
Demonstration of a New Dynamic Approach to Risk Analysis for NASA's Constellation Program*

MIT CSRL Final Report to the NASA ESMD Associate Administrator
March 2007

Dr. Nicolas Dulac (1)
Brandon Owens (2)
Prof. Nancy Leveson (PI) (1, 2)
Dr. Betty Barrett (2)
Prof. John Carroll (2, 3)
Dr. Joel Cutcher-Gershenfeld (2, 3)
Stephen Friedenthal (2)
Joseph Laracy (2)
Prof. Joseph Sussman (2, 4)

Complex Systems Research Laboratory
Massachusetts Institute of Technology
77 Massachusetts Avenue
Cambridge, MA 02139

(1) Department of Aeronautics and Astronautics
(2) Engineering Systems Division
(3) Sloan School of Management
(4) Department of Civil and Environmental Engineering

* This research was supported by grants from ESMD, USRA/NASA APPL, and NSF. The NASA ESMD points of contact for this research are David Lengyel, Garry Lyles, and Dr. Fred Bickley.

CONTENTS

LIST OF TABLES ... iv
ACKNOWLEDGEMENTS ... v
EXECUTIVE SUMMARY ... 1
1. INTRODUCTION ... 4
1.1 Research Objectives and Accomplishments ... 4
1.2 Systems-Theoretic Accident Model and Processes (STAMP) ... 6
1.3 System Dynamics ... 11
1.4 Previous System Dynamics and STAMP Modeling Effort on the NASA Independent Technical Authority ... 16
2. METHODOLOGY ... 26
2.2 Additional Data Collection ... 32
2.3 System Dynamics Model Development, Testing, and Preliminary Utilization ... 32
3. THE MODEL ... 36
3.1 Overview ... 37
3.2 Abstraction Level 1: Major Feedback Loops in the Model ... 37
Loop B1 - Delays Cause Pressure ... 39
Loop R2 - The Burnout Cycle ... 44
Loop R3 - The Burnout Rework Cycle ... 45
Loops R1 and R1b - Safety and Integration ... 48
Outer loops - Waivers, cost, and resources ... 50
3.3 Abstraction Level 2: Modules of the Model ... 51
4. PRELIMINARY ANALYSIS AND RESULTS ... 59
4.1 Interpreting Results from the Model ... 59
4.2 Scenario 1: Workforce Planning ... 61
4.3 Scenario 2: Investigating Management Reserves ... 66
4.4 Scenario 3: Effect of Schedule Pressure and Safety Priority ... 68
4.5 Scenario 4: Consequence of High Safety Influence and Power on Decision-Making ... 70
4.6 Scenario 5: Assignment of Highly Regarded Technical Leaders to Safety Engineering Roles ... 72
4.7 Scenario 6: Effect of Scope and Requirements Changes ... 73
5. CONCLUSIONS AND FUTURE PLANS ... 75
APPENDICES ... 77
Appendix A: Acronyms ... 77
Appendix B: Defining Safety Culture at NASA ... 79
Appendix C: NASA's Organizational Structure ... 81
Appendix D: Abstraction Level 3 of the Model (Variables and Minor Loops) ... 85
Appendix F: Interview Introduction Slides and Consent Form ... 105

LIST OF FIGURES

Figure 1. The general form of a model of socio-technical safety control. ... 8
Figure 2. A control structure involving human supervision of an automated controller that can directly issue commands. ... 9
Figure 3. The safety control structure in the Walkerton Water Contamination Accident. ... 10
Figure 4. The three basic components of system dynamics models. ... 12
Figure 5. An example of a system dynamics model and its output. ... 14
Figure 6. Simplified model of the dynamics behind the Space Shuttle Columbia loss. ... 15
Figure 7. The hazard analysis process used in the study of the NASA ITA. ... 16
Figure 8. The effectiveness and credibility of the ITA function in a Monte-Carlo sensitivity analysis of ITA parameters. ... 20
Figure 9. The level of risk in a Monte-Carlo sensitivity analysis of ITA parameters. ... 20
Figure 10. Level of risk and outstanding accumulated waivers in the Space Shuttle Program over time as simulated by MIT CSRL. ... 21
Figure 11. The coincident increases in level of risk and number of incidents under investigation in the Space Shuttle Program as simulated by MIT CSRL. ... 22
Figure 12. Screen image of the main interface menu. ... 23
Figure 13. Screen image of the first layer of the ITA model high-level structure. ... 24
Figure 14. Screen image of the second layer of the ITA model high-level structure. ... 24
Figure 15. Screen image of the final layer of the ITA model high-level structure. ... 25
Figure 16. Screen image of the variable plotting tool. ... 25
Figure 17. Screen image of the 4 x 3 risk matrix for tracking the risk scores of the leading indicators. ... 26
Figure 18. NASA's organizational control structure. ... 29
Figure 19. The mapping of NASA's organizational structure to the generic STAMP structure of organizational control. ... 34
Figure 20. The sections of the ESMD System Dynamics Model. ... 35
Figure 21. The levels of abstraction for discussing the ESMD System Dynamics Model. ... 37
Figure 22. The generic STAMP system development and system operation structures. ... 38
Figure 23. Simplified structure (i.e., Level 1 abstraction) of the ESMD System Dynamics Model. ... 39
Figure 24. Loop B1: "Delays cause Pressure". ... 40
Figure 25. Planned and actual fraction of completed development task assuming perfect and linear system development rates. ... 41
Figure 26. The impact of a disturbance to the design task completion rate at time t = 30 months if P gain = 0. ... 42
Figure 27. The completion fraction over time with a disturbance at time t = 30 months and a P Gain greater than zero. ... 43
Figure 28. The completion fraction over time with a disturbance at time t = 30 months and nonzero P and I Gains.