Sine Qua Non

I have been pondering the Augustine report (at least the executive summary) which has been released.  There are a couple of sentences up front that have been on my mind:

 

“Human safety can never be absolutely assured, but throughout this report, it is treated as a sine qua non.  It is not discussed in extensive detail because any concepts falling short in human safety have simply been eliminated from consideration.”  As panel members commented (more than once) during the public sessions, ‘we assume NASA will build safe systems’.

 

I’m not a Latin scholar so I had to look it up.  Sine qua non means something or someone indispensable.  So safety is indispensable.  I’d agree with that.  As a matter of fact, I have spent my entire career based on making spaceflight as safe as possible while still actually flying.

 

Actually, the assumption that NASA will build safe systems is poorly demonstrated by our history.  Our failures are painful to enumerate.  Early after the Columbia accident, we engaged Dr. Charles Perrow of Yale University to talk to us about his book (and theory) titled “Normal Accidents”.  In summary, Dr. Perrow believes that accidents are unavoidable in complex systems.  Very depressing to read.  Nothing you can do will ultimately prevent a fatal flaw from surfacing and causing catastrophe.  Life is hard and then you die.  Not very motivational, but perhaps true.  So all of us who listened to Dr. Perrow determined to prove him wrong.

 

In any event, safety in space flight is a relative term.  A launch vehicle with a 98% success record is considered very safe, but you would never put your children on a school bus that only had a 98% chance of getting them safely to school.  It is a high risk, low safety margin endeavor.  Probabilistic Risk Analysis has made great strides in recent years but the only statistic I put any faith in is the demonstrated one.  The shuttle has failed 2 times in 125 flights.  That is not good enough.

 

Six years after the loss of Columbia, I’m not sure that we can make a spacecraft safe, but I have empirical evidence that proves beyond a shadow of a doubt that we can make it expensive.  The cynical part of me says that is what we do at NASA: demand extraordinary proof that things are safe.  ‘Proof’ means a series of tests -a large enough number of tests to be ‘statistically significant’- and/or very complex analysis which examines every facet of each part of a system in detail to demonstrate that in the worst possible set of circumstances the system will perform as required.  Trouble is, there is no end to imaginative tests, and there is always something else to throw into the analysis.  And it all must be extensively peer reviewed, debated at length, documented to the nth degree, briefed to multiple layers of management, and signed off by virtually everybody in the organization.

 

This is a very expensive process.

 

History indicates that attention to safety doesn’t seem to last.  Sooner or later the people charged with making a system safe retire or die off, the bean counters get their knives out and the organization gets trimmed in the name of efficiency and cost savings, and somewhere along the way an invisible line is crossed.   And Dr. Perrow is proved right again. 

 

Not to be too depressed, but the report’s two sentences on safety are counterbalanced by many more sentences describing how space systems must be made cheaper and should accomplish their goals sooner.  ‘Faster, better, cheaper’ was the rallying cry of management over a decade ago.  The wags soon added ‘pick any two’.  My experience has been that a project manager is lucky to get two, and many projects end with having failed on all three counts.

 

I found another Latin phrase which may apply here, from Horace:  Splendide mendax.  It means ‘splendidly untrue’.  Safety at low cost, that is. 

 

So as we look to the future, it is going to take a great deal of careful management to ensure that commercially provided crew transportation systems are adequately safe and yet not drive the cost (and schedule) through the roof.  This balance is not easy to accomplish.  Careful and thoughtful management attention will be required.  No doubt you will hear some debate about this topic in days to come.

 

Which brings me back to sine qua non.  About a year after the loss of Columbia, NASA had a conference on risk and exploration.  A number of folks who do dangerous exploratory work talked with the NASA leadership about these issues.  Probably the most memorable thought of the whole conference came from James Cameron.  After almost two days of people repeating the phrase “safety first, safety is the most important thing”, Mr. Cameron made this observation:  “While safety is very important and must be considered at all times, in exploration safety is not actually the most important thing.  In exploration, the most important thing is to go.”

 

If I were writing the report, it would echo those words.  Actual exploration is not safe.  Actual exploration does not take place on PowerPoint slides.  Actual exploration takes courage.  Actual exploration takes action.  Actual exploration requires going.

 

Actually going is sine qua non.

24 thoughts on “Sine Qua Non”

  1. I loved this post. It is a point I’ve been trying to get across for years!

    I know the “Space Elevator” doesn’t rate really high in NASA circles (for good reason! Its Technology Readiness Level is almost a negative number). That said, I have been talking for years about balancing risk against possible results. If our total program costs about $15B, then 3% of that should go into R&D to find out if it’s possible, feasible or smart. And if you make that 3% investment – even if the Elevator ultimately turns out to be “impossible”, then you still have a whopping big Return on Investment, because the Intellectual Property assets generated will more than offset your original capitalization of the R&D effort.

