“Certifying” Space Shuttles

A minor row seems to have broken out in comments at this post, at which an obviously frustrated “Habitat Hermit” thinks he’s living in the twilight zone. It’s an important enough point that it’s worth breaking it out in a separate post. I first responded to his comments on certification thusly:

Certification is very well defined for aviation. You can go look up in a book what is required, per FAA procedures. Such a book has never been written for the Shuttle, and it’s not a simple matter of transferring the procedures from aviation, because Shuttle has many systems that don’t even exist in an aircraft, with no experience of how long they can really safely go without refurbishment or replacement (one of the reasons that it would be extremely premature to put a certification process on the space transport industry). It is not an aircraft, except for a brief period of its mission, and it remains an experimental system.

Estimates of what “recertification” would cost for Shuttle are based on the costs of doing a full OMDP for whichever of the orbiters (Discovery I think) is due for one, and perhaps a lesser one for Endeavor (which is a newer vehicle, and again, where that term isn’t well defined, though I suppose that it could be sort of equivalent to a D check). But no one has ever discussed “certification” of Shuttles, as far as I know, prior to the CAIB, and the CAIB had no special insight into what would be involved in it, other than what they gathered by talking to NASA personnel, who probably had given it little thought. The fact remains that the 2010 date was driven by need to complete ISS, and had nothing to do with when the Shuttles were “due” for “recertification.”

To which he responded:

Your reply amazes me. I do realize that I’m beating a dead horse but I (and everybody else) should continue doing that as long as people try to operate space transportation systems upon the carcass.

The Shuttle components were manufactured to specifications.

Those specifications were whatever NASA deemed sufficient.

Certification obviously means ensuring that the Shuttle components still meet those specifications and requirements (including any later changes) for every part of every Shuttle.

This is not being done in full according to every source I have. No one has come forward with sourced information to the contrary.

This issue is dead simple yet the replies are a buffet of avoiding the topic and arguments made, obfuscation, nonsense, repeating or introducing small pieces of information I would hope would be obvious to most interested bystanders with some knowledge (including me) and in general adding absolutely nothing at all.

In other words you are obviously and most likely consciously arguing against common good practice and minimum standards.

My reply:

Certification obviously means ensuring that the Shuttle components still meet those specifications and requirements (including any later changes) for every part of every Shuttle.

No, that is not what “certification” means (at least for aviation), “obviously” or otherwise. No matter how much you want it to mean that, it doesn’t. The word for that is “verification.” There is no established procedure to certify a Shuttle Orbiter, regardless of how upset that reality makes you. And absent such a defined procedure, the Shuttle cannot be either certified, or recertified.

In other words you are obviously and most likely consciously arguing against common good practice and minimum standards.

No one is arguing, or has argued against that. But that’s not certification, either. Words really do mean things.

The reason that we insist on not misusing the word “certification” is because of the potentially dire implications it would have for the fledgling space transport industry should the FAA take it into its head that spacecraft require it. It would likely strangle it in the cradle.

[Late afternoon update]

I have received an excerpt of a document from a very reliable source at NASA that may shed some light on this subject. Alternatively, it could simply further confuse.

The Columbia Accident Investigation Board (CAIB) addressed certification of the Space Shuttle beyond 2010 in Recommendation 9.2-1 of their report. The recommendation states that prior to operating the Shuttle beyond 2010, the Shuttle Program should develop and conduct a vehicle certification at the material, component, subsystem, and system levels. When built, each Orbiter was certified to 10 years and 100 missions. While each Orbiter has flown less than half of its certified number of flights, some have been operational for as much as 25 years. The Orbiter Project developed a plan that meets the intent of the CAIB recommendation by ensuring that Orbiter materials and components are not operating outside of their certification limits. The work already accomplished in support of this effort can be expanded to support extension of Shuttle operations to 2015.

Orbiter Certification Verification Aging Vehicle Assessment (AVA)

The Orbiter Project initiated the Verification Aging Vehicle Assessment (AVA) project in June of 2003 to determine if Orbiter hardware was being processed and operated within qualification and certification limits. However, the Orbiter Project determined that the original certification did not in all cases encompass the true operating environment for the Orbiter. In some cases, current understanding of Shuttle operational environments differed from the original certification assumptions. Further, some components were operated more frequently than originally envisioned. As a result, Orbiter’s reassessment of its certification limits addressed these issues.

