Tag Archives: risk

Human Rating A Spacecraft

Posted on by .

Recently you may have heard about former astronaut Scott Parazynski’s adventure to climb Mt. Everest.  He carried a sliver of a moon rock from Apollo 11 with him, and then picked up a sliver of a rock from the top of the highest mountain in the world.  These two rocks were encased in plastic, handed over to NASA, and flew aboard the space shuttle to be installed in the new Tranquility module of the International Space Station.  All very inspiring and good. 

 

Now for the rest of the story. 

 

All items to fly aboard the shuttle and/or reside on the station have to go through a safety review process.  One of NASA’s early and painful lessons was the Apollo 1 fire.  Fire in space could clearly be catastrophic, and the oxygen content of the atmosphere of both the shuttle and the station has some variability – and can be higher than normal earth atmospheric oxygen content.  It turns out that the plastic which the two rocks were encased in has bad properties in a fire situation.  To their credit, the new NASA safety organization attitude is no longer “No because” but “Yes if”.  The memento could be flown and displayed on the ISS if it were encased in another transparent, fire safe material.  If you see it today on the ISS, the rocks are doubly enclosed, once in “bad” plastic, and over that a layer of “good” polymer. 

 

Now, is this bureaucratic overkill?  Would you have fire safety disregarded?  How would you handle this situation if you were in charge?  Just take the risk?  Or do the bureaucratic thing and apply another layer of safety?  Careful with your answer.  I’ve had to face crewmember’s families after their loved one perished.  That experience makes you think very hard about these kinds of decisions.

 

There is a debate going on about human rating spacecraft – making them safe enough for people to fly on.  It is really a debate about safety and how much NASA will be involved in ensuring that commercial providers of space transportation services are safe.  There has been a lot said about human rating space vehicles lately, much of it confusing.  Read NASA’s requirements document for yourself at this location:

http://nodis3.gsfc.nasa.gov/displayDir.cfm?t=NPR&c=8705&s=2B

 

Even if you read it thoroughly you willnot understand what is really being said unless you understand the context and the NASA culture in which it resides.  Just reading the document without understanding the organization will lead you to wildly erroneous conclusions.  Let me try to put this document in perspective and plain language.

 

The first conclusion is obviously this document was written for a government run program in the style of Shuttle or Station.  The underlying assumption is that the NASA Program Manager makes the decisions within the framework of the NASA management structure.  So to apply this document to commercial human spaceflight will take a re-writing.  In fact, a committee is already working on a new version which would apply to vehicles on which NASA might buy seats. 

 

The second conclusion is illustrated by the drawing on page 2. 

 

Standards Figure 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

So the Human Rating Requirements “NPR 8705.2B” is only a small selection of the standards and processes that go into human rating a spacecraft.    As the document says early on “  . . . complex space hardware requires all missions to meet high standards . . . This NPR is to define and implement additional processes . . . necessary to human-rate space systems . . .  this NPR is linked to, and depends upon, many of the requirements . . .  contained in other NASA directives.” 

 

Are you getting the picture?

 

When I was shuttle program manager, I asked how many standards were levied on the shuttle program.  The answer was in excess of 40,000.  How can that be, you might ask.  Easily, I would reply.  There are all kinds of standards:  welding standards, parts standards, cleanliness standards, fracture control standards, vibration standards, EMI standards, wiring standards, mil standards and mil specs, software design and testing standards, and on and on and on.    

 

For a short list of some of NASA technical standards – all of which are likely to be applied to commercial human spaceflight – visit this page:  http://standards.nasa.gov/documents/nasa

 

But wait, that’s not all!  Each of these documents requires the use of more reference standards.  Let me give you an example of further standards referenced from a NASA parent standard; this from a recent presentation:

 

“NASA-STD-4003 September 8, 2003  Electrical Bonding for NASA Launch Vehicles, Spacecraft, Payloads, and Flight Equipment (25 pages)

            + Mil – C-5541, Rev E 11/30/1990 Military Specification, Chemical Conversion

                        Coatings on Aluminum and Aluminum Alloys

            + SAE-AMS-M-3171 4/01/1998  Magnesium Alloy, Processes for Pretreatment

                        and Prevention of Corrosion on

            +  SAE-ARP-5412 11/1/1999 Aircraft Lightning Environment and Related Test

                        Waveforms”

 

That is a short standard with a short subsidiary list.  Remember that if your electrical equipment is not well bonded (grounded), you are likely to have a serious problem.  This is precisely an example of the care and expertise that goes into aerospace vehicles to make them successful – and safe.  Norm Augustine’s book declares “the $5000 dollar electronic component will always fail so as to protect the 50 cent fuse” (Electronics boxes were cheaper in his day).  Even better to remember is Michelangelo’s famous dictum:  “Trifles make perfection, but perfection is no trifle.” 

 

There are a variety of standards available in the world, and I was very un-amused one day to be drawn into a debate by two technical warrant holders over which welding standard was superior:  the ANSI or the ASME.  The ISS organization has cheerfully adopted European or Japanese standards for the components built overseas.  But whether the spacecraft was built in the USA or overseas, at every step in the design, testing, and production of a space vehicle, there is some NASA organization or person who has been invested with the power to enforce those standards. 

