NASA/SP–2010–578

NASA Astronauts on Soyuz:

Experience and Lessons for the Future
OSMA Assessments Team
Johnson Space Center, Houston

National Aeronautics and

Space Administration

Johnson Space Center

Houston, TX 77058

August 2010
 NASA STI PROGRAM ... IN PROFILE

Since its founding, NASA has been dedicated to conferences, symposia, seminars, or other
the advancement of aeronautics and space meetings sponsored or cosponsored by
science. The NASA Scientific and Technical NASA.
Information (STI) Program Office plays a key
part in helping NASA maintain this important  SPECIAL PUBLICATION. Scientific, technical,
role. or historical information from NASA
programs, projects, and mission, often
The NASA STI Program Office is operated by concerned with subjects having substantial
Langley Research Center, the lead center for public interest.
NASA’s scientific and technical information. The
NASA STI Program Office provides access to the  TECHNICAL TRANSLATION. English-language
NASA STI Database, the largest collection of translations of foreign scientific and
aeronautical and space science STI in the world. technical material pertinent to NASA’s
The Program Office is also NASA’s institutional mission.
mechanism for disseminating the results of its
research and development activities. These Specialized services that complement the STI
results are published by NASA in the NASA STI Program Office’s diverse offerings include
Report Series, which includes the following creating custom thesauri, building customized
report types: databases, organizing and publishing research
results . . . even providing videos.
 TECHNICAL PUBLICATION. Reports of
completed research or a major significant For more information about the NASA STI
phase of research that present the results Program Office, see the following:
of NASA programs and include extensive
data or theoretical analysis. Includes  Access the NASA STI Program Home Page at
compilations of significant scientific and http://www.sti.nasa.gov
technical data and information deemed to
be of continuing reference value. NASA’s  E-mail your question via the internet to
counterpart of peer-reviewed formal [email protected]
professional papers but has less stringent
limitations on manuscript length and extent  Fax your question to the NASA Access Help
of graphic presentations. Desk at (301) 621-0134

 TECHNICAL MEMORANDUM. Scientific and  Telephone the NASA Access Help Desk at
technical findings that are preliminary or of (301) 621-0390
specialized interest, e.g., quick release
reports, working papers, and bibliographies  Write to:
that contain minimal annotation. Does not NASA Access Help Desk
contain extensive analysis. NASA Center for AeroSpace Information
7121 Standard
 CONTRACTOR REPORT. Scientific and Hanover, MD 21076-1320
technical findings by NASA-sponsored
contractors and grantees.

 CONFERENCE PUBLICATION. Collected

papers from scientific and technical
NASA/SP–2010–578

NASA Astronauts on Soyuz:

Experience and Lessons for the Future
OSMA Assessments Team
Johnson Space Center, Houston

National Aeronautics and

Space Administration

Johnson Space Center

Houston, TX 77058

August 2010
 Intended Audience

This document is intended for Johnson Space Center (JSC) employees and contractors and other NASA
centers and contractor groups participating in the development, use, study, and human-rating of crewed
spaceflight systems.

Questions about this document should be directed to:

Mr. David F. Thelen, NASA, Manager, Safety and Mission Assurance Flight Safety
Office, JSC Safety and Mission Assurance Directorate, Email: [email protected]

Mr. Bill M. Wood, SAIC, Flight Safety & Integration Manager, Science Applications
International Corporation, Email: [email protected]

Available from:

NASA Center for AeroSpace Information National Technical Information Service

7115 Standard Drive 5285 Port Royal Road
Hanover, MD 21076-1320 Springfield, VA 22161
Phone: 301-621-0390 or 703-605-6000
Fax: 301-621-0134

This report is also available in electronic form at http://ston.jsc.nasa.gov/collections/TRS/

Foreword
The chief of the NASA Headquarters Office of Safety and Mission Assurance (OSMA), Bryan O’Connor,
requested that the NASA Johnson Space Center (JSC) Safety and Mission Assurance (S&MA) Director,
Terrence Wilcutt, convene a team to report on NASA’s experience working with the Russians and lessons
on astronaut safety assurance of the Soyuz spacecraft. This report on Soyuz history was conceived as a
possible analogy relevant to domestic commercial spaceflight vehicles.

On behalf of the JSC S&MA Directorate, David F. Thelen (Manager, Flight Safety Office), and SAIC’s
[Science Applications International Corporation] Gary W. Johnson were assigned to lead this task. Gary
is the former NASA Chairperson of the Shuttle/Mir Joint Safety Assurance Working Group and the Inter-
national Space Station (ISS) Joint American Russian Safety Working Group. He was also a member of
the Apollo-Soyuz Test Project.

Acknowledgements
Contributors to this report included:

Richard K. Fullerton of NASA Headquarters OSMA Mission Support Division who also
served as the Phase 1 Program co-chair of Working Group 7 Extravehicular Activity

Nathan J. Vassberg of NASA JSC who is the ISS Program’s Safety Review Panel chair,
and who was a safety, reliability and quality assurance engineer with SAIC supporting
the Assured Crew Return Vehicle (ACRV) Project Office

John K. Hirasaki, senior engineer, Ares Corporation who currently supports the ISS
Program and International Partner Element Integration Office, and who previously
supported the ACRV Project Office as an operations integration engineer with Eagle
Engineering

Michael R. Barratt M.D., flight surgeon and astronaut, who launched on Soyuz TMA-14
on March 26, 2009, to the ISS during Expeditions 19 and 20

Kenny L. Mitchell, NASA Marshall Space Flight Center retiree, who was manager of the
Moscow Space Station Program Office, Moscow Technical Liaison Office from July
1994 to July 1996

George K. Gafka of NASA JSC’s S&MA Office, and who is the ISS Chief Safety and
Mission Assurance Officer

Chrystal L. Hoelscher, information/data administrator and technical editor of SAIC’s

Flight Safety Office

Dennis W. Pate, senior human factors engineer of SAIC’s Flight Safety Office

David M. Salvador, lead systems engineer of SAIC’s Flight Safety Office

i
Contents
1.0 Executive Summary ............................................................................................................ 1

2.0 Scope ................................................................................................................................... 2

3.0 Apollo-Soyuz Test Project .................................................................................................. 2

3.1 Apollo-Soyuz Test Project organization and management ................................................. 3
3.2 Apollo-Soyuz Test Project mission objective ..................................................................... 3
3.3 Apollo-Soyuz Test Project joint safety assessments ........................................................... 4
3.4 Apollo-Soyuz Test Project unilateral system safety reports................................................ 5
3.5 Apollo-Soyuz Test Project conclusion ................................................................................ 5

4.0 NASA Assessment of the Soyuz Spacecraft for Space Station Freedom
Assured Crew Return Vehicle ............................................................................................. 6
4.1 Soyuz/assured crew return vehicle general lessons learned ................................................ 8
4.2 Soyuz/assured crew return vehicle conclusion .................................................................... 8

5.0 Shuttle/Mir Program ............................................................................................................ 8

5.1 Joint safety policy................................................................................................................ 9
5.2 Statement of safety policy ................................................................................................... 9
5.3 Guidelines............................................................................................................................ 9
5.4 Risk assessment of the U.S. astronaut on the Soyuz/Mir .................................................... 9
5.5 Risk assessment for the joint Shuttle/Mir mission .............................................................. 9
5.6 Shuttle/Mir Safety Integration Assessment Criteria ............................................................ 10
5.7 Shuttle/Mir organization...................................................................................................... 10
5.8 Shuttle/Mir conclusion ........................................................................................................ 10

6.0 Phase 1 International Space Station (NASA/Mir) ............................................................... 10

6.1 Phase 1 Program objectives ................................................................................................. 11
6.2 Phase 1 Program organization ............................................................................................. 11
6.3 Comparison of NASA and Russian quality, reliability, and safety assurance..................... 11
6.4 Russian process for flight readiness .................................................................................... 12
6.5 Russian process for hardware acceptance ........................................................................... 12
6.6 NASA safety process for Norman E. Thagard’s launch on Soyuz ...................................... 13
6.7 Soyuz TM assessments by safety working group................................................................ 13
6.8 Soyuz TM training............................................................................................................... 13
6.9 Soyuz landing rocket failure................................................................................................ 15
6.10 Phase 1 Program conclusion................................................................................................ 15

7.0 International Space Station Program ................................................................................... 15

7.1 International Space Station Program U.S./Russian organization and management ............ 16
7.2 Soyuz safety assurance for the International Space Station Program ................................. 17
7.3 Probabilistic risk assessment of Soyuz ................................................................................ 17
7.4 Soyuz flight experience ....................................................................................................... 18
7.5 International Space Station Program Safety Review Panel ................................................. 18
7.6 Soyuz TMA upgrade ........................................................................................................... 19
7.7 NASA astronaut and flight controller training on the Russian segment ............................. 19
7.8 Crew health and medical ..................................................................................................... 19
7.9 Certification of flight readiness ........................................................................................... 20
7.10 Independent assessment organization.................................................................................. 20

ii
7.11 Additional assurance examples ........................................................................................... 20

8.0 Lessons Learned .................................................................................................................. 20

9.0 Conclusions ......................................................................................................................... 22

10.0 References ........................................................................................................................... 23

Appendix A: Uncrewed Development, Tests and Flights...................................................................... 26

Appendix B: Crewed Soyuz Flights....................................................................................................... 27

iii
Acronyms
ACRV assured crew return vehicle
ASTP Apollo-Soyuz Test Project
CoFR certification of flight readiness
CSM command and service module
DDT&E design, development, test, and evaluation
DM descent module
EVA extravehicular activity
FRR Flight Readiness Review
GCTC Gagarin Cosmonaut Training Center
GDR General Designers Review
IBMP Institute of Biomedical Problems
IED interacting equipment document
ISM instrument service module
ISS International Space Station
JARSWG Joint American Russian Safety Working Group
JSAWG Joint Safety Assurance Working Group
JSC Johnson Space Center
MCC Mission Control Center
MMOD micrometeoroid orbital debris
MOU memorandum of understanding
MSC Manned Spacecraft Center
NCR noncompliance report
NPR NASA Procedural Requirement
OM orbital module
OSMA Office of Safety and Mission Assurance
PRA probabilistic risk assessment
PRCB Program Requirements Control Board
RF radio frequency
RSA Russian Space Agency
RSC Rocket Space Corporation
S&MA safety and mission assurance
SAIC Science Applications International Corporation
SM service module
SORR Stage Operations Readiness Review
SR&QA safety, reliability, and quality assurance
SRM&QA safety, reliability, maintainability, and quality assurance
SRP Safety Review Panel
SSF Space Station Freedom
SSP Space Station Program
TIM technical interchange meeting
TM transport module
TMA transportation modified anthropometric
Vdc volts, direct current
WG working group

iv
1.0 Executive Summary
The question of how to human-rate new spacecraft has been asked many times throughout the history
of human spaceflight. The U. S., Russia, and, now China have each separately and successfully addressed
this question. NASA’s operational experience with human-rating primarily resides with Mercury, Gemini,
Apollo, Space Shuttle, and the International Space Station (ISS). NASA’s latest developmental experience
includes Constellation, but also encompasses X38, X33, and the Orbital Space Plane.

If domestic commercial crew vehicles are used to transport astronauts to and from space, the Soyuz
vehicle would be another relevant example of the methods that could be used to human-rate a spacecraft
and how to work with commercial spacecraft providers.

As known from history, the first U.S. astronaut to orbit on a Soyuz spacecraft was Thomas P. Stafford
on July 17, 1975, during the Apollo-Soyuz Test Project (ASTP) mission. Norman E. Thagard was the
first U.S. astronaut to launch on a Soyuz launch vehicle, Soyuz TM-21, on March 14, 1995, on a flight to
the Russian Mir Space Station. This flight was associated with the U.S./Russian - Shuttle/Mir Program.
The first Soyuz launched to ISS included astronaut William M. Shepherd, Soyuz TM-31, on October 31,
2000. Prior to this, NASA studied Soyuz as an assured crew return vehicle (ACRV) for Space Station
Freedom (SSF) to be launched on the Space Shuttle. Presently, in preparation for Space Shuttle retire-
ment, all U.S. astronauts are being transported to and from ISS in the Russian Soyuz spacecraft, which
is launched on the Soyuz launch vehicle.

