Risk Management Techniques for Satellite Programs
Successfully placing a satellite into space requires many elements of a very complicated process coming together, to allow for an on-schedule launch, and nominal operations of the system once on-orbit. Modern day government organizations and private sector companies have become adept at this process, as space launches occur with regularity all over the world. Despite the high success rates seen in the launch and operation of modern satellite systems, risk still pervades these programs, from writing requirements to the ready-for-launch’ command. This paper will discuss Risk Management Techniques associated with the Technical Management Processes in regards to satellite programs. Additionally, those principles will be described with real-world satellite program examples pertaining to aspects that surround Risk Management processes.
In order to understand how to face risk in complex satellite programs, it is important to first define what risks are and what risk management is. Risks are opportunities that create or suggest a hazard, where there is the potential for loss of something of value. In projects, it the possibility of something having a negative or positive effect on meeting project objectives. It is important to keep in mind that, while there are occasional positives risks, the majority are usually negative. In costly satellite programs, this essentially encompasses the entirety of the program, from start to finish, as no satellite program is ever a small financial undertaking. On average, these programs range anywhere from $5 million on the lower end for smaller satellites, to multi-billions of dollars for far more advanced Department of Defense satellites. Risk management is art and science of identifying, analyzing, and addressing risks throughout the life of a project to meet end objectives.
When analyzing risks, it’s imperative that uncertainty is also taken into account. It is also important to understand the difference between risk and uncertainty. Uncertainty is essentially a lack of certainty. That is, outcomes or consequences are unknown or can’t be measured because there is no background information or context. With risk, one can analyze potential outcomes or consequences, and determine the likelihood that a specific outcome or consequence occurs. An example of risk vs. uncertainty can be modeled through two football teams that are going to play each other. For this example, say the Miami Dolphins and the New England Patriots. While no one will ever be able to say who will win with 100% confidence, one can make an educated guess based on past performances against one another, where they’re playing, and who the top players are on each team. A person analyzing these teams could say there is a XX% chance the Miami Dolphins win because of reasons a, b, and c, or a XX% chance the Patriots win because of reasons x, y, and z. This type of situation is called risk. Now, changing the scenario, say that two football teams were going to play against each other, but no players were named for either of the teams, and no one knew who would be home or away. Any person trying to guess the outcome would be fairly unsure because they have no contextual information or background on who’s playing and where. They would not be able to make an educated guess on who will win and why. This type of scenario models uncertainty.
When working through risk and looking at ways to “”burn down”” risk, there are a number of well-understood techniques that are used, not only in satellite program management, but in project management everywhere. Generally speaking, four of these techniques are used in earnest. These four are: risk avoidance, risk mitigation, risk acceptance, and risk transference. Risk avoidance is finding a way to circumvent or evade a presented risk altogether. Risk mitigation is working to find ways to reduce the likelihood of a risk occurring, or working to lessen the severity of a consequence. Risk acceptance is simply taking on a risk as part of the project, and moving forward in the project lifecycle with that risk understood to exist. Risk transference is shifting risk to a third party to be responsible for, thereby absolving oneself and their team of a specific risk or set of risks.
Understanding the foundational aspects of risk, uncertainty, risk management, and risk management techniques are imperative in understanding how these relate in the realm of satellite programs. With these tenets now established, let’s look at different types of satellite systems. These systems are many and diverse, with different functions and missions. A few types of these satellite systems are communications satellites, precision/navigation/timing satellites (like GPS), remote-sensing satellites, and exploration satellites. Additionally, these types of satellites will reside in one of four orbital domains. These domains are: LEO (low-Earth orbit – 100 to 1,600 miles from Earth), MEO (medium-Earth orbit – 1,600 to 21,000 miles from Earth), and GEO (includes both geostationary and geosynchronous –22,000+ miles from Earth). In these domains, satellite orbits can be circular or elliptical. Depending on a satellite’s mission, what orbital domain it’s in, and how long it’s supposed to remain on-orbit, different types of risks will present themselves throughout the system lifecycle. Let’s discuss some of these risks and associated risk management techniques, which will use not only historical or current day examples, but hypothetical cases, as well.
At the start of any satellite program, a mission is defined through an end user (or customer) requirement. The mission determination will drive many factors that will dictate how and where the satellite is constructed, operated, and who will perform these functions. Let’s look at a satellite series that is researched, developed, and built at the U.S. Air Force Academy (USAFA) in Colorado Springs, Colorado. The system’s name is FalconSat, and USAFA recently launched FalconSat-6 as part of this series. The satellite is a “”multi-mode flight experiment to prove and provide the most fuel-efficient changes in orbit which are available, and to test low energy ion head thrusters, testing the effectiveness of wireless versus wired telemetry, and measuring changes to the local ionospheric environment.”” The satellite is an R&D system that will reside in low-Earth orbit. As it is an R&D satellite, it will be testing new technologies in space that may or may not have been tested before, in ways it may or may not have been tested before. Additionally, because the system is being developed at a university, much of the R&D is being performed by cadets (Air Force Academy students) instead of an experienced private industry partner like a Boeing or Lockheed. It is easy to see how multiple risks present themselves just in the discussion of what the satellite is supposed to do and how it is being developed. Let’s start with who is developing it.