 

Armchair authorities like to discuss the “big ticket” items in the Human Ratings Requirements:  redundancy requirements for fault tolerance, or minimum factor of safety for structures as examples.  Real rocket builders know while those are important, the real key to safety and success is very much more affected by the quality of parts and myriad individual steps in workmanship of the end product.  These are measured against thousands of individual checks against the appropriate standard.  So you must realize the vast majority of standards and requirements do not show up in the NPR 8705.2B Human Ratings Requirements document, they must be searched out in a hundred subordinate documents.

 

A third observation can also be made very early in the document.  NASA has “technical authorities” for safety, engineering, health/medical, and crew.  Following the Columbia Accident Investigation Board recommendations, the agency was reorganized so that the technical authorities do not work for the program but maintain independence to ensure that NASA programs are executed safely.  In fact, if a technical authority disagrees with the program manager, it is the program manager who must comply or appeal to a higher authority.  This is designed to ensure that cost and schedule pressures do not lead to unsafe decisions. 

 

Transparency in government:  the NASA governance model can be read at:   http://nodis3.gsfc.nasa.gov/npg_img/N_PD_1000_000A_/N_PD_1000_000A_.pdf

 

Here is an interesting and operative paragraph:

 

“3.4.2.1.4 Authority Roles Regarding Risk

Decisions related to technical and operational matters involving

safety and mission success risk require formal concurrence by the

cognizant Technical Authorities (Engineering, Safety and Mission

Assurance, and Health and Medical). This concurrence is based on

the technical merits of the case and includes agreement that the risk

is acceptable. For matters involving human safety risk, the actual

risk taker(s) (or official spokesperson[s] and his/her/their supervisory

chain) must formally consent to taking the risk; and the responsible

program, project, or operations manager must formally accept the

risk.”

 

What does that mean in plain language?  Basically the builder must comply with what the independent technical expert requires. 

 

I can remember one shuttle issue with the agency tribology expert (that’s lubrication to most folks).  The technical expert would not budge a millimeter (0.254 inch) in requiring servicing of a part almost inaccessible deep in the bowels of the orbiter.  The agency technical experts have absolutely no incentive to back off on their standards.  They are independent of the program.  They are not concerned with cost or schedule, only with compliance.  Compliance brings about safety, why would we want them to do anything less?

 

How will that fit with a lean, entrepreneurial commercial organization with a profit/loss bottom line?  Heck if I know.

 

So on about the fourth page of the Human Ratings Requirements document you can read that before work starts on a spacecraft design, a meeting is convened of the technical authorities to tell the program manager what standards and specifications the new vehicle will have to meet.

 

Don’t forget the legend that is stamped on the top of the front page:  “Compliance is Mandatory”

 

That’s probably enough for an overview.  We may visit the in-depth requirements on another day. 

 

Remember that the requirements document for commercial services is being written and the NASA governance model can change at any time.  So this discussion serves as a background of where we are today and where we have been, not necessarily where we are going to go in the future. 

 

My takeaway? 

 

The agency tried really hard to be as safe as possible and we still had the Apollo 1 fire, close calls on several lunar missions – the most famous of which was Apollo 13 – and we lost Challenger and Columbia.  In spite of our best intentions and best efforts. 

 

I’ll quote myself from my blog post Sine Non Qua on Sept. 11, 2009:

 

“Six years after the loss of Columbia, I’m not sure that we can make a spacecraft safe, but I have empirical evidence that proves beyond a shadow of a doubt that we can make it expensive.”

Where is Delos D. Harriman when we need him?

Posted on by .

During my childhood, back in ancient times, science fiction was my reading material of choice.  Isaac Asimov, Arthur C. Clark and Robert Heinlein were first among the pantheon of science fiction writers in those days.

 

One of the best was Robert A. Heinlein’s 1949 story “The Man who Sold the Moon”.  A brilliant American businessman (today we would say entrepreneur, then Heinlien called him a robber baron) devoted his vast wealth to building a moon rocket.   Think Elon Musk but with Bill Gate’s fortune and Donald Trump’s ethics.  Of course he succeeded, despite of all the difficulties, including the roadblocks set up by the government.  At the end of the story Harriman famously tells his best friend: “I would cheat, lie, steal, beg, bribe — do anything to accomplish what we have accomplished”.

 

Where is Delos D. Harriman today?  We sure could use him.  “We” being all those folks who really really really want to humanity off this planet in a significant way.  And maybe not depending on the vagaries of politics and politicians. 

 

I spent too much time out in the soggy weather in Houston this afternoon at the memorial grove for fallen astronauts.  It was a sorry day to have an outdoor ceremony, but there was a big crowd despite the cold and damp.  There was a similar ceremony up at the Arlington National Cemetery, and another one at the Astronaut Memorial mirror at KSC, and other places, too.   The weather may have been better there, but I doubt that the mood was different. 

 

The price has been paid, we need to get on to Mars an the other places. 

 

Heinlein had Stevenson’s famous poem “Requiem” inscribed over Harriman’s lunar grave:

“Under the wide and starry sky,
Dig the grave and let me lie:
Glad did I live and gladly die,
And I laid me down with a will!
This be the verse you grave for me:
Here he lies where he longed to be;
Home is the sailor, home from sea,
And the hunter home from the hill.”

I believe Heinlein captured a better thought in his own words in another story, although the critics would probably say the poetry is worse:

“We pray for one last landing

On the globe that gave us birth

Let us rest our eyes on the fleecy skies

And the cool, green hills of Earth.”