    On a more mundane level, consider building the Golden Gate Bridge. It cost people their lives to do it. Now, they took care, and built special under-hanging safety nets to save as many as they could. They implemented new management procedures, and operational techniques. And in the end, they “did the best they could”. People died, anyway. But the point to take from that is simply this, the risk and the reward were worth the effort – nationally, locally, socially, corporately, and individually.

    Space is the same way.

    You had a terrific message. I’ll be repeating it. Thanks.
    Take care. mjl

  2. Wayne, truly a thought provoking entry. It is impossible to eliminate all risk from systems like this, so an “acceptable” level of risk has to be determined. Ideally, once we are at that acceptable level, we should be able to make incremental improvements as we gain information about the systems and their interactions, but some risk is always going to be present. The question in my mind is what do we do going forward to strike that balance and mitigate the risk?
    I think of some of the early accidents that happened in the program, and while a lot of effort was expended getting to the root causes, it was always in the vein of how can we keep moving forward. I don’t see that very much these days.

  3. Safety of commercial crew transportation is easy to solve. There isn’t going to be any commercial crew transportation. That was easy.

    Don’t personally see commercial crew transportation materializing by 2020 if ever. It’s a myth, just like the 40 year old myth that housing can be funded purely by commercial banks.

    The only commercial system likely to appear before 2020 would involve NASA spinning off the Ares 1 people into a private company, paying all the costs through contracts, & then saying it’s commercial.

  4. As an engineer I was not happy to see the Augustine Summary report say safety was a ‘sine qua non’ issue and got on with the rest of its summary.

    Spaceflight is about going safely. ‘Going’ and ‘Safely’ have to have a reasonableness test applied to them. I was hoping Augustine would explore what was reasonable in terms of safety for spaceflight, but they avoided the issue.

    While Augustine was very informative on schedule, cost, mission, international partners, commercial opportunities, getting the public on board, it largely avoided the safety issue.

    If safety didn’t matter, there would not have been an Augustine Committee as human spaceflight costs would have been substantially lower, successes much greater and dead bodies would be littering the solar system.

    I think the Ares I & V approach is right for the present even if I questioned whether cheaper more effective first stages could have been derived from existing technology.

    It is agreed that NASA’s role should be pushing the boundaries of R & D and spaceflight. No one said commercial operators could not buy, under licence from NASA, the developed Ares I and Ares V components off their makers and use them for commercial services. With some appropriate rules and procedures it’s possible to have the best of the Government/commercial worlds. I hope the politicians with vested interests in the Ares I program are successful in defending the Ares I jobs.

    NASA HQ last month did a story on the solid rocket fuel ALICE. As its exhaust appears to be environmentally benign it would be interesting to hear more about its potential to power big launch vehicles. I can find very little reference to it in literature. If spaceflight to LEO is to be an everyday thing (even a once in a lifetime thing for the average citizen), it needs to be airline safe, much cheaper than at present and much more environmentally benign. So far ALICE and LOX/LH2 appear to be the only environmentally benign fuels for launches to LEO.

  5. Mister Hale, this post of yours is probably the single most important thing that has to be said, aloud, over and over again until it becomes an undoubted truth, about exploration in any field or place. Exploration is not meant to be safe, it’s meant to find out for better or worse. Exploration is going to cost you, in bucks or blood, because you cannot make the unknown more efficient or economical. Exploration is also necessary, because only by exploring and knowing something you can make it and the exploitation of its potential safe, economical, and efficient.

    I pray for the day that we can finally say that going into space is routine. I pray for the day that, in the same way that we have come to know and conquer the troposphere, we’ll have known enough of what there is to know about getting to and thriving in LEO, the Earth-Luna system, the entire Solar system, and we can finally sit down and make our space machines more efficient, more economical, more safe. Optimized.

    But until then, we have to learn, and we have to learn to accept the price of that knowledge, and learn to teach the rest of the world to understand that price. Perhaps all of us who have stood in the middle of the night and watched the sky know that is well worth it, but not many people these days ever stop to watch the sky.

  6. Wayne,

    Speaking from the perspective of industrial safety, there are risks which you can control and those which you cannot. Therefore, it is only logical to focus your energies towards those risks you can control.

    A short story will illustrate my point.

    A local man was driving his car to work. It was a late model, with every safety device available. He lost his life when a tree fell as he was driving past. It was nighttime, so he never saw the tree which killed him.

