In 2013, Rand Simberg published “Safe Is Not an Option: Overcoming The Futile Obsession With Getting Everyone Back Alive That Is Killing Our Expansion Into Space.” This article from Mike Fodroci is a response to the author.

Safe Is Not an Option: Overcoming The Futile Obsession With Getting Everyone Back Alive That Is Killing Our Expansion Into Space by Rand Simberg Interglobal Media LLC, 2013 softcover, 240 pp., illus.

Safe Is Not an Option: Overcoming The Futile Obsession With Getting Everyone Back Alive That Is Killing Our Expansion Into Space
by Rand Simberg
Interglobal Media LLC, 2013
softcover, 240 pp., illus.

Rand Simberg thinks we’re wimps. Or at least the people in charge of space exploration, who, he implies, should be willing to accept a higher body count in the name of expanding the space frontier. In “Safe is Not an Option” he lays out the case that our experience in human space exploration to date has led us to a point where we are unwilling to accept the risks we will encounter in advancing the human exploration of the solar system. His premise is that we have become “obsessed” with safety, and are unwilling to accept that, for instance, a mission to Mars might carry risks that we are unwilling to face.

He begins by walking us through the hazards of exploration, starting with Magellan, and then discusses the early days of the space age. He recites a veritable litany of NASA disasters, (which hardly bolsters his argument that we are obsessed with safety.) He devotes a chapter to the “irrational” approach to International Space Station (ISS) safety, and concludes by providing recommendations for space vehicle design and certification for operations beyond low Earth orbit.

Simberg correctly notes that American culture is far less risk-tolerant than it once was – Think of settlers heading west by the thousands from St. Louis with virtually no idea of what lay before them, but willing to risk their lives and the lives of their families. He also gives a nod to purpose as a reason for accepting more risk. In war, for example, we are willing to accept far more risk than we are in peacetime. Again though, far less than previously. This year marks the 100th anniversary of the beginning of WW I. During the battle of the Somme alone, more than a million men were wounded or killed. Would any belligerent in a modern war be prepared to absorb such horrific casualties?

A family poses with the wagon in which they live and travel daily during their pursuit of a homestead. - Credits: NARA - ARC Identifier 518267.

A family poses with the wagon in which they live and travel daily during their pursuit of a homestead. – Credits: NARA – ARC Identifier 518267.

The Cost of Accidents

The US was willing to press on with the Apollo program after the loss of three crewmembers in the Apollo I fire, because the purpose of the program, the reason they were flying, was considered sufficient to justify the risk. However, after the loss of the Space Shuttle Orbiter Columbia there was much discussion regarding the risks that had been taken during that mission simply to perform microgravity experiments. This purpose was considered insufficient to support further missions of this sort, and as a result, all subsequent Shuttle missions, with the exception of the final Hubble Space Telescope repair mission, were directed toward the assembly of the ISS, after which the Shuttle program was terminated.

Simberg also notes both the high cost and high visibility of NASA programs as reasons why special care is taken with crew safety. Fatalities during military training exercises, while tragic, seldom see wide reporting, even when multiple lives and expensive hardware are lost. But for programs like the Shuttle, where the cost of an Orbiter replacement ran into the billions, or the ISS, where the international partnership has invested over a hundred billion dollars, it’s another thing entirely. Due to the open nature of our programs we receive wide reporting as a matter of course. The loss of an Orbiter was a major news event for months. The loss of the ISS could be the story of the century.

Some of Simberg’s observations are sound, but others strike one as far-fetched. For instance, he questions why we need a launch abort system (LAS) for our future manned space vehicles, and asserts that this mitigates only a fraction of the total risk associated with only one mission phase.While true, the actual situation here is complex, and involves societal expectations for risk mitigation, the human perception of risk, as well as aspects of liability in our litigious culture. But the short answer is that having killed seven crewmembers during the Shuttle Program through lack of an escape system, NASA is not about to design a manned space vehicle without an LAS. While Mr. Simberg argues that the cost and weight of an LAS outweigh the risk reduction achieved, humans are not robots, nor are we Vulcans, operating purely on logic. Emotional and political considerations make it a certainty that such a ship will never be built by a Government agency.