 

If these somber thoughts are not enough to end this dreary January day, I leave you with the words of the plaque affixed to Launch Complex 34, which I visited two days ago:

 

“Friday, 27 January 1967

       1831 Hours

 

Dedicated to the living memory of the crew of the Apollo 1

 

U.S.A.F. Lt. Colonel Virgil I. Grissom

U.S.A.F. Lt. Colonel Edward H. White, II

U.S.N. Lt. Commander Roger B. Chaffee

 

They gave their lives in service to their country in the ongoing exploration of humankind’s final frontier.  Remember them not for how they died but for those ideals for which they lived.”

 

Culture Change at NASA

Posted on by .

According to the creation myth, in the beginning, NASA was full of young, cocky, innovative, hard charging folks who got us to the Gene Kranz's School for Young Gentlemen circa 1967moon inside a decade.  They were brash, confident, and did not suffer fools gladly.  If they were worried, they didn’t show it.  Stories abound of 100+ hour work weeks end to end, almost impossible to believe.  Their theme -as posted on the factory walls – was ‘waste anything but time’.  Going to the moon was the cliché for doing the impossible and they were going to be the ones to do it.  They were the epitome of risk-taking, innovative, creative, flexible, nimble, achievers.

 

 

 

 

 

 

 

On the way to the moon, the Apollo 1 fire happened.  It was a tragedy.  It was beyond awful.  With 20-20 hindsight, the root cause of the fire was obviously sheer stupidity.  There were investigations and panels and recommendations.  As in every accident investigation, the investigation board found that communications between people and organizations were faulty.  Management culture was poor.  And the safety organization was strangely silent on dangerous situations which they had been warned about.  So the recommendations, in additional to technical things, included improving communications, changing management culture, and reinvigorating the safety organization.  And even though everybody at NASA believed the fire was a one-time thing, NASA tried to improve.  Some bureaucratic checks took a little of the nimbleness out of the system in the name of safety, but mostly NASA got a pass because we had to beat the Russians.  The Eagle landed, the mission was accomplished, and time passed.

One the way to exploiting the space frontier with our new space shuttle, 19 years and one day after the Apollo 1 fire, the Challenger and her crew were lost during launch.  It was a tragedy.  It was beyond awful.  With 20-20 hindsight, the root cause of the accident was obviously sheer stupidity.  There were investigations and panels and recommendations.  As in every accident investigation, the investigation board found that communications between people and organizations were faulty.  Management culture was poor.  And the safety organization was strangely silent on dangerous situations which they had been warned about.  So the recommendations, in addition to technical things, included improving communications, changing management culture, and reinvigorating the safety organization.  And even though everybody believed that the accident was a one-time thing, NASA tried to improve.  More methods to communicate were added, more bureaucratic checks were added, the system slowed down and became more costly in the name of safety, but mostly NASA got a pass because we still had to beat the Russians, this time to build a permanent space station, and they were ahead of us.  The Hubble was launched, the assembly of the Space Station started, and time passed.

17 years and three days after the loss of Challenger, Columbia disintegrated during reentry and her crew was lost.  With 20-20 hindsight, the root cause of the accident was obviously sheer stupidity.  There were investigations and panels and recommendations.  As in every accident investigation, the investigation board found that communications between people and organizations were faulty.  Management culture was poor.  And the safety organization was strangely silent on dangerous situations which they had been warned about.  So the recommendations, in addition to technical things, included improving communications, changing management culture, and reinvigorating the safety organization. 

This time, nobody inside or outside of NASA believed that the Columbia accident was a one-time thing.  So we tried to change the very root culture at NASA.  Strangely, I found myself at the epicenter of the culture change; one of the least likely managers ever to participate in touchy-feely human relations changes.  We got trained by professional councilors on how to play nice and communicate affirmingly. At the end of seven years, some change is evident.  Safety is reinvigorated; the management culture has bent toward more safety; and  communications, well, need more work and probably always will.  Dissenters must be heard and understood, and mostly placated; much more bureaucracy has been added in the name of safety, and everybody now has a “stop work” card to play if they have a concern.  NASA did not get a pass, the Russians are no longer our competition but our partners, and the debate intensifies as to whether America should send humans into space.  Meanwhile, the Space Station has nearly been completed, the shuttle is about to be retired, its mission accomplished, and time has passed.

Now conventional wisdom says NASA is risk averse.  Afraid of failure, afraid to take risks, requiring draconian and expensive safety insight for even mundane tasks.  They say that NASA depends too much on extensive testing and expensive analysis to prove that every operation is as safe as humanly possible before undertaking it.  That is the conventional wisdom proffered by the media, the pundits, and those who want to be in the space business. To be successful in space, we hear, risks must be taken, fear must not inhibit innovation.  The possibility of failure must be deeply discounted and the consequences of failure should not be contemplated very hard lest we waiver from our goals.  We need organizations that are nimble, flexible, innovative, and risk taking to be successful in space. 

In short, NASA should turn to private enterprise for a ride to space.

So how can a staid, grey, old, inflexible bureaucracy approve flying its people on somebody else’s rocket?  Experience has been a hard teacher; everybody at NASA has been instilled with a great personal responsibility for safety; the knowledge that if the widget that they are responsible to monitor causes failure it will be their own personal fault.  Do you untrain the culture of the last seven, no –  forty, years as drilled into every NASA engineer and manager?  Probably not.  But if American astronauts are to ride to the international space station on a rocketship that NASA did not build, there will have to be a tectonic shift in NASA culture.  Regardless of who builds the ship or operates it or what shape it takes, one thing is certain; NASA’s role will have be different.  That will take a tremendous amount of energy, and time must pass.