    Fact is, NASA does things no one else has ever done in human history with purpose-built equipment.

    You also bring up a salient point about human nature and vigilance giving way to complacency. All you can do is to resolve “never again”, and raise your voice when things seem to be backsliding.

    A good example would be the issue with the fill-and-drain valve on STS-128. Was NASA going to succumb to schedule pressures and just decide to ignore the issue, or were there people who could resolve this problem and stay within the FRR rules?
    I monitored the conversation, and was pleased with the outcome: a better method of positively verifying the valve’s actual position was developed and implemented.
    There would be no backsliding that day.

    Dr. Perrow’s logic is sound. The more components something has, the more there is to go wrong. A chain is only as strong as its weakest link…even if that chain has only one link.

    So, what do you do? You either accept the risks and move forward, or you don’t accept the risks and accomplish nothing.

    “This is a very expensive process.”

    To borrow from those credit card commercials…safety costs money.
    Not having to add names to that granite wall in Florida…priceless!

  7. Mr Hale, I could not agree with you more. I find it just a little frightening that we may be on our way to losing the understanding that exploration requires risk, but that exploration is required for us to grow.

    I hold my breath and pray that we will continue to fund space exploration. Even in the worst of times, there is a need to invest in the future.

    Beth

  8. I knew I liked you, from the first time I saw you after the Columbia accident at the press conference. You say what you mean, and mean what you say in words everyone can understand. Thank you Mr. Hale

  9. Hello Mr. Hale. Let me first off say that I feel that NASA is a better place with your being there. I like the way you think and organize. It appears meticulous and concise.
    This question could be viewed as on topic of safety in a sense. How much revenue of NASA’s budget is spent toward the research of alternative methods of propulsion? Perhaps a safer means of propulsion?

  10. Former Administrator Mike Griffin has done a great job clarifying the issues before the House Committee yesterday (at least in his paper containing his opening remarks).

    A case for a major change of direction to the HSF program has not been substantiated.

    I’m pleased he said ISS should be kept aloft while it can do useful work – at least another 20 years surely unless insurmountable problems arise.

    It is interesting to note that an ISS sized facility (450 tonnes) could be constructed with just 3 Ares V cargo flights.

    There are a lot of off-the-wall ideas floating round for launching spacecraft to LEO and then elsewhere in space. Most will never be practical, but 99.99% of the world’s citizens don’t know that.

    It would do NASA a lot of good to maintain a web page to which people could send their proposals and NASA would get an engineer/scientist (as appropriate) to do a short evaluation of the most common and less common with some merit. You could even invite the public to send in their analysis of proposals selected for the website.

    Site maintenance would amount to a few hours a week. Obviously, a NASA engineer/scientist selected to do an evaluation could have to put a day or two of research into it.

    The Augustine Committee recommended a $750 million p.a. technology budget. $50,000 p.a. to explain why some proposals are not in a technology program will be money well spent in terms of popular support for NASA. As evidence of the need for this idea, I note your (Wayne’s) recent little explanation of the energy differences between an object on earth and one in LEO said much about why it is possible for SpaceShip One to get into space for little effort while getting to LEO is a substantially more difficult task.

    I note former Administrator Mike Griffin and former MSFC Director Dave King both live in Huntsville – interesting dinner party possibilities.

  11. Wayne:

    These are excellent points. I am currently working on the topic of safety culture for the nuclear industry. To address the points you make I have begun using the term “safety and performance culture” to convey the idea that both safety and performance must be valued.

    A short excerpt from a recent presentation on this topic:

    – Culture has the most meaning in the context of purpose and mission
    – Safety culture programs are most effective in the same context
    – Safety and performance are interdependent and mutually essential
    – Safety by itself is like sitting on a bicycle with the helmet on
    – Safety is not meaningful unless there is a destination for the ride

    I think this idea might be relevant for NASA at this time.

    Best regards,

    Bill Nelson

  12. Wayne,

    Bill Nelson’s thoughts are relevant, but in today’s industrial safety context, a slight bit off-center.

    “Safety by itself is like sitting on a bicycle with the helmet on”

    Actually, it is a concept with metrics defined by what the concept is expected to accomplish.

    “Safety is not meaningful unless there is a destination for the ride”

    There is no “destination” for safety; it is a never-ending story and a work in progress.

    “Performance” is best measured over time. It’s common to see signs touting “X Number of days since our last lost-time injury” at industrial sites, and for the general public and employees, it’s a goal to keep advancing that number…one day at a time.

    One day at a time…the mantra of Alcoholics Anonymous, is it not? It also needs to be the safety mantra of every employee, or if carried farther, every person. Think about it.