In the case of Soyuz, NASA’s normal assurance practices have had to be adapted. For a variety of ex-
ternal reasons, NASA has taken a “trust but verify” approach to Soyuz and international cargo vehicles.
The verify approach was to perform joint safety assurance assessments of the critical spacecraft systems.
For Soyuz, NASA’s primary assurance was (and continues to be) its long and successful flight history. The
other key measure relied on diverse teams of NASA’s best technical experts working very closely with
their foreign counterparts to understand the essential design, verification, and operational features of Soyuz.
Those experts used their personal experiences and NASA’s corporate knowledge (in the form of agency,
program, center, and other standards) to jointly and independently assess a wide range of topics. These
assessments were enabled by open source data (e.g., flight history) and by design/operations documenta-
tion obtained through formal contracts or less formal working-level “protocol” exchanges. Further assur-
ance was provided by first-hand practical exposure to Soyuz training (using Russian facilities/instructors/
manuals) and crew medical practices. There were also tours of manufacturing, assembly, testing, launches,
and landings in progress. From this dialog and study, a picture was composed that focused on the core of
the Soyuz spacecraft, but also touched on the launch vehicle and its escape system. While more reliant on
the trust side of “trust but verify,” this defense in depth still culminates in Soyuz readiness reviews in which
NASA internally polls its responsible organizations and experts for their go/no-go recommendations
using limited, but best, available data.

Building on NASA’s Soyuz experience, this report contends that all past, present, and future vehicles
rely on a range of methods and techniques for human-rating assurance. The components of such assurance
include requirements, conceptual development, prototype evaluations, configuration management, formal
development reviews (safety, design, operations), component/system testing on the ground, integrated flight
tests, independent assessments, and a series of launch readiness reviews. For additional information, see
NASA Procedural Requirement (NPR) 7120.5, NASA Space Flight Program and Project Management
Requirements, and NPR 7123.1, NASA Systems Engineering Processes and Requirements. In addition,
the Arc of Acceptability, located in Section 9.0 of this report, illustrates the trade made between proven
flight experience vs. the assurance components mentioned above. This approach involves a multidisci-
pline team effort that is typically spread over an extended period of time. When various constraints (cost,

1
schedule, international) limit the depth or breadth of one or more preferred assurance means, ways are
found to bolster the remaining areas.

The body of this report provides information exemplifying the above safety assurance model for
consideration with commercial or foreign-government-designed spacecraft. The covered topics include
U.S./Soviet-Russian government/agency agreements and the engineering/safety assessments performed
along with other lessons learned in these historic U.S./Russian joint space ventures.

2.0 Scope
The scope of this report, because of history, primarily includes the orbital considerations for safe
human spaceflight aboard and/or in rendezvous with the Russian Soyuz spacecraft. It also covers the
safety considerations for a NASA astronaut to launch and return on a Soyuz spacecraft. It reflects the
related critical engineering and safety assessment elements used to determine an acceptable risk to U.S.
astronauts.

The report summarizes the safety assessments performed for the ASTP, the SSF ACRV, the Shuttle/Mir
Program, the ISS Phase 1 Program (NASA/Mir), and the present ISS Program. A presentation of inter-
government space agency policy is covered that addresses joint safety cooperatives, as well as policy
governing responsibilities on the ISS. These highlights reveal instrumental precedent setting and a
historic perspective on the continuing development of international human spaceflight safety.

3.0 Apollo-Soyuz Test Project

In July 1969, while on Air Force One flying toward the anticipated splashdown of Apollo 11, NASA
Administrator Thomas O. Paine discussed the future of human space exploration with President Richard
M. Nixon. Paine argued convincingly for NASA’s plans to seek increased multinational space ventures.
The President and his advisors agreed that this was a laudable goal and encouraged Paine to pursue his
contacts with the Soviets.1

The first step toward closer cooperation grew out of a formal exchange of letters between Administrator
Paine and the President of the Soviet Academy of Sciences, Mstislav Vsevolodovich Keldysh. President
Nixon formed an interagency committee to study the ramifications, both positive and negative, that would
arise relative to cooperative space ventures with the Soviet Union. The members of this committee favored
broader efforts toward cooperation. One suggestion for joint work concerned those areas of human space
activity affecting safety and common flight operations procedures (e.g., the development of compatible
docking hardware and the standardization of flight control and rendezvous systems to permit the creation
of a reciprocal space rescue capability).1

In support of their government leaders, joint technical meetings between Soviet engineers and NASA
engineers at the Manned Spacecraft Center (MSC) in Houston were conducted to reach agreement on the
feasibility and means of accomplishing a joint mission. With this technical foundation in place, an overall
formal agreement occurred at the U.S./Soviet Summit in May 1972 with President Richard Nixon and Gen-
eral Secretary of the Communist Party of the Soviet Union Leonid Brezhnev signing the Space Coopera-
tion Agreement. The agreement stated: “The US and USSR agree to enhance cooperation in outer space
by utilizing the capabilities of both countries for joint projects of mutual benefit. NASA and the Soviet
Academy of Sciences will oversee implementation of the agreement. The rendezvous and docking systems
of US and Soviet spacecraft will be made compatible so as to provide for joint missions and rescue
operations. The US and USSR agree to a joint, manned space flight in 1975 using Apollo-type and

2
Soyuz-type spacecraft. The two spacecraft will rendezvous and dock in space, and the cosmonauts
and astronauts will visit the respective spacecraft.”2

3 .1 Apollo-Soyuz Test Project organization and management

To implement the above government-level agreements, the number of U.S./Soviet technical meetings
increased and three working groups (WGs) were formed. Later, the ASTP WGs were expanded to six.
The WGs (all within NASA’s MSC organization – now the Johnson Space Center [JSC]) were as follows:

1. WG 0 - Technical Project Director (Apollo Spacecraft Program Office)

2. WG 1 - Mission Model (Flight Operations)
3. WG 2 - Guidance and Control Docking Aids (Engineering and Development)
4. WG 3 - Mechanical Design (Engineering and Development)
5. WG 4 - Communications and Tracking (Engineering and Development)
6. WG 5 - Life Support and Crew Transfer (Engineering and Development)

All WGs had a NASA MSC cochair and a Soviet cochair. These WGs jointly signed the meeting
minutes and developed formal technical ASTP documents. In addition to the technical documents,
safety assessment reports were jointly developed covering the safety hazards for Apollo and Soyuz for the
planned mission. Only an overview of these safety assessment reports is covered in this report.

The most difficult problem for the U.S. and Soviets was language and communications, which neces-
sitated the use of experienced professional interpreters and translators. This was a critical factor in the
success of the ASTP mission. Another complexity at that time was that the Soviets carefully monitored
the activities of their Soviet engineers while they were in the U.S. and the NASA engineers were closely
monitored while in the USSR. A related reason was that information exchange was strictly limited to the
accomplishment of the ASTP mission. The Soviet engineers had to get approval from their management
before providing information to NASA. NASA personnel had to internally justify a need to know
specific to the ASTP mission.

To achieve successful technical communication, it was best for NASA to provide the Soviets with in-
formation on their systems (Apollo electrical power system) before requesting the same information on
Soyuz systems (Soyuz electrical power system). In some cases, the Soviets, knowing that they would need
to provide the same detailed information in return (which they did not want to do), would not accept the
information from NASA. Technical data exchange and review was limited to the Apollo and Soyuz
spacecrafts and did not cover the Soyuz or Apollo launch vehicles.

To further improve working relations, the NASA WGs held informal gatherings at their homes.

3 .2 Apollo-Soyuz Test Project mission objective

Apollo-Soyuz was the first international crewed spaceflight. It was designed to test the compatibility
of rendezvous and docking systems for U.S. and Soviet spacecraft, and to open the way for international
space rescue as well as to future joint crewed spaceflights. Additional requirements to fulfill the ASTP
objectives for the Soyuz spacecraft were as follows:

1. Integration of compatible rendezvous and docking systems in the spacecraft (Soyuz passive)
2. Realization of the Apollo-Soyuz joint spaceflight
3. Pressure reduction in the living modules up to 520 ± 30 mmHg
4. Execution of joint experiments
5. Joint filming and TV transmissions

3
3 .3 Apollo-Soyuz Test Project joint safety assessments
To provide safety assurance, NASA and Soviet engineers collaborated to develop Safety Assessment
Reports on the Apollo command and service module (CSM) and the Soyuz spacecraft, which consisted of
a service module (SM), an orbital module (OM), and a descent module (DM). These reports were jointly
approved by the engineers and their program management. In addition to the safety assessment reports, a
large number of jointly signed design requirements and systems description, testing, and operations docu-
ments were developed. They were called interacting equipment documents (IEDs) with 50000 series numbers.
For example: The 50000 series was on the docking systems, the 50400 series addressed stabilization and
control, the 50600 series contained communications (IED 50601.5, ASTP Cable Communications Require-
ments, USA-USSR, August 15, 1974), the 50700 series was on atmosphere and environmental control,
etc. For a complete list of identified ASTP documents, see Reference 1, Note. The Soyuz safety assess-
ments covered below are limited to the safety hazards associated with rendezvous, docking, crew transfer
while docked, and undocking.

The Safety Assessment Report for the Soyuz Structural Ring Latches covered the hazard of
inadvertent release of the Soyuz structural ring latches, resulting in loss of pressure integrity. The con-
clusion stated: “The assessment given makes it possible to conclude that the latches’ design, logic and
electrical control diagrams are designed taking into account a sufficient number of structural, circuitry
and procedural features that prevent inadvertent release of the Soyuz structural ring latches at design
interface loads.”3

The Safety Assessment Report for Soyuz Propulsion and Control Systems covered the attitude
and translation control system of the Soyuz spacecraft and its associated instruments. The safety of the
attitude and translation control system was assured by

1. The redundancy of the attitude and translation control system modes.

2. Arranging the most important instruments of the system in a configuration yielding reliable
performance (triple redundancy).
3. The redundancy of command sensors (two complete sets), the thrusters (two complete sets), and
the corrective engines (two complete sets). The switching of these instruments and assemblies were
implemented either from the cosmonaut control panel or on a radio-link.
4. Monitoring, on the cosmonaut control panel, of the telemetry condition of the main and backup
corrective engine system, docking and orientation engine system, and operation of the system’s
engines. The propulsion system was also assured by monitoring the performance of commands and
software programs.
5. The selection of the sequence of commands and operations to eliminate any spurious inputs of
commands.4

To address Apollo 1 lessons, the Safety Assessment Report for Soyuz Fire and Fire Safety covered
the fire safety of Soyuz vehicles and the principles of Soyuz fire safety provisions. To control fire risks,
electronic equipment was placed outside the crew compartment and filled with an inert gas (nitrogen).
Additionally, the crew quarters used a mixed-gas atmosphere (nitrogen and oxygen) and controls to pre-
vent the oxygen percentage from exceeding 31%. All spacecraft components were checked under the
most severe temperature conditions, and maximum nominal current loads in the atmosphere with oxygen
content of 40% and total pressure up to 960 mmHg. Electric power was found to be based on a two-wire
circuit (power return isolated from vehicle ground or structure) and protected by circuit breakers and
fuses. Additional provisions and controls for nonmetallic materials were also covered in the report.5

The Safety Assessment Report for Soyuz Pyrotechnic Devices covered the pyrotechnic devices, elec-
tric circuitry, circuit protection, tests and checkout, and influence of radio frequency (RF) radiation on the

4
pyrotechnic devices. Results obtained from the analysis and testing, of a full-scale Soyuz mockup with
RF power, provided confidence that there was no danger of the Soyuz pyrotechnic device initiating
because of electromagnetic irradiation from on-board radio systems and ground stations.6

The Safety Assessment Report for Soyuz Habitable Modules Overpressurization and Depres-
surization concluded that, during joint flight, the Soyuz modules would not be overpressurized, there
would be no Soyuz failures leading to rapid gas leakage, and the pressurization system would maintain
the necessary atmospheric pressure up to equivalent leakage through a 5-mm-diameter hole.7

The Safety Assessment Report for Soyuz Manufacturing, Test and Checkout Flow provided a list
of the new and modified systems to support the ASTP mission (e.g., the androgynous periphery docking
system and the automatic control equipment for docking assemblies installed in the OM were on this list
along with the reason for the change). A description of the development tests and integrated ground tests
for this system were covered at the manufacturer, launch complex, and launch pad. They also performed
flight testing, covering all operations except for the actual docking with Apollo.8

The Safety Assessment Report for Soyuz Radio Command Systems described the radio command
system consisting of the Mission Control Center (MCC), ground tracking stations, and command system
on-board equipment. Inadvertent commands that could affect crew safety were covered in detail.
Information was provided on the following:

1. Protection against accidental commands

2. Measures against command distortion
3. Measures to exclude any accidental commands
4. Measures against operator mistakes
5. Measures against missing a command transmitted to the spacecraft9

3 .4 Apollo-Soyuz Test Project unilateral system safety reports

To provide detail on Soyuz systems not covered in the Joint Safety Assessment reports, the NASA JSC
Safety, Reliability, and Quality Assurance (SR&QA) Office developed unilateral System Safety Reports.