In the middle of the last culture change I sent the following paragraph to the shuttle troops.  I still stand by it and it rings strangely true for the future, too.

Life is full of gray choices.  Deciding the work completed is good enough because more will not make it perfect.  Ten thousand gray choices; doing what we must do, and not a bit more because that would take away from other work that is absolutely critical to be done right.  When we have done what we can do, when we have driven the risk to the lowest practical level where it can be driven, then we have to accept the fact that it is time to make a decision and move on.  Because history is waiting for us.  But history will not wait forever, and it will judge us mercilessly if we fail to face tough choices and move ahead.

Thoughts on Commercial Human Orbital Spaceflight

Posted on by .

Shortly after I moved into the Shuttle Program office, I was very surprised to learn that NASA did not own the blueprints for the space shuttle!  The government never purchased the intellectual property and the design details of the vehicle.  The blueprints are all proprietary information belonging to Boeing.

 

NASA never really built any big rockets; NASA hires contractors to do that.  For example, the Saturn V was built in pieces, the mighty first stage by Chrysler (how times have changed!), the second stage by North American Aviation, the third stage by McDonnell Douglas, the lunar module by Grumman, and the command/service module by North American. 

 

North American Aviation was an innovative, nimble, flexible, efficient, small commercial aircraft company lead by the legendary “Dutch” Kindelberger.  NAA designed and built many classic aircraft including the P-51 Mustang.  After Kindelberger passed, corporate mergers changed NAA to North American Rockwell, then Rockwell International (which can claim credit as the designer and producer of the Space Shuttle orbiter), and now to merely a division of the Boeing corporation.  The historic site in Downey which saw production of the P-51 Mustang, the Apollo CSM, much of the Shuttle Orbiter was sold, sadly, to commercial interests who couldn’t turn a profit on the land as a strip mall but rent the property out for movie making.  Sic Transit Gloria Mundi.  After Boeing bought out RI, the workforce moved a few miles over to Huntington Beach.  It’s just business, as they say.

 

So I am quite amused by the current debate about whether or not NASA should build rockets or contract that work out to commercial firms.  NASA per se has never built rockets of any size.  But that statement is so simplistic as to be disingenuous.  There is a marked difference between the “old” way of doing business and what is being proposed as a “new” way of doing space business.

 

Simply put, in the old days (or even today’s days), NASA (the government) was in control; made all the big decisions, required complete insight into all the details of the design, manufacturing, testing, and production of the space flight vehicle.  Eye watering amounts of documentation were required for every step.  The contractor might do the detailed work, but the government folks got to see everything, review everything, and approve everything.  The contractors work on a “cost plus” basis and charged for every change.  Somewhere along the line, the small, nimble, flexible, innovative, efficient company that was North American Aviation became a cog in a bureaucratic, military-industrial, giant corporation (no offence, Boeing). 

 

The “new space” model is that one or more nimble, flexible, innovative, efficient commercial companies will provide a reliable, safe, economical launch vehicles and spacecraft that American astronauts can ride to the International Space Station.  Getting to low earth orbit is so easy that practically anybody can do it!  Large government programs are no longer required and NASA should concentrate its efforts on deep space exploration and doing the “hard” things like landing on the Moon or Mars.

 

Except that in the early part of the 21st century, getting to low earth orbit is neither routine nor easy.  Anybody that has really tried to do it – past the viewgraph engineering stage – can attest that getting to LEO is hard.  It requires precision, care, extremely good engineering, quality control, etc., etc., etc.  Landing on the moon may be “hard”, but getting to LEO and back is hardly a cakewalk.  Recently I have read several statements from some “new space” entrepreneurs concerning space flight safety.  They acknowledge that an accident would be devastating for the commercial crew launch business, so they profess that each of the companies attempting to put human spacecraft in orbit (or sub-orbit) is committed to safety.  I believe that statement.  However, intentions are not enough; remember whither the road leads which is paved with good intentions.  In my mind, I can hear entrepreneurial mortgage lenders claiming giving loans to people who cannot repay those loans is bad for business and could cause the mortgage company to fail.  Surely nobody would do that, right?  There are pressures to compromise safety everywhere and to think that a commercial business won’t be subject to those pressures is naive.  How do you know when you have gone from being “efficient” to having cut the corner too close?

 

I do believe that commercial human space flight can be accomplished much more economically and efficiently than the government and our “cost plus” contractors do it today.  And it can be done with a reasonable level of safety, even in this low margin, high energy, dangerous business.  But how to accomplish these competing goals is the question. 

 

It is entirely one thing for a wealthy adventurer to personally choose to go into space on a new and untried rocket.  After all, nobody stops you from climbing Mt. Everest or parachuting into the wild outback for a ski adventure on a pristine mountain, its your own skin, your own risk.  But if the goal is to put U. S. Government civilian employees who are on official U.S. Government business on a commercial rocket, it will be the responsibility of some government agency (NASA?  FAA?) to ensure that the “conveyance” is reasonably safe.  NASA knows only one way to attempt to ensure safety, and that is very invasive.  In this case, synonyms for ‘invasive’ include:  costly, slow, bureaucratic.  Won’t help the business to be nimble.

 

In the 1990’s, NASA turned over the management of the space shuttle subsystems to the Boeing contractor.  In effect NASA relinquished a modicum of control and insight, a huge change in NASA culture at the time.  Going to a commercial launch vehicle will require a bigger change NASA culture.  This level of culture change is not impossible, but it is hard.  We’re currently studying on how to make commercial human space flight work – safe and economical at the same time.  As always, the devil is in the details.  And the hardest part will be the culture change.  Changing NASA’s culture is a topic for another day.