    How many of you readers wear ear, eye, foot, and leg protection when you cut the grass? How many of you regularly test the GFCI outlets in your home…how many of you KNOW what a GFCI outlet does?

    You see, safety isn’t something that starts and stops at the factory gate, it is a continuous process that needs to be practiced every waking hour, no matter where you are or what you’re doing.

    Think safe…act safe…be safe.
    Always.

    The price of safety, like the price of freedom, is eternal vigilance.

  13. Bill Nelson makes some helpful suggestions about safety culture. He notes the importance of purpose. In doing so he has moved the discussion to social capital.

    Social capital is a management theory aimed at getting people to focus on the things that matter for an organisation of any type to get results. I have found that the things that matter can be classified under four headings – common purpose, trust (created by delivery on explicit and implicit promises), reciprocity (often gets mixed up with implied promises) and meaningful decision making. To support trust and reciprocity society has created institutions (Congress, companies, political parties, etc.) and rules (laws, regulations, standards, procedures, etc).

    Culture could be described as a collective knowledge of, and a collective following of, a set of common purposes, trusts, reciprocities and meaningful decisions. In all facets of life, when new or old members of a group don’t follow a given culture, it creates angst because it degrades social capital.

    Not all social capital is good and it can always be improved. Social capital needs to be continually built or it degrades. Sometimes aspects of it need to be destroyed so that something better might take its place.

  14. NASA is junking a reliable system from which 99.9% of the bugs have been eliminated and replacing it with one with a whole new set of unknowns. Sine qua non, indeed. Good luck.

  15. Wayne,
    Thank you for your message. I enjoy reading your blogs, and I hope that you and your family are doing well. I sincerely hope that those in charge will listen to points as strong as yours. Safety first, but we must explore.

  16. There will always be risk and a price to pay when going where no man has gone before. To continue the spirit of exploration is to cast off any restraint one might have due to staying “comfortable” and not risking one’s safety. Of course using wisdom is always a necessity to keep you from danger as much as possible, but advancement in knowledge and exploration trumps that in my opinion.

  17. Dave H.:

    Thanks for your comments. I agree with all that you said in the context of industrial safety. However my comment about a destination was in a broader context – that of the overall mission (or destination) of the organization. In the NASA context safety is not the destination – it is an essential requirement for successfully reaching the specified destination – low earth orbit, the moon, Mars, or wherever.

    It is possible to have a very successful safety program without going anywhere, but that is not NASA’s mission.

    Regards,

    Bill Nelson

  18. Regarding the tension between safety and going somewhere, Wilbur Wright wrote the following:
    “There are only two ways of learning to ride a fractious horse; one is to get on him and learn by actual practice how each motion and trick may be best met; the other is to sit on a fence and watch the beast awhile, and then retire to the house and at leisure figure out the best way of overcoming his jumps and kicks. The latter system is the safer, but the former, on the whole, turns out the larger proportion of good riders. It is very much the same thing in learning to ride a flying machine; if you are looking for perfect safety you will do well to sit on a fence and watch the birds, but if you really wish to learn you must mount a machine and become acquainted with its tricks by actual trial.”
    I think most of us in the Agency think it is important to actually get somewhere and learn something in the process than to watch birds do so. The question is whether we still live in a country that believes this is important.

  19. Well I think that no one can make that 98% that you mention into the whole 100%. Not in such an endeavour like space flights where a small bolt can cause an accident. That book Normal Accidents, as depressing as it may be, it is on the point. Space flights are not yet something that is done all the time and that is why accidents will happen in the future (I sincerely hope not, but the probability is high) just because of the fact that you are still doing research and testing. And in this phase it is trial and error. I hope there are not many errors.

  20. To be honest I found one line in this article that I don’t agree with. The author states that the shuttle failed twice. The shuttle did not fail. Challenger was a failure of the SRB, Columbia was a failure of the foam on the ext. tank. In neither case was there a failure of the shuttle itself.

  21. It absolutely astounds me how that after all the testing and spending it is still difficult to guarantee safety for our men and women working at NASA. But to have blind faith in the organization and to rule out any factors that may be unsafe because “NASA would not put us in harm’s way if this were dangerous” is a dangerous path to walk down itself. Both the Columbia and Challenger faced problems that were unforeseen and in space flight there will always be these factors that no one took into account.

  22. I don’t think NASA is going to be admitting that their vessels are not safe any time soon. Of course the people who will be going up into space have to say they trust NASA and their work because they actually signed up to put their lives in harm’s way. I pray for them. This is an expensive and risky business.