The United States Air Force Academy’s astronautics department uses the FalconSat project as part of the cadet’s capstone project. This capstone project relies on the cadet’s coursework to perform necessary research and calculations to ensure the system is developed appropriately and will function as intended once on-orbit. In addition, the assembly is also performed by the cadets. The lack of experience of these cadets (they are undergraduates) presents itself as a risk because, every year, the senior class graduates and the satellite work is left to the newer, more inexperienced cadets to perform. A calculation error or assembly process mistake could prove detrimental or even catastrophic to the system once on-orbit. It could be said that the lack of technical expertise of the cadets developing the satellite presents a risk. The Air Force Academy staff understands this, and, in order to burn down this risk (and also to ensure continuity of the program from class-to-class), USAFA has partnered with Air Force Research Labs, NASA, Air Force Institute of Technology, the National Reconnaissance Office, and Defense Advanced Research Projects Agency. By partnering with these experienced organizations, the risk management technique of risk mitigation is performed, as these partnerships are meant to lessen the likelihood that an error occurs as a result of a lack of technical expertise. These government agency partners work hand-in-hand with the cadets to ensure the system is developed in accordance with government standards and practices. They provide oversight to the project in its entirety.
Looking at this subjectively, other risk management techniques may or may not be a part of what goes into the FalconSat RMP. For example, risk avoidance is not an option, as the cadets must be a part of the development process as part of their capstone. The university cannot avoid this risk as it, as it would be contradictory to the purpose of having the satellite capstone program in the first place. Risk transference is not a technique that could be used either, as USAFA is a government institution, along with the other government agencies that they are partnered with. In any and all cases, should a something occur that impacts the system through a risk, the U.S. government is still the responsible entity, but more specifically, the U.S. Air Force. Therefore, it is not reasonable to think that this risk can be transferred. Risk acceptance, however, is a technique that is applicable in this instance. Despite governmental agency partnerships, there exists a resident amount of risk that remains by sheer virtue of having undergraduate cadets working on an experimental satellite system. Yes, it has been mitigated, but not entirely. The continued progress on the development of these FalconSat systems indicates that the government has accepted the risk of error from the cadets involved in the process and continues to field these systems with that risk understood.
Another risk that can be gleaned from this process is a risk that presents itself with any R&D system fielded anywhere. That risk is that the system fielded might not function as intended, or might not yield the results/meet the objectives the customer is looking for. FalconSat’s new technologies are, in some cases, first-of-kind technologies that will be tried for the first time. As such, it is assumed that risk acceptance that must come into play when this system is fielded in order to proceed forward. Additionally, risk mitigation can only be utilized to the extent that the already validated & verified aspects of the system (like COTS and GOTS) be fully understood to be performing to specification. Risk transference would likely not really be an option due to this being a government project in all aspects. Lastly, risk avoidance is not a factor, as the risk must be assumed to operate the R&D system on orbit and function to meet specified objectives.
The next portion of this paper will focus on the idea of risk transference, specifically. That is, the concept of allowing a third party to assume risk for part or all of a project. Risk identification, risk analysis, and risk control measures, with respect to space systems, are most often impacted by two factors: what type of rocket will place the satellite in orbit, and what is the intended mission of the satellite. When these factors have been determined, it is common for both government and private sector companies to look for space insurance. Insurance, in of itself, exists as a way to transfer risk from the purchaser of the insurance to the insurance company. That way, in the event of a catastrophic event, the individual or entity that was primarily responsible for the event occurrence can be absolved of some or all of the financial repercussions from the event. For space insurance, the period of which companies buy insurance for starts in the production phase and ends at the conclusion of the operations phase, and sometimes up to one calendar year after the operations phase. Analyzing this a step further, it is a smart move to buy insurance to protect one’s organization, whether that be governmental or private sector. Space system disasters, especially during launch, have the potential to have repercussions that affect not just the rocket and payload (satellite), but also potentially people’s lives, have environmental impacts, and affect other stakeholders that were reliant on that satellite to achieving orbit to utilize it for a business or other purpose.