Time to Closest Approach

Posted on by .

Being at a conference on Orbital Debris has turned my thoughts back to being a Flight Director and experiences I would rather forget.

There is a lot of junk in earth orbit, and some of it endangers our astronauts every day.  Paint flecks and particles of solid rocket exhaust are big enough to damage the shuttle windows.  We now replace the shuttle windows every flight because of the damage that these microscopic particles cause. 

At 5 miles per second, there is a lot of energy in “collisions” between orbiting objects.  Every bit of space junk packs the equivalent of 25 times its weight in TNT because of the extreme speeds of orbital encounters.  We cannot track the small stuff.  Even pieces as big as loose bolts are untrackable and potentially fatal.  A one inch bolt in orbit could punch a hole right through the shuttle or the station causing huge damage and explosive decompression.  You don’t even want to think about what it would do to a spacewalker in their fabric suit.

Larger items are tracked by NORAD (they have a new name but I never remember it).  We know where the big pieces and can avoid them.  Or so you might think.  There are limits to how accurately the trajectories of space junk can be determined.  Trajectories are affected by the solar wind, transient and unmonitorable variations in the upper atmosphere, and some objects even have propulsive vents so their trajectories are constantly and irregularly changing. 

The shuttle, of course, is always maneuvering and changing attitude.  The shuttle thrusters are not completely symmetric so there are small changes to the shuttle’s trajectory every time they fire. 

Orbital trajectories are predicted into the future assuming none of these variations.  Even so, the very small uncertainties in a trajectory  gets multiplied over hours of prediction and this leads to a grey zone surrounding its predicted future position where the space object may or may not be.

Nowadays this is a sophisticated science with much better tools.  Better radars and lots of mathematics and probabilities give a much more complete notion of where and when encounters may take place. 

In the early days of shuttle we just knew that anything predicted to come within a few miles could be a hazard.  Missing by inches is OK; missing by a mile is good; but it was all like Russian roulette in those days.

Knowing how to maneuver to avoid a predicted “conjunction” is critical.  If you guess wrong and maneuver to the part of the uncertainty box where the space junk actually is: POW.  Sometimes doing nothing is the best option.

Operationally there are other impacts.  Since shuttle maneuvers are initiated by the crew, obviously the crew must be awake to maneuver the ship.  If the crew sleep is interrupted, their performance the next day may be affected.  Think about being awakened in the middle of the night to do a precise task and then trying to go back to sleep, wake up the next morning at the regular time, and have a big work event that day.  Not really good.

So the early shuttle it was thought that we should not wake the crew up for debris avoidance maneuvers.  Even though space junk was predicted to be coming close by and could hit us, the odds were in our favor for a miss.  In the cold calculation of the risks involved it was thought better to let the crew sleep rather than wake them for something that might not happen.  We codified this in the Flight Rules.

On exactly three occasions I was the Flight Director on the crew sleep shift when we got the word a “conjunction” was imminent.  I remember each event like it was yesterday with crystal clarity.  Some things do not leave you.  I made all the appropriate notifications; phone calls to the management confirmed that we should follow the rules, let the crew sleep, and bet on the odds in our favor.

So GC would set a clock on the big board counting down to “TCA”.  Meanwhile we all tried to do the mundane work of monitoring the shuttle systems and planning the crew’s activities for the next day.   On the assumption that there would be a next day. 

 But as the clock counted down close to zero, Mission Control would get very quiet.  We all knew what might happen.  It’s tough to sit on your hands when your friends are in danger and you can’t do anything about it. 

In my imagination, the worst case scenario played out:  instantaneous cessation of telemetry transmission from the shuttle followed some time later by NORAD tracking confirming a multiple pieces in an orbit where only the shuttle had been before.  Then the notifications, the investigations, the whole drawn out parade of mourning and recrimination.  I could see it all. 

So as we waited for the clock to count to zero, there was plenty of time to contemplate metaphysical topics:  life, death, courage, risk, achievement, probability, dishonor.  They are all fellow travelers, intimately bound together.  No great accomplishment comes without difficulty or risk.  Miscalculation or failure results in death and dishonor.  But it is what it is; you do the best you can, make the best rational choice you can given what you know, and then wait for the result. 

Going to Las Vegas holds no enticement for me.

Sine Qua Non

Posted on by .

I have been pondering the Augustine report (at least the executive summary) which has been released.  There are a couple of sentences up front that have been on my mind:

 

“Human safety can never be absolutely assured, but throughout this report, it is treated as a sine qua non.  It is not discussed in extensive detail because any concepts falling short in human safety have simply been eliminated from consideration.”  As panel members commented (more than once) during the public sessions, ‘we assume NASA will build safe systems’.

 

I’m not a Latin scholar so I had to look it up.  Sine qua non means the something or someone indispensible.    So safety is indispensible.  I’d agree with that.  As a matter of fact, I have spent my entire career based on making spaceflight as safe as possible while still actually flying. 

 

Actually, the assumption that NASA will build safe systems is poorly demonstrated by our history.  Our failures are painful to enumerate.  Early after the Columbia accident, we engaged Dr. Charles Perrow of Yale University to talk to us about his book (and theory) titled “Normal Accidents”.  In summary, Dr. Perrow believes that accidents are unavoidable in complex systems.  Very depressing to read.  Nothing you can do will ultimately prevent a fatal flaw from surfacing and causing catastrophe.  Life is hard and then you die.  Not very motivational, but perhaps true.  So all of us who listened to Dr. Perrow determined to prove him wrong.

