Risk Concepts, Metrics and Definitions
Webster’s Unabridged Dictionary defines safety as “the condition of being free from undergoing or causing hurt, injury, or loss,” and risk as “the possibility of loss, injury, disadvantage, or destruction.” Thus, complete safety can be thought of as an abstract ideal that equates to a zero risk or absolute protection from any possibility of adverse consequences, such as injury or damage.
In technical terms, risk is a metric that accounts for both consequence and probability over a specified interval of exposure. Launch or re-entry safety analyses typically attempt to quantify two important types of risk: individual risk and collective risk (both terms are formally defined below) that are expressed on an annual, or more commonly for space operations, on a per-mission basis. A common individual risk is the risk of a person being killed by lightning worldwide, which can be estimated as the average number of people killed by lightning per year divided by the total population of the world. A launch risk analysis typically computes the maximum individual risk as the highest probability any given individual has of suffering a serious injury or worse (i.e. becoming a casualty) as a result of the launch. The consequence implicit in any individual risk is an adverse outcome for a single individual, thus individual risk is a quantity that is bounded by zero and one. In other words, the maximum individual risk from an event is always bounded between no possibility and absolute certainty of an adverse consequence. In contrast, collective risk is the risk of an adverse outcome among a group of individuals. Collective risk is often expressed in terms of expected values: the average (generally the mean) consequences that occur as a result of an event if the event were to be repeated many times. The collective risk of fatality posed by lightning on an annual basis is the average number of people killed by lightning each year. Collective risk on a per-mission basis is analogous to an estimate of the average number of people injured by an earthquake, while individual risk would be the likelihood of an individual in a given location being injured by the earthquake.
Individual and collective risk criteria can be defined based on the total risks (also referred to as the “aggregated risks”) or accumulated risks. “Accumulated” risk refers to the risk from a single hazard throughout all phases of a mission, i.e. accumulated over all phases of the mission. “Aggregated” or “total” risk refers to the accumulated risk due to all hazard sources associated with a mission, which includes, but is not limited to, the risk due to any debris impact, toxic release, and distant focusing of blast overpressure. When multiple hazards exist, the aggregated risks (individual and collective) can always be estimated conservatively as the sum of the accumulated risk from each hazard. More sophisticated methods to compute the aggregated risks may be used to eliminate double counting, which can occur if a mission simultaneously poses multiple hazards to the same exposed populations.
Individual risk is an important measure of risk to the extent that most individuals are primarily concerned with their chance of being hurt or killed by an activity. Safety requirements often limit the maximum individual risk to ensure that individuals have an acceptably low probability of serious injury (or worse).
The government typically sets collective risk limits to ensure that the chance of an adverse consequence is acceptably low given an activity that subjects a group of individuals to potential hazards. In establishing the first federal law to define acceptable flight risk limits for commercial launches, the Federal Aviation Administration (FAA) noted that “commercial launches should not expose the public to risk greater than normal background risk,” which the FAA defined as “those risks voluntarily accepted in the course of normal day-to-day activities.” [1] Any discussion of the risk acceptability policies should clarify that no adverse consequences (e.g. serious injury or death) from a space operation will ever be “acceptable,” in the sense that a responsible authority would never regard such an event as routine or permissible. Thus, in an absolute sense, no adverse consequences as a result of a space operation are in fact “acceptable.” However, the possibility of accidents that might produce adverse consequences cannot always be entirely eliminated. The acceptable risks discussed here should be interpreted as “tolerable” risks. These are risks that society, via the authority vested in the government, tolerates to secure certain benefits from an activity with the confidence that the risks remain within well-defined limits and are managed properly using established procedures.
Risk measures for space operations often use one or two severity levels: casualties and fatalities. Casualties are people that suffer serious injuries or worse. Injuries severe enough to require hospitalization are commonly considered casualties. However, a precise technical definition of casualty is essential to enable quantitative launch and re-entry risk analyses. For the purposes of accident reporting, US federal law (49 CFR 830.2) [2] defines serious injury as any injury that (a) requires hospitalization for more than 48 hours, commencing within 7 days from the date the injury was received; or (b) results in a fracture of any bone (except simple fractures of fingers, toes, or nose); or (c) causes severe hemorrhages, nerve, muscle, or tendon damage; involves any internal organ; or (d) involves second- or third-degree burns, or any burns affecting more than 5% of the body surface. Although that definition is useful for accident reporting, the US uses an Abbreviated Injury Scale (AIS) level 3 or greater as the standard for distinguishing casualties from injuries of lesser severity in public risk assessments for launch. [3] The US National Highway Traffic Safety Administration (NHTSA) also uses AIS level 3 injuries as the metric for evaluating the effectiveness of occupant safety measures for automobiles [4] and for estimating the costs associated with automobile accidents. [5] An AIS level 3 injury is one that is reversible but requires overnight hospitalization.
The AIS of the Association for the Advancement of Automotive Medicine provides a useful means to define casualties in a technical way by distinguishing between serious injuries and those of lesser severity. The AIS is an anatomical scoring system that provides a means of ranking the severity of an injury and is used widely by emergency medical personnel. The full AIS codes consist of seven digits representing the affected body region, the type of anatomic structure affected, the specific anatomical structure affected, and the injury severity level. In the context of launch and re-entry safety analyses, the rightmost digit is the AIS severity level, a digit between 0 and 6 as shown in Table 1.1.
Table 1.1 AIS severity levels

| AIS severity level | Severity | Type of injury |
|---|---|---|
| 0 | None | None |
| 1 | Minor | Superficial |
| 2 | Moderate | Reversible injury; medical attention required |
| 3 | Serious | Reversible injury; hospitalization required |
| 4 | Severe | Life-threatening; not fully recoverable without care |
| 5 | Critical | Non-reversible injury; not fully recoverable even with medical care |
| 6 | Virtually unsurvivable | Fatal |
For launch and re-entry, individual risks are often defined as the maximum probability that any person will be a casualty or by the maximum probability that any person will be a fatality as a result of the operation. The computation of the maximum considers all persons who may be credibly affected by the operation. Collective risk is the total risk to all individuals exposed to any hazard from a launch. Collective risks are often defined by the mean number of casualties (or fatalities), E_C (E_F), predicted to result from the launch. Casualty expectation or expected casualties, E_C, is the statistically expected number of casualties that would occur if the launch were repeated many times under virtually identical conditions (i.e. the same conditions based on the available data from various measurement instruments). Thus, for example, if the casualty expectation is E_C = 30 × 10^-6 (30 in a million) then if the launch were repeated under identical conditions a million times an average of 30 casualties would occur. Catastrophic risk refers to the potential for multiple injuries or deaths from a single launch or re-entry operation. Catastrophic risk is typically characterized by risk profiles. Risk profiles depict the probability of “N” or more casualties (fatalities) for all values of N. Risk profiles can be used to establish the amount of insurance an operator should carry, as discussed in Chapter 9. Appendix F describes how the probability of one or more casualties can be used as a good measure of collective risk, particularly for a re-entry where very little debris survives to impact.
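The following is an added worked example, not code from the original text or from any launch-safety tool, that puts the definitions above into numbers: it aggregates per-hazard accumulated risks for each exposed person both conservatively (the plain sum) and without double counting (treating hazards as independent), takes the maximum individual risk, computes the casualty expectation E_C, and builds a risk profile P(N or more casualties) from the same data. The population groups, head counts and per-person probabilities in EXPOSURE are constructed assumptions chosen only to make the arithmetic visible; the function names are likewise this example's own.

```python
"""Individual, collective and catastrophic risk from constructed exposure data
(added example; the data and function names are assumptions, not the book's)."""
from math import prod

# Constructed exposure data (assumed values, not from any real mission):
# each group has a head count and, per hazard, the probability that any one
# member becomes a casualty (AIS level 3 or worse) accumulated over the whole
# mission. Only a "debris" and a "toxic" hazard are modelled here.
EXPOSURE = [
    {"name": "town A",    "people": 200, "hazards": {"debris": 2.0e-6, "toxic": 5.0e-7}},
    {"name": "boat crew", "people": 5,   "hazards": {"debris": 4.0e-5, "toxic": 0.0}},
    {"name": "plant B",   "people": 50,  "hazards": {"debris": 1.0e-6, "toxic": 8.0e-6}},
]


def aggregated_individual_risk(hazards, conservative=False):
    """Combine one person's accumulated per-hazard risks into the aggregated
    (total) individual risk.  conservative=True is the plain sum, which never
    underestimates; conservative=False treats the hazards as independent so a
    person reachable by both is not counted twice: 1 - prod(1 - p_h)."""
    if conservative:
        return sum(hazards.values())
    return 1.0 - prod(1.0 - p for p in hazards.values())


def max_individual_risk(exposure, conservative=False):
    """Maximum individual risk: the highest aggregated probability that any one
    exposed person becomes a casualty.  Always between 0 and 1."""
    return max(aggregated_individual_risk(g["hazards"], conservative) for g in exposure)


def expected_casualties(exposure, conservative=False):
    """Casualty expectation E_C: the mean number of casualties if the mission
    were repeated many times.  Expectation is linear, so it is the sum of every
    exposed person's casualty probability, and it is not bounded by 1."""
    return sum(g["people"] * aggregated_individual_risk(g["hazards"], conservative)
               for g in exposure)


def casualty_distribution(exposure):
    """P(exactly k casualties) for k = 0 .. total people, modelling each person's
    outcome as an independent Bernoulli trial (a Poisson-binomial distribution,
    built by dynamic programming one person at a time)."""
    dist = [1.0]  # before anyone is exposed, P(0 casualties) = 1
    for g in exposure:
        p = aggregated_individual_risk(g["hazards"])
        for _ in range(g["people"]):
            new = [0.0] * (len(dist) + 1)
            for k, pk in enumerate(dist):
                new[k] += pk * (1.0 - p)  # this person is not a casualty
                new[k + 1] += pk * p      # this person is a casualty
            dist = new
    return dist


def risk_profile(exposure):
    """Catastrophic-risk profile: profile[n] = P(n or more casualties).
    profile[0] is 1 by definition; profile[1] is P(at least one casualty)."""
    tail, profile = 1.0, []
    for pk in casualty_distribution(exposure):
        profile.append(tail)
        tail -= pk
    return profile


if __name__ == "__main__":
    print(f"max individual risk      : {max_individual_risk(EXPOSURE):.3e}")
    print(f"E_C (sum, conservative)  : {expected_casualties(EXPOSURE, True):.6e}")
    print(f"E_C (no double counting) : {expected_casualties(EXPOSURE):.6e}")
    prof = risk_profile(EXPOSURE)
    for n in range(1, 4):
        print(f"P(N >= {n})               : {prof[n]:.3e}")
```

Two things the numbers show that the prose only states: the conservative sum and the independent combination differ only at the product terms (here by well under a part in a thousand), so the simple sum is a safe default until hazards overlap heavily; and P(N >= 1) is always at most E_C, which is why the probability of one or more casualties can stand in for collective risk when E_C is small.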
Safety Risk Management Goals
The initial goal of space operations safety engineering is complete containment of all hazards. Complete containment provides absolute safety through physical limitations that totally isolate the hazards posed by an operation from all surrounding populations and assets. Complete containment satisfies the primary tenet of space operations safety risk management: no hazardous condition is acceptable if the mission objectives can be attained with a safer approach. If hazards cannot be completely contained, then the goal of safety risk management is to minimize the risk posed by an operation to a level below a de minimis threshold. A de minimis threshold has been defined as a level of risk below which a hazard does not warrant any expenditure of resources to track or further mitigate. The term “de minimis” is derived from a Latin phrase (De minimis non curat lex), which translates to “the law does not concern itself with trifles.” The highly energetic nature of space launch and re-entry, especially to and from orbital conditions, generally prevents risk reduction to a de minimis level. Thus, space operations generally employ the safety risk management process described below.
An integrated strategy to ensure space operations safety typically uses Quantitative Risk Assessments (QRA), also referred to as Probabilistic Risk Assessment (PRA), system safety processes, and operational restrictions to identify hazards and risk drivers, mitigate risks, and ensure that any residual risks are maintained at an acceptable level. QRA/PRA, system safety and operational restrictions are equally important and interrelated elements of a sound safety risk management approach. In the US, government agencies that oversee potentially hazardous operations “recognize that risk analysis is a tool – one of many, but nonetheless an important tool – in the regulatory ‘tool kit’” and understand that the principles of risk management “are intended to provide a general policy framework for evaluating and reducing risk, while recognizing that risk analysis is an evolving process and agencies must retain sufficient flexibility to incorporate scientific advances.” QRAs/PRAs are best used to characterize the risks posed by a launch or re-entry in a manner consistent with the risk-informed approach to regulatory decision-making adopted by the Nuclear Regulatory Commission (NRC). In 1999, the NRC wrote that “a ‘risk-informed’ approach to regulatory decision-making represents a philosophy whereby risk insights are considered together with other factors to establish requirements that better focus licensee and regulatory attention on design and operational issues commensurate with their importance to public health and safety.”
QRA/PRA is also used in the International Space Station program to characterize the risks of on-orbit operations.