For example, JSC 09265, Unilateral System Safety Report for Soyuz Pyrotechnic Devices for the ASTP,
covered and documented the descriptions, locations, and characteristics of Soyuz pyrotechnic devices
including the safe no-fire power limits as compared to the similar provisions for Apollo (1.5 milliwatts/
50 milliamps for Soyuz vs. 1 watt/1 ampere for Apollo).10

Another unilateral report covered the Soyuz Electrical Power System (JSC 09267). This report doc-
umented the power system descriptions, locations, and power supply system schematic of the Soyuz
electrical power system, which was proven to be isolated from structure by means of high resistance.11
The report also concluded that at least two insulation faults are required (one positive and one negative)
before a Soyuz short can occur. Power and return are in separate connectors. Two out of three voting in
critical circuits provided series and parallel redundancy. Information for this report was obtained from
Soviet WG1 Chairman Vladimir Aleksandrovich Timchenko who provided “Lectures on the Soyuz Power
Supply System to be used for Joint Training of the Control Center Personnel,” USSR WG1-100.12

3 .5 Apollo-Soyuz Test Project conclusion

What made ASTP a success was formal top-level government agreements with a clear mission objective
and the knowledge that both countries would benefit from these agreements. Experienced and dedicated
personnel from both sides were assigned with clear responsibilities and reporting. Although this was during

5
the period of the “Cold War,” engineers on both sides worked together as a team to make sure ASTP was
a success.

From a technology perspective, NASA engineers initially were under the impression that the Soviet
spacecraft was not equivalent to NASA’s spacecraft, but became aware that the redundancy level was as
good as that of the U.S. spacecraft; indeed, in some critical control systems, the Soyuz had three strings of
redundancy vs. the two strings of redundancy for Apollo. Soyuz design was deemed to be robust with an
objective of being simple rather than complex. Its functions were primarily automated with some crew
manual backup vs. Apollo’s greater reliance on crew for spacecraft operations. One example of technical
innovation was the Soyuz electromechanical damper vs. the hydraulic damper on the Apollo docking
system, which required heaters to maintain temperature.

Although Soyuz and Apollo/Saturn launch vehicles were not formally reviewed or evaluated, the
Soviets did provide information on a Soyuz 18A, April 5, 1975, launch that had a problem during the
first and second stage that resulted in a successful ascent abort.

4.0 NASA Assessment of the Soyuz Spacecraft for Space Station

Freedom Assured Crew Return Vehicle
The SSF Program, ACRV Project Office, was directed by Congress to look at the Russian legacy space-
craft as an ACRV for SSF. The result was the initiation of a joint Scientific and Production Association
NPO-Energia and NASA analysis in March 1992.13

“In October 1991, during a meeting with Boeing representatives (the main station contractor) the head
of NPO-Energia Yuri Pavlovich Semenov offered the company’s Soyuz spacecraft to serve as a lifeboat.
In February 1992, the chairman of a congressional subcommittee on space Barbara A. Mikulski urged
NASA Administrator Richard H. Truly to evaluate the feasibility of employing Soyuz as a lifeboat. In
March 1992, Russian and US space officials discussed the possibility of cooperation in manned space
program, including ACRV. On June 18, 1992, after three months of negotiations, NASA Administrator
Daniel S. Goldin and Director General of the Russian Space Agency Yuri Nikolayevich Koptev, “ratified”
a contract between NASA and NPO-Energia to study possible application of the Soyuz spacecraft and
Russian docking port in the Freedom project. The agreement would also cover a study of the possible use
of the Mir space station for the US life-science research in support of the Space Station Freedom project.
The contract worth $1 million was expected to last a year.”14

As a result, in May 1992, the NASA Administrator delivered a preliminary feasibility assessment report
(JSC 34023) on the possible use of the Soyuz transport module (TM) as the ACRV for the SSF Program to
George E. Brown, Jr., Chairman of the House Committee on Science, Space and Technology. This report
was followed by a NASA feasibility study contract with NPO-Energia in June 1992. Phase A of the Soyuz
TM feasibility and definition study was completed in December 1992.15

The ACRV Project Office, on January 1993, requested that Langley Research Center conduct a study
to accommodate the Soyuz/ACRV. The objective of this study was to evaluate the technical impacts of
accommodating two Soyuz vehicles on SSF for assured crew return. The study was completed, and the
results were presented on March 4, 1993. The identified general issues included increased keep-alive
Soyuz power requirements, conversion of 120 Vdc [volts, direct current] to 28 Vdc power, and
communication/telemetry interfaces.16

6
NASA initiated a Phase B Soyuz ACRV definition study in March 1993 with NPO-Energia. This study
looked at extending the orbital lifetime using a NASA-compatible communication system, improved land
targeting, an androgynous docking system, Soyuz compatibility for launch within the Space Shuttle pay-
load bay, mission support architecture (MCC-Houston and MCC-Moscow), and Russian standards and
certification processes.13

On April 27, 1993, the ACRV Project Office identified the products of the Phase A technical feasibility
study of the Soyuz TM as a space station ACRV. This study included a safety, reliability, maintainability
and quality assurance (SRM&QA) analysis based on a review of the NPO-Energia specifications, standards,
and design requirements obtained during the technical interchange meetings (TIMs).

During the course of the TIMs, the Russians stated that the Soyuz vehicles supporting space stations
Salyut and Mir would always be docked for immediate return. Emergency evacuation procedures were
practiced and demonstrated as possible within 15 minutes. The Soviets had used emergency procedures
on their stations four times. Two were for medical evacuations, one was for contaminated atmosphere,
and one was for a damaged space station window.17

In June 1993, NASA JSC’s Space and Life Sciences Directorate evaluated the Soyuz TM spacecraft and
Kazbek launch and entry couch for the medical transport role. Due to Soyuz hatch and couch constraints,
essentially no medical restraint system was possible, each patient had to “bend in.” An ill or injured crew
member would need to be secured in the center couch for reach and vision. The report summary
concluded that Soyuz appears feasible for a medically critical but stable patient.18

The ACRV Project Office presentation, given on July 27, 1993, on the preliminary assessment of the
Soyuz TM system included a review of NPO-Energia engineering standards and procedures to assess their
differences and similarities with those of NASA. It asserted that Soyuz TM is a mature, proven spacecraft
designed, built, and certified to NPO-Energia engineering standards and processes that are similar but not
identical to NASA’s engineering standards and processes. A comparison of these standards was later doc-
umented in Space Station Program (SSP) 50094, NASA/Russian Space Agency (RSA) Joint Specifications
Standards Document for the ISS Russian segment. If the modified Soyuz ACRV had been implemented,
it was to be built and certified by the manufacturer, NPO-Energia, to the Soyuz ACRV Project verification/
certification requirements. Where mandatory, to accommodate unique requirements or environments of
the ACRV mission, these processes and appropriate standards were to be modified on mutual agreement
by NASA and NPO-Energia. NASA’s assurance that the Soyuz ACRV Project would meet the intent of
the SR&QA requirements was to be based on the following:

1. Successful completion of a system-level analysis designed to assess and demonstrate that the safety
and reliability of the Soyuz ACRV had not been compromised by modifications to the vehicle and
its mission environment
2. Successful completion of the NASA safety review process for Soyuz ACRV as Shuttle and space
station payloads and as an autonomous spacecraft13

The ACRV Project Office developed a NASA JSC document, JSC 34056, Soyuz ACRV Policy on
Standards, Certification and SR&QA, dated August 17, 1993. This document encapsulated the policy on
standards, verification, SR&QA, and rationale. The rationale within this document stated the following:

“Applying the NASA system of verification/certification and standards to an existing

flight-proven vehicle design would not only be prohibitively expensive, but would also
introduce changes to a successful DDT&E [design, development, test, and evaluation] pro-
cess. Applying the complete NASA SR&QA program of requirements and controls would
invalidate the previous flight history of the vehicle with respect to it’s [sic] Safety and

7
 Reliability. Alternatively, oversight of the DDT&E process would provide insight and a
method of assurance that the intent of the SR&QA requirements was being met. Safety
of the crew is considered to be an essential part of the Soyuz ACRV program, and since
there is not a formal Safety review process for the Soyuz TM, NASA is imposing its
Safety review processes and procedures.”19

4 .1 Soyuz/assured crew return vehicle general lessons learned20

1. Meetings with the Russians were highly dependent on the use of interpreters and required more
time than NASA expected.
2. Continuing relationships with particular specialists greatly improves communications. A level of
trust is established and seems to be very strong. Constantly changing personnel interfacing with the
Russians is counter-productive.
3. Word choice is important. Consistent use of agreed-to technical terminology is essential. NASA-
only terminology can cause misunderstandings.
4. There is very little empowerment in Russian industry. The transfer of Russian/Soviet information
required more management approval than NASA is used to in normal business operations.
5. The work done by NPO-Energia was more compartmentalized than that done by NASA. This
made it very important to have the particular expert present when discussing any given topic.
6. Protocols for meetings were very important to the Russians, and a signature on a protocol was
significant and treated as a binding commitment.

4 .2 Soyuz/assured crew return vehicle conclusion

Work with the Russians was easier in terms of obtaining information on the Soyuz spacecraft compared to
that on ASTP. The Russian company NPO-Energia, later changed to Rocket Space Corporation (RSC)-
Energia, wanted to market to NASA the use of the Soyuz as an ACRV for the U.S. space station. This
effort to use the Soyuz as an SSF ACRV ended when the Russian Federation became a partner on the ISS,
in December 1993. During this short period of time, March 1992 until December 1993, the ACRV Project
Office evaluated the Soyuz as an SSF ACRV, but no formal safety assessments were performed beyond
the establishment of a Policy on Standards, Certification, and SR&QA.

5.0 Shuttle/Mir Program

The Shuttle/Mir Program was formally initiated as a limited joint endeavor involving a single Russian
cosmonaut on the Shuttle and a single U.S. astronaut on Mir with one docking between the Shuttle/Mir.
On June 17, 1992, the U.S. President, George H. Bush, and the President of the Russian Federation, Boris
Nikolayevich Yeltsin, signed a formal agreement between the United States of America and the Russian
Federation concerning cooperation in the exploration and use of outer space for peaceful purposes.

Within this agreement, Article 1 stated

“Cooperation may include human and robotic space flight projects, ground-based
operations and experiments and other activities in such areas as:

- Monitoring the global environment from space;

- Space Shuttle and Mir Space Station missions involving the participation of U.S.
astronauts and Russian cosmonauts;
- Safety of space flight activities;
- Space biology and medicine; and

8
 - Examining the possibilities of working together in other areas, such as the
exploration of Mars.”21

5 .1 Joint safety policy

On March 18, 1993, the SSP Level II Program Requirements Control Board (PRCB) approved the
Change Request Number S052830 Safety Policy for the Joint U.S./Russian missions.

5 .2 Statement of safety policy

“It is the policy of NASA to maintain a comprehensive and effective system safety
program to ensure the safety of personnel and equipment. Risks associated with the joint
Shuttle/Mir Mission will be identified. Exposures to these risks will be eliminated or min-
imized to a level acceptable to both agencies. Accomplishment of these will rely on:

- Safety experience developed in support of Shuttle, payloads and space station efforts.
- Safety experience developed in support of Mir, Soyuz and Progress programs.
- Experience and knowledge acquired by Russia in support of Space endeavors.
- Assessment of docking system hardware, Shuttle/Mir interfaces, and Shuttle/
Mir normal and contingency operations to ensure that safeguards and controls are
documented and implemented.”

5 .3 Guidelines
 Mutual acceptance and trust of each country’s system safety program is the basis for system safety
efforts, recognizing the experience each country had with successful manned space programs.
 A mutual understanding of each country’s safety process is expected. Differences between the
Shuttle and Mir safety processes will be identified and resolved to the satisfaction of both countries.
 Detailed assessments may be performed for specific issues that were identified.
 Safety assessments of integrated operations will be performed to identify potential hazards and the
controls to mitigate these hazards.

5 .4 Risk assessment of the U.S. astronaut on the Soyuz/Mir

NASA will review and understand the Russian safety philosophy/process and astronaut training/
certification to provide a better understanding of the risk NASA is accepting for this mission.