AVA began by evaluating Orbiter’s Criticality 1 systems: the components that are zero-fault tolerant. To date, Orbiter has completed review of over 700 Criticality 1/1 and 1R2 component certification packages. The remaining 2,245 certification packages are for lower risk components such as criticality 2 or criticality 3 systems that are necessary for mission success and not crew safety. The Orbiter Project’s review of each certification package consists of an in-depth assessment by the individual subsystem’s Problem Resolution Team (PRT). The PRT consists of the subsystem manager as well as flow processing engineers, design engineers, mission operations engineers, and safety and mission assurance engineers. The PRT contains the technical expertise on how the components of a certain subsystem are operated on a day-to-day basis on the ground as well as in flight. Inconsistencies between the original certification requirements and the current operational requirements were documented as findings. Of the 700 certification packages reviewed to date, 1,876 findings have been reported. Findings were dispositioned by the PRT and reviewed by the AVA Horizontal Integration Panel for adequate flight rationale.

AVA has also verified all hardware inspection frequency criteria and compliance with the criteria. The AVA PRTs also assessed materials and processing inspections for their ability to address aging vehicle concerns. Twenty-three potential inspection modifications or additions were identified. Of these 23, four were mandatory for Return to Flight (RTF) (prior to STS-114 flight). Many of the remaining items were not related to a Crit 1/1 failure but were identified due to their increased sensitivity to aging aircraft issues.

The AVA effort identified over 500 Orbiter parts with potential age-limited soft-good components. Of these, 230 were determined to be good through 2010. Of the original set of 500 parts, 66 were given expiration dates between 2011 and 2015 and will be reviewed in further detail as part of the Shuttle extension AVA activity. A preliminary assessment of the remaining 200+ parts revealed no age-life limitation.

Extending Shuttle beyond 2010

The Orbiter Project will use the AVA results to help assess the potential of extending the SSP through 2015 as illustrated in Figure 1. First, the PRT’s will assess components for possible certification issues through 2015. This will include components that were assessed during the AVA effort. Closed findings will be validated to ensure the closure rationale is applicable through 2015. If the rationale is inadequate, additional analysis or testing may be required. Next, all the open findings will be re-evaluated to determine if they need to be further addressed to 2015. The approximately 300 soft goods that are due to expire prior to 2015 will be evaluated and prioritized by the criticality of their function. Materials of concern will be recommended for testing or additional analyses to ensure continued safety of flight.

Figure 1: Certification Verification Schedule FY09 – FY10

To assure continued operations within certification, the Space Shuttle Program will need to retain certain critical skills and facilities at the following locations: White Sands Test Facility (WSTF) for thrusters and Orbital Maneuvering System pod recycling, troubleshooting and testing; Palmdale for coldplate manufacturing capabilities; and Lockheed-Martin for wing leading edge reinforced carbon-carbon panel manufacturing. The Space Shuttle Program will also need to retain the NASA Shuttle Logistics Depot (NSLD) for sustaining engineering of the avionics components and other critical components to assure safe flight through 2015. Fleet-leader testing of critical components, including thrusters and Space Shuttle Main Engines would need to be continued beyond the current cessation dates.

The Shuttle program will also be able to reduce risk by improving our understanding of the Shuttle’s operation. If Shuttle operations are extended, NASA will retire OV-104 Atlantis in 2011, and continue operating with two Orbiters. Should the decision be made to extend Shuttle operations, the Shuttle Program will dismantle and inspect certain subsystems on OV­104 that have never been dismantled in the history of the Space Shuttle Program. For instance, the hydraulic actuators in the fleet have been in place since the original assembly and have not been taken apart to determine the relative condition. No other hydraulic system in aviation history has flown for the amount of time that is on our Orbiters without being dismantled for inspection.

