Bus429

This may not be the right forum for this but...

The reports into the Challenger and Columbia tragedies both refer to a culture of of real-time risk assessment that concluded that the "risk was was acceptable". These decisions seem to have been made by senior managers and appeared somewhat arbitary.
However, I've recently read a book describing a decision about a hazardous EVA during Gemini 9A in the 60s. Again, the term "acceptable risk" was used.
Has this culture been prevalent throughout NASA's manned space program, from Mercury through to the Shuttle?
When was NASA at its best?

john_tullamarine

Life involves risks. All of us make assessments every day of our lives as to what constitutes acceptable risks

... do we cross the road now ? or wait for the next car to pass first ?

... do we takeoff now ? or wait a little longer to provide more clearance from the cell which went through a while ago ?

... do we divert to A or B with an engine malfunction ?

The list is inexhaustable ..... but it follows that there is a set of risks which we consider acceptable for the situation at hand. Granted that, sometimes, we might not like the situation .. but we still have to evaluate the risk environment as part of our decision-making processes.

Secret is to balance risk and benefit sensibly, even if only to the extent which is available to us.

NASA is no different in principle.

As to whether we might chose to agree with the other fellow's decisions is an entirely different matter, of course ...

Bus429

Sorry, John, but I totally disagree with your remarks if taken in the context of NASA and manned spaceflight.
The dynamics of spaceflight are massive and the risks are therefore greater; our earthbound quantification and qualification of risk cannot apply in all cases.

mwaugh

I'm sorry - you think that risk, like gravity, changes in space?

Eliminating risk is either not possible or too expensive in many cases. Therefore in many activities there will be some element of risk. At some point that risk becomes acceptable and you move forward.

Bus429

NASA neglected to learn the lessons of "acceptable risk" after the Challenger's destruction. Reading the CAIB report into the Columbia's loss strengthens this notion.

john_tullamarine

There are some important points which need to be considered ..

(a) 20/20 hindsight is a wonderful thing.

(b) reports associated with post accident investigations are considered and detailed .. and hopefully proactive in respect of potential lessons to be learned.

(c) the "better" decision maker gets it right with a higher frequency than the "poorer" decision maker .. but there are few, if any, who can get it right all the time.

(d) while not having any specific knowledge or interest in the NASA circumstances, a general observation can be made that commercial (and quasi-commercial) pressures are a reality and have to be incorporated into the decision making process. The sort of idealistic position often espoused, in general, is unsustainable in the real world .. the reality is that the decision maker has to consider all the factors in the story. Often this doesn't make the process easier .. but it is the real world experience.

(e) if our decision making processes are flawed, for whatever reasons, we are at significant risk of embarrassment after the incident/accident

(f) many of us who have had brushes with the unpleasant consequences of decision making hold a view that part of the process ought to be to consider what one's answer to any relevant question might be during the subsequent inquiry ....

Bus429 obviously holds some strong views and his/her views are respected ... but they don't alter the way things are done in the real world ...

Bus429

I think we have strayed from the intent of my original post.
John, it's true I (a male) hold strong views but I am only seeking information as to the culture extant at NASA for the last forty years.

Lu Zuckerman

I spent six and one half years on the Saturn Apollo program and two years of that time was as senior project engineer on the Saturn S-IVB propulsion system based at Marshall Space Flight Center. Prior to each launch the prime contractors (McDonnell Douglas, Boeing, North American and IBM would meet at MSFC and make a presentation to Werner Von Braun. Each contractor would tell of all the testing during the time leading up to the launch and they would outline the failures during those tests and the corrective action taken to correct the problems. After the presentation each contractor would provide the reliability they predicted for their respective stages and they would then provide a level of confidence for achieving the predicted reliability.

Douglas consistently had the highest level of confidence and that level never went above 70%.

Everyone involved in the Saturn Apollo program was in attendance. Everyone that is except the Astronauts.

Does that answer the questions about acceptable level of risk?

john_tullamarine

Hence my comment ..

"As to whether we might chose to agree with the other fellow's decisions is an entirely different matter, of course ..."