5 .5 Risk assessment for the joint Shuttle/Mir mission

Mating system hardware will meet current Shuttle/Orbiter system safety requirements. Any devia-
tions from NASA requirements and hazards associated with the hardware procured from Russia (the
androgynous peripheral docking assembly, including avionics and ground support equipment) will be
identified to the Program for resolution.

Payloads and experiments will meet current Shuttle requirements as applicable.

Risk assessments of hazards affected by joint integrated Shuttle/MIR operations will be provided through
integrated hazard analyses and safety assessment reports. Integrated hazard assessment criteria will be per
the attached appendix.

The System Safety Assessment methodology will be developed to determine the level of detail required to
assess the risks associated with these operations.

9
5 .6 Shuttle/Mir Safety Integration Assessment Criteria
The Shuttle/Mir Safety Integration Assessment Criteria, dated February 12, 1993, was baselined by the
Shuttle PRCB. These criteria were derived from existing program requirements (Vol. X, NSTS 1700.7B,
etc.) and were tailored for minimum operational impact while maintaining the level of safety consistent
with manned Shuttle flights.

These criteria were not intended to impose redesign requirements for existing Shuttle/Mir hardware,
but were instead used as a basis for evaluating and defining the acceptability of those risks unique to the
Shuttle/Mir mission.22

5 .7 Shuttle/Mir organization
As was done during ASTP, it was agreed to organize this program’s work into six WGs. These were:

1. WG 0 - Joint Management
2. WG 1 - Public Affairs
3. WG 2 - Safety Assurance
4. WG 3 - Flight Operations and Systems Integration
5. WG 4 - Mission Science
6. WG 5 - Crew Exchange and Training

The WGs consisted of experts from RSC-Energia, NASA, RSA, the Institute for Biomedical Problems,
Gagarin Cosmonaut Training Center (GCTC), and other organizations and companies. The WGs pre-
pared the organizational and technical documentation and carried out the flight plans. Each country des-
ignated a cochair for each group. The cochairs conducted joint meetings and were empowered to sign
protocols that documented agreements made within their discipline.

5 .8 Shuttle/Mir conclusion
Before this program was fully enacted, it was greatly expanded in scope to include more Shuttle flights to
Mir with more cosmonauts to fly on the Shuttle. The following pages expand on the resulting lessons.

6.0 Phase 1 International Space Station (NASA/Mir)

U.S. Vice President Albert A. Gore, Jr. and Russian Prime Minister Victor Stepanovich Chernomyrdin
issued a joint statement on expanded cooperation in space on September 2, 1993. The first phase was
planned to use the Russian Mir Space Station and the U.S. Space Shuttle in the multiple missions that
would prepare both nations for further joint activities in a unified ISS. This expansion from one to multiple
missions to Mir was called NASA/Mir. This joint statement asserted that the inclusion of Russia in ISS
would offer significant advantages to all concerned, including current U.S. partners from Canada, Europe
and Japan.23

On December 6, 1993, a formal invitation was extended by the Government of Canada, the European
Governments, the Government of Japan, and the Government of the United States to the Government of
the Russian Federation to become a partner in the detailed design, development, operation, and utilization
of the space station within the framework established by the Space Station Agreements.24

On December 17, 1993, the Government of the Russian Federation gave a positive response to that
invitation and agreement. The management portion of this agreement (article 7) stated that NASA, in

10
accordance with the memorandum of understanding (MOU), was to be responsible for the establishment
of overall safety requirements and plans.25

In this context, the Phase 1 Program represented the building blocks used to create the experience and
technical expertise for the ISS. This preparatory program brought together the U.S. and Russia in a major
cooperative and contractual program to take advantage of both countries’ capabilities.

6 .1 Phase 1 Program objectives

1. Learn how to work with International Partners.
2. Reduce risks associated with developing and assembling a space station.
3. Gain operational experience for NASA on long-duration missions.
4. Conduct life science, microgravity, and environmental research programs.

The Phase 1 Program management plan was established on October 6, 1994 by the NASA Head-
quarters Associate Administrator for Spaceflight. This plan established a program manager and program
organization.26

6 .2 Phase 1 Program organization26

The Phase 1 Program organization used the same Shuttle/Mir WGs and added three additional Shuttle/
Mir WGs for a total of nine WGs. These were:

1. WG 0 - Joint Management
2. WG 1 - Public Affairs
3. WG 2 - Safety Assurance
4. WG 3 - Flight Operations and Systems Integration
5. WG 4 - Mission Science
6. WG 5 - Crew Exchange and Training
7. WG 6 - Mir Operations and Integration
8. WG 7 - Extravehicular Activity (EVA)
9. WG 8 - Medical Operations

6 .3 Comparison of NASA and Russian quality, reliability, and safety assurance

The RSC-Energia’s Reliability Laboratory provided NASA with a briefing on Mir/Shuttle Project quality,
reliability, and safety assurance. The Russians mentioned that they did not have a safety program require-
ment. Instead, they have a Quality and Reliability Program Requirement. In Russian standards, quality
encompasses a very broad range of factors that defines the consumer value of a product. Quality includes
reliability, safety, and a set of other factors described as fabrication quality, documentation quality, work-
manship, etc. While reliability and safety relate to a significant extent to vehicle characteristics, other aspects
of quality can describe both the hardware and other elements of the vehicle development process.

Of the two concepts, “reliability” and “safety,” the RSA narrowed the definition most for vehicle re-
liability. In its general meaning, dependability includes the following properties: reliability, longevity,
preservability, and maintainability. Reliability is analyzed primarily by performing quantitative analysis
on probability parameters.27

Russian experts indicated that they rely on four levels of technical standards. At the top level are RSA
and government standards. The second level defines the enterprise Rocket Space Technology. The third
level is composed of standards from facilities such as NPO-Energia. The fourth level is product standards.28

11
Safety means roughly the same thing to RSA and NASA; specifically, it is the capability to prevent
damage to the health of the crew and service personnel, along with major losses of material and property.
The relationship between reliability and safety can be illustrated by an expression often used at RSA:
“safety is assured primarily by reliability.” Those safety assurance facilities and procedures with no rela-
tion to reliability are primarily geared toward controlling contingency (hazardous) situations, e.g., situations
that arise due to a lack of hardware reliability. Russia makes far less use of quantitative indices for safety
than for dependability (e.g., crew hazard probability, specific contingency occurrence probability).

The Russians consider this approach to reliability and safety as being close to the one taken by NASA.
One of the main differences is in the methods and forms of reliability and safety analysis. For example,
NASA emphasizes measures to prevent hazardous situations from arising in its safety analysis. The RSA
essentially examines those measures as part of a reliability analysis, while focusing most of its attention
on measures to control off-nominal situations in its safety analysis.

NASA and the RSA have roughly identical principles for safety and reliability assurance to include:
development in stages; establishing, implementing, and monitoring compliance with requirements; re-
dundancy principles, etc. They also have similar approaches to problem resolution to include: tasks are
similar in terms of goals and content; methods and procedures for task resolution vary; and there are
significant differences with respect to formats for analyses and reports generated on their results.

6 .4 Russian process for flight readiness28

Although the final decision to launch is made by the assembly company (General Designer), there is
a Space Committee (approximately 20 people) headed by a 3-Star General for Air and Space with the
following representation:

 RSA
 NPO-Energia
 General Designer
 Central Institute of Machine Building
 Ministry of Defense
 Physicians
 Baikonur

When different countries/companies are involved, (e.g., Ukraine), they will have representation on the
Space Committee. At NPO-Energia’s final report before a mission, the Ministry of Defense representative
states that everything has been checked. For Soyuz launches, the Ministry of Defense still signs the flight
readiness document verifying that an independent check of the crewed requirements are met. All prepara-
tions for flight at Baikonur are performed by the military. Independent assessment is performed by the
Central Institute of Machine Building for every flight. Overall check for compliance with requirements
is process oriented, but assessment is not done on an item-by-item basis.

6 .5 Russian process for hardware acceptance

Institutions designing hardware have an organization representing the Ministry of Defense. This
organization does inspections and checks on hardware being built to requirements for all phases of
production. All design changes have to be agreed to with this organization. Two signatures are required
for hardware acceptance (General Designer and Ministry of Defense). The General Designer can overrule
the Ministry of Defense representative’s position, but this almost never happens.

12
Every piece of measuring equipment must have a stamp from the manufacturing facility with an as-
sociated stamp from the Central Institute of Machine Building (independent assessment of equipment).
This type of equipment undergoes receiving inspection/control. For equipment to be used in space, high-
level sample testing is performed to obtain a number certifying the equipment. Electrical components do
not carry a “Manned Flight Certificate,” but are part of the military standard process. Any instrument/
assembly has to have a report that identifies that it is “Good for Manned Flight.” The certificate is called
a “Passport” and has the information regarding the testing and acceptance of that hardware.28

6 .6 NASA safety process for Norman E. Thagard’s launch on Soyuz

The Russian Flight Readiness process, described above, was used to certify astronaut Norman E. Thagard
for launch on Soyuz TM-21 on March 14, 1995. NASA astronaut Bonnie J. Dunbar, who was the backup
to Thagard for the mission, went through the same certification for launch on the Soyuz. The NASA JSC
Space and Life Sciences Flight Surgeon Michael R. Barratt’s role was to get Thagard, and later other Phase 1
astronauts, past the Russian Medical Commission so they could be presented by the Institute of Biomedical
Problems (IBMP) and GCTC at the Flight Readiness Review (FRR). Michael R. Barratt stated he had
sporadic involvement in the overall safety and risk issues for the first mission. This meant that IBMP
counterparts would address the safety and risk issues with JSC Space and Life Sciences representatives
at dedicated medical meetings. This did improve over the course of the Phase 1 flights, but Thagard’s
flight differed greatly from the follow-on missions, as he was being launched on a Soyuz to Mir.

Attendance at the various review meetings was as follows:

The final medical review meeting was attended by Michael R. Barratt, David C. Leestma, the Director of
Flight Crew Operations, and William F. Readdy, the Star City Lead astronaut.

At the Star City crew training final review meeting, Leestma and Readdy, along with the Phase 1 Deputy
Program Manager, Frank L. Culbertson, Jr., and the Manager of the Moscow Space Station Program Office,
Kenny L. Mitchell, were in attendance.

The NASA Phase 1 Program Manager, Tommy W. Holloway, and the Deputy Program Manager, Frank
L. Culbertson, Jr., attended the General Designer Review (GDR) held at NPO-Energia. The GDR is what
NASA refers to as the FRR.

The NASA Associate Administrator Space Flight Office Dr. Jerrell Wayne Littles, Director Space Station
Wilbert C. Trafton, Associate Administrator Life Sciences & Microgravity Harry C. Holloway, Chief
Health & Medical Officer Arnauld E. Nicogossian, JSC Center Director Carolyn L. Huntoon, Flight Crew
Operations Director David C. Leestma, Phase 1 Program Manager Tommy W. Holloway, Deputy Program
Manager Frank L. Culbertson, Jr., astronauts William F. Readdy and Ronald M. Sega, Soyuz TM-21
backup Bonnie J. Dunbar, Moscow Technical Liaison Office Manager Kenny L. Mitchell, and Deputy
Manager David G. Herbeck were present at Baikonur for pre-launch meetings and the launch.

6 .7 Soyuz TM assessments by safety working group

The safety assessments and hazard reports that were developed were for the Shuttle docking mission to
Mir; they did not cover the Soyuz TM. The joint agreement was that the Russians were responsible for
the safety of U.S. astronauts being transported to and from Mir.