Obsolescence and vendor issues will drive continued certification testing regardless of when the Shuttle Orbiters are retired. With every mission, we learn something new about the operating environment and the response of the vehicle to that operating environment. For this reason, the Space Shuttle Program remains a vigilant and learning organization. This will always be the case and we will learn something new on the last mission whenever that may come. For example, the Space Shuttle Program tested the Space Shuttle Main Engines (SSME) at severe off-nominal conditions to evaluate the ability of an SSME to be used in the Ares program. This off­nominal testing led our Shuttle engineers to upgrade the SSME models to reflect new conditions at which we tested. The model upgrade and testing allowed our engineers to refresh their design knowledge of the SSME and gain test data which improved insight into SSME engine margins. This type of testing and analysis, although not part of a formal certification, provides valuable insight which allows us to understand real margins and ultimately improves safety.

Another example of how we keep our engineers’ skills sharp is the case where we endeavored to improve our External Tank manufacturing process. In this case, we focused in on the replacement of certain Aluminum Lithium (Al 2195) components that were introduced as a part of the Super Light-Weight Tank for weight reductions. The previous material, Al 2219, is easier to work with and costs much less to produce. The External Tank Project was able to reduce the membrane size and maintain the required factor of safety. For now, we have exchanged Al 2219 for Al 2195 on the liquid oxygen dome gores, the liquid hydrogen dome gores, and the liquid oxygen forward ogive. In the liquid hydrogen barrels one and two and in liquid oxygen dome cap, the External Tank Project has reduced the existing stiffener and membrane thicknesses to improve productivity and reduce weight. The level of certification testing and analysis offers the benefit of keeping our engineers sharp, thus improving the overall system.

In addition, the Space Shuttle Program is testing our older composite over-wrap pressure vessels to failure to gain insight into aging and manufacturing issue with this type of tank. Knowledge gained will be very useful for future program. We routinely ground test new hardware planned for use in our Reusable Solid Rocket Motors. In some cases we introduce flaws into the hardware, such as cuts in primary o-rings, with the goal to gain improved understanding of where the edge is and what margins our design offers. If we fly beyond 2010, we will continue to implement these types of programs to gain understanding of the real capabilities the Shuttle possesses.

Conclusion

In summary, a complete recertification of the Orbiter is not necessary; however, the Space Shuttle Program will reassess the certification packages and material review of the critical components on the Orbiter to ensure there are no time and cycle or material age-related issues. The program will also assure that the vehicle continues to operate within the constraints and requirements defined by its current certification. Required inspections and testing during Orbiter processing provide opportunities to constantly monitor the health of Orbiter systems and to mitigate any performance degradation before it becomes a safety of flight concern.

Emphasis mine. I don’t believe it’s correct to say that it was “certified for ten years and a hundred flights.” It would be more accurate to say that it was designed and built to that specification and the specification was validated and the hardware and software verified. The language here is confusing — what is a “certification verification”?

To me, it is a response to the CAIB’s request for “certification” information on the Orbiters, that they came up with ad hoc (without providing the exact source, I can say that it is part of an appendix to a very recent, but still-to-be-released document). This is not a criticism, but I think that it’s a valid interpretation. Note that in reference to the 2003 activity (in the summer after Columbia) it only talks about “Aging Vehicle Assessment” with no mention of “certification.”

Again, I don’t believe that “certification” was a standard term within NASA, at least with regard to the Shuttle, prior to the CAIB, but if someone has information to the contrary, I’ll stand corrected. Basically, as I said already, what is being described here is a reverification, not a recertification, particularly since I still await evidence (other than the wording in the first paragraph — I mean historical evidence, like, you know, a certificate…?) that it was ever “certified” in the first place.

13 thoughts on ““Certifying” Space Shuttles”

  1. For even a two-seat private plane that wants to fly under Part 91 rules, certification is a long and expensive process. First, the plane design itself must be certified (I’ve also read the term “certification” for the process). Next, the production facilities must also be certified. For even that 2 seat plane, this can cost tens of millions of dollars. The more complicated the plane (e.g. retractable landing gear, constant speed prop, etc), the more expensive the process.

    If FAA certification rules were applied to a vehicle such as SpaceShipTwo, the costs would rise so sharply as to doom the project. First, you’d have to certify the White Knight Two mother plane including engines, instruments, structure, and subsystems. Next, you’d have to do the same with SS2. The SS2 design itself and everything used in it including the engine would have to pass rigorous certification procedures. That would add several hundred million dollars to the project and almost certainly contribute nothing to safety.