 

In any event, safety in space flight is a relative term.  A launch vehicle with a 98% success record is considered very safe, but you would never put your children on a school bus that only had a 98% chance of getting them safely to school.  It is a high risk, low safety margin endeavor.  Probabilistic Risk Analysis has made great strides in recent years but the only statistic I put any faith in is the demonstrated one.  The shuttle has failed 2 times in 125 flights.  That is not good enough.

 

Six years after the loss of Columbia, I’m not sure that we can make a spacecraft safe, but I have empirical evidence that proves beyond a shadow of a doubt that we can make it expensive.  The cynical part of me says that is what we do at NASA: demand extraordinary proof that things are safe.  ‘Proof’ means a series of tests -a large enough number of tests to be ‘statistically significant’- and/or very complex analysis which examines every facet of each part of a system in detail to demonstrate that in the worst possible set of circumstances the system will perform as required.  Trouble is, there is no end to imaginative tests, and there is always something else to throw into the analysis.  And it all must be extensively peer reviewed, debated at length, documented to the nth degree, briefed to multiple layers of management, and signed off by virtually everybody in

the organization.

 

This is a very expensive process.

 

History indicates that attention to safety doesn’t seem to last.  Sooner or later the people charged with making a system safe retire or die off, the bean counters get their knives out and the organization gets trimmed in the name of efficiency and cost savings, and somewhere along the way an invisible line is crossed.   And Dr. Perrow is proved right again. 

 

Not to be too depressed, but these report’s two sentences on safety are counterbalanced by many more sentences describing how space systems must be made cheaper and should accomplish its goals sooner.  ‘Faster, better, cheaper’ was the rallying cry of management over a decade ago.  The wags soon added ‘pick any two’.  My experience has been that a project manager is lucky to get two, and many projects end with having failed on all three counts.

 

I found another Latin phrase which may apply here, from Horace:  Splendide mendax.  It means ‘splendidly untrue’.  Safety at low cost, that is. 

 

So as we look to the future, it is going to take a great deal of careful management to ensure that commercially provided crew transportation systems are adequately safe and yet not drive the cost (and schedule) through the roof.  This balance is not easy to accomplish.  Careful and thoughtful management attention will be required.  No doubt you will hear some debate about this topic in days to come.

 

Which brings me back to sine qua non.  About a year after the loss of Columbia, NASA had a conference on risk and exploration.  A number of folks who do dangerous exploratory work talked with the NASA leadership about these issues.  Probably the most memorable thought of the whole conference came from James Cameron.  After almost two days of people repeating the phrase “safety first, safety is the most important thing”, Mr. Cameron made this observation:  “While safety is very important and must be considered at all times, in exploration safety is not actually the most important thing.  In exploration, the most important thing is to go.”

 

If I were writing the report, it would echo those words.  Actual exploration is not safe.  Actual exploration does not take place on powerpoint slides.  Actual exploration takes courage.  Actual exploration take action.  Actual exploration requires going.

 

Actually going is  sine non qua.

Risk Averse

Posted on by .

During my travels I always carry a paperback to read.  A book that I finished recently was a history (my usual subject) concerning some German emigrants to America in the 1840’s.  Their story was entirely typical:  conditions in their village had deteriorated and they were lured by glowing stories of the opportunities in the United States.  So they sold their houses and all their goods and made their way to the port at Antwerp.  Unscrupulous characters soon fleeced them.  Broke and alone in a country where they had no resources and did not speak the language, the putative emigrants were forced to beg for food and shelter.  Some died.  A shipowner agreed to provide them passage to the new world in exchange for indentured service upon arrival.  The ocean voyage was miserable, the crew was inept, they ran out of food, water, encountered storms, and about a third of the party died during the voyage.  Shortly after arrival in port, a smallpox epidemic took another third of the company.  The survivors were marched off to indentured servitude; the remnants of families torn asunder.  Only the strongest, or the luckiest, survived.

 

As I said, a story that was very typical.  Few people made it easily to the “land of opportunity.”

 

My great-grandfather was of German emigrant descent; that book could have been the story of his parents.  I never knew him since he died before I was born, but I knew my great-grandmother, and I’ve written about her before:

 

———————————

 

As a very young boy my parents would take me to visit her in central Oklahoma.  As a young girl, she had walked alongside the family wagon as they moved west to new territory in search of land and a better life.  Yet she lived will into her 90s and saw the beginnings of the space age.  

 

And I had to wonder, as I thought of her and of the difficulties, dangers, and hardships of the pioneers who made this country strong, affluent, and powerful, do we still have what our pioneer ancestors had?  My grandmother was old, small, and frail when I knew her.  What shone through during those visits was a strength of character, a clarity of purpose, and a directness in communication that made you forget the frailty of old age.  Her stark assessment of those pioneer days is still fresh in my memory:  “The cowards never started, and the weak ones died along the way.”  She faced that hardship and danger and had a better life than if her family had not taken the risk to move west.

 

What is it, I wonder, that has made America a great nation?  Abundant natural resources are part of it.  The availability of cheap labor was a factor.  But other peoples have had cheap labor and abundant resources and have not succeeded in building a strong nation.  I believe that it is due the American character; an innate optimism and the bold willingness to take on risks if they hold the promise of a better tomorrow.  We have become the envy and wonder of the world not because of our wealth and power, but because of our character.