6 .8 Soyuz TM training
U.S. astronauts went through the same level of training as the cosmonauts did on the Soyuz. Classroom
training was done on Soyuz systems and required crew operations. Passing an oral test on the material

13
presented was required for certification as a Soyuz crewmember. Training was also done on Soyuz mock-
ups and simulators. Two weeks before launch, after passing all the tests, the crew is flown to Baikonur to
participate in a test at the launch site to go through all of the steps associated with a launch. The Soyuz
instructor during training becomes what NASA calls a capsule communicator (Cap Comm) for launch
through the first couple of orbits before it is turned over to MCC-Moscow. Norman E. Thagard, who
was launched on a Soyuz TM, received training for returning on a Soyuz during which, he flew a manual en-
try in the landing simulator located in the centrifuge; however, he returned on the Space Shuttle (STS-71).29

This training is also conducted for the NASA astronauts on the ISS Program. Such training adds to the
knowledge gleaned by the technical WGs. As an ISS example, NASA astronaut Kenneth D. Bowersox,
who launched on the Space Shuttle STS-113 on November 23, 2002, and was the first NASA astronaut
along with NASA astronaut Donald R. Pettit to return on a Soyuz spacecraft, Soyuz TMA-1, May 3,
2003, provided the following information on the training he had received:

Climbing out of the Soyuz is the prime mode for emergency egress until about T-15
minutes when the abort system is armed. Probably possible to arm up before that, but do
not have any data to support the assumption. Did not receive much more detail than that
during training. There are three hatches that must be opened to egress; believe all three
hatches can be opened by the crew, but do not remember how the fairing hatch works. The
orbital module hatch opens inward, as does the hatch between the descent and orbital mod-
ules. Believe the fairing hatch opens outward. Once out of the Soyuz would anticipate
using the stairs as the most reliable emergency egress option, but do not know for sure.
Our Russian partners worry much less about egress than we do here in America.30

On the question of is a safe abort capability retained for all launch trajectory deviations, Bowersox says:

Do not believe guidance is smart enough to ensure all aborts will be safe during ascent,
no data to confirm that though. The ascent abort system has six modes, depending on
time since liftoff, and various discretes in the system. Depending on the mode, booster
engines may be shut down, and different sequences of solids can be fired to for the abort.
The abort tower is jettisoned shortly after the strap-ons separate. After tower jettison, but
before fairing jettison, small solids on the sides of the fairing can separate the Soyuz and
fairing from the stack. After fairing jettison, the abort system shuts down the booster
engine, and Soyuz pretty much falls off the stack for a ballistic entry.30

On the question of how a launch abort is initiated, Bowersox says:

Do not know all of the abort triggers for Soyuz. From my limited training, it is a pretty
simple system, mostly cued off of acceleration (a drop in axial acceleration), rates, and a
rough attitude error. The crew does not have an abort command capability, but the system
has an auto mode, and the ground can send an abort command. If the auto system or ground
command an abort, the crew gets a light. Crew has very little data to judge an abort, just
a clock, and seat-of-the-pants estimate of vehicle vibration/ acceleration - no altitude or
vehicle performance information, just some information on life support systems, propel-
lant tanks, and a rate gyro read out if [crewmembers] want to call it up. The crew could
call the ground and request an abort, if the radio link was working. As far as I know, the
auto abort coverage goes all the way to the end of powered flight, and only relies on the
escape tower for part of the trip. The flight crew has no control of the ascent stack during
powered flight, so engine shutdown has to be auto or ground commanded. At least they
never taught the Americans about a way to shut down the booster during ascent....30

14
On the question of what the wind constraints and redundancy of the parachute system are, Bowersox says:

Do not have any info on abort or launch wind constraints. If the wind is blowing very
much at landing, the vehicle will end up on its side, and the chute will drag it. The com-
mander controls chute jettison with a switch mounted where he can reach it while strapped
in the seat. Depending on the wind, if the main chute is not jettisoned, the Soyuz and crew
get [dragged] along until they reach the nearest obstacle, or the wind stops. The para-
chute hatch has pyrobolts that sound like a machine gun firing when they go off. If the
main parachute has a problem, then the reserve comes out - based on descent rate
going through a pre-set altitude band.30

6 .9 Soyuz landing rocket failure

On one of the Mir return missions, August 14, 1997, the Soyuz TM-25 landing rockets fired prematurely
when the system was armed at heat shield jettison, resulting in a harder-than-normal landing. Failure
analysis indicated that moisture had gotten into the connectors, causing a short that bypassed the gamma-
ray sensor that detects distance from the ground.

The Russian cochair of the Joint Safety Assurance Working Group (JSAWG) provided information to
NASA on the failure and corrective action. He also gave a detailed briefing on the design of the Soyuz
landing system and the inhibits to prevent the hazard of firing rockets with the heat shield in place.31

6 .1 0 Phase 1 Program conclusion

The NASA/Mir Program gave NASA crewmembers and ground teams their first direct, in-depth look at
the full scope of Soyuz operations. In all areas of engagement, the program established the joint personal
relationships and trust that made the ISS Program possible and successful. The WGs that retained NASA
and Russian chairpersons throughout the Phase 1 Program developed a high degree of trust and were the
most successful. The Russians maintained the same chairperson, but high turnover of the NASA chairper-
son in some WGs resulted in those WGs being less effective. During this time, Russian and U.S. practices
were found to be more similar than different. The experience and knowledge that each earned over mul-
tiple decades proved essential to having mutual assurance in the safety, reliability, and success of their
combined endeavors. This expertise, added at this time, became embedded in ISS practices via the team
members who subsequently took up active positions in the ISS Program and/or institutionalized their
lessons in ISS documentation (requirements, flight rules, etc). For more information on this era of space-
flight, refer to the final joint report, the illustrated official history book, and NASA’s collection of oral
histories available at

http://spaceflight.nasa.gov/history/shuttle-mir/welcome/w-jointreport.htm

http://spaceflight.nasa.gov/history/shuttle-mir/welcome/w-book.htm

http://spaceflight.nasa.gov/history/shuttle-mir/people/oral-histories.htm

The Phase 1 Program officially ended with the STS-91 OV-103/Discovery landing in June 1998.

7.0 International Space Station Program

At a U.S./Russian Joint Commission on Economic and Technological Cooperation, on June 23, 1994, a
definitive contract agreement was signed between NASA and the RSA for $400M of goods and services

15
to be provided during Shuttle/Mir operations and during the early ISS assembly phase.32 The MOU
between NASA and RSA concerning cooperation on the civil ISS, dated April 21, 1997, defined both
work and respective responsibilities.33 For example: Article 6, Respective Responsibilities, 6.1 NASA
Responsibilities, item 6 stated: “Conduct, together with RSA and the other partners as necessary: overall
Space Station technical reviews, including integrated design, critical design, design certification, safety
and mission assurance, operations, readiness and FRRs, in order for NASA to certify that the RSA’s
elements are acceptable for on-orbit assembly and orbital operations.” Section 6.2 identified the RSA
responsibilities.

7 .1 International Space Station Program U.S./Russian organization

and management
The ISS Program technical teams were structured the same as they had been with the other space station
International Partners. Several of the Mir groups remained intact into the ISS era and, in fact, worked
simultaneously on both programs to their benefit. Institutionally oriented experts in mission operations,
EVA, and safety exemplified this corporate knowledge approach. For example, the JSAWG in Phase 1
became the Joint American Russian Safety Working Group (JARSWG) for ISS. The name change was
due to the change in the Russian cochair for ISS. Now, Soyuz interactions tend to be led by NASA’s
launch package manager with augmented aid from the ISS Mission Management Team and the ISS
Program Manager during readiness reviews.

On the ISS Program joint work with the Russians was conducted in TIMs. Technical teams were iden-
tified in February 1994 and, as work progressed, more teams were added. These teams were as follows:

1. Team 0 - Technical Management

2. Team 0A - Schedules
3. Team 1A - Assembly Configuration
4. Team 1B - Integrated Performance
5. Team 2A - Functional Cargo Block
6. Team 2B - Interfaces
7. Team 3 - Russian Vehicle
8. Team 4A - Service Module
9. Team 5A - Control and Data Handling
10. Team 5B - Communications and Tracking/Electromagnetic Interference
11. Team 5C - Approach Rendezvous and Docking
12. Team 5D - Guidance, Navigation, and Control
13. Team 5E - Power
14. Team 6A - Life Support
15. Team 6B - Crew Health Care System
16. Team 6C - Thermal Control
17. Team 6D - Propulsion
18. Team 7A - EVA
19. Team 7C - Airlock
20. Team 8A.1 - Structures
21. Team 8A.2 - Micrometeoroid Orbital Debris (MMOD)
22. Team 8A.3 - Loads and Dynamics
23. Team 8B - Materials and Processes
24. Team 9 - Test and Verification
25. Team 10 - Safety and Risk
26. Team 11 - Crew Rotation
27. Team 11A - Command and Control Center

16
 28. Team 11B - Crew/Flight Training
29. Team 11C - Tactical Planning
30. Team 11D - Logistic and Maintenance
31. Team 12A - Requirements
32. Team 12B - Interface Control Document

Currently, WG arrangements are described in the NASA/Roscosmos Joint Technical Team Structure as
established in SSP 50200-01, Station Program Implementation Plan, Volume 1, Appendix I, NASA/Roscosmos
Bilateral Processes, and maintained via SSP 50123, Configuration Management Handbook, Appendix I,
NASA/Roscosmos Bilateral CM Processes.34 The team numbers were changed to V, V-0 Team Manage-
ment to V-15 Cargo Certification (see reference 34 for the complete listing). This ISS technical team
structure is presently not well known, as a present member of the JARSWG said he/she was not aware
and had not heard of this team structure. It was stated that safety is known as JARSWG, not as Team V-10.

7 .2 Soyuz safety assurance for the International Space Station Program

In the ISS era of Soyuz, assurance confidence was jointly captured in multiple documents [e.g., ISS
Russian Segment Specification (SSP 41163), NASA/RSA Joint Specifications Standards Document for
the ISS Russian Segment (SSP 50094), NASA/RSA Bilateral S&MA [Safety and Mission Assurance]
Process Requirements for the ISS (SSP 50146), and the review and approval of Soyuz hazard reports at
the ISS Program Safety Review Panel (SRP) per the ISS Program Safety Requirements Document (SSP
50021)]. Although these efforts are applicable to more than just Soyuz, they served as a means of jointly
understanding and recording the similarities and differences between NASA and Russian design require-
ments and meeting ISS safety requirements. It turned out that, because of basic physics and hard-won
experience, Russian design principles were not very different from NASA. In some areas such as structure,
their designs were very robust because, as with the Shuttle, their vehicles could readily accommodate the
needed mass associated with design margins and redundancies (like and unlike) for human spaceflight.
Soyuz reliance on automation was greater than that of Apollo and was less on manual control by the crew.
Soyuz Control and Command System failure tolerance was two of three voting vs. the Apollo CSM dual
redundancy (two systems plus manual backup). By analogy, the ISS visiting vehicle requirements were
similarly negotiated and customized for commercial off-the-shelf cargo purposes and their safety aspects
were verified by the SRP.

7 .3 Probabilistic risk assessment of Soyuz35

Building on the 1993 ACRV efforts, the ISS Program in 1997 assigned a task to access the adequacy
of Soyuz reliability as the ISS ACRV using a quantitative probabilistic risk assessment (PRA). The
objective was to obtain confidence in the design and operations that principally contribute to loss of
vehicle function.

From this study, details were compiled on Soyuz design history, reliability, and performance. It was
confirmed that the Soyuz TM had gone through three major design changes since 1967, but remained the
same basic three modules: the instrument service module (ISM), the OM, and the DM. Since the vehicle
is largely automated, the crew does very little to interfere in its normal operation. The Soyuz spacecraft
contains power and life support for up to 5 days. If required, the DM/ISM could separate from the ISS
without the OM and still complete a successful entry and landing. During entry, a failed control system
defaults to a zero-lift resulting in a continuous roll ballistic entry. Ballistic loads are 8-g to 10-g vs. the
nominal 4-g to 5-g. Parachute deployment is completely automated (main plus a smaller backup chute).
The crew cannot manually deploy the chutes. The success criterion for this assessment was the safe re-
turn of crewmembers with medical conditions. Ballistic entry was considered a failure because the
high-g exacerbates the medical condition.

17
In terms of overall integrated operations, it was learned that Russian claims the Soyuz’s reliability as an
ACRV at 0.98 to 0.99 (from a 1992 NPO-Energia report). While investigating this conclusion, researchers
found that contingency evacuation procedures have been used at least four times in the history of Salyut/
Mir space stations, two of which were medical conditions or 0.062 per year (JSC 26770, Mir Hardware
Heritage, October 1994).

At the time of this assessment, April 1997, the history of 186 separate Soyuz spacecraft flights was
known with most of the major failure events occurring early in the Soyuz history. Of the 175 undockings,
two failures occurred, the last in 1976. Of the 98 module separations, one failure occurred in 1969. Of
the 111 crewed and uncrewed spacecraft landings (including entry and parachute deploy), eight failures
occurred. Of the eight failures, all but one landing occurred in the first 5 years of flight operations, with
the last one in 1980. During the approximately 80 crewed Soyuz missions since 1967, at least three have
been ballistic high-g entry and one medium high-g entry, none in the Soyuz TM. Note: As we now know
from the ISS Program, we had two Soyuz TMA ballistic entries, both separation (DM/ISM) failures,
Soyuz TMA-10, April 7, 2007, and Soyuz TMA-11, October 10, 2007.