    Yes, words mean things. Applying FAA certification requirements to a spacecraft would mean that non-government vehicles would never be allowed to fly commercially.

  2. Man what I wouldn’t do for real access to a legally enforceable cost/benefit challenge to regulatory agencies and their rules. The Judiciary has totally abdicated to the Administrative State however; you can’t even challenge the silliest of their rules, no matter how weak the justification.

  3. From what I’ve seen of the schedules, 2010 has to do with OMDP (Orbiter Maintenance Down Period), which use to take Orbiters out of the fleet for about a year and a half. STS-125 was OV-104’s last flight before the nominal OMDP. OMDP is based on number of cycles per vehicle. So if it had flown in 2008 (assuming 2010 end of program), it would have left the fleet after landing. That would leave 2 Orbiters flying more missions between them, so the next OMDP would come for OV-103 shortly. At that point, you can’t fly with just one vehicle and have another ready for emergency.

    The rest of the discussion is purely argumentative as to what constitutes certification and what is being done. For what it is worth, each launch goes through a Certification of Flight Readiness (CoFR) which is based on STS specifications. Each element (Orbiter, SRBs, ET, SSME) is certified by each each discipline (crew, operations, engineering, safety, etc).

  4. but again, that has nothing to do with 2010.

    Right, which is why I mentioned the OMDP first. Fair enough, you mentioned OMDP as the rationale for 2010 as well. OMDP is not a certification process by any stretch.

  5. OMDP is not a certification process by any stretch.

    I agree, but I suspect it’s part of what some talk about when they attempt to estimate what a “recertification” would cost, which was one of the issues confusing HH.

  6. Personally, I think the key is the wording “certified for manned flight” – that is not comparing parts to their specifications, but is rather comparing voodoo.

    I agree with HH, though, that verifying that the current parts still meet the original specs would be a good idea.

    Some 737s are getting that old – I wonder how deep their inspections go?

  7. B-52 may be a better example of a long-lived aircraft than 737. It’s way older and also the economics of its lifecycle are closer to a government ran space program.

  8. And like the Shuttle, the B-52 was never certified because it’s a government vehicle and doesn’t carry passengers for hire. A 737 is intended to carry passengers so it had a rigorous certification process. There is a civilian version of the C-130 known as the L-100. That plane had to be certified.

  9. I agree with HH, though, that verifying that the current parts still meet the original specs would be a good idea.

    No one has said otherwise, but that doesn’t constitute “certification.” Or “Recertification.”

  10. Larry J said: And like the Shuttle, the B-52 was never certified because it’s a government vehicle and doesn’t carry passengers for hire.

    I can’t say for sure about the BUF (before my time), but certainly military aircraft are certified – not by the FAA, but by the procuring agency. In order for them to fly in national civilian airspace, the procuring agency has to certify them as safe, and there’s a whole MILSPEC (MIL-HDBK-516) that exists to guide the process.

  11. Yes, military aircraft go through a formal evaluation process that can take years but they don’t have to meet FAA certification requirements. That’s why a surplus military plane has many restrictions on it if purchased by a civilian. Military requirements are onerous enough, though.

    As for “safe”, that’s a relative term. Most of today’s military aircraft are much safer (based on accident rates) than those of the 1950s with the possible exception of the AV-8B Harrier II. Still, based on the type of flying the military does, their accident rate is obviously higher than civilian aircraft. When you’re going very fast at low altitude or doing dogfight training, accidents will happen that don’t have anything to do with the aircraft design.

  12. I suggest listening to the MIT Systems Engineering lecture from 2005 by Sheila Widnal. She was on the Columbia board. She addresses the certification issue near the end of her talk; I don’t know how far in but it’s around the last 15 minutes:

    http://ocw.mit.edu/OcwWeb/Aeronautics-and-Astronautics/16-885JFall-2005/LectureNotes/

    some quotes, out of order:

    “They could not continue to operate the way they had been operating. That is the message.”

    The CAIB recommended creating a safety organization within NASA. To get the new safety office working with the shuttle office, they needed to give them a project: the recertification. They would be forced to work together to recertify the shuttle.

    When asked a question from the class about extending to, say, 2013, her answer:
    “NASA should come forward with a plan, at a minimum, with how they are going to operate the shuttle SAFELY through 2013”.

Comments are closed.