 

My great-great-grandparents certainly had some appreciation of the risks they incurred by moving west, but they could not have fully understood it.  They knew Risk in the Big Sense: danger, hardship, and death threatened their way:  accidents, disease, wild animals (wolves, bears, and snakes), hostile natives, terrible weather, and the difficulty of travel through the wilderness, all of these they must have recognized.  But the details would have been only vaguely understood.  The details of hardship were of secondary importance, they knew the Big Risk well enough.  They took what preparations they could, and they set out.

 

My great-grandfather made mistakes; he literally lost the ranch in the great depression.  But overall, they avoided the Big Mistake:  not taking a worthwhile risk.  Martin Luther once said “Sin boldly.”  That is not permission to do what you know is wrong, but it is an admonition not to be paralyzed to inaction by the prospect that you might be doing something wrong. 

 

Today we live in the luxury of their legacy.  Our greatest hardship may be mowing the grass; our greatest risk may be driving on the freeway.  These challenges just don’t compare with what our great-grandparents faced every day.  Have we lost the capability to weigh risk and reward, hardship and hope, difficulty and opportunity as they did?

So the fundamental question remains, do we have those qualities that made our ancestors successful?  Do we have the judgment to weigh it all in the balance?  Do we have the character to dare great deeds? 

 

History is watching. 

 

——————————————–

Recently, I was in a public meeting where NASA was castigated as being “risk averse”.  Is that a fair assessment, I wondered?  

 

Then I remembered the words of one of my heroes, Capt. John Young:  “We put seven people on top of 6 million pounds of high explosives and launch them into orbit at speeds six times faster than a rifle bullet.  What part of that sounds safe to you?”

 

Well said.  I couldn’t add to that statement.

 

It is easy to accuse someone of being risk averse when you personally don’t have to make tough decisions with real consequences.  At NASA we make hard decisions every day and the whole world gets to watch and see if we got it right.

 

I wouldn’t have it any other way.

 

I think my great-grandparents would have approved.

Why Climb the Highest Mountain?

Posted on by .

“But why, some say, the moon?  Why choose this as our goal?  And they may ask, why climb the highest mountain?  Why thirty five years ago fly the Atlantic?  Why does Rice play Texas?  We choose to go to the moon.  We choose to go to the moon.  We choose to go to the moon in this decade and do the other things, not because they are easy but because they are hard.  Because that goal will serve to organize and measure the best of our energies and skills.  Because that challenge is one we are willing to accept, one we are unwilling to postpone, and one we intend to win.”

This is the anniversary — you know I’m big on anniversaries — of the first ascent of Mt. Everest by Tenzing Norgay and Edmund Hillary.  Even JFK compared going into space with climbing the highest mountain.  Since a good friend and college, Scott Parazynski, just completed his personal conquest of that mountain, it seems timely to review the comparison.

DANGER: 

Not including 2009, over 4,100 successful summits of Mt. Everest have been made by 2,700 different people.  210 fatalities have occurred on the mountain with 120 bodies remaining unrecovered on its upper slopes.  Thus the overall fatality rate is about 5% on the world’s highest mountain.  But Mt. Everest it not the most dangerous high mountain.  Here are the top three:  Annapurna (8,091 m) 130 climbers have summitted Annapurna, while 53 have died. The overall fatality rate is thus 41%. Nanga Parbat (8,125m) 216 climbers have summitted Nanga Parbat and 61 have died. The overall fatality rate thus 28.24%. K2 (8,611 m) 198climbers have summitted the world’s second highest peak. 53 have died. K2’s overall fatality rate is 26.77%.

The total number of people who have been in earth orbit (including those who went to the moon):  465 individuals making just over 1000 total trips.  If suborbital flights are included, this number gets a bit larger.  Fatalities:  including Apollo 1 and the single fatality in the X-15 program, 22 people have lost their lives in space – or an overall fatality rate of just over 2%.

DIFFICULTY:  Both getting to earth orbit and climbing the highest mountains are incredibly difficult, right at limits of what we can do.

TEAMWORK:  Both ventures require large teams to plan, provide and coordinate logistics, and execute the plan — even when just a very few of the team members actually attempt the summit.

EXTREME ENVIRONMENT:  I recommend Ed Vestur’s excellent book “No Shortcuts to the Top” to explain the extreme environments encountered above 8,000 meters. 

SO . . . .that leads us to the question of how space exploration and mountain climbing are different.  That is a question that I would like you to comment on.  So take it away!

 

 

 

Lucky Tie

Posted on by .

Even though I’m far from home and even farther from LC-39, I’ll be wearing my lucky shuttle tie tomorrow.  That is a particularly silly thing to do since the tie isn’t even very lucky.  We had plenty of launch scrubs when I wore that tie on launch day in either Mission Control or Launch Control.

But its what I can do to show my solidarity with the team these days.  NASA is one of the few organizations that puts it all on the line in public.  Most organizations have some kind of cover, but when the launch doesn’t go right, there is no cover.  The OCO boys sweated over a great spacecraft but some glitch in the fairing separation circuit got them.  That hurts. 

Tomorrow evening we’ll try to launch seven folks into low earth orbit.  That may not sound like much of an achievement, but it is far from a guaranteed success.  So cross your fingers, get out your four leaf clover, or whatever it takes, and lets hope for success.  One more time.