When this 1997 assessment was complete, it showed the reliability of Soyuz TM used as an ACRV
during any given mission at approximately 0.991 (or a failure frequency of 1/111 ACRV missions).
These results were consistent with the NPO-Energia claims for Soyuz TM as an ACRV.

To further augment overall confidence in Soyuz, in 2001 NASA contractually obtained a detailed report
on Soyuz spacecraft reliability as a part of the ISS Program (S. P. Korolev, RSC-Energia, ISS Russian
Segment Reliability and Maintainability Assessment Report, DID R-10-R02, Version 8, dated February
2001).36 This report covered the Russian Segment elements; i.e., the functional cargo block, SM, science
power platform, docking module, Soyuz, and Progress. In terms of loss of crew, Soyuz safety was again
confirmed by the dozens of flights since the late 1960s (including successful crewed launch aborts). Us-
ing such information, NASA’s PRAs of Soyuz have since been updated for Constellation-comparative
purposes.

7 .4 Soyuz flight experience

While this wealth of Soyuz flight experience cannot be readily afforded by those starting from scratch, it
does exemplify the importance of sufficient integrated flight tests as a major element of safety assurance.
The proper number of such flights is debatable but, based on Russian experience, is more than zero and more
than likely closer to a handful (given that Russia’s success is founded on multiple uncrewed precursors to
Vostok, Voshkod, and Soyuz as described in Volume 3 of the Boris Chertok history series).

See Appendix A for a list of Uncrewed Development, Tests and Flights and Appendix B for Crewed
Soyuz Flights. Appendix B is up to date as of February 5, 2010.

7 .5 International Space Station Program Safety Review Panel

All ISS elements are required to present to the ISS Program SRP their safety hazards and associated
safety hazard reports. Any noncompliance reports (NCRs) must be approved by the ISS Program Man-
ager. When the NASA governance model was implemented in 2008, it stated that NCRs must now be
approved by Headquarter representatives from the Chief Engineering and Chief Safety and Mission
Assurance Offices.

RSC-Energia developed hazard reports on the Soyuz spacecraft; these were reviewed and presented to
the ISS Program SRP by the Russian chairperson of the JARSWG and the Soyuz spacecraft designer.
The scope of the safety assessment was the on-orbit phase of approach, docking, docked, undocking, and

18
separation from ISS. This was done in accordance with SSP 50021. The Soyuz hazard reports were
approved along with three NCRs that were presented with rational for acceptance. The NCRs were
as follows:

1. NCR-RSCE-0029, Noncompliance with the requirement regarding the docking mechanism drive
failure
2. NCR-RSTV-02, Rationale of Soyuz TM vehicle design decisions to assure pressurization
3. NCR-ISS-0301, Protecting the Soyuz Transport Vehicle from Meteoroids and Orbital Debris

Beyond the hazard analyses provided by Russian personnel, NASA personnel performed their
own internal assessments of Russian vehicle MMOD risks. This dual-verification path is common
for understanding/accepting such significant threats.

7 .6 Soyuz TMA upgrade37

Based on issues identified during the Mir Program, Soyuz for ISS was modified from the TM config-
uration to the TMA [transportation modified anthropometric] model to accommodate larger and smaller
crewmembers. The work was funded by NASA and enabled the following:

1. Cosmonaut panel reduced in size (“glass cockpit”)

2. Cooler/dehumidifier unit redesigned (smaller)
3. Valves relocated inside DM
4. Various hardware modifications (more powerful entry computer, new three-axis accelerometer,
improved soft-landing jets)
5. Landing impact testing in Russia using JSC-provided crash dummies (report delivered
contractually)
6. Access to Soyuz manufacturing and assembly facilities in Russia

Russian representatives also presented information on the TMA modifications to the SRP, and none of the
changes were found to require new or modified hazard reports beyond showing TMA effectivity.

7 .7 NASA astronaut and flight controller training on the Russian segment

Training and flight control systems have been further critical constants during all periods of NASA’s
engagement with Soyuz. Intimate familiarity with nominal and off-nominal Soyuz operations (as a full
crewmember and not just a passenger) has always been irreplaceable via theoretical training, hands-on
training, procedures, simulations, etc. NASA, although not directly in control, has long benefited from
having a small team of its flight controllers embedded in MCC-Moscow during joint operations. They
provide real-time feedback to NASA’s program management, flight directors, and other experts while
encouraging implementation of NASA’s expectations (captured in joint flight rules and procedures)
by their Russian team mates.

7 .8 Crew health and medical

Crew health care through all phases of Soyuz flight has been a further assurance measure. NASA’s
medical doctors shepherd their assigned crewmembers through all mission phases, including training,
medical exams, pre-launch suit-up, and post-landing recovery. These doctors are so essential they are
always first on scene for landing. If crewmembers were not mentally and physically healthy, their nom-
inal and emergency interactions with the vehicle might be fatally compromised.

19
7 .9 Certification of flight readiness
SSP 50322, ISS Vehicle Office CoFR [certification of flight readiness] Implementation Plan,38 states
that International Partners/Participants will certify the flight readiness of their ISS vehicle systems in
accordance with SSP 50108, Certification of Flight Readiness Process Document,39 and their associated
Joint Management Plans. The ISS Program will conduct the Stage Operations Readiness Review (SORR),
chaired by the ISS Program Manager, 1 week prior to the Joint Shuttle/Station FRR. The primary pur-
pose of the SORR is to determine the operational readiness of station elements, personnel, and facilities
for launch and on-orbit operations.

The RSA ISS CoFR Process in Appendix G of SSP 50108 documents the requirements that support the
ISS CoFR Process as agreed to by NASA and RSA. Details of the Joint Safety Process are contained in
SSP 50146, NASA/RSA Bilateral S&MA Process Requirements for the ISS. The Joint Safety and
hardware/software certification processes are executed to support the CoFR process.

These processes have been developed to be consistent with the standard Russian certification process
for certifying their modules/vehicles or deliverable cargo and to allow the ISS Program (NASA) to have
access to the data and insight for integration of all hardware/software supporting the ISS. The Russian
process will follow the standard timeline and procedure for certifying their modules/assembly stages or
deliverable cargo. The NASA ISS Program Manager (or authorized representative) will report on ISS
readiness for a particular launch during the FRR of the Russian module at the GDR. RSA presents its
complete certification in support of the NASA SORR.

For launch of Russian elements, the RSA Program Manager, or designee, will serve as a Co-deputy Chair
of the ISS SORR Board, and representatives from RSC-Energia and Khrunichev will serve as members
of the ISS SORR Board and will participate in the ISS SORR process. If the RSA Program Manager, or
designee, wishes to send a representative in his/her place, a letter delegating authority will be required for
the RSA representative. Likewise, the NASA ISS Program Manager, or his/her designee, may participate
in all Russian vehicle FRRs, or relevant meetings, such as the GDR or the InterState Panel Meeting. This
CoFR process is separate from the independent preexisting Russian launch vehicles certification process.

7 .1 0 Independent assessment organization

The NASA Headquarters S&MA organization will sign the CoFR certificate for each flight during
the assembly phase and participate in the process through the ISS Independent Assessment Office. The
Independent Assessment CoFR procedures are defined in JSC 27771, Independent Assessment CoFR
Implementation Process Plan.

7 .1 1 Additional assurance examples

Further examples of the diversity of Soyuz assurances can be found in the records offered by flight
readiness data packages, joint management/technical protocols, joint WG documents, contract deliver-
ables, jointly negotiated technical requirements, oral/written lessons learned, and the other data that
remains stored at JSC.

8.0 Lessons Learned

NASA experts, using Soyuz as an example in retrospect, effectively satisfied the vast majority of the
subsequently defined top-level human-rating requirements found within NPR 8705.2 by sufficiently
confirming its satisfaction of failure tolerance, aborts, failure intervention, human factors, autonomy,
manual control, flight testing, and appropriate “referenced” technical design standards. Given this

20
history, it may be possible for other groups with sufficient independent resources, motivation, and knowl-
edge to eventually provide successful low-Earth orbit access. They will need help learning the ultimate
expectations and past experience that can be communicated via clear and timely requirements along with
constructive insight/oversight during the spacecraft development and operation life cycle. Because various
contractors and subcontractors have always done most of the heavy lifting for NASA’s human spacecraft,
it would not be totally unprecedented for nontraditional contractors/partners to provide similar services.
By creatively adapting and rebalancing a wide range of proven assurance methods, private ventures may
yet succeed in applying their own resources and assuming more initial risk while leveraging NASA’s
experience and satisfying NASA’s expectations. Early and ongoing communication is important
along with attention to the following specific lessons:

1. Have relationships/partnerships authenticated with formal documents/memoranda of agreement,

etc. signed by high-level management or government officials.
2. Understand and be aware of the diversity of NASA’s human spaceflight requirements (and their
rationale) as evolved from past practical experience. No single source is sufficient alone, so rele-
vant generic requirements and standards should be understood and negotiated from agency, direc-
torate, center, program, and discipline-specific sources. These sources should also be augmented
with applicable military, industry, and international standards. Ignoring the breadth, depth, and
intent of these lesson sources risks costly and hazardous repetition of past mistakes.
3. Use case/vehicle-specific “situational awareness” to determine an appropriate tailoring strategy for
requirements definition, equivalence determination, targeted process insight/oversight, deliverables,
decision-making, and milestones.
4. For strong insight, establish appropriate, experienced, and credible technical WGs and forums for
information exchange and strategy implementation.
5. Joint technical WGs that retained the same cochair or had low turnover developed a high degree of
trust and were the most successful.
6. Develop close relationships with technical and systems experts and document exchanged informa-
tion in such a way that it is accessible to other technical forums (e.g., the "engineering" community
has made use of system schematics and drawings originally acquired by the “operations” community
in their “operations/training” forums).
7. Establish clearly understood and agreed-to expectations early. Agreements subject to broad
interpretations can become disconnects during implementation.
8. Think “long-term” relationships and partnerships. The knowledge, experience, and attitude of
personnel representing all parties are important to success.
9. Strict compliance policing of NASA requirements and processes/practices is less valuable than a
mentality of experience and seasoned risk assessment.
10. To minimize spacecraft complexity, weight, cost, and schedule the level of redundancy should be
determined based on the following factors: criticality, flight experience, and technology maturity
[Technology Readiness Level]. An overall requirement to be two-fault tolerant or “fail-operational/
fail-safe” could increase spacecraft complexity and, in some cases, result in the spacecraft being less
reliable. For example, the level of redundancy varied on the Apollo spacecraft. The fuel cell was a
new technology for aerospace applications while the electrical power buses and power contactors
for switching were a proven technology. Therefore, the level of redundancy for the fuel cells was
three and for the main buses was two. If the function was Criticality 1 (Crew Safety), the design
could have no single-point failures; it had to be fail-safe.40

21
 11. For high-risk areas (e.g., launch, staging, MMOD, entry and landing), NASA is wise to conduct
independent analyses and tests that confirm or question the conclusions of its hardware providers,
unless the hardware (e.g., the Soyuz) has extensive flight experience. Alternate informed opinions
are essential to avoid inadvertent errors.
12. As an ultimate safety assurance method, there is no substitute for conducting realistic, high-fidelity,
pre-flight testing of components/systems and fully integrated flight tests using production-quality
vehicles. Confidence increases as successes accumulate in a no-crew environment. Based on Soyuz
flight tests in the 1960s, three to five flight tests with no crew are recommended for nominal launch/
orbit/landing conditions along with several tests of launch abort cases.

9.0 Conclusions
While the general perception is that NASA has always tightly managed all aspects of its human space-
flight programs, there have been good reasons for that approach as well as prominent and subtle exceptions.
The space environment is harsh and unforgiving; therefore, the comparatively low production/flight rates
and correspondingly high costs of human spaceflight are not easily achieved. This is why only three
wealthy nations and no other organizations (including purely private enterprises) have so far
demonstrated the ability to achieve Earth orbit. Only the U.S. has left Earth orbit.

With Soyuz at one end of the spectrum, the following graphic conceptually illustrates and compares
the range of safety approaches to human spaceflight. It is intended to show that multiple solutions that fit
along a trend arc have been successful. For others to succeed, they should strive to balance their assur-
ances to fit somewhere along this historic path to avoid risks failures that cost time, money, and lives.