Bus429

Lu,
Just the answer I wanted. As part of research into a project, I am studying NASA and their culture.
The CAIB report into the Columbia loss cited another factor they noted: NASAs managment put the onus on those expressing concern to prove that the Shuttle was not safe rather than asking them to prove it was safe.

I've seen several letters about the Shuttle in a recent issue of Aviation Week and Space Technology: one expressing the view that...(the Shuttle) was designed to be reusable without regard to cost, performance, maintenance or safety."

I am currently reading Gene Kranz's "Failure is not an option"; Diane Vaughan's "The Challenger Launch Decision" (in which she puts forward an alternative view to the actions of NASA and Thiokol management teams) and Charles Perrow's "Normal Accidents". Any other suggestions would be welcome.

Lancelot de boyles

//NASAs managment put the onus on those expressing concern to prove that the Shuttle was not safe rather than asking them to prove it was safe.//

Is that not a valid course of action.

To prove that the shuttle is/was safe, the same basic studies and conclusions (or personal conviction) which put it into service would/could be utilised.
To prove something is unsafe against existing documentary evidence should generate new documents and studies, approached from a different viewpoint.

Different tack

The astronauts were pioneers.
Early pioneers settling in the americas would have done so without the benefit of knowledge of terrain, indiginous peoples, weather. They then build experience.
The same with any human endeavour.
There are few (If any)people who can predict all the risks and cater for them.

The important thing is to involve the broadest range of expertise.
And that means technical AND financial

If something were engineered for every perceived eventuality, it would be too heavy, and too expensive. And most likely, there would be things that still did not get included.

Lu Zuckerman.
Does that imply that the astronauts were unaware of (the risks)because they were actively excluded?
or
That they personally accepted the risk and had mentally chosen to go, and therefore they would be superfluous?

Lu Zuckerman

To: Lancelot de boyles

I'm sure they were well aware of the risks involved relative to the booster and orbital insertion stage. It has been told that the Astronauts resorted to gallows humor when approaching the stack of stages on the launch site stating," just think all of that was made by the lowest bidder".

The Astronauts had a lot of input on the Apollo capsule and the LEM and associated components but they had minimal input on the booster stages and the orbital insertion stage.

The very makeup of the Astronauts (The right stuff) prepared them for whatever problems could occur. They did however depend on the design engineers to minimize any risks.

I can't speak for the other stages but the S-IV B (Orbital insertion stage) was tested to the smallest part. If a part was near the completion of its' test program and it failed the part was redesigned and it entered the test program at the beginning and the test sequence began over again until the component passed.

I supervised the design of a simulator that functionally duplicated the entire S-IV B propulsion and electronic system. This simulator was used to develop the automatic checkout programs for both ground and on orbit situations. We detected several design errors that were not a part of the normal test program. The other stages did not have such a simulator. We could insert any number of faults to allow the programs to detect the errors in the system.

With all of this testing the Douglas engineering department could not offer Werner Von Braun any more than a 70% confidence level.

SLFguy

Not quite true... you need to substitute the word 'assess' for 'balance' for starters.

The 'balance' scenario fails insofar that any decision needs to contain an 'ethics' dimension which cannot be changed in it's 'weighting' as part of the equation.

Along the lines of you can't be 'a little bit pregnant' there are some downsides which cannot be accepted regardless of the magnitude of the upside.

john_tullamarine

SLFguy,

Yes and no.

(a) of course we ought to have lines in the sand from an ethical standpoint as that is the mark of a civilised society

however,

(b) if we are never prepared to risk life and limb (in a controlled manner) then, on occasion, there would be no progress at all.

I am not expressing a moral view at all here .. merely an observation.

... the real infamy is when the individual is denied reasonable understanding of the risks involved in his/her undertaking an activity ... along the lines of the medical profession's "informed consent" philosophy.

Bus429

Through reading Gene Kranz's book, it is obvious that the Apollo programme used extensive simulation. While it is likely that those travelling in Mercury capsules pushed into orbit by Redstone missiles were pioneers (to Alan Shepard is attributed the remark about the "lowest bidder"), it looks as if Gemini was a real leap forward in technology and Mission Control procedures.
Thanks for all replies so far.