Individuals flying on private carriers are, of course, free to accept whatever risks they mutually deem acceptable, something which Mr. Simberg spends considerable time on, but which I believe to be a red herring: The exploration of the solar system will almost certainly be carried out by international partnerships, not by daredevils, and they will insist on a methodical approach to risk identification and mitigation.

Loading...

The failed launch of Soyuz T-10 (1983), which ended in a fiery explosion. The crew was brought to safety by the Soyuz Launch Escape System.

Mr. Simberg also questions the need for a lifeboat for each crewmember on the ISS – here it’s impossible not to imagine the fun headline writers would have comparing the ISS to the Titanic – and suggests as an alternative that we could use a co-orbiting platform of some sort as a temporary safe haven. How this would benefit someone suffering from a heart attack, a ruptured appendix, or the bends, he doesn’t say. Nor does he address the cost of such a venture.

He spends an entire chapter on how NASA was ready to “abandon” the ISS after the loss of the 44P Progress cargo mission (August 23, 2011). It’s true that NASA did proceed with planning on how they would de-crew the station if the Russian Soyuz booster was unable to return to service after a certain point in time. But this was only prudent, and had they not done so I would assert that they would have been negligent. What he omits to say is that in all of their planning their foremost concern was with protecting the ability to reoccupy the station. Abandoning the ISS was simply never discussed.

Mr. Simberg proposes that we could have flown an empty Soyuz vehicle up to replace the one on orbit that was about to exceed its certification limit, but he omits one slight obstacle to this plan: NASA doesn’t own the Soyuz vehicle, nor the Soyuz launcher, nor are we responsible for determining when these vehicles are ready to fly. While the Russians engaged with NASA to an almost unprecedented degree in the evaluation of the root cause of the loss of 44P, the decision as to when they would fly again was theirs and theirs alone.

But again, NASA never envisioned anything more than a temporary decrewing of the ISS. They are, after all, sensible of the fact that they are protecting a $100 billion investment, thirty years in the making. As Frank Culbertson remarked to me once (and he was in a unique position to do so, having been both a Shuttle Commander and an ISS Commander, as well as a naval aviator), “When you have a fire in an airplane, you head for the ground. When you have a fire on a ship at sea, you head for the fire.” NASA recognize that on the ISS they are a ship at sea, and act accordingly. They operate in degraded modes. They perform contingency EVA’s with suits that are not pristine. They are constantly engaged in a complex process of trading risks against benefits, and risks against risks. But they will not sacrifice crew safety just to maintain a record string of “days in space.”

This image of the International Space Station with the docked Europe's ATV Johannes Kepler and Space Shuttle Endeavour was taken by Expedition 27 crew member Paolo Nespoli from the Soyuz TMA-20 following its undocking on 24 May 2011 (Credits: ESA).

This image of the International Space Station with the docked Europe’s ATV Johannes Kepler and Space Shuttle Endeavour was taken by Expedition 27 crew member Paolo Nespoli from the Soyuz TMA-20 following its undocking on 24 May 2011 (Credits: ESA).

Failing to Make a Point

Ultimately, I think Simberg fails to make his case, and there are a couple places where I think he gets it dead wrong. In the first place, although they may struggle with what exactly it signifies in terms of the likelihood of loss of crew or loss of mission, safety is not given “an almost infinite value” in NASA spaceflight programs, as Mr. Simberg repeatedly alleges. No such program could exist, and none do. Safety, cost, schedule, and functionality are routinely traded against one another. As for an “obsession” with safety, one could argue that in large, complex, integrated programs, an obsession with safety is both necessary and healthy. Here Simberg indulges in setting numerous straw men alight, alleging that an excessive focus on safety is counterproductive, because, “spaceflight isn’t safe.” He states, “…the culture of the S&MA community in the space industry believes…that safe and unsafe are absolute states, rather than degrees along a continuum.” This is utter nonsense. It is well known that spaceflight is not safe. No one at NASA says otherwise. In fact, they know it’s downright dangerous. Their focus is on identifying, character- izing, communicating, and mitigating risk to the greatest extent practical, so that risks are accepted with eyes wide open. Their goal is to make it “safe enough” after hearing all arguments, understanding the trade space involved, and placing the particular subject of discussion in the context of other spaceflight risks. Mr. Simberg seems to think that “Safety First” is a bad notion somehow. I’d be interested in an example of a successful program where this was not held to be the ideal.