Soyuz (Launch Vehicle)

Soyuz (Spacecraft)
Redstone Mercury

Apollo
Atlas
Proven Reliability

Gemini
Performance - Flight History

Titan
Saturn IB

Placement also influenced by: Saturn V

Launch Vehicle
NASA Technical Requirements
NASA Management Oversight Spacecraft
NASA Safety Assessments
Uncertainty
NASA Technical Insight
Other Safety Standards
STS

B Wood ‘10

Process Confidence
Insight - Influence - Control - Oversight - Test & Verification

22
This report demonstrates that space vehicles rely on a range of methods and techniques for human-rating
assurance. It shows that the components of such assurance include requirements, conceptual development,
prototype evaluations, configuration management, formal development reviews (safety, design, operations),
component/system testing on the ground, integrated flight tests, independent assessments and a series of
launch readiness reviews. This defensive, in-depth approach involves a multidiscipline team effort that
is typically spread over an extended period of time. It works well when those involved are highly ex-
perienced and able to focus on new challenges without having to slow down to relearn past lessons.
When various constraints (cost, schedule, international) limit the depth or breadth of one or more
preferred assurance means, ways can be found to bolster the remaining assurances.

10.0 References
1. NASA SP-4209 The Partnership: A History of the Apollo-Soyuz Test Project by Edward Clinton
Ezell and Linda Neuman Ezell. Available online at: http://history.nasa.gov/SP-4209/cover.htm.

Note. A Complete List of Identified ASTP Documents, Attachment 1, is available at the following
Website: http://www.hq.nasa.gov/office/pao/History/SP-4209/source.htm.

2. Foreign Relations, 1969-1976, Volume XIV, Nixon at the Summit, May 13-May 31, 1972, 224
Memorandum of Conversation, page 13.

3. ASTP 20201.1, Safety Assessment Report for the Soyuz Structural Ring Latches, December 20,
1974.

4. ASTP 20202.1, Safety Assessment Report for Soyuz Propulsion and Control Systems, May 1, 1975.

5. ASTP 20203.1, Safety Assessment Report for Soyuz Fire and Fire Safety, May 1, 1975.

6. ASTP 20204, Safety Assessment Report for Soyuz Pyrotechnic Devices, February 10, 1975.

7. ASTP 20205, Report on the Soyuz Habitable Modules Overpressurization and Depressurization
Safety Assessment, October 12, 1973.

8. ASTP 20206, Safety Assessment Report for Soyuz Manufacturing, Test and Checkout Flow, May 1,
1974.

9. ASTP 20207, Safety Assessment Report for Soyuz Radio Command Systems, January 24, 1974.

10. JSC 09265, Unilateral System Safety Report for Soyuz Pyrotechnic Devices for the ASTP, November
1974.

11. JSC 09267, Unilateral System Safety Report for Soyuz Electrical Power System for the ASTP,
January 17, 1975.

12. USSR WG1-100, Lectures on the Soyuz Power Supply System to be Used for Joint Training of the
Control Center Personnel, by WG1 Chairman Timchenko.

13. Soyuz ACRV Preliminary Assessment of Soyuz TM System, JSC ACRV Project Office Manager,
Jerry Craig, July 27, 1993.

23
14. Advanced Crew Transportation System Website: http://www.russianspaceweb.com/soyuz_acrv.html.

15. Memorandum from NASA Administrator, Daniel S. Goldin to the Honorable George E. Brown, Jr.,
House of Representatives, Washington, D.C., May 19, 1992.

16. Accommodation of Soyuz as ACRV, Langley Research Center, Jonathan N. Cruz, Marston J. Gould,
& Michael L. Heck, March 4, 1993.

17. Soyuz TM as a Space Station ACRV, JSC ACRV Project Office Manager, Jerry Craig, April 27-30,
1993.

18. Evaluation of the Soyuz TM Spacecraft and Kazbek Launch/Entry Couch in the Medical Transport
Role, JSC Space and Life Sciences, Mike Barratt, June 29, 1993.

19. JSC 34056, Soyuz ACRV Policy on Standards, Certification and Safety Reliability and Quality
Assurance (SR&QA), August 17, 1993.

20. Participation in the Development of the Soyuz ACRV for the Space Station, JSC ACRV SR&QA,
Jim Schornick and Nathan Vassberg, November 12, 1993.

21. Russian Federation Agreement between the United States of America and the Russian Federation
Concerning Cooperation in the Exploration and use of Outer Space for Peaceful Purposes, June 17,
1992; available online at: http://www.jaxa.jp/library/space_law/chapter_4/4-2-2-6_e.html.

22. Space Shuttle Program Change Request S052830A, Safety Policy for the Joint U.S./Russian
Missions, February 25, 1993.

23. Office of the Vice President, Joint Statements on Space Cooperation, Aeronautics and Earth
Observation, September 2, 1993.

24. Joint Statement of the Space Station Partnership, December 6, 1993; available online at:
http://clinton2.nara.gov/WH/EOP/OSTP/other/spstpart.html.

25. Agreement Among the Government of Canada, Governments of the member States of the European
Space Agency, the Government of Japan, the Government of the Russian Federation, and the Govern-
ment of the United States of America Concerning Cooperation on the Civil International Space Station,
December 17, 1993.

26. NASA Headquarters Memorandum M-7, Phase 1 Program Management, from M/Associate
Administrator for Space Flight, October 6, 1994.

27. English translation of RSC-Energia report on comparison of RSA Safety, Reliability, Repairability,
and Quality Assurance Program to NASA (E3221/TTI), February 28, 1996.

28. Russian Quality Assurance Program for Manned Flight presentation by Gary W. Johnson Deputy
Director, NASA/JSC SR&QA, April 20, 1994 (information provided by Boris I. Sotnikov, Manager
Safety Group of NPO- Energia).

24
29. Shuttle-Mir History/Shuttle Flights and Mir Increments, Thagard Increment: First Astronaut on Mir:
Norm Thagard Oral History, NORMAN E. THAGARD, September 16, 1998, Interviewers: Rebecca
Wright, Paul Rollins, Carol Butler; available online at: http://spaceflight.nasa.gov/history/shuttle-
mir/history/h-f-thagard.htm.

30. ISS Expedition 6 Commander Ken Bowersox.

31. E-mail: Subject - Soyuz Soft Landing Rockets, from JSAWG engineer James Seastrom to NASA
ISS Phase 1 Program Manager Frank Culbertson, October 21, 1997.

32. U.S.-Russian Joint Commission on Economic and Technological Cooperation; Joint Statement on
Space Station Cooperation, signed on June 23, 1994; available online at:
http://www.jaxa.jp/library/space_law/chapter_4/4-2-1-3_e.html.

33. Memorandum of Understanding between the NASA of the USA and the Russian Space Agency
Concerning Cooperation on the Civil International Space Station, April 21, 1997.

34. NASA/Roscosmos Joint Technical Team Structure is established in SSP 50200-01, Station Program
Implementation Plan, Volume 1, Appendix I, NASA/Roscosmos Bilateral Processes and maintained
via SSP 50123, Configuration Management Handbook, Appendix I: NASA/Roscosmos Bilateral CM
Processes, NASA/Roscosmos Joint Technical Team Structure (Draft) May 4, 2007.

35. Probabilistic Risk Assessment on Soyuz Spacecraft as an Assured Crew Return Vehicle, by
NASA/JSC Assurance Analysis Branch Jan Railsback, SAIC Advanced Technology Division, Joseph
R. Fragola and Gaspare Maggio, and Jim Oberg, April 8, 1997.

36. DID R-10-R02, Version 8, S. P. Korolev RSC-Energia, ISS Russian Segment Reliability and Main-
tainability Assessment Report, by V. V. Ryumin, B.I. Sotnikov, P.M. Vorobiev, A. F. Didenko and V.
B. Ainulov, February 2001.

37. Soyuz TMA Overview presentation by Vladimir Sukholutsky and Wes Penny, December 2, 2002.

38. SSP 50322, ISS Vehicle Office CoFR Implementation Plan, May 26, 1998.

39. SSP 50108 Certification of Flight Readiness Process Document, International Space Station Program,
Revision B, Attachment 1, April 2000.

40. Orion Standing Review Board Appendix, Spaceflight Lessons Apollo, Skylab & ASTP, Gary W.
Johnson.

25
 Appendix A: Uncrewed Development, Tests and Flights
Flight # Date Soyuz Variant Note
1 11/28/1966 Cosmos 133 7K-OK Attitude control system malfunction resulted in expenditure of fuel. Required
multiple attempts to initiate entry. Spacecraft overshot the programmed landing
location and likely initiated a self-destruct charge.
2 12/14/1966 7K-OK The first-stage (strap-on) motors shut down after the failure of an oxygen bypass
valve; however, the motors on the core (second stage) continued running but
lacked sufficient power to move the vehicle. The launch was aborted and the pad
flooded with water. When the gyroscopes of the launch escape system were
powered down the decrease in RPM results in the gyros moving enough to
activate the launch escape system. A fire was started when the 32 pyrotechnic
bolts fired to separate the crew module from the instrument module. The Soyuz
capsule pulled away from the rocket. The fire spread to the fueled third stage and
produced an explosion that killed several people on the ground and significantly
damaged the launch pad.
3 2/7/1967 Cosmos 140 7K-OK An attitude control problem occurred due to a faulty star sensor. This resulted in
excessive fuel consumption and difficulties in keeping the batteries charged with
the solar arrays. The crew module depressurized when it separated from the
instrument (service) module. The attitude control problem then led to a ballistic
entry. A 300-mm hole burned through the heat shield during re-entry. The recovery
system functioned properly, and the capsule landed in the frozen Aral Sea, 3 km
from shore and 500 km short of the intended landing zone.
4 4/8/1967 Cosmos 154 7K-L1 Trans-lunar injection stage failed to fire. Vehicle burned up when the orbit
eventually decayed.
5 10/27/1967 Cosmos 186 7K-OK Was to dock with Cosmos 188. Achieved capture but could not complete docking
due to incorrect attitude relative to each other. Star tracker failed, resulting in
ballistic entry.
6 10/30/1967 Cosmos 188 7K-OK Was to dock with Cosmos 186. Achieved capture but could not complete docking
due to incorrect attitude relative to each other. The ion orientation system was
used when the star tracker failed. However, it too was faulty and resulted in an off-
course entry. As a result of being too far off-course, the self-destruct system
destroyed the spacecraft.
7 4/14/1968 Cosmos 212 7K-OK Successfully docked with Cosmos 213 on first orbit. The entry and landing were
also successful.
8 4/15/1968 Cosmos 213 7K-OK Successfully docked with Cosmos 212 on first orbit. The entry and landing were
also successful; however, the capsule was dragged by heavy winds when the
parachute lines did not jettison at touchdown.
9 8/28/1968 Cosmos 238 7K-OK Not Applicable
10 10/25/1968 Soyuz 2 7K-OK Crewless docking target for Soyuz 3. Soyuz 3 crew failed to dock with Soyuz 2.
Entry and landing were nominal.

26
 Appendix B: Crewed Soyuz Flights
Flight # Date Soyuz Variant Note
1 4/23/1967 Soyuz 1 7K-OK Cosmonaut Vladimir Komarov perished due to failure of parachute
recovery system.
2 10/25/1968 Soyuz 2 7K-OK Unmanned docking target for Soyuz 3. Soyuz 3 crew failed to dock with
Soyuz 2. Entry and landing were nominal.
3 10/26/1968 Soyuz 3 7K-OK Fails to dock with Soyuz 2 due to crew error.
4 1/14/1969 Soyuz 4 7K-OK First crew transfer via EVA - launched with 1 cosmonaut, returned with 3.
5 1/15/1969 Soyuz 5 7K-OK First crew transfer - launched with 3 cosmonauts, returned with 1. Service
module failed to separate, resulting in nose first entry. Soft-landing
rockets failed to fire resulting in the cosmonaut fracturing several teeth.
6 10/11/1969 Soyuz 6 7K-OK Three vehicles in orbit. The capsule ended up landing "right beside a
children's school."
7 10/12/1969 Soyuz 7 7K-OK Three vehicles in orbit.
8 10/13/1969 Soyuz 8 7K-OK Three vehicles in orbit.
9 6/1/1970 Soyuz 9 7K-OK
10 4/23/1971 Soyuz 10 7K-OKS The probe-cone docking mechanism failed during docking with Salyut-1,
resulting in a captured but undocked module. The undocking command
failed to release the Soyuz. The crew jumped back and forth within the
capsule to rock the vehicle, which fortunately resulted in it being released.
While descending under parachute, the capsule was headed for a lake. A
last-minute breeze blew the capsule onland, where it landed 44 meters
from the shore of the lake.