Lu Zuckerman

Assessment of risk in the design phase is really the identification of those problems that if manifested would result in operational problems. This is done in the form of a FMECA (Failure Mode Effect Criticality Analysis).

Case in point: During the design of the solid rocket boosters it was determined in the FMECA that under certain cold conditions the “O” rings that sealed the connection point between motor segments would harden and result in a hot gas leak which could impinge on the oxidizer tank. The FMECA was submitted to the Solid Motor Branch at Marshall Space Flight Center (MSFC). It was reviewed by the NASA engineers and passed on to the Manager of the branch who concurred with all of the findings of the FMECA and he signed off in approval.

Fast forward to the Challenger launch. The cold conditions existed and were exacerbated by the cryogenic cooling effect from the fuel and oxidizer tank forming ice in the area of the seals on the motor segments. The manufacturer of the solid rocket motors stated emphatically that the launch should be scrubbed. The launch manager who was the same person that signed off on the FMECA when he worked as manager in the Solid Rocket Motor Branch at MSFC over rode them.

He and his cohorts assessed the risk while under the pressure to launch at that time which may have influenced their judgement. This is typical in the industry. An FMECA is prepared and from that the product assurance engineer will request a design change. It is very seldom that engineering will accept the recommendations of the product assurance engineer.

Engineering will in most cases reject the suggestion citing that it is too costly, too late in the design stage or in many cases the suggestion is rejected for NIH (not invented here). In any case the design managers have in effect performed a risk assessment even before metal is cut and rivets are shot.

This turns pilots into test pilots and Astronauts into test pilots.

Bus429

From that, Lu, we can extrapolate that every mission is a test flight, no matter how routine (in the case of the Shuttle) they become.

fullyestablished

The final report from the Columbia Accident Investigation Board (CAIB) explained that foam loss from the external tanks occurred in more than 80% of the 79 missions for which imagery is available. Foam was lost on 10% of these missions from the external tank bipod ramp that was the eventual cause of the loss of STS-107. In the case of STS-107 the piece of foam that impacted on the leading edge of the left wing was upto 27 inches long and upto 18 inches wide, spinning rapidly and have a relative velocity to the orbiter of between 400 and 600 mph.

Furthermore the Board holds the views
Flight and ground hardware and software are obsolete, and safety upgrades and aging infrastructure repairs have been deferred.
• Budget constraints have impacted personnel and resources
required for maintenance and upgrades.
• International Space Station schedules exert significant pressures on the Shuttle Program.
• Certain mechanisms may impede worker anonymity in reporting safety concerns.
• NASA does not have a truly independent safety function with the authority to halt the progress of a critical mission
element.

My point is that not only do the safety standards fall short of the heroism of the astronauts flying the craft, they seem to fall short of commercial aircraft maintenance standards. One cannot fail to be impressed by the work for the return to flight of the shuttle, and I do not doubt that STS-114 will be one of the safest missions. But we also said this after Challenger.

Lu Zuckerman

To: Bus429

Unlike an aircraft that has undergone heavy maintenance and had several test flights to verify the work done the Shuttle undergoes heavy maintenance after each flight but the repairs can not be verified until the next flight and then it might be too late.


There are many reasons for this and here are a few:

Quote:

Flight and ground hardware and software are obsolete, and safety upgrades and aging infrastructure repairs have been deferred.
• Budget constraints have impacted personnel and resources required for maintenance and upgrades.
• International Space Station schedules exert significant pressures on the Shuttle Program.
• Certain mechanisms may impede worker anonymity in reporting safety concerns.
• NASA does not have a truly independent safety function with the authority to halt the progress of a critical mission element.

On somewhat of a personal note Judy Resnick was killed in the Challenger accident. She was my niece’s roommate in college.

Engineering mindset. The biggest killer. I worked with a man that was a safety engineer on the Apollo capsule. Because of the high Oxygen environment inside the capsule he strongly recommended that the hatch be designed so that it could be blown off with a shaped charge (Detonation cord). Three Astronauts died before they modified the design.

Bus429

Quite a few good points in the last few postings. One factor could be that there is no independant regulator for space travel.