (the COSPAS-SARSAT Programme).

As with any comparable system, the safety of crew and passengers on board future suborbital and orbital commercial space vehicles will depend not only on design adequacy, robustness of construction, and the capability to tolerate failures and environmental risks, but also upon special provisions allowing escape, search, and timely rescue in case of emergency. During a suborbital commercial human spaceflight, an emergency may lead to search and rescue operations at sea or on land not dissimilar from those following an aviation accident. The case of an on-orbit emergency is different, and for it special cooperation provisions and interoperable means need to be developed. Here, the closest parallel is that of submarine emergencies: many nations now regularly practice multilateral rescue exercises and coordinate their rescue means and capabilities through the International Submarine Escape and Rescue Liaison Office (ISMERLO).

Ascent Emergencies

During the ascent phase, a so-called abort scenario needs to be considered in order to safeguard the lives of the crew and passengers on board a commercial space vehicle. Such scenarios apply to any type of space vehicle and would also require planning and cooperation with foreign countries.

Taking the Shuttle program as an example, depending on when a malfunction occurred, there were international launch abort sites at Halifax, Stephenville, St. John's, Gander, and Goose Bay (all in Canada). There were also transoceanic abort landing (TAL) sites at Ben Guerir Air Base, Morocco; Yundum International Airport, Banjul, The Gambia; Morón Air Base, Spain; Zaragoza Air Base, Spain; and Istres, France. Finally, there were 18 designated Shuttle emergency landing sites spread among Germany, Sweden, Turkey, Australia, and Polynesia, several of which are active international airports. To provide the Shuttle program with the necessary assistance, access, and dedicated capabilities at those foreign landing sites, the US government had to negotiate a large number of specific bilateral agreements. In the future, when commercial human suborbital and orbital spaceflights become common, commercial entities will not be able to obtain the same level of assistance on land or at sea, or access to foreign facilities, unless the necessary international civil space agreements and regulations are put in place by some sort of international space regulatory body similar to ICAO for aviation (Jakhu et al. 2010).

Crashworthiness

Additional lessons come from the Columbia accident and the findings of the Columbia Accident Investigation Board (CAIB), which NASA tasked with a thorough review of both the technical and organizational causes of the loss of the Space Shuttle Columbia. The CAIB recommended that future vehicles should incorporate the following: (a) a design analysis for breakup, to guide design toward the most graceful degradation of the integrated vehicle system and structure so as to maximize crew survival; (b) crashworthy, locatable data recorders for accident/incident flight reconstruction; (c) improvements in seat restraint systems incorporating state-of-the-art technology to minimize crew injury and maximize crew survival in off-nominal acceleration environments; and (d) advanced crew survival suits (including conformal helmets with head and neck restraint devices similar to those used in professional automobile racing) and avoidance of materials with low resistance to chemicals, heat, and flames, among others.

Orbital Rescue

In 1990, an International Spacecraft Rendezvous and Docking conference was held at the NASA Johnson Space Center. Its purpose was to explore the need for, and international consensus on, a set of common space system design and operational standards that would allow docking and on-orbit interoperability in case of emergency. The attributes of such international standards were summarized as follows: (a) each party could implement them with their own systems and resources; (b) cooperation on such standards does not require subordination (i.e., one party does not have to buy parts of the system from another); (c) the success of one project or project element is not required to ensure the success of the other; (d) no standard requires subordination to another standard; and (e) the functional requirements of the standard can be implemented with a number of alternative technologies. Definition of the standards does not require the transfer of technology.

In 2008, the objective of developing orbital rescue capabilities was restated by the US Congress in the NASA Authorization Act of that year (H.R. 6063). In fact, Sect. 406, EXPLORATION CREW RESCUE, stated that: “In order to maximize the ability to rescue astronauts whose space vehicles have become disabled, the Administrator shall enter into discussions with the appropriate representatives of space-faring nations who have or plan to have crew transportation systems capable of orbital flight or flight beyond low Earth orbit for the purpose of agreeing on a common docking system standard.”

In 2010, the International Docking System Standard (IDSS), based on the original androgynous docking system (APAS) developed in the 1970s for the Apollo-Soyuz Test Project, finally became a reality through the initiative of the countries participating in the International Space Station program. Although China was not involved in this standardization effort, the Chinese had already chosen for their Shenzhou vehicle and for the Tiangong-1 space station a docking system variant called APAS-89, the same used on the International Space Station (ISS) and compatible with the new international docking standard. The Chinese docking system was successfully demonstrated on-orbit in 2011 with a robotic mission. Further dockings were performed by two crewed missions, Shenzhou 9 in 2012 and Shenzhou 10 in 2013. Following Tiangong 1, a more advanced space laboratory, Tiangong 2, was launched in 2016, and a larger modular Chinese space station is planned. In the coming years, at least two space stations will be orbiting Earth, the ISS and the Chinese station, thus making an orbital rescue system possible for the first time. Even private space stations are now envisioned by Bigelow Aerospace, with prototypes already in orbit.

ISMERLO itself was set up in 2004 as a cooperative program to “establish endorsed procedures as the international standard for submarine escape and rescue using consultation and consensus among submarine operating nations,” and it offers a model for an equivalent orbital rescue capability. As with submarines, in space the delay between an accident and a rescue attempt must be short. Furthermore, the institutionalized contacts and increased transparency engendered by such cooperation on orbital rescue would fit with broader trends toward increasing openness and could constitute an important confidence-building mechanism for wider cooperation in making space operations safe and sustainable.

Conclusions

This review has presented a wide variety of space risks. It has explored the safety risks that experienced space organizations and new spacefaring nations are facing. An in-depth understanding of these risks is important to fully comprehend the scope of the safety challenges ahead. Without such an understanding, it will be difficult if not impossible to mitigate them effectively. Both unmanned orbital space systems and crewed vehicles are adversely affected by the growing amount of orbital debris. The cascading effect produced by collisions among space objects is a mounting concern. We must seek to minimize the impact of uncontrolled reentering objects on the safety of those on land, in the air, and at sea. In addition, the proliferation of new commercial ventures indicates the need to promote space safety in the area of orbital and suborbital tourism and raises the question as to how space traffic management might be addressed in future years. The complexity of space safety issues and the scope and nature of future safety challenges may well need to be tackled through an expanded international regulatory framework, one expanded to address the space safety risks that have been described in this chapter.