11 6/6/1971 Soyuz 11 7K-OKS Crew (3) dies when crew module depressurizes on entry.
12 9/27/1973 Soyuz 12 7K-T Crew (2) now wears pressure suits on launch and entry.
13 12/18/1973 Soyuz 13 7K-T
14 7/3/1974 Soyuz 14 7K-T
15 8/26/1974 Soyuz 15 7K-T Soyuz failed to dock with Salyut 3 due to a Soyuz systems failures. The
mission was aborted. The crew returned at night and descended through
a thunderstorm.
16 12/2/1974 Soyuz 16 7K-T ASTP rehearsal flight to test mission specific hardware.
17 1/11/1975 Soyuz 17 7K-T
18 4/5/1975 Soyuz 18a 7K-T (aka Soyuz 18-1) A failure of staging resulted in need to use the launch
escape system. The crew endures high-G’s during the launch abort
followed by a 20 G landing in mountains near Chinese border. After
touch-down, the capsule slid down a slope towards a cliff. Fortunately the
parachute snagged on a tree and halted the capsule. One cosmonaut
suffered internal injuries that prevented further flights.
19 5/24/1975 Soyuz 18 7K-T
20 7/15/1975 Soyuz 19 7K-TM Apollo-Soyuz Test Program
21 7/6/1976 Soyuz 21 7K-T Emergency return from Salyut station due to acrid odor in space station.
The first attempt to release from the space station failed when the release
latches signaled they were "open" prior to being completely open. The
"open" signal triggered the firing of separation thrusters, which resulted in
jamming the partially open latches. Fortunately subsequent commands to
open the latches were successful and the Soyuz was freed.
22 9/15/1976 Soyuz 22 7K-TM

27
Flight # Date Soyuz Variant Note
23 10/14/1976 Soyuz 23 7K-T The crew landed in partially frozen Lake Tengiz approximately 2 km from
the shore. An electrical short caused the reserve parachute to deploy.
The deployed parachutes resulted in the capsule floating on its side,
which prevented hatch opening and blocked the fresh air intake. The
radio antennas were inoperable due to submersion. Ice formed on the
inner walls of the capsule and the crew struggled to survive while waiting
9 hours for recovery team. The recovery crew assumed the crew was
dead and dragged the capsule to shore and waited for a special team to
remove the bodies. The cosmonauts had to open the hatch themselves
11 hours after landing.

24 2/7/1977 Soyuz 24 7K-T Landed during a snowstorm. Search and rescue antenna was jammed
closed by impacted snow. Recovery crew could not locate the capsule
until one of the cosmonauts freed the antenna.
25 10/9/1977 Soyuz 25 7K-T
26 12/10/1977 Soyuz 26 7K-T
27 1/10/1978 Soyuz 27 7K-T
28 3/2/1978 Soyuz 28 7K-T
29 6/15/1978 Soyuz 29 7K-T
30 6/27/1978 Soyuz 30 7K-T
31 8/26/1978 Soyuz 31 7K-T
32 2/25/1979 Soyuz 32 7K-T
33 4/10/1979 Soyuz 33 7K-T Experienced high-G ballistic entry after unknown propulsion system
anomaly.
34 6/6/1979 Soyuz 34 7K-T
35 4/9/1980 Soyuz 35 7K-T
36 5/26/1980 Soyuz 36 7K-T Soft landing rockets failed to fire resulting in a 30-G impact force.
37 6/5/1980 Soyuz T-2 T
38 7/23/1980 Soyuz 37 7K-T
39 9/18/1980 Soyuz 38 7K-T
40 11/27/1980 Soyuz T-3 T
41 3/12/1981 Soyuz T-4 T
42 3/22/1981 Soyuz 39 7K-T
43 5/14/1981 Soyuz 40 7K-T
44 5/13/1982 Soyuz T-5 T
45 6/24/1982 Soyuz T-6 T
46 8/19/1982 Soyuz T-7 T Crew module rolled down hillside and came to rest on its side. Flight
engineer thrown from couch and landed on top of Commander.

47 4/20/1983 Soyuz T-8 T

48 6/27/1983 Soyuz T-9 T
49 9/26/1983 Soyuz T-10-1 T Fire prior to launch results in use of launch escape system to save crew.
50 2/8/1984 Soyuz T-10 T
51 4/3/1984 Soyuz T-11 T Experienced medium-high (5-6) G-forces during entry. Likely due to
partial failure of atmospheric entry control system.

52 7/17/1984 Soyuz T-12 T

53 6/6/1985 Soyuz T-13 T

28
Flight # Date Soyuz Variant Note
54 9/17/1985 Soyuz T-14 T
55 3/13/1986 Soyuz T-15 T
56 2/5/1987 Soyuz TM-2 TM
57 7/22/1987 Soyuz TM-3 TM
58 12/21/1987 Soyuz TM-4 TM Landing site was in area experiencing heat wave. Temperature was 42
deg C (108 deg F). Extreme heat had dried up the salt marsh the vehicle
landed in.
59 6/7/1988 Soyuz TM-5 TM The crew was nearly lost due to two fail de-orbit burn attempts. The first
firing was prevented due to a sensor glitch. The glitch cleared after seven
minutes and the firing then started. The crew manually halted the firing
after 3 seconds. A second firing was attempted 2 revolutions later, but
the firing was cut-off after 60 seconds (possibly 39 seconds) by the
autopilot. Had the crew not deactivated the landing sequencer the
descent - equipment module pyros would have fired. Since the de-orbit
engines are on the equipment module, the descent module would have
remained in orbit until atmospheric drag deorbited it, which would have
occurred long after all life support resources were depleted.

60 8/29/1988 Soyuz TM- 6 TM

61 11/26/1988 Soyuz TM- 7 TM Gusting winds at landing site resulted in a double-impact "hard landing".
One cosmonaut incurred a leg injury requiring medical treatment at the
recovery site.
62 9/5/1989 Soyuz TM- 8 TM Tipped over onto its side in a shallow snowfield.
63 2/11/1990 Soyuz TM- 9 TM
64 8/1/1990 Soyuz TM- 10 TM
65 12/2/1990 Soyuz TM- 11 TM
66 5/18/1991 Soyuz TM- 12 TM Hard impact on landing with the capsule ending up on its side. Television
crew reported that the capsule was "very dented".

67 10/2/1991 Soyuz TM-13 TM

68 3/17/1992 Soyuz TM-14 TM Hard impact on landing, probably due to high winds. Capsule ended up
on its side. Crew module hatch could not be opened by recovery crew.
Cosmonauts had to use tools to unstick the hatch.
69 7/27/1992 Soyuz TM-15 TM Rolled down a hill and stopped 150 meters from the shore of a salt marsh.
Capsule came to rest on its side.
70 1/24/1993 Soyuz TM-16 TM
71 7/1/1993 Soyuz TM-17 TM Missed landing aim point by 100 km.
72 1/8/1994 Soyuz TM-18 TM
73 7/1/1994 Soyuz TM-19 TM Rough landing (bounced) due to strong winds at landing site.
74 10/3/1994 Soyuz TM-20 TM
75 3/14/1995 Soyuz TM-21 TM
76 9/3/1995 Soyuz TM-22 TM
77 2/21/1996 Soyuz TM-23 TM
78 8/17/1996 Soyuz TM-24 TM
79 2/10/1997 Soyuz TM-25 TM Soft landing rockets fired prematurely (at time of heat shield jettison)
resulting in hard landing. Reported as one of the roughest landings
experienced by a returning Mir crew.
80 8/5/1997 Soyuz TM-26 TM
81 1/29/1998 Soyuz TM-27 TM
82 8/13/1998 Soyuz TM-28 TM

29
Flight # Date Soyuz Variant Note
83 2/20/1999 Soyuz TM-29 TM
84 4/4/2000 Soyuz TM-30 TM
85 10/31/2000 Soyuz TM-31 TM
86 4/28/2001 Soyuz TM-32 TM
87 10/21/2001 Soyuz TM-33 TM
88 4/25/2002 Soyuz TM-34 TM
89 10/30/2002 Soyuz TMA -1 TMA
90 4/26/2003 Soyuz TMA -2 TMA
91 10/18/2003 Soyuz TMA -3 TMA
92 4/19/2004 Soyuz TMA -4 TMA
93 10/14/2004 Soyuz TMA -5 TMA
94 4/15/2005 Soyuz TMA -6 TMA
95 10/1/2005 Soyuz TMA-7 TMA
96 3/30/2006 Soyuz TMA-8 TMA
97 9/18/2006 Soyuz TMA-9 TMA
98 4/7/2007 Soyuz TMA-10 TMA Service module fails to separate resulting in nose forward entry.
99 10/10/2007 Soyuz TMA-11 TMA Service module fails to separate resulting in nose forward entry. One
crewmember injured due to high loads.
100 4/8/2008 Soyuz TMA-12 TMA
101 10/12/2008 Soyuz TMA-13 TMA
102 3/26/2009 Soyuz TMA-14 TMA 18S
103 5/27/2009 Soyuz TMA-15 TMA 19S
104 9/30/2009 Soyuz TMA-16 TMA 20S
105 12/20/2009 Soyuz TMA-17 TMA 21S
106 4/2/2010 Soyuz TMA-18 TMA 22S
107 6/16/2010 Soyuz TMA-19 TMA 23S
108 9/31/10 Soyuz TMA-20 TMA 24S

30
 Form Approved
REPORT DOCUMENTATION PAGE OMB No. 0704-0188
Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and
maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including
suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302,
and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188), Washington, DC 20503.
1. AGENCY USE ONLY (Leave Blank) 2. REPORT DATE 3. REPORT TYPE AND DATES COVERED
August 2010 Special Publication
4. TITLE AND SUBTITLE 5. FUNDING NUMBERS
NASA Astronauts on Soyuz: Experience and Lessons for the Future

6. AUTHOR(S)
OSMA Assessments Team*

7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING ORGANIZATION

REPORT NUMBERS
Lyndon B. Johnson Space Center S-1076
Houston, Texas 77058

9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSORING/MONITORING

AGENCY REPORT NUMBER
National Aeronautics and Space Administration SP-2010-578
Washington, DC 20546-0001

11. SUPPLEMENTARY NOTES

*NASA Johnson Space Center, Houston

12a. DISTRIBUTION/AVAILABILITY STATEMENT 12b. DISTRIBUTION CODE

Unclassified/Unlimited
Available from the NASA Center for AeroSpace Information (CASI)
7115 Standard
Hanover, MD 21076-1320 Category: 18
13. ABSTRACT (Maximum 200 words)

The U. S., Russia, and, China have each addressed the question of human-rating spacecraft. NASA’s operational experience with
human-rating primarily resides with Mercury, Gemini, Apollo, Space Shuttle, and International Space Station. NASA’s latest
developmental experience includes Constellation, X38, X33, and the Orbital Space Plane. If domestic commercial crew vehicles are
used to transport astronauts to and from space, Soyuz is another example of methods that could be used to human-rate a spacecraft and
to work with commercial spacecraft providers. For Soyuz, NASA’s normal assurance practices were adapted. Building on NASA’s
Soyuz experience, this report contends all past, present, and future vehicles rely on a range of methods and techniques for human-
rating assurance, the components of which include: requirements, conceptual development, prototype evaluations, configuration
management, formal development reviews (safety, design, operations), component/system ground-testing, integrated flight tests,
independent assessments, and launch readiness reviews. When constraints (cost, schedule, international) limit the depth/breadth of one
or more preferred assurance means, ways are found to bolster the remaining areas. This report provides information exemplifying the
above safety assurance model for consideration with commercial or foreign-government-designed spacecraft. Topics addressed
include: U.S./Soviet-Russian government/agency agreements and engineering/safety assessments performed with lessons learned in
historic U.S./Russian joint space ventures.
14. SUBJECT TERMS 15. NUMBER OF 16. PRICE CODE
PAGES
human factors engineering; human resources; commercial spacecraft; space
commercialization; assurance; redundancy; reliability 42

17. SECURITY CLASSIFICATION 18. SECURITY CLASSIFICATION 19. SECURITY CLASSIFICATION 20. LIMITATION OF ABSTRACT
OF REPORT OF THIS PAGE OF ABSTRACT
Unclassified Unclassified Unclassified Unlimited
Standard Form 298 (Rev Feb 89) (MS Word Mar 97) NSN 7540-01-280-5500
Prescribed by ANSI Std. 239-18
298-102