I’m out in Utah doing some management work for the agency, looking at the facilities which might be used for the next human carrying rocket.  It was particularly exciting because I got to walk right up to the first Orion Launch Escape rocket.  This beast will burn several thousand pounds of solid propellant in less than four seconds to get a crew out of trouble in a hurry.  Rocket serial number 00001 is out there on the factory floor ready to ship to White Sands Missile Range where it will be tested later this year. 

Overall, I saw lots of Ares 1 hardware.  The DM-1 (development motor) is a five segment giant that will be tested in late summer.  Everywhere I went we saw lots of new hardware coming together for the first time.  Progress is being made.

Sadly, I was in the refurbishment shop where they are working on the last set of shuttle booster hardware.  The old bird will be retired at the end of next year and any future refurbishments, if any, will be to make hardware available for the new Ares birds.

It has been particularly busy in space; a spacewalk today at the International Space Station was fully successful; the new Kepler telescope is being checked out after a successful delivery to space.   A few days ago there was a successful parachute test for the Constellation program.  Lunar Reconnaissance Orbiter is in final checkout on the ground.  Everywhere I go there is progress being made! 

But lets all watch tomorrow, because as we all know, its far from a sure thing.

Burning Rocks

Posted on by .

There is an apocryphal story in flight control.  Like many apocryphal stories there may have been a kernel of truth somewhere in the distant past, but the story has morphed over time.  Now the story has value for didactic purposes:  it has a moral or some teaching point.  That is why apocryphal stories persist.

 

Way back before the first moon landing in 1969, some senior planetary scientist published a theory that the lunar rocks were highly energized by the sunlight, the solar wind, or cosmic rays or something.  So highly energized is the dust and rocks that when the first lunar explorers would return to the lunar module, close the hatch, and – still encased in their now dusty space suits – repressurize the cabin of the lunar module to 5 pounds per square inch pressure of pure oxygen, the rocks and dust would spontaneously burst into flame.  Catastrophe.

 

This prediction came to light less than two weeks before the launch of the first lunar landing.

 

The leaders of NASA scratched their heads.  Obviously such a prediction by a senior scientist in the field must be considered seriously.  But on the other hand, how do you test that theory to see if it is true?  With no moon rocks there was no way to test the hypothesis.  Consulting other experts was inconclusive:  maybe yes, maybe no.  The entire space program had been straining for years to get to the first lunar launch; the Soviet Union was right on our heels, what should we do?  Stand down for months to send a robot to the moon to test the problem? 

 

They ignored it. 

 

Yep, that’s right, they ignored it.  Pressed on and launched.  If there was angst, they hid it.  Did their pulse rate quicken when the hatch closed on the LM?  They didn’t show it.

And, fortunately, the rocks did not spontaneously combust in the pure oxygen atmosphere of the Apollo modules. 

 

So the story entered legend.  Any type of issue which was discovered at the last minute, which fundamentally and monumentally challenged a space mission, and which could not be tested or analyzed in any reasonable time became known in the community as a “burning rocks” issue.

 

As Flight Director, it became part of my job assignment (other duties as assigned, I guess) to listen to burning rocks issues.  Without exception, on every flight, not one, not two, but several people would come to my office, quietly close the door, and confess the demons that were plaguing their souls.  Something that had been bothering them for months, but which had never been spoken aloud before.  Procedures that might not work, tests that had not been performed, uncertainties about parts of the mission ahead both large and small; the Flight Director becomes Father Confessor to all kinds of folks.

 

All of these issues had several characteristics in common.  First, they had been on the individual’s mind for a long time but had never been brought up anywhere, any time, to anybody before.  Second, they were all fundamental issues that, to deal with properly, would require months or years of testing, analysis, or redesign.  Third, the individual bringing them forward had no idea how to deal with the issues.

 

Why these issues were not brought up long before is a mystery to me.  There must be a psychological explanation, but I’m no psychologist.  If the individual had spoken up earlier, there might have been time to deal with the problem; get experts together, do some analysis, run some test, rework a crew procedure, something.  But these confession sessions always always always came just days before launch.  Too late for anything to be done but to have a session with Father Confessor and ask for absolution.

 

On a rare occasion, the Flight Director might deem the problem as worthy of bringing forward to Program Management, or at least of getting a team assembled to start working on potential solutions.  But mostly the Flight Director would determine that it was too late, the probability was too low, the consequences not high enough.  So the Flight Director would just listen, nod, tell the individual “I got it” and then quietly let the matter drop.

 

Does that sound horrible?  I have to tell you that most of these concerns were so far outside the realm of normal or even abnormal operations that the risk seemed very low.  But when we compared notes, it turns out that every Flight Director (and there are a lot of us) would get several of these sessions before launch.  And it had been going on since the  manned space flight started.  Maybe it works that way with robotic launches too, I don’t know.

 

And in every case, the confessing individual went away, much relieved that his or her conscience was clear because somebody in authority (the Flight Director) had been told.  Having done the very littlest, minimal thing they could do, they could believe they were off the hook if the bad thing really happened.  Management had been informed.  Yep.

 

And, other than the fact the Flight Director did not sleep well on those last nights before the launch, none of those burning rocks issues ever came true.  In my experience, we have had plenty of other problems and issues, large and small, but not the ones that were ever the subject of the last minute confession by worried engineers.

 

And OK, the Flight Director isn’t going to sleep well that last couple of nights before launch anyway.  What are a few more demons to face at 3 AM?

 

And the moral of this particular story?

You want to put people into space? 

 

You better learn to sleep with burning rocks.

Page 1 of 212