In short, while there may be a perception that we have become more “risk averse”, I would assert that what we have become is more risk aware, particularly of those risks that spring from hubris, poor communication, and a lack of curiosity. Mr. Simberg may have a point, but he loses his way in trying to make it.

Michael Fodroci has 35 years of experience in human spaceflight safety and risk management working with academic, commercial, government, and international partners. Mr. Fodroci presented a keynote address incorporating the thoughts of this book review at the Seventh IAASS Conference in Friedrichshafen, Germany from October 20-22, 2014. He resides in Houston, Texas.

About the author

Guest Author

Email

Space Safety Magazine welcomes guest columns and contributions. Have an article to share? Get in touch!

3 Responses

  1. Chief Galen Tyrol

    Mr. Fodroci,

    Thank you for sharing your perspective. In your opinion, is Mr. Simberg correct in saying that the cost and weight of an LAS outweigh the mitigated risk? After reading that paragraph, I got the impression that emotion and politics trump engineering analysis.

    Reply
    • Andrea Gini

      Here is the response from the author:

      Mr. Tyrol,

      Thank you for your excellent question. You touch on an issue that is quite interesting.

      The short answer to your question is “No.” I do not think the cost and weight of an LAS outweigh the mitigated risk – and neither does any other current manned spacecraft designer (Soyuz, Shenzhou, Orion, Boeing CST-100, or Dragonrider.) The example that Mr. Simberg provides is for an LAS used in a lunar landing mission. He correctly asserts that the risk reduction achieved applies only to one small phase of the mission, and represents only a small fraction of the total mission risk. The money saved in forgoing an LAS could then be applied to other risk reduction efforts. Of course, on a different type of mission, such as crew delivery to the ISS, the launch phase risk constitutes a much greater portion of overall risk. Would you then add back the LAS for that mission? He also argues that an LAS introduces additional risk which is, of course, true, but it is true of many safety systems. If the airbag in your car deploys accidentally it could well cause a fatal crash, but we choose to incorporate airbags nonetheless, as they provide real protection during an accident. Which, if you think about it, is exactly analogous to the use of an LAS.

      Generally, in addressing risk reduction, we sacrifice safety systems or redundancy only where reliability is demonstrably high. For instance, the Soyuz descent module provides only one braking parachute and one main parachute, because the designers are confident in the proven reliability of their chute deployment system. It is (relatively) simple and robust. Now, compare that to a booster system during launch and ascent. Such a system is infinitely more complex, and thus far less reliable. Any of a myriad of failures can be instantly fatal. Without an LAS a launch phase accident can kill the crew. This is a risk that we deem to be unacceptable, and so we choose to expend scarce resources to mitigate it.

      And yes, there are trades that must be made. All risks are mitigated at the expense of other program needs (not just at the expense of other risk reduction activities.) Consequently, all risks must be evaluated and ranked. Loss of crew during ascent ranks very high, and therefore must be mitigated. There really is no serious discussion of doing otherwise.

      Finally, yes, there is, I believe, a political/social dimension to this. All risk mitigation activities (or the lack thereof) may one day be called into question in the event of a mishap. All decisions must then be defended. Some arguments are easier to make than others. The societal perception of risk is not always accurate, or we would probably derive far more of our power from nuclear plants than we do, as they are capable of operating quite safely (France, for example, derives almost 80% of its power from nuclear plants.) So. Given that we lost a crew during launch in the Challenger accident, if we lost a crew in another launch phase accident, in yet another vehicle without a viable crew escape system, do you think you could mount an argument in favor of that decision? I wouldn’t even want to try.

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *