25 thoughts on “Cost Versus Safety”

  1. There is a trivially easy solution to the “safety” problem. Let the government set an insurance requirement that operators must meet. The insurance marketplace can then set rates. If that marketplace is comfortable with the approach the operator is taking, the rate will be low, and thus likely affordable. If not, then insurance may not be available at any price.

    Of course, the reason why this won’t be done is it doesn’t provide employment for legions of bureaucrats.

    1. Upon closer examination I don’t agree with your proposal.

      “Future space tourists can select from the range of insurance plans offered on the exchanges. Make no mistake. These plans will offer better benefits at lower prices than existing ones. But if you like your current space flight insurance plan, you can keep it. Period.”

    2. “Let the government set an insurance requirement that operators must meet.”

      Isn’t that a regulation still?

      1. Are you a moron who imagines that we are opposed to all regulation?

        Again, that was a rhetorical question, because it is well understood around here that you are our village idiot.

          1. dn-guy, do you have anything substantive to say ever?

            Stop being a child and debate the points like an adult. Quit the sloganeering for once.

          2. Stop being a child and debate the points like an adult. Quit the sloganeering for once.

            someguy, you’re putting unrealistic expectations on the troll. He’s too stupid to hold an adult conversation. If it wasn’t for talking points, he wouldn’t have anything to say.

    3. No way man. Insurance rates for a market which does not exist yet or is in the process of being created are going to be outrageous. Have you heard how much a satellite owner pays for launch insurance? They determine their rates on launch costs/historical flight reliability. Which is something you do not have if you never actually flew the thing to begin with. Why do you think Ariane 5 had to launch a governmental payload and blow up, then launch a dummy payload, then launch another governmental payload? No one in the commercial market wanted to touch it with a barge pole before it was proven safe enough.

  2. Yes, you can in fact be too careful if your demand for safety is so extreme that it cripples you from doing anything. How much safety is enough, 99% reliability (better than any NASA manned program to date)? 99.9%? 99.99%? Each additional 9 adds not only a great deal of cost, it likely is illusionary. The Shuttle was promoted as being very safe but killed two crews out of 135 flights. NASA has spent billions on Orion and is currently spending about $1 billion a year for a system that’s years from carrying a human crew. That’s an absurd amount for a system whose expense is so high that the flight rate will of necessity be very low, leading to lower safety ultimately. If crew safety is truly the number one priority at NASA, they should abandon manned spaceflight altogether. It isn’t safe out there. Better hide under our beds instead.

  3. Instead of ‘Insurance’, you can use the more self-directed risk sharing methods.

    Make a ‘Dead Pool’. If you want to fly, you have to chip in, say $10,000 to the non-profit endowment of the fund. Total liability limited (in advance, in writing, on videotape, with a lawyer, signed in blood etc.) is the contents of the pool divided by the number of deaths and also capped at, say, $10 million. The money is non-refundable, and just accumulated until there -is- a death (or deaths).

    It’s -effectively- an on-the-spot life insurance policy, -without- requiring actuarial tables and costly exhaustive analysis. Or an existing insurance company willing to accept the risk.

  4. Rand (or anybody else), are there data on how much each “9” in reliability costs? For example, to go from 0.9 reliability to 0.99, does that cost, say, 4 times as much as the first “9”? And of course this is all from PRAs, which can’t include Unknown Unknowns, or just the effects of bad decisions.

    There has to be a “sweet spot,” probably between reliability of 0.95 and 0.99, where an acceptably high probability of success is achievable at a cost that can be reasonably borne.

    1. Rand (or anybody else), are there data on how much each “9” in reliability costs?

      Not really. Sorry. It would make an interesting PhD thesis, but I’m not sure how credible it would be. There are no controlled experiments.

    2. While it isn’t the same, sewer treatment plants face a similar dilemma. It is relatively easy to purify water to the extent you can dump it in a river and not harm anything, but it is exponentially expensive the more pure you want the water to be, especially if you want people to drink it. Perhaps there are some similarities between the two industries that could be used to develop our understanding of safety and space flight?

      I used to be able to throw out some numbers on how much it costs to purify water but that class was soooo long ago now and the numbers have probably changed.

      1. I liked Hoover. My dad campaigned for him. My best friend’s wife sometimes goes shooting with Grover Norquist. I might be your worst nightmare.

    3. There are so many different ways of adding a nine that I think you’d have to be quite specific.

      The Falcon 9’s multiple engine approach adds quite a lot of safety because they add greater redundancy and flight reliability, and as we’ve seen, the mission can continue even after an engine failure (even an explosion of sorts). I did some pretty simple statistics to show that as your number of engines goes up, you can carry on with two or even three engines out, yet for a given reliability figure for the engines, the odds of such high-number multiple failures shrink to almost nothing. If your engine costs are primarily a function of total lift-off thrust, as opposed to the total number of engines, then this added reliability comes at almost no cost.

      Having the engines themselves become more reliable due to higher production, experience, and not pushing them to the margins, likewise adds reliability at very little cost, perhaps even at lower costs. As the launch reliability goes up and up, you should start hitting a situation similar to an airliner, where they’re so reliable during flight that no complicated escape system is even contemplated, other than perhaps what the Dragonrider already intends with its abort/landing system, which is using the landing system to double as an abort system with no real weight penalty.

      The added benefit of that configuration is that the abort system will in effect be getting tested on every landing, unlike systems like the SLS where the system will never be used until it’s needed, and will only have been tested in flight a few times at most.

      In contrast, with the SLS, no matter how many safety reviews they conduct, the low flight rate guarantees that pretty much every one of those safety reviews is absolutely required because people forget things, and they’ll be changing configurations and obsoleting parts faster than real-world safety statistics can build into a sufficient database to rely on.

    4. Like Rand says, I don’t know of any analysis to answer your question. A big part of it depends on what you have to do to increase reliability of the entire system instead of just the component parts. There’s also the question of mission failure versus crew loss. If the rocket fails to put the crew into orbit but they survive, then your system as a whole didn’t completely fail. The Soyuz program provides some cases in point. The first Soyuz mission killed the cosmonaut. While the rocket functioned well, the capsule was a mess. The first Soyuz mission to a space station killed three cosmonauts when the capsule depressurized at separation. They weren’t wearing space suits so they all died. Later, there were two launch failures, one on the pad and the other in flight. In both cases, the crew survived. The missions were failures but overall, the system kept the crews alive.

      George Turner made an excellent point about how the Falcon’s proven ability to survive the loss of an engine (and even multiple engines later in flight) adds to reliability. They already have a redundant flight control system (I don’t know for sure the level of redundancy but IIRC, it’s triple redundant). In theory, adding more redundant units would increase reliability but only of hardware, not of software. If they’re running the same software on each unit and there’s a bug in the program, it’ll impact all units regardless of how many you have. That’s why in some mission-critical systems, they actually have two different sets of software developed from the same specifications but by different teams so the code is different.

      In every system, there will be single point failures. For example, on the Falcon booster, there’s only one engine on the second stage. If it fails, your mission fails but that should be survivable by the crew via an abort. The key thing is to design systems to fail as gracefully as possible. Total loss of electrical power would cause mission failure, so you design your systems to make that kind of failure highly unlikely. Lather, rinse and repeat for each system. Test, learn, refine and test some more until you get it right and your list of “unknown unknowns” gets small, then fly.
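As an added worked example (not from any commenter above), the engine-out statistics George Turner describes in comment 4.3, with Larry J’s common-mode caveat from comment 4.4 built in as the model’s stated assumption, and the result expressed in the “nines” asked about in comment 4. The per-engine reliability of 0.99 and the cluster sizes are assumed figures, not measured ones, and the model assumes failures are independent and contained.

```python
from math import comb, log10

def p_exactly_k_fail(n: int, p: float, k: int) -> float:
    """Probability that exactly k of n engines fail in flight, assuming each engine
    independently completes the burn with probability p (constructed model)."""
    return comb(n, k) * p ** (n - k) * (1.0 - p) ** k

def engine_out_reliability(n: int, p: float, tolerate: int) -> float:
    """Probability the cluster still delivers the mission when up to `tolerate`
    engines may be lost. Only valid if failures are independent and contained;
    a shared software bug or a neighbour-damaging explosion breaks that assumption."""
    return sum(p_exactly_k_fail(n, p, k) for k in range(tolerate + 1))

def p_any_failure(n: int, p: float) -> float:
    """Probability that at least one engine fails. This grows with n: a bigger
    cluster only nets out safer if the extra failures are the benign kind."""
    return 1.0 - p ** n

def nines(reliability: float) -> float:
    """Express a reliability as a count of 'nines' (0.99 -> 2.0, 0.999 -> 3.0)."""
    if reliability >= 1.0:
        return float("inf")
    return -log10(1.0 - reliability)

def cluster_table(p: float = 0.99):
    """Compare assumed cluster layouts for an assumed per-engine reliability p.
    Returns rows of (engines, tolerated failures, mission reliability, nines,
    P(any engine failure))."""
    rows = []
    for n, tol in ((1, 0), (5, 1), (9, 1), (9, 2), (27, 3)):
        r = engine_out_reliability(n, p, tol)
        rows.append((n, tol, round(r, 6), round(nines(r), 2), round(p_any_failure(n, p), 4)))
    return rows

if __name__ == "__main__":
    for row in cluster_table():
        print("engines=%2d tolerate=%d mission_rel=%.6f nines=%.2f p_any_fail=%.4f" % row)
```

With p = 0.99, a single engine gives two nines, nine engines tolerating one loss give about 2.5 nines, and tolerating two losses about 4 nines, while the chance of *some* engine failing on a nine-engine cluster is roughly 8.7%, which is why the contained-failure assumption matters.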

  5. Our practical experience at XCOR across 66 flights of two manned rocket planes is that lowering costs can directly improve safety. Case in point, we design our engines with chamber-saddle-jacket construction which makes them slightly heavier than a plated-closeout design, but also eliminates thermal cyclic fatigue. Without that wearout mechanism we do not need to disassemble and inspect the engines frequently, so mechanic-induced failures are less likely. (One of the more notorious cases was the landing leg extension failure on DC-X, caused by a tired mechanic forgetting to hook it up.) Back in the 1990s at Rotary Rocket I once managed to assemble an engine without an important o-ring, distracted by a helpful coworker. Fortunately the metal-to-metal contact of the face seal held up for the brief test run, but man was I embarrassed at the post-run teardown.

    The point is, every time you apply wrenches to the hardware, there’s an opportunity to err. The leak check ports on the Shuttle’s SRBs were intended to check that the o-rings were sealing, but the design actually caused the upstream o-ring to be forced to the wrong side of its gland and made a catastrophic leak on motor start *more* likely.

    Inexpensive design requiring less maintenance and adjustment allows more frequent operations so that crew proficiency builds up and checklists get refined. Thus spending *less* money can make a system MORE safe.

    The best way to operate safely is to be competent. The best way to be competent is to have experience. And the only way you will ever get enough experience is for mission costs to be low enough to allow frequent operations.

    1. That reminds me of a paper someone wrote on rocket engine reliability.

      AIAA paper

      BTW, I could really use one of your igniters for a bizarre experiment to make a high-pressure high-volume pump with no moving parts (the only thing that actually has to go fast in a turbopump is the propellant, so accelerate it with rocket exhaust instead of an impeller).

      My sketch book for making a rocket engine by having a metal-foil chamber liner roll in and out between the chamber and the coolant (kind of like a conveyor belt) likewise dodges thermal stresses by only exposing the liner to combustion for a few milliseconds at a time, but I can’t say what kind of maintenance issues the mechanical complexities would cause. The only thermal cycling would be in the foil itself, but the bearing loads might be high and subject to wear from combustion pressure excursions. But my philosophy is that a rocket engine should ideally be designed like it was a fancy industrial burner, able to run for thousands of hours and be maintained by someone who works as a factory maintenance guy.

      Oh, and I am delighted to see someone in rocketry using a PLC. Debugging and maintaining C code on some custom microcontroller is nuts when it comes to basic machine control. I would guess 90 percent of a spacecraft’s I/O should be PLC driven, like lights, fans, valves, pumps, and switches. Almost all of industry has figured this out, especially for troubleshooting, upgrading, and modifying equipment.

    2. Your point about frequent flight rates is very true. Back in the 1960s in the ramp up to Apollo, Project Gemini gave NASA a wealth of experience both in flight operations and mission prep. They were flying a mission every couple months on average, dealing with anomalies and emergencies while learning how to operate in space. Without Gemini, I doubt Apollo would’ve been a success.

      SpaceX has a considerable commercial launch manifest. As they work their way through those launches, they’ll become more proficient and efficient at flying the Falcon 9 booster. They’re also scheduled to fly 2-3 Dragon missions to the ISS each year, giving them proficiency in building, preparing and flying their capsule as well. By the time they attempt their first manned Dragonrider mission, they will have flown Dragon many times. I don’t know if their first Dragonrider launch will be unmanned or will have a minimal crew on board. It wouldn’t surprise me either way.

  6. Rand, All,

    I will leave a comment on Transterrestrial similar to one I left over at Jeff’s site today.

    This month’s Mensa Bulletin has on its cover Night and Day: How sleeping less costs us our health, safety, and ability to function (and what you can do about it). The article inside is titled Zombie Nation. It is by Lisa Van Gemert.

    The people who decided to launch Challenger that last time were so sleep deprived that they should have been home sleeping instead of trying to decide whether to launch or not.

    Sleep deprivation affects us negatively in all sorts of ways. Thinking clearly and creatively, for example, also go out the window. It even affects how fast we can run a mile, a 10K or a marathon. It affects students in school. Teenagers who are hauled out of bed at 5:30 AM (or, even worse 4 AM) are far less able to learn and think well.

    Rand, I support your work to get us to think clearly and rationally about safety. We are not doing that in too many ways today. But we need to think clearly and rationally in lots of ways about lots of things. We need a healthier society in many ways. That doesn’t mean being obsessed with things like Challenger, but it does mean learning from accidents like that.

    1. I think a high flight rate would by happenstance be of help regarding issues like stress and sleeplessness. When flying is routine, people are more likely to notice things that are just a bit out of the ordinary, because they have a much better handle on what the vehicle’s “ordinary” is. They should also be more resistant to the pressures to press ahead because a cancellation or delay in a heavy flight schedule isn’t as big of a deal. On a recent Falcon 9 flight some of the engineers saw a reading they didn’t like so they nonchalantly canceled the day’s operations and rolled the vehicle back to the hangar to borescope an engine.

      With a very low flight rate, each flight seems supremely important and massive expectations are thus laid upon each one. Engineers stay up all night trying to make sure the big event goes off. Managers get irritated and work the phones. People start reacting more to interpersonal and command pressures than to hard data. People start ignoring their instincts and give in to group consensus.

    2. It affects students in school. Teenagers who are hauled out of bed at 5:30 AM (or, even worse 4 AM) are far less able to learn and think well.

      I read those articles about teens’ sleep habits when I was a teenager and believed them. Then I joined the Army. Funny thing, the very first morning when the drill sergeant woke us at Oh God Thirty, we were all instantly wide awake. When properly motivated, teens can wake at any time, just as when they’re tired enough, they can sleep any time, anywhere. DIs were and still are experts at both instilling motivation and making young people tired.