Let’s use a hypothetical example of a rocket that has a commercial communications payload (satellite) on it. The communications satellite is for a satellite communications company that is looking to replenish its constellation because of older, obsolete satellites beginning to reach their end of design life and failing. Additionally, the U.S. government has brokered a deal to use the communications satellite to support its interests in a particular region of the world, in order to communicate with entities on the ground. Now, let’s assume the rocket carrying the satellite explodes on launch. This explosion then rains down debris from the sky. With this debris comes metal, fiberglass, chemicals (like the spacecraft propellant), and other items. With almost all spaceports all over the world launching over water, this normally wouldn’t be a concern for human safety. However, as witnessed by a 1996 launch catastrophe out of Xichang Launch center in China – where a rocket veered off course shortly after liftoff and impacted a nearby village, killing 10 people – this must be taken into consideration. With the explosion of this rocket, the hypothetical satellite is destroyed. From a subjective standpoint, it would be easy to think that the company that built the satellite would want compensation from the launch company for the loss of their system. The stakeholders relying on the satellite to perform its intended function would want compensation from any money they would have spent to help fund the satellite – if they did in fact help pay for it – or compensation for any profit they aimed to make off having that satellite in orbit. Risk transference by way of using space insurance would allow for those fiscal risks to be assumed by the insurance companies like Marsh, Starr Companies, Allianz Global, instead of NASA, DARPA or companies like Lockheed or Boeing. One thing that a risk management plan cannot plan for, however, would be the potential reputational impacts that come with the failure of the rocket from within government or private sector circles. Should a company develop a reputation of success with an occasional failure, this might not be so damaging. This is evidenced today by SpaceX. They continue to push the envelope on space launch technologies, and continue to reach success milestones, with occasional failures. On the other end of the spectrum, should a launch company continue to fail with occasional successes, external stakeholders will be much less likely to want to utilize that company/agency to transport their systems to orbit. This poses the risk of losing business, which then could put the company out of operations in its entirety, especially if this is compounded by fiscal responsibilities from subsequent failures. An example of this is the America Rocket Company, founded in 1985 that had numerous hybrid rocket motor failures, which led to the business shutting down in 1996.
Another aspect of satellite systems to examine when looking at risk management techniques is how risk is managed in the realm of satellite communications both during the development cycle and once on-orbit. The post-launch phase of a satellite’s insertion usually involves a separation from the launch vehicle, followed by a deployment of system components (if applicable), an initialization phase to perform end-to-end system checkouts, and a period of OT&E. A satellite will rely on ground relays or on-orbit communications relays (a relay is an antenna) that communicates with a ground relay. In any case, it is on the satellite operations crews that reside in satellite operations centers to perform the day-to-day mission execution of the satellite systems in their custody. There are two factors here that come into play: the ground relay architecture itself and humans that operate the satellite control systems. Starting with the ground relay architecture, a program manager for a satellite system needs to know how a satellite is going to communicate with the ground during the development cycle. There are times where a satellite will have a dedicated relay to itself, and there are times where satellites will share a ground relay. There are risks associated with both. For example, a risk associated with having a dedicated relay involves the building, operations, and upkeep of that relay for the duration of the satellite’s or constellation’s existence. A lot of relays reside in austere locations, where there is no obstruction to the antenna, to ensure integrity of signal. Should a project manager deem that a dedicated relay is a requirement, an assessment must be made from a financial standpoint as to whether it is financially sound to construct and maintain this dedicated relay. If project funding is an issue, then this dedicated relay becomes a risk. There are risks with placing the relay in the wrong location, as well. If the relay is placed incorrectly, the relay will not coincide with the satellite’s orbit and it could be lost. These are both financial and operational risks. Now, looking at it from the perspective of having a newly launched satellite leverage off an existing relay, there are risks that manifest itself from this approach as well. For example, if the relay is owned by another organization, the newly launched satellite will have to compete for relay usage with other space assets. Additionally, if the relay requires maintenance (and they all do at one point or another), the newly launched satellite is at the mercy of the maintenance schedule. These are risks that a program manager assumes when deciding upon using a pre-existing relay. An example of this shared relay concept is showcased in NASA’s Tracking Data Relay Satellite System it uses for contact with the astronauts aboard the International Space Station (ISS). NASA also allows a number of scientific R&D users to leverage its TDRSS relay for communication with their R&D satellite. One of the drawbacks these R&D users have to face is that they are subject to NASA’s communications schedule with the ISS. If NASA needs to communicate with the astronauts, the R&D users will get bumped off the relay and will have to reschedule. This could become a factor if there are health and safety concerns with the R&D satellite, but NASA has priority. It is a risk assumed by the R&D program manager that opted to use NASA’s satellite relay system as its means of communication.
How might a program manager manage risks when it comes to the communications aspect in the aforementioned scenarios? One approach would be to have multiple relays. That is, if the program calls for a dedicated relay due to mission constraints, a risk mitigation technique would be to broker an agreement with another organization to use their relay. The utilization of that other relay could be for day-to-day operations or just for emergency purposes.