RISK TRANSFER MODELING AMONG HIERARCHICALLY ASSOCIATED
STAKEHOLDERS IN DEVELOPMENT OF SPACE SYSTEMS
by
Thomas Grove Henkle III
A Dissertation Presented to the
FACULTY OF THE GRADUATE SCHOOL
UNIVERSITY OF SOUTHERN CALIFORNIA
In Partial Fulfillment of the
Requirements for the Degree
DOCTOR OF PHILOSOPHY
(INDUSTRIAL AND SYSTEMS ENGINEERING)
August 2007
Copyright 2007 Thomas Grove Henkle III
Table of Contents
List of Tables
List of Figures
Abstract
Chapter 1: Introduction
Chapter 2: Statement of Problem and Purposes
2.1 Problem
2.2 Purpose
2.3 Aspects of Current Applications
Chapter 3: Background of Study
3.1 Overview
3.2 Categories of Risk Associated with the Reference Field
3.3 Conventional Uncertainty and Risk Assessments
3.4 Current Trends in Risk Management
3.5 Risk Analysis and Decision Structures
3.6 Quantitative Risk Research
3.7 Space Insurance Applications
3.8 Causes of Risk Aversion
Chapter 4: Critique of Past Approaches
Chapter 5: Hypothesis
Chapter 6: Methodology
6.1 Overview
6.2 Risk Events
6.3 Underwriter Utility
6.4 Client Utility
6.5 Builder Utility
6.6 Statutory Underwriter and Client Utilities
6.7 Hierarchical Risk Transfer Model
6.8 Statutory Risk Sharing Model
Chapter 7: Space Risk Data
7.1 Raw Data Elements
7.2 Preliminary Trends
7.3 Launch Events
7.4 In-Orbit Events
7.5 Third-Party Loss and Government Range Damage Events
7.6 Underwriter Model
Chapter 8: Risk Transfer and Risk Sharing Analysis
8.1 Hierarchical Risk Transfer
8.2 Statutory Risk Sharing
Chapter 9: Evaluation of Results
9.1 Hypothesis Evaluation
9.2 Model Validation
9.3 Modeling Error and Sensitivity
Chapter 10: Conclusions, Recommendations, and Future Work
10.1 Conclusions
10.2 Recommendations
10.3 Additional Research
Glossary
Bibliography
Appendix 1: Monetary Context from Past Space Forecasts
Appendix 2: System Architecture Reference Field
Appendix 3: Some Risk Management Heuristics
Appendix 4: Estimation of Technology Readiness
List of Tables
Table 1. Example Matrix for Decision Alternatives and States of Nature for Decisions in Complete Uncertainty
Table 2. Example of Likelihood Ordinal Scale
Table 3. Examples of Consequence Ordinal Scales
Table 4. Primary Types of Space Insurance
Table 5. Summary Critique of Risk Management Literature Categories
Table 6. Launch Vehicle Types and Service Years Considered
Table 7. Summary of World-Wide Fatalities and Range Damages Associated with Launch Activities
Table 8. Empirically Determined Time Varying Function of Client Utility
Table 9. Sum-Squared Estimation Error for Candidate Demonstrated Underwriter Utility Functions
Table 10. Year 2000 Forecast of Satellite Launches Summarized by Payload Type
Table 11. Examples of Common Satellite Networks
Table 12. Comparison of Some Technology Maturity Metrics
Table 13. Example of Development Difficulty for Stated Level of Technical Maturity
List of Figures
Figure 1. Organizational Hierarchy of Complex System Development and Deployment
Figure 2. Categories of Risk in System Development
Figure 3. Example Risk Rating Diagram Based on Ordinal Scales
Figure 4. Risk Management Needs Hierarchy
Figure 5. Generic Risk Management Process
Figure 6. Possible Expansion of Risk Assessment Using Ordinal and Cardinal Methods
Figure 7. More Detailed Risk Management Process with General Project Applicability
Figure 8. Example Decision Diagrams with One Attribute
Figure 9. Example of Risk Neutral, Risk Averse, and Risk Prone Utility Functions
Figure 10. Basic System States for a Cycle of Operation
Figure 11. Narrowed Focus for Model Development
Figure 12. Range for Potential Underwriter Utility on a Single Satellite Project
Figure 13. Example Classes of Client Utility Curves
Figure 14. Potential Range for Client Utility for Time Period T_n
Figure 15. Example Construction of Builder Utility Function
Figure 16. Potential Range for Statutory Underwriting Utility
Figure 17. Demonstrated Launch Reliability for Satellite Payload Delivery
Figure 18. Approximate Premiums Collected and Claims Paid for Space Insurance
Figure 19. Total Annual Insurance Capacity
Figure 20. Approximate Average Premium Rates for Space Insurance
Figure 21. Aggregate Premium-Revenue Trend in Space Insurance Industry over Eighteen Years
Figure 22. Indication of Local Risk Aversion for Annual Aggregates of Space Insurance Data
Figure 23. Sample of Constituent Launch Data
Figure 24. US Aggregate Launch Vehicle Demonstrated Reliability
Figure 25. Close Up of US Launch Vehicle Performance
Figure 26. Europe Aggregate Launch Vehicle Demonstrated Reliability
Figure 27. CIS Aggregate Launch Vehicle Demonstrated Reliability
Figure 28. Rest of World Aggregate Launch Vehicle Demonstrated Reliability
Figure 29. Annual Reported In-Orbit Anomalies Worldwide
Figure 30. Worldwide Reported Service Times to In-Orbit Anomaly
Figure 31. Annual Reported In-Orbit Anomalies for US Client Missions
Figure 32. Reported Service Times to In-Orbit Anomalies for US Client Missions
Figure 33. Demonstrated Rate of First-Year Critical Anomalies
Figure 34. Empirically Derived Upper Bound on Third-Party Loss and Range Damage Launch Events
Figure 35. World-wide Empirical Distribution for Liability and Range Property Damage When Incident Occurs
Figure 36. Comparison of Premiums and Expected Loss from US Launch Operations by Year (1984–2001)
Figure 37. Comparisons of Premiums and Expected Loss from US Launch and Anomaly Operations by Year (1984–2001)
Figure 38. Determination of Long-Term Underwriter Utility (linear scale)
Figure 39. Determination of Long-Term Underwriter Utility (logarithmic scale)
Figure 40. Comparison of Candidate Underwriter Utility Functions
Figure 41. Comparison of Capacity for Accepting Risk Against Cumulative Income
Figure 42. Comparison of Average Premium Rates and Cumulative Income
Figure 43. Effect of Insurance Premium on Risk-Neutral Client
Figure 44. Preference of Insured Risk-Averse Client to Risk Neutrality
Figure 45. Preference of Insured Decreasingly Risk-Averse Client to Neutrality
Figure 46. Decision Regions for Decreasingly Risk-Averse Class of Client
Figure 47. Preference of Insured Increasingly Risk-Averse Client to Neutrality
Figure 48. (Lack of) Preference of Insured Risk-Prone Client to Neutrality
Figure 49. Expected US Government Utility for Ranges of Risk-Sharing Thresholds (Large Cost Penalty)
Figure 50. Expected US Government Utility for Ranges of Risk-Sharing Thresholds (Unity Cost Penalty)
Figure 51. Example of Risk Sharing Utility for Large Underwriter Growth Coefficient
Figure 52. Upper Bound on Estimation Error for Probability of Mission Success
Figure 53. Scaled Covariance for Demonstrated 1st-year Critical In-orbit Failure Rates
Figure 54. Residual Errors from Underwriting Utility Function
Figure 55. Parametric Sensitivity of Constantly Risk-Averse Client Utility Function to Risk Transfer
Figure 56. Comparison of Empirical and Analytic Distributions on Damages for Potential Risk-Sharing Events
Figure 57. Primary Physical Segments of a Satellite Communications Architecture
Figure 58. Simplified Communications Payload Model
Abstract
Research develops an empirically derived cardinal model that prescribes handling and
transfer of risks between organizations with hierarchical relationships. Descriptions of mission risk
events, risk attitudes, and conditions for risk transfer are determined for client and underwriting
entities associated with acquisition, production, and deployment of space systems. The hypothesis
anticipates that large client organizations should be able to assume larger dollar-value risks of a
program in comparison to smaller organizations even though many current risk transfer arrangements
via space insurance violate this hypothesis. A literature survey covers conventional and current risk
assessment methods, current techniques used in the satellite industry for complex system development,
cardinal risk modeling, and relevant aspects of utility theory. Data gathered from open literature on
demonstrated launch vehicle and satellite in-orbit reliability, annual space insurance premiums and
losses, and ground fatalities and range damage associated with satellite launch activities are presented.
Empirically derived models are developed for risk attitudes of space system clients and third-party
underwriters associated with satellite system development and deployment. Two application topics for
risk transfer are examined: the client-underwriter relationship on assumption or transfer of risks
associated with first-year mission success, and statutory risk transfer agreements between space
insurance underwriters and the US government to promote growth in both commercial client and
underwriting industries. Results indicate that client entities with wealth of at least an order of
magnitude above satellite project costs should retain risks to first-year mission success despite present
trends. Furthermore, large client entities such as the US government should never pursue risk transfer
via insurance under previously demonstrated probabilities of mission success; potential savings may
reasonably exceed multiple tens of millions of dollars per space project. Additional results indicate that current
US government statutory arrangements on risk sharing with underwriting entities appear reasonable
with respect to stated objectives. This research combines aspects of multiple disciplines to include
risk management, decision theory, utility theory, and systems architecting. It also demonstrates
development of a more general theory on prescribing risk transfer criteria between distinct, but
hierarchically associated entities involved in complex system development with applicability to a
variety of technical domains.
Chapter 1: Introduction
The research herein develops a model that describes risk transfer between organizations in
the process of developing a large complex system. More specifically, the application under
examination is risk transfer via insurance and its application in acquisition, production, deployment,
and operation of satellite systems. This research differs from previous research in that it examines
risks that are shared or transferred between multiple stakeholders rather than looking at how a single
organization would handle risks with internal technology and investment plans. It is significant in at
least two ways: it develops a quantitative theory that builds on existing literature, and the application
of this theory involves improving the allocation of very large costs, potentially on the order of
hundreds of millions to billions of dollars (US) per year.
Typical risk assessment methods associated with engineering of large systems still
appear to be primarily qualitative or based on ordinal evaluations. Numerous texts provide basic
guidance on risk management processes and categories for handling risks [Kerzner, 1995], [DoD
4244.7-M]. The general process involves sequential steps of risk planning, assessment and analysis,
risk handling, and documenting lessons learned after the fact. A significant portion of the risk
management literature describes variations of this process as applied to specific programs. Typical
assessments of technology risks place system aspects into bins associated with “high”, “medium”, or
“low” risk, often with little additional quantitative definition of likelihood or consequences of
performance outcomes. Cost and schedule risk assessments and analyses may have more quantitative
qualities since cost and schedule estimation models often include random variables with accepted
statistical distributions. Risk handling falls into fundamental categories of avoidance (e.g., not
selecting an alternative associated with a risk), reduction (e.g., mitigation activities and contingency
plans), assumption (e.g., proceeding with an alternative despite possible consequences should they
occur), and transfer (e.g., share the possible consequences of a risk with others). Lessons-learned case
studies regarding specific program failures and successes also are documented in numerous published
papers and company-internal memoranda. In contrast, papers on cardinal methodologies of risk
handling techniques in the engineering literature are far fewer. While the number of these cardinal
papers has increased over recent years, emphasis on the interaction between distinct entities in
handling risks still appears lacking.
Decisions to use insurance in conjunction with satellite system deployment ostensibly are
made on an ad hoc system-by-system basis; however, a new approach to solving risk handling
incorporates dissimilar utility functions of hierarchically organized stakeholders to include a client, a
system builder, and insurance underwriters. Particular attention is devoted to deriving demonstrated
risk attitudes from open literature on mission success and insurance premiums and indemnifications
associated with space launch and operation. The research also examines a special case for risk transfer
between the US government and space insurance underwriters associated with statutory policies
intended to promote commercial growth in space industries. The execution of this research includes
development of a detailed cardinal model based on launch data, in-orbit satellite performance data,
insurance costs, and ground-based damages associated with satellite launch activities. The model
includes demonstrated utilities of the different participating stakeholders, validation results, and
an analysis of potential modeling errors.
Chapter 2: Statement of Problem and Purposes
2.1 Problem
Cardinal methodologies do not adequately allow modeling and assessment of risks
simultaneously for multiple hierarchically organized stakeholders associated with a complex system
development and deployment. Ordinal methods described in the following chapter have a historical
basis in risk management of engineering systems, but they do not capture cardinal measures of
probability and consequence for the occurrence of risk events. Ordinal methods also fail to indicate
potential trades among risk dimensions (cost, schedule, and performance), nor do they indicate
suitable conditions for selection of risk handling alternatives. Conversely, detailed models of cost and
schedule risk suitable for managing production of satellites do exist and can be effective; however,
their perspective is limited to a single funding or bidding organization. Some journal papers produced in
the last few years develop cardinal models for technology investment and allocation of funds within an
organization involved in product development. These are also summarized in the following chapter.
A complication remains that systems, especially government space communications systems,
require development on behalf of a client organization, but that client organization has the
responsibility to remain responsive to demands of multiple stakeholders. The set of stakeholders may
include the client organizations, customer (or communication user) organizations, investors, third-
party underwriters, and the builders. The risk-taking attitudes of these stakeholders may vary
significantly. Thus, it is reasonable that a model that incorporates utilities associated with
stakeholders can be useful in identifying risk-handling alternatives or in identifying degrees to which a
risk handling decision is consistent with a stakeholder approach. However, a decision model that
accounts for multiple stakeholders in terms of handling project risks for space system developments
does not exist.
A simplified view of the primary stakeholders involved in a complex system development is
shown in Figure 1. Blocks representing the client, builder, system architect, and 3rd party risk sharing
organizations are highlighted because of their relevance to this research. However, the problem of
addressing shared risk is applicable in a broad sense to all organizations connected by solid lines.
Solid lines indicate potential flow of information, product and its performance, and money; therefore,
sharing or transfer of risks is particularly relevant to this relationship. By comparison, dashed lines
show stakeholder interest and influence but no direct financial association; program risks typically are
not directly transferable among these connected entities. The relationship between the architect and
the client, however, is distinctly indicated since this relationship aims, in part, to reduce program risks
and to facilitate satisfaction of client functional needs. Thus, risks and their financial impacts are not
necessarily transferred across the client-architect relationship, but the influence of risk handling
activities is part of the architect’s role.
Figure 1. Organizational Hierarchy of Complex System Development and Deployment
[Figure: block diagram. Blocks: Customer/User; Client; System Architect; System Builder (e.g., prime contractor); Sub-system builders (e.g., sub-contractors, sub to sub); 3rd Party Deployment/Distribution (e.g., launch provider); 3rd Party Risk Share (e.g., underwriters, gov't indemnification).]
2.2 Purpose
Quantitative risk management clearly has applications for development of space
communication systems; these systems are characterized by very large development costs, historically
high per unit costs, and commensurately high performance expectations. Furthermore, with current
emerging commercial systems vying for market share, timely development and deployment of a
proposed satellite communication system is essential. Thus the client and the corresponding system
architect must manage risks that are incurred in, and in some cases possibly induced by, a rapid
development process.
The research addresses the utility of insurance from the view of the system architect. The
distinction between architect and builder is important. The architect defines the system functions and
primary interfaces while working with the client who acquires and possibly operates the satellite
system. The builder performs implementation-specific development, system integration, and initial
deployment of the system for the client. Insurance utility, as an example, derives from the value of
transferring certain risks incurred on a project to a separate party, an insurance underwriter.
The cost of insurance can vary according to market conditions faced by underwriters. For
instance, launch insurance for a satellite may vary from 10%–20% of the satellite value depending in
part on the number of recent launch vehicle failures. This would translate to industry-wide costs
dedicated to commercial satellite insurance ranging from $5 billion – $10 billion over the next ten
years. On average, this is about $3.5 million to $7 million per satellite.
Therefore, a financial need exists for determining conditions when it is appropriate to insure a
system, the percent of coverage, and whether it is appropriate not to buy any insurance, i.e., to
self-insure, and what cost savings may be realized from this decision. A related need also exists for
facilitating structured, timely decision-making by a client and builder of a satellite communication
system. A structured decision-making methodology is typically difficult to derive in light of the large
size of project costs, multiple criteria to balance, and the potentially large consequences for a
performance failure during deployment and operation of the system.
Unfortunately, decisions regarding risk handling appear to be made on a predominantly ad
hoc basis. Much of this situation is reflected in the literature review summarized herein. While some
well-founded quantitative theories have been developed, they are typically not prescribed in a satellite
communications program development. Theories are sometimes developed after the fact to describe
what went wrong on a program.
During the period of concept development for a space system, a system architect or
architecting team attempts to assess the feasibility of including certain functions and attaining
associated performance levels in the proposed system. One method of testing the reasonableness of
architecture descriptions and the evolving requirements set is to develop point designs. At this point
the architecting team may identify potential technologies required to facilitate desired capabilities.
Such technologies, depending on their maturity, may make the system development appear to be “high
risk.” Alternatively, an architecting team may aim to develop a “low risk” system consisting of flight-
proven technology. The trouble is that current risk management processes, described later, appear
capable of merely identifying “watch items” for which rough order of magnitude risk events can be
assigned. The number of new technologies and the degree of maturity are handled heuristically.
2.3 Aspects of Current Applications
There remains debate among program planners on the degree to which insurance is
encouraged, or even allowed, for space systems, particularly if the system is deployed as part of a
government contract. However, there are several key US codes and regulations that apply to insuring
deployment of space systems. They codify required insurance for launch systems, financial
responsibility of liabilities, and limits on self-insurance. There has been debate whether these laws
should expire, but they appear to have been received favorably by some insurance brokers and launch
providers [Sietzen, 1999], [Duffy, 2003]. This may not be a surprise since the laws require two forms
of insurance while also allowing government assistance in the event of a catastrophic loss.
Foremost among these are U.S. laws and regulations associated with financial responsibility
for licensed launch activities. This is composed of three tiers [49 U.S.C. 701, 14 CFR 440, FAA
2002]:
Tier I: Maximum Probable Loss (MPL)-Based Financial Responsibility Requirements
  - Launch or reentry licensee obtains insurance to cover claims of third parties,
    including government personnel, for injury, loss or damage, against launch or
    reentry participants. Participants include the licensee, its customer, and the U.S.
    government and its agencies, and the contractors and subcontractors of each of
    them.
  - Launch or reentry licensee obtains insurance covering damage to U.S. government
    range property.
  - The Federal Aviation Administration (FAA) sets insurance requirements based
    upon the FAA’s determination of the MPL that would result from licensed launch
    or reentry activities, within statutory ceilings, not to exceed the lesser of:
      - $500 million for third-party liability, or the maximum available on the
        world market at reasonable cost,
      - $100 million for U.S. government range property, or the maximum
        available on the world market at reasonable cost.
  - Participants enter into no fault, no subrogation reciprocal or cross-waivers of
    claims under which each participant accepts its own risk of property damage or loss
    and agrees to be responsible for injury, damage or loss suffered by its employees,
    except that claims of government personnel are covered claims under the licensee’s
    liability insurance coverage.
Tier II: Catastrophic Loss Protection
  - Subject to appropriations, the U.S. government may pay successful third-party
    liability claims in excess of required MPL-based insurance, up to $1.5 billion (as
    adjusted for post-1998 inflation) above the amount of MPL-based insurance.
    (Government pays excess claims, known as indemnification, in Tier III)
  - U.S. government waives claims for property damage above required property
    insurance.
Tier III: Above MPL-Based Insurance plus Indemnification
  - By regulation, financial responsibility remains with the licensee, or legally liable
    party, with the following exceptions:
      - The government does not indemnify a party’s willful misconduct,
      - The government may pay claims from the first dollar of loss in the event
        of an insurance policy exclusion that is determined to be “usual.”
The law and regulation require financial responsibility for Tier I prior to a launch license
issued by the Associate Administrator for Commercial Space Transportation of the FAA. In this
context the maximum probable loss is the “greatest dollar amount of loss for bodily injury or property
damage that is reasonably expected to result from licensed launch activities” [14 CFR 440].
Probability thresholds for being reasonably expected are on the order of 1 in 10 million for losses to
third parties—persons not involved in a launch—and 1 in 100,000 for loss to government property.
Tier II allows the U.S. government to make payment on losses that exceed the Tier I coverage limits.
Some members of space industry favorably endorsed this particular aspect of government
indemnification [AIAA, 1988]. This law had been scheduled to expire in 2005 but has received a
subsequent extension by Congress [FAA, 2006].
Handling of voluntary insurance costs incurred by a satellite builder is less defined, but such costs are
indeed allowable—even on government contracts—in accordance with Federal Acquisition
Regulations [FAR 28.3] and associated regulations on accounting for insurance costs [48 CFR
9904.316]. Fundamentally, the amount of insurance cost to assign to an accounting period is the
projected average loss for that period plus any insurance administrative costs (i.e., premiums) in that
period. In the context of launch and on-orbit insurance, one of three approaches can be appropriate:
  - For policy terms, premium costs are pro-rated across affected accounting periods
    covered by the policy term.
  - For policies directly allocated to a single cost objective, premium costs do not have to be
    prorated across accounting terms.
  - For self-insurance, contractor’s actual loss experience should be evaluated regularly, and
    self-insurance charges for subsequent periods shall reflect this loss experience in a
    manner as would be for purchased insurance.
The result of these actions is that insurance costs, even related to deployment of space
systems, are allowable and can be reimbursable on cost-reimbursable contracts, reasonably as direct
costs. Conditions for gaining approval for insurance and self-insurance costs are also codified and do
not exclude such costs on government contracts. Conditions for selecting insurance or self-insurance
on commercial contracts would depend on the business case for the affected companies or
organizations.
We therefore have two dominant aspects of risk transfer to consider. The primary aspect, at
least in monetary value, concerns insurance against potential loss of mission operations, usually
considering survival of launch and initial in-orbit activities. Another interesting aspect, from a policy
perspective, concerns the suitability of US statutes that require transfer of financial risk of catastrophic
losses from space insurance underwriters to the US government. This latter aspect can be modeled as
a special case of hierarchical risk transfer where a government is a superior decision-making entity.
Chapter 3: Background of Study
3.1 Overview
This section summarizes risk management literature and current risk management activities
relevant to large-scale system development. Material in this section provides context to the
application domain of this research and a foundation on which to extend a cardinal risk modeling
theory. One should note the intent herein is to cover a broad range of risk management and decision
theory relevant to development of satellite systems and associated insurance, not to present the entire
scope of all risk management literature across all application domains.
A brief description of the system architecture reference field applicable to this research is
provided in an appendix. Aspects of this field can be found in [Henkle, 1999] and [Rectin, 1991].
While different project stakeholders may participate in the development activities, a few key
participants are described here according to their primary role. The client is responsible for
determining mission needs (e.g., desired types and amounts of communications services) and provides
the appropriate funding to run the acquisition. This research uses the term “client” for this acquisition
role, as opposed to “customer”, which herein refers to the actual user of a system. There may
realistically be multiple customer stakeholders that represent different organizations that intend to use
the delivered system. The architect approaches the system design according to the primary functions it
is to perform, and works for the client with builders to determine a desired architecture [Rectin, 1991].
The builder in this model provides the system engineering and process execution for the client,
working with the architect. Realistically, the architect and the builder may work within the same
organization; however, the differing roles are highlighted here. Occasionally, a project may also
include “third party” stakeholders who have a financial interest but are not necessarily considered a
client, architect, or customer. Examples of this may be insurance underwriters who may be involved
in the transfer of risk associated with performance shortfalls or catastrophic failures.
3.2 Categories of Risk Associated with the Reference Field
Risk associated with system development consists of four main components for purposes of
this research as indicated in the following figure: cost, schedule, performance, and environment. The
system builder and system architect affect the first three components in response to the client’s
expressed needs. Cost risk relates the likelihood of events as they relate to consequences measured in
dollars. Schedule risk is similar except that the consequences directly affect schedule or delivery time
lines. Even though time measures such as days and weeks are appropriate for schedule consequences,
dollars can still be used as a surrogate measure of schedule consequences since schedule delays
often relate to financial consequences. An example of this is penalty fees for late delivery.
Performance risk is the uncertainty in the ability of the system design described in the concept to
achieve desired measures of effectiveness and the consequences thereof. These measures are derived
from performance requirements specified for the design of the satellite system. Identified risk items
tend to relate to the ability of specific technologies or assemblies to perform system functions as
anticipated. These identified risk uncertainties often are estimated via recent heritage for state-of-the-
art technologies. Finally, environment risk incorporates all events that are outside the direct influence
of the system developer. The client typically monitors and possibly attempts to influence these risks
since they may affect the performance effectiveness or financial viability of the proposed system.
Such risk events may include weather effects, economic and market changes, and performance of
similar or competing systems.
Figure 2. Categories of Risk in System Development
Overview of Some Cost Risk Assessment Models
A variety of well-developed models describe cost estimation methods. Straightforward
approaches [Book and Smith, 1996; Kerzner, 1995] assess aggregated system cost estimates by first
estimating the cost of each work breakdown structure (WBS) element as a random variable. With
Book and Smith [1996] the distribution of the WBS element random variable is roughly the sum of a
deterministic best estimate and two random variables: one for the technology readiness level and one
for the estimation error. The random variable for each WBS element is lognormally distributed.
Statistical correlations for the WBS-element random variables also are constructed based on their
associated technology readiness levels. Sample calculations are provided to illustrate how not
accounting for correlations among WBS elements may lead to an underestimate or overestimate of
system cost.
A similar approach [Burgess and Gobreial, 1996] shows how one can incorporate NASA
technology-readiness levels into a cost estimation model. The technology-readiness levels range from
Level 1 (where basic principles are observed and reported on the ground) to Level 9 (where a system
is flight proven through successful mission operations in space). A right-triangle statistical
distribution is applied to an estimate of the technology readiness. In example distributions provided,
the most likely value always is 5, and the remaining corner varies according to the readiness level. For
example, a readiness level of 1 corresponds to a triangular distribution ranging from 5 to 50, and a
readiness level of 7 corresponds to a distribution ranging from 0.5 to 5. Readiness levels of 8 and 9
are not modeled. The authors then combine the distribution of the technology readiness with a
Gaussian estimating error to derive a lognormal distribution of the WBS-element.
Work by Book emphasizes potential logical and mathematical flaws in deriving a system cost
by calculating the sum of the “best estimates” that correspond to the system’s constituent elements
[Book, 1994]. Part of the problem stems from possible statistical definitions of “best estimate”: it
could mean mode, mean, median, or some other percentile. Thus, rolling up the estimates into a single
number results in a meaningless statistical value unless the best estimate measure happens to
correspond to the mean. Correct cost measures are derived by summing the statistical distributions of
WBS-element cost elements via analytical methods or Monte-Carlo simulations. Sample calculations
with Gaussian and triangular distributions illustrate this point.
Additional models can account for correlation among random variables in a cost model that
assigns a cost random variable to each WBS element in a system [Book, 1997]. A number of relations for
variance and covariance between random variables are derived. Examples are provided that indicate
the potential for overestimation or underestimation of program cost by not properly accounting for
statistical correlation among WBS elements.
Once their cost probability distributions are derived, Abramson and Young determined a
method of ranking competing systems according to their cost distributions [Abramson and Young,
1997]. First, the cost of each WBS element is modeled after a triangular distribution. The total cost
of a system then is approximated with a lognormal distribution. The authors’ claim is that the
lognormal distribution is reasonable for sums of positively correlated random elements. The fit to the
lognormal distribution is described in the paper and is derived from the mean and variance of the
WBS element cost distributions as well as the correlation matrix for these elements (this matrix
actually appears to be the correlation coefficient matrix). Since the paper describes a general
technique to fit to the lognormal distribution, distributions other than triangular could be used for each
WBS element if appropriate. Rank ordering then can be determined pair-wise by calculating the
distribution for the ratio of costs for any two systems. The distribution for this ratio also is
lognormally distributed. One can then calculate the probability that the ratio distribution is greater
than unity to represent the probability that one system cost (numerator system cost random variable)
would exceed the other (denominator system cost random variable). Since the techniques presented in
this paper involve calculations on only the mean, variance, and correlation matrix of the WBS
elements, system cost estimates probably can be modeled on a personal computer.
An alternative approach to modeling cost proposes an artificial neural network approach to
model the cost of software development [Venkatachalam, 1993]. It accounts for aspects such as the
size of the project, the experience of the programmers, and the tools used.
Garvey [2000] describes the applicability of a variety of probability density functions used in cost
analysis. Triangle and beta distributions are commonly used for specifying uncertainties at low levels
of a system such as at an assembly or component level. In some cases trapezoidal and uniform
distributions are used at this level; however, uniform distributions typically are used only in the very
early stages of system design. Normal and lognormal distributions commonly describe uncertainty
descriptions derived from multiple low-level distributions. From the central limit theorem we can
expect normal distributions to result from the summation of independent random variables.
Lognormal distributions may be more reasonable under certain conditions, when correlations produce a
positive skew to an overall distribution.
Overview of Some Schedule Risk Assessment Models
Numerous models for schedule risk have been developed based on PERT analysis [Kerzner,
1995]. This assessment method involves modeling time to completion of each element in a work
breakdown structure (WBS) as a random variable with a triangular distribution. The total time to
completion of a project depends on the combination of events that happen in parallel and in series.
This method provides an alternative to estimating project schedule based on the deterministic values
of a critical path analysis.
An extension of the PERT analysis allows for correlation of the random variables associated
with the WBS elements. Two authors describe a method of generating correlated random variables and
applying them for simulation of hypothetical activity schedules [Book and Young, 1992]. The
correlated random vector is generated with a linear transformation matrix derived from a Cholesky
factorization (upper and lower triangular) of the correlation matrix. Lognormal distributions then are
applied to event durations. Completion times of specific tasks are correlated by a specified amount.
Example calculations show distributions of a hypothetical schedule that contains a number of activities
in parallel and in series.
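The cost roll-up point attributed to Book [1994] and the Cholesky-based correlated sampling attributed to Book and Young [1992] can be seen together in a small simulation. The following Python is an added example, not code from the cited papers or from this dissertation; the three WBS elements, their lognormal parameters, the 0.6 correlation and the parallel/series layout are all constructed, and the correlation is imposed on the underlying normal variates.

```python
import math
import random
import statistics

# Constructed inputs: three WBS elements whose cost (or duration) is lognormal,
# exp(mu + sigma * x) with x standard normal. Values are illustrative only.
MU = [math.log(10.0), math.log(20.0), math.log(15.0)]
SIGMA = [0.3, 0.4, 0.5]
INDEPENDENT = [[1.0, 0.0, 0.0], [0.0, 1.0, 0.0], [0.0, 0.0, 1.0]]
CORRELATED = [[1.0, 0.6, 0.6], [0.6, 1.0, 0.6], [0.6, 0.6, 1.0]]


def cholesky(corr):
    """Return lower-triangular L with L * L^T == corr."""
    n = len(corr)
    low = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1):
            acc = sum(low[i][k] * low[j][k] for k in range(j))
            if i == j:
                pivot = corr[i][i] - acc
                if pivot <= 0.0:
                    raise ValueError("correlation matrix is not positive definite")
                low[i][j] = math.sqrt(pivot)
            else:
                low[i][j] = (corr[i][j] - acc) / low[j][j]
    return low


def sample_elements(corr, n, seed):
    """Draw n element vectors; corr applies to the underlying normal variates."""
    rng = random.Random(seed)
    low = cholesky(corr)
    size = len(MU)
    draws = []
    for _ in range(n):
        z = [rng.gauss(0.0, 1.0) for _ in range(size)]
        # The linear transformation x = L z gives x the requested correlation.
        x = [sum(low[i][k] * z[k] for k in range(i + 1)) for i in range(size)]
        draws.append([math.exp(m + s * xi) for m, s, xi in zip(MU, SIGMA, x)])
    return draws


def sum_of_modes():
    """Roll-up of per-element 'best estimates' when each one is the mode."""
    return sum(math.exp(m - s * s) for m, s in zip(MU, SIGMA))


def analytic_mean_total():
    """Means add regardless of correlation, so this is the mean of the total."""
    return sum(math.exp(m + s * s / 2.0) for m, s in zip(MU, SIGMA))


def roll_up(corr, n=20000, seed=7):
    """Simulate the total (series sum) and a parallel-then-series finish time."""
    draws = sample_elements(corr, n, seed)
    totals = sorted(sum(d) for d in draws)
    # Schedule reading: elements 0 and 1 run in parallel, element 2 follows.
    finish = [max(d[0], d[1]) + d[2] for d in draws]
    modes = sum_of_modes()
    return {
        "mean_total": statistics.fmean(totals),
        "sd_total": statistics.pstdev(totals),
        "p80_total": totals[int(0.8 * n)],
        "p_exceeds_sum_of_modes": sum(t > modes for t in totals) / n,
        "mean_finish": statistics.fmean(finish),
    }


if __name__ == "__main__":
    print("sum of modes:", round(sum_of_modes(), 2))
    print("analytic mean of total:", round(analytic_mean_total(), 2))
    for label, corr in (("independent", INDEPENDENT), ("correlated", CORRELATED)):
        print(label, {k: round(v, 3) for k, v in roll_up(corr).items()})
```

With these inputs the mean of the total is the same in both runs, while the spread and the 80th percentile grow under positive correlation, and the sum of per-element modes is exceeded in most trials.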
Aspects of Environment Risk
General models for environment risk are difficult to derive since events in this category of
risk are outside the scope of a development. Events in this category relevant to satellite
communications development include the following few:
  - Customer market change
  - Statutory and regulatory changes
  - Launch failures
Market changes account for activity and operation of competing communications systems—
with respect to commercial systems—or for changes in the worldwide political environment—with
respect to military systems. Forecasts that address these changes have been developed by a number of
companies. Statutory and regulatory changes may occur at the national level, in response to
administration changes with elected officials, or at the international level, primarily through
negotiations through the International Telecommunications Union (ITU). Launch failures can be
estimated based on the success rates for a family of launch vehicles for past launch attempts.
3.3 Conventional Uncertainty and Risk Assessments
Traditional literature often divides decision-making under conditions of certainty,
uncertainty, and risk. The most straightforward of these is a condition of certainty, where
deterministic relations can be constructed among alternative outcomes. This class of conditions can
apply to many complex situations and lead decision-makers to sound decisions, but it is not to be
developed further in this document.
Complete uncertainty often applies to conditions where possible outcomes may be known but
probabilities associated with these outcomes cannot be reasonably estimated. This class of problem is
the opposite of complete certainty and leaves the decision-maker with choices such as maximizing
potential gain or minimizing potential loss. In application this suggests that potential consequences of
a decision would not jeopardize future operations of an organization or else a project or alternative
may not be undertaken. Approaches to decision making of these types reflect attitudes of the decision
maker with respect to tolerating loss, and descriptions of these approaches can be found in a number
of risk management and project management texts and are summarized here [Baird, 1989], [Haimes,
1998], [Kerzner, 1995].
For a particular decision consider $a_i$ as the real-valued range of potential payoff or benefit for
alternative $i$. The realized payoff for each alternative depends on chance, or the state of nature, at the
time following selection of an alternative. We denote the chance events that lead to possible outcomes as
$S_j$, where $j$ is one of $J$ possible events. An analyst can then represent potential payoffs for all
considered alternatives and possible states of nature in a matrix with elements $a_{ij}$ as shown in the
following table.
Table 1. Example Matrix for Decision Alternatives and States of Nature for Decisions in
Complete Uncertainty
               States of Nature
Alternative    S_1     …    S_j     …    S_J
A_1            a_11    …    a_1j    …    a_1J
:              :            :            :
A_i            a_i1    …    a_ij    …    a_iJ
:              :            :            :
A_N            a_N1    …    a_Nj    …    a_NJ
The optimistic Maximax criterion is used to maximize the potential payoff or benefit among a
set of alternative choices. It can be appropriate when the decision maker wants to select an action that
is capable of realizing the best possible outcome among available choices, regardless of the potential
loss or downfall that also may result from that choice. This choice may not be unreasonable for
companies with sufficient assets to sustain the potential loss while also aiming for maximum possible
payoff. Use of this criterion assumes that the range of loss or benefit for each decision alternative is
known. Potential loss is represented by negative payoff values. The Maximax criterion for selecting a
particular alternative $A_i$ out of $N$ choices with $J$ possible outcomes for each choice can be expressed as
$$\max_{1 \le i \le N} \; \max_{1 \le j \le J} a_{ij}$$
The pessimistic Maximin criterion (sometimes known as Wald criterion) is used to minimize
the potential loss from the available decisions. This criterion may be appropriate for a small company
that seeks to minimize potential losses among a set of potentially bleak choices. Its use highlights the
reasonably worst scenario from possible outcomes. In response the decision maker determines the
minimum gain (worst loss) for each choice and selects the maximum value among the minima. Use of
this criterion also assumes that the range of loss or benefit for each decision alternative is known. The
Maximin criterion for selecting a particular alternative $A_i$ out of $N$ choices with $J$ possible outcomes for
each choice has the following form
$$\max_{1 \le i \le N} \; \min_{1 \le j \le J} a_{ij}$$
The Hurwitz rule provides a compromise between the optimistic and pessimistic criteria
[Haimes, 1998]. This rule implements a linear combination of the optimistic and pessimistic criteria by
applying an α-index, where α ranges from 0 to 1. The Hurwitz rule is expressed as follows
$$\max_{1 \le i \le N} \left[ \alpha \min_{1 \le j \le J} a_{ij} + (1 - \alpha) \max_{1 \le j \le J} a_{ij} \right], \quad 0 \le \alpha \le 1$$
Note that α may be considered as a “coefficient of optimism” [Baird 1989]. An analyst may use
values for α in a simplified sensitivity analysis to determine ranges for α that would correspond to
different recommended decisions. Points between adjacent decision regions would correspond to
indifference points.
Another variation of uncertainty decision-making seeks to minimize the regret, or opportunity
loss. This type of decision maker is sometimes described as the sore loser. This analysis has three
parts: first, convert real-valued payoffs to non-negative regrets; determine the worst regret possible for
each action; then select the alternative with the lowest “worst regret”. The resulting minimax criterion
(sometimes known as the Savage criterion) is applicable for a finite number of states of nature, $S_i$, or
alternatively a finite number of outcomes possible from each action. The transformation from a payoff
matrix to a regret matrix is calculated by determining the best alternative for each state of nature, and
then for each regret $r_{ij}$, by subtracting the payoff for each alternative from the best alternative:
$$r_{ij} = \max_{1 \le i \le N} \left( a_{ij} \right)_{S_j} - a_{ij}$$
In this regret matrix large values are worse than small values, and 0 is the best obtained for any state
of nature. The analyst then applies the minimax criterion to determine the minimum “worst regret”
for each alternative:
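$$\min_{1 \le i \le N} \; \max_{1 \le j \le J} r_{ij}$$
or
$$\min_{1 \le i \le N} \; \max_{1 \le j \le J} \left[ \max_{1 \le i \le N} \left( a_{ij} \right)_{S_j} - a_{ij} \right]$$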
The Laplace criterion attempts to transform decision making in complete uncertainty into a
risk-like methodology for conditions with a finite number of states of nature. In the absence of any
probabilities associated with potential states of nature, or outcomes, the Laplace criterion assumes that
all states of nature are equally likely. This bold assumption may not be reasonable for many
situations. The criterion considers $J_i$ possible states of nature for each action $a_i$ to be equally likely.
The representation merely considers the set of all possible actions $\{a_{ij}\}$ and determines the numerical
average of outcomes for each alternative action.
$$\max_{1 \le i \le N} \; \frac{1}{J_i} \sum_{j=1}^{J_i} a_{ij}$$
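The five criteria above can be compared on one payoff matrix. The following Python is an added example, not part of the dissertation; the alternative names and payoff values are constructed, and the Hurwitz index α is taken as the weight on each alternative's worst payoff (an assumption about the convention). The last function carries out the simplified sensitivity analysis on α and returns the indifference points between decision regions.

```python
from itertools import combinations

# Constructed payoff matrix a[i][j] in $M: rows are alternatives A_i,
# columns are states of nature S_j. Negative values are losses.
PAYOFFS = {
    "A1 flight-proven": [20, 15, 10],
    "A2 mixed heritage": [45, 20, -5],
    "A3 new technology": [90, 5, -40],
}


def maximax(payoffs):
    """Optimistic: alternative with the largest best-case payoff."""
    return max(payoffs, key=lambda alt: max(payoffs[alt]))


def maximin(payoffs):
    """Pessimistic (Wald): alternative with the largest worst-case payoff."""
    return max(payoffs, key=lambda alt: min(payoffs[alt]))


def hurwitz(payoffs, alpha):
    """Linear blend: alpha weights the row minimum, (1 - alpha) the row maximum."""
    if not 0.0 <= alpha <= 1.0:
        raise ValueError("alpha must lie in [0, 1]")
    return max(
        payoffs,
        key=lambda alt: alpha * min(payoffs[alt]) + (1 - alpha) * max(payoffs[alt]),
    )


def regret_matrix(payoffs):
    """r_ij = (best payoff under state S_j) - a_ij; all entries are >= 0."""
    best = [max(column) for column in zip(*payoffs.values())]
    return {alt: [b - a for a, b in zip(row, best)] for alt, row in payoffs.items()}


def minimax_regret(payoffs):
    """Savage: alternative whose worst regret is smallest."""
    regrets = regret_matrix(payoffs)
    return min(regrets, key=lambda alt: max(regrets[alt]))


def laplace(payoffs):
    """Equally likely states: alternative with the largest average payoff."""
    return max(payoffs, key=lambda alt: sum(payoffs[alt]) / len(payoffs[alt]))


def hurwitz_regions(payoffs):
    """Return [(alpha_low, alpha_high, chosen alternative), ...] over [0, 1].

    Each alternative's Hurwitz score is a straight line in alpha, so the
    choice can only change where two of those lines cross.
    """
    lines = [(max(row), min(row) - max(row)) for row in payoffs.values()]
    cuts = {0.0, 1.0}
    for (b1, m1), (b2, m2) in combinations(lines, 2):
        if m1 != m2:
            crossing = (b2 - b1) / (m1 - m2)
            if 0.0 < crossing < 1.0:
                cuts.add(crossing)
    ordered = sorted(cuts)
    regions = []
    for low, high in zip(ordered, ordered[1:]):
        winner = hurwitz(payoffs, (low + high) / 2)
        if regions and regions[-1][2] == winner:
            regions[-1] = (regions[-1][0], high, winner)  # extend same region
        else:
            regions.append((low, high, winner))
    return regions


if __name__ == "__main__":
    print("maximax:", maximax(PAYOFFS))
    print("maximin:", maximin(PAYOFFS))
    print("minimax regret:", minimax_regret(PAYOFFS), regret_matrix(PAYOFFS))
    print("laplace:", laplace(PAYOFFS))
    for low, high, alt in hurwitz_regions(PAYOFFS):
        print(f"hurwitz alpha in [{low:.4f}, {high:.4f}]: {alt}")
```

On this matrix the criteria disagree: the optimistic and pessimistic rules pick opposite ends of the technology range, while the regret and Laplace rules both pick the middle alternative.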
For system development projects where alternative technologies and alternative architectures
are reasonably understood, a risk analyst can estimate probabilities associated with potential outcomes
for key decisions. Thus, the analyst armed with probabilities and consequences associated with each
decision can determine estimates for consequences. Based on this information one can determine
means of handling the risk.
One method of handling likelihoods and consequences on an ordinal scale has been presented
by the US Defense Systems Management College (DSMC) [DoD, 2000]. This model for risk rating is
worthy of description here because of its wide use in industry and ostensible acceptance within the
U.S. government. The assessment process includes activities aimed at identifying risk events, their
likelihoods, and corresponding consequences. After compiling the list of risk events, each likelihood
and each consequence is rated on a five-point ordinal scale as indicated in the following figures. The
range of the scales typically extends from a level of small significance to a level of grave significance,
and descriptions for likelihood and consequence often are tailored to the needs and development phase
of a particular project. Such ordinal scales can be useful as a point of departure for estimating risks;
however, as can be seen in the following tables, deriving useful aggregations—such as the ones
suggested for cost—can be a bit problematic. Ideally, descriptions for each level in the ordinal scales
are provided by “experts familiar with each risk area” [DoD, 2000] and are to be tailored for the
specific program [DoD, 1999]. The aim is to include input from personnel familiar with potential
development problems so that risks can be described such that their severity relative to other program
risks can be identified.
Table 2. Example of Likelihood Ordinal Scale
Level Likelihood of Risk Event
A Remote
B Unlikely
C Likely
D Highly likely
E Near certainty
Table 3. Examples of Consequence Ordinal Scales
Magnitude of Consequence
Level | Performance | Schedule | Cost
A | Minimal or no impact | Minimal or no impact | Minimal or no impact
B | Acceptable with some reduction in margin | Additional resources required; able to meet need dates | <5%
C | Acceptable with significant reduction in margin | Minor slip in key milestones; not able to meet need date | 5% – 7%
D | Acceptable; no remaining margin | Major slip in key milestone or critical path impacted | 7% – 10%
E | Unacceptable | Cannot achieve key team or major program milestone | >10%
Potential risk effects to a program are commonly rated as “high (H)”, “medium (M)”, or “low
(L)” to program management. One derives this rating by placing the ordinal scales along the axes of
a grid as shown in the following figure. A low likelihood-low consequence event would be rated “low
risk”, and a high likelihood-high consequence event would be rated “high risk”. But determination of
“medium risk” requires some interpretation. Use of the risk-rating diagram allows the risk analyst or
program manager to assign boundaries between each risk rating. As with the ordinal scale, the
boundary can be tailored to the specific program needs. The resulting method determines a qualitative
rating for each risk event. The ratings allow the program manager to develop a prioritized “watch
list” [DoD, 2000] for risk events. Higher rated risk concerns receive greater attention for risk mitigation
activities than do lower rated concerns. The prioritization of events with identical risk ratings is
determined at the discretion of the analyst or program manager. No additional ordinal or qualitative
ranking is appropriate as a general methodology. Further, one should note that performing arithmetic
operations on the ordinal scales to refine any risk assessment generally is erroneous and misleading.
Figure 3. Example Risk Rating Diagram Based on Ordinal Scales
Likelihood
    E |  M  M  H  H  H
    D |  L  M  M  H  H
    C |  L  L  M  M  H
    B |  L  L  L  M  M
    A |  L  L  L  L  M
      +----------------
         A  B  C  D  E
         Consequence
Early in the program, development risks can be introduced when the requirements are
unstable. Thus, an objective defined for the Concept Exploration phase of a program is to define and
evaluate feasible alternatives that account for system merits as well as associated risk [DoD, 1999].
In subsequent program phases knowledge of the system requirements and implementation concepts
should make assessment of cost, schedule, and performance risks better understood [DoD, 2000].
The Program Definition and Risk Reduction phase includes development of prototypes and
demonstrations to reduce program risks [DoD, 1999], and the Engineering and Manufacturing
Development phase focuses on a feasible design concept. Client involvement in mitigation
approaches and requirements definition is still significant up to this point since competitive bidding
typically occurs prior to subsequent phases. Furthermore, potential cost and schedule impacts due to
residual performance risks are also assessed prior to full-scale production [DoD, 1992; DoD, 1994].
Feedback from experts and available industry data are used to derive cost and schedule effects, but no
specific methodology is provided. The phase of Production, Fielding/Deployment, and Operational
Support includes factory production and system delivery to the client. During this phase risk handling
techniques become more essential to the builder.
An important component of the risk mitigation activities is a client (Government)
understanding of technical implementations that may reasonably be available during the time of the
satellite system deployment. This effort currently has the name “Cost As Independent Variable,” or
“CAIV” [DoD, 2000; DoD, 1996]. The underlying principle is that client performance requirements
must be commensurate with the cost criteria available for a system. If estimated cost risk is
unacceptably high, then the client and system architect should adjust performance goals so that
assessed cost risk becomes acceptable. This process is iterative and requires conscientious
participation from client (Government) and industry stakeholders.
A compilation of potential risk areas and process-related risk mitigation activities that may be
addressed at each phase of a program is presented in [DoD, 1985]. The process templates cover
design, test, production, facilities, logistics, and management issues. In aggregate they stress that risk
identification and reduction is a technical process rather than a managerial or organizational strategy.
The claim, and probably a valid one, is that an important part of risk reduction “is to recognize that
risk is eliminated only when the industrial process is changed, and that change is effected at a level of
detail normally not visible to the technical decision maker”. Templates for specific aspects related to
each risk area are presented. For example, aspects of design risk range from the reference mission
profile to trade studies and configuration control. Each template defines the specific aspect of a risk
area and provides a recommended outline for reducing the risk. The template then relates activities in
the outline with a Gantt chart that depicts phases in program deployment. While all the templates
demonstrably describe mitigation procedures for critical path operations, they are applicable for all
operations contributing to development of a new system.
Coarse qualitative attributes of risk (high, medium, and low) can be used as determinants for
deriving dominant risk handling methods during each activity [Vaughan, 1999]. Avoidance and
reduction activities are appropriate to mitigate potential performance and financial costs for risks
characterized by high probabilities and high consequence. Assumption (or retention) and reduction is
appropriate for high probability and low consequence risks since the cost of transferring the risk via
insurance would be high. Transfer via an insurance policy is appropriate for low probability, high
consequence risks. It is not surprising that risk transfer is not a dominant handling method for
activities that occur prior to DoD or commercial production phases. Prior to these phases,
development activities typically address reduction of performance risk. Transfer via insurance
becomes increasingly relevant for a system as it approaches final deployment. It is reasonable that the
primary activity that may induce risk transfer occurs during the technical risk assessment activity.
Executed properly, management and decision-makers participate in this activity during all phases of
the system acquisition and assess risks as deployment and user support approaches.
A risk analyst may also focus on product oriented risk events by examination of the work
breakdown structure (WBS) elements associated with the development system [DoD, 2000]. The
nature of this examination places this effort on the system builder, and to some extent the architect,
rather than the client. Application of lessons learned and industry “best practices” is appropriate for
this analysis. One can then assess cost and schedule effects directly based on the design concept with
various program management tools such as Estimate at Completion (EAC) Monte Carlo cost
simulations and Critical Path Method (CPM) [Grey, 1992], [Croll, 1995].
3.4 Current Trends in Risk Management
The Aerospace Corporation has co-hosted with the Air Force Space and Missile Systems
Center (AF SMC) several symposia on specific work in risk management; papers presented at these
symposia describe current applications and research in risk management applicable to a variety of
large-scale systems, including development of space systems. Current trends represented by these
papers are significant in that they summarize the most recent applications of risk management from an
engineering and program management perspective. Key aspects of these papers and other related
papers are summarized here.
Topics in risk management literature tend to fall into five main categories:
General Philosophy on Risk Management
Risk Management Heuristics
Lessons Learned Case Studies
Risk Management Processes
Ordinal Methodologies
Clearly, these categories are not mutually distinct. However, they provide a guide to summarizing
salient aspects common among risk management trends rather than merely reviewing each paper
individually.
3.4.1 General Philosophy on Risk Management
In the context of program success, risk management plays a large role in supporting
deployment of a system, and subsequent delivery to a client, while satisficing a desired level of quality
assurance within cost and schedule constraints. In this context quality assurance refers to attaining and
maintaining desired performance in an operational environment. A common thread that appears is
that successful implementation of any risk management plan requires “buy-in” from senior
management, both for the client and the builder [Conrow, 2000; Cvetko, 2000; Neitzel, 2000; Spear,
2000; Dewan, 2000]. This includes strategic prioritization regarding the importance of risk
management and routinely asking about the progress of risk management activities to reinforce
corporate commitment to this discipline [Neitzel, 2000]. This allows corporate leadership to overcome
potential resistance to identifying and tracking risks. Continued commitment reinforces that
application of this discipline is not just a passing management fad. Reinforcement of the importance
of risk management also facilitates its implementation among lower levels in the organization
[Neitzel, 2000; Conrow, 2000]. The process of management involvement draws a strong analogy to
Deming’s management obligation for constancy of purpose for maintaining quality [Latzko, 1995].
Thus, risk management when introduced in an organization should become an integral part of
program management, and such management interest may be considered sponsorship of a risk
management culture. This approach also accommodates a view of applying risk management in a
holistic framework similar to systems analysis [Haimes, 2001], [Hitt, 1998].
As the risk management culture, or mindset, pervades the organization informal teaching and
learning about risk management relevant to the program would occur among the technical personnel
[Neitzel, 2000]. The culture also promotes an environment for project members to think proactively
about potential system problems rather than reactively upon discovery [Parolek, 2000]. After this
mindset is achieved, development of processes and tools, and ultimately consistent practice of risk
management within the organization, can follow [Cvetko, 2000]. A model that describes a potential corporate
culture regarding risk management is shown in the following figure. In this hierarchy, the ability to
effectively implement any particular level depends on the successful implementation of the level
immediately beneath it [Cvetko, 2000].
Figure 4. Risk Management Needs Hierarchy
[Figure not reproduced; its levels are labeled Risk Management Culture, Effective Risk Process, Risk Tool, and Consistent Practice.]
McClain characterizes effective and successful risk management processes [McClain, 2000].
Effective risk management processes begin by identifying and understanding all risks and then
developing tracking and mitigation plans to reduce high risk. Successful processes also identify low
risk items that could become high risk if actions are not taken and develop appropriate mitigation
plans. Further, to be successful risk management activities should be applied to all phases of the
development cycle [Neitzel, 2000].
3.4.2 Risk Management Heuristics
The risk management literature is replete with heuristics that provide qualitative prescriptive
declarations derived from risk management experience [Rechtin, 1991], [Neitzel, 2000], [Dewan,
2000], [Cvetko, 2000], [Ransom, 2000]. They are worth mentioning separately from “lessons
learned” topics since each can concisely prescribe a course of action for program management rather
than illustrate a particular program’s success or failure. A modest—but not exhaustive—list is
included in an Appendix.
Risk management heuristics tend to emphasize needs for senior-level management consent,
breadth in scope surrounding a project’s internal events and external drivers, facilitating the report of
bad news up through management levels, and continuous attention and goals toward improvement.
Many heuristics also note long-term benefits that would follow the up-front costs. This is noteworthy
since management in some organizations may need to be convinced to spend resources not directly
related to design or production activities. Also significant are heuristics referring to ownership of
risks. This also is noteworthy in improving accountability of personnel to monitor, track, and handle
risks effectively.
3.4.3 Lessons Learned Case Studies
Case studies provide detailed descriptions of successes or failures related to risk management
in developing, deploying, or operating a system. A significant fraction of the risk management
literature consists of these examples. They contribute to the study of risk management by
documenting relevant experiences. A number of these papers are applicable for program managers
and risk analysts, particularly if they work in a similar reference field described in the case study.
Unfortunate failures that occurred on some programs may be avoided in future programs. However,
the specific processes or implementation methods mentioned in these papers cannot necessarily be
generalized and applied to other programs.
Case studies that discussed programs in development often cover aspects related to
requirements creep and the need for continuous monitoring of identified risks specific to the program
[Gleiter, 2000]. Some papers report on the specific application of risk management processes to a
particular development [Conrow, 2000; Neitzel, 2000]. Other papers describe a process for insertion
of technology into an existing system in a method that purports to minimize cost and technical risks
[Blohm, 1993].
A number of case studies also detail resolutions of identified failure modes that may affect
decisions for deployment or subsequent operation. Relevant systems for this document include
satellite bus operation that may affect payload performance [Ransom, 2000] or launch vehicle and
upper stage vehicle performance [Sketoe, 2000].
Specific case studies on programmatic risks describe aspects of how organizational
philosophies and personnel structures for the client and builder affect risk management approaches
and potential resolution of risks. For example the management organizations for the U.S. Government
and contractor helped determine the oversight method used to monitor risks [Stevens, 2000]. (In this
particular program the need to retain review and approval authority over technical specifications down
to subcontractor and lower tier vendors was identified.) Another example is the review of the intent
versus the realization of NASA’s “Faster, Better, Cheaper” philosophy on the success of scientific
space missions [Spear, 2000].
3.4.4 Risk Management Processes
The fundamental elements of risk management processes incorporate aspects similar to a
quality control paradigm: identifying potential problems, assessing them, planning for methods to
handle them, and tracking and control of the risk handling activities [Cvetko, 2000; Dewan, 2000;
Parolek, 2000]. These elements are reminiscent of the Shewhart Cycle for learning and promoting
innovation in an organization [Latzko, 1995]. Frequent communication of risks to the project team
members and corresponding documentation accompanies execution of the aforementioned elements.
Continuous application of all these elements should occur throughout a development cycle.
Risk management processes are often derived from information in the Defense Systems
Management College (DSMC) Risk Management Guide [DoD, 2000]. A generic process based on
this material is illustrated in the following figure [Conrow, 2000; Guarro, 2000]. Solid lines in the
figure indicate the process for ideal planning and identification of risks. The dashed lines indicate the
common reality that project teams may reveal additional risks in the course of a program.
Figure 5. Generic Risk Management Process
[Figure not reproduced; its boxes are labeled Risk Planning, Risk Assessment (Risk Identification and Risk Analysis), Risk Handling, and Risk Monitoring, with Feedback and Risk Documentation.]
Risk planning involves developing and documenting the strategy for identifying and
evaluating risk issues, risk handling plans, monitoring how risks may change, and the overall risk
management process tailored to the current program. This step elicits risk screening and acceptance
criteria from program managers and decision-makers. This establishes a threshold for which risk
events should warrant further analysis and monitoring, the subsequent level to which a risk should be
handled (e.g., mitigated) to be considered acceptable for program continuation, and the risk reduction
versus cost criteria for selection of risk handling methods.
Risk assessment consists of risk identification and risk analysis. Risk identification involves
examination of specific program areas and each critical technical process and technology associated
with the program development or operation. The program areas to review may include the following
items [Roberts, 2000]:
Program plans
Design and production processes
Design and production procedures
Technical requirements
Integrated Master Plan
Integrated Master Schedule
Cost estimates
Identification also implements screening criteria to determine whether tracking and analysis of risks is
to be carried forward. For example, risk events that are associated with minor consequences relative
to system performance, cost, and schedule are likely to be screened out of the process. Risk Analysis
involves further examination of remaining risk events to refine the description of the risk and to
estimate the cause, likelihood, and consequences of its occurrence.
Risk handling then involves the identification, evaluation, selection, and implementation of
strategies to reduce risks to a level acceptable for the program objectives and within the program
resources. This step in the process implements the risk reduction versus cost criteria for identifying
and evaluating alternative risk handling methods. For example, cost-based decisions to initiate risk
mitigation testing, alternative technology development, or purchase of insurance would occur at this
step. Implementation follows through with the decision.
Risk Monitoring includes systematic tracking and evaluation of the selected risk handling
options. This step leads to periodic reassessment of identified risk events and potentially
identification of additional possible risk events.
Documentation occurs throughout the process; this serves as a means to communicate current
aspects of the process to other members of the project team, to track past progress on risk management
over the program life cycle, and to record causes for successes or failures within the program that may
be applicable for other future programs.
One possible process that expands on the generic description for risk assessment and
handling is shown in the next figure [Roberts, 2000]. In this example the risk analysis consists of
classifications according to ordinal scales of probability and consequence. Much of this classification
is based on examination of how proposed technology has been successfully used on past programs and
how one can apply it successfully on the current program. The classification also may be based in part
on the quality of the management processes as documented and as executed in the organization. After
classification, one implements a triage step which highlights notably high risks that warrant the
expense and effort of further quantification; risk handling strategies for the “lower risk” elements are
devised with no further quantification. Cardinal probabilities and consequences are developed for the
“higher risk” elements before risk handling strategies are devised.
Figure 6. Possible Expansion of Risk Assessment Using Ordinal and Cardinal Methods
[Figure not reproduced; its steps are labeled Risk Identification, Risk Classification, Triage, Risk Quantification, Risk Handling, and Risk Tracking & Communication, with risks rated L, M, or H.]
Several authors have developed modifications to the generic process based on risk
assessment and handling techniques from the DoD Risk Management Guide [DoD, 2000]. The
following figure indicates one such process model with potential applicability among a number of
projects [Billman, 2000; Sadowski, 2000]. This process model highlights trade analyses for selection
of risk handling strategies and indicates the need to satisfy a management criterion before risk elements are
retired from tracking.
Figure 7. More Detailed Risk Management Process with General Project Applicability
[Figure not reproduced; its phases are labeled Plan, Assess, Handle, and Monitor, with steps Risk Planning, Identify Risks, Analyze Risks, Prioritize Risk, Update Risk List, Confirm Ownership, Perform Trades, Develop Handling Plans, Approval?, Integrate Handling Tasks in Program Plan, Implement Plan, Track Plan, Report Progress, Monitor Risk Item, Risk Handled?, Update Risk List, and Retire Risk; decision branches are labeled H or M, L, Yes, and No.]
The literature clearly indicates that risk management processes should be tailored to the
specific program and for the organizations that would execute the program. While presentation of
specific risk management processes may provide valuable case-study insight into the success or failure
of aspects of a certain program, a complete enumeration of these processes available in the literature is
not to be presented here.
3.4.5 Ordinal Methodologies
Some authors present a method of rank ordering risk elements based on the product of the
ordinal likelihood and consequence scales [Billman, 2000; McClain, 2000]. For example, consider an
ordinal scale of likelihood ranging from 1 to 10, where 10 corresponds to a probability close to unity,
and a consequence scale of 1 to 5, where 1 corresponds to minor effect and 5 corresponds to
catastrophic failure. Then, if one assesses a risk element with a likelihood of 4 and a consequence of
3, one could calculate a risk score of 12. Risk scores for other risk elements would be calculated
similarly. This method provides a simple means of rank ordering a large number of risks; however,
calculated risk scores do not capture cardinal differences in probability and consequence and should
not be associated with expected values.
3.5 Risk Analysis and Decision Structures
Quantitative risk analysis requires an estimation of the probabilities of events, which
unfortunately either have not been measured or cannot be measured. Classical approaches to statistics
would not directly state an actual probability of uncertain events. Rather, a classical statistician may
state a confidence interval derived from sampled statistics (e.g., 0.05 – 0.2) for which there is a certain
probability that the interval contains the actual probability of an event (e.g., launch failure). This
description would be of limited use to a typical decision maker. Further, an a posteriori derivation of
relative-frequency probabilities by performing experiments of multiple alternative technology
developments or testing of launch vehicles by launching a sample population and recording of results
would be economically prohibitive (and career limiting). However, subjective assessments of events
based on a Bayesian statistical approach avoid this quandary.
A Bayesian point of view allows for introduction of intuitive judgements of probabilities or
of a probability density function into a decision problem. This accommodates quantitative
descriptions of problems that can lead to prescriptive solutions. This perspective is grounded in large
part by a “Likelihood Principle” [Raiffa, 1968], which asserts that “information about an experiment
over and above [observed past outcomes] is irrelevant for inferences or decisions about the population
parameter.” This allows someone with a Bayesian point of view to observe events regarding a
parameter and to propose a probability distribution, describing degrees of belief about an unknown
state for that parameter, without needing to supply conditional probability assessments such as
confidence intervals and significance levels. Indeed, if large sample sizes are not available, reasonable
confidence intervals could not be derived anyway. The application of a Bayesian perspective to risk
analysis allows an analyst to apply probability distributions about a project event for which there may
be limited statistical data. This is particularly important for projects with new technology or
architectures in which degrees of belief on a parameter may even be determined by analogy with
previous developments. In this way quantitative risk assessments rely on extensive use of expert
judgment in evaluating probabilities [Apostolakis, 2004]. For this research a Bayesian perspective
enables the risk analyst to apply expert experience against potential outcomes such as launch vehicle
success or initiating a risk mitigation engineering development.
An application is the decision flow diagram, or decision tree. Decision trees for decision
analysis have been described in a number of well-known texts including [Raiffa and Schlaifer, 1961],
[Raiffa, 1968], [Baird, 1989], [Haimes, 1998]. A decision diagram like the example in Figure 8
captures a sequence of alternative decisions ($A_i$), costs associated with each decision ($C(A_i)$),
probabilities associated with each state of nature ($p(S_j)$), and consequences of each alternative realized
by the states of nature ($a_{ij}$). A properly constructed decision diagram for a problem facing a decision-maker
depicts a realistic chronological sequence of alternating decision forks and chance forks. This
sequence represents the temporal aspects of multiple related decisions in a problem. The reasoning
behind the construction of each level in the diagram is analogous to an “IF-THEN-ELSE” structure;
i.e., if alternative $A_1$ is selected and event $S_2$ occurs, then a subsequent set of alternatives can be
considered, or else if alternative $A_i$ is selected and event $S_j$ occurs, then a different subsequent set of
alternatives can be considered. Hence, event probabilities associated with each branch on a chance fork are
conditional probabilities based on previous decisions and potential states of nature. Each branch on
the chance fork also has an associated consequence, which may be a cost value or some other system
attribute as long as a consistent measure is used throughout the diagram. One may note that the
chance forks in the following figure represent discrete random variables; however, in many system
analysis problems, the possible consequences may be more realistically represented by continuous
random variables. For such cases, an event fan representing the range for realizations of the
continuous random variables can be incorporated in lieu of a chance fork. Decision branches, if
necessary, may be based upon particular ranges or bounds on the realization of the random variable.
Figure 8. Example Decision Diagrams with One Attribute
[Figure not reproduced; its panels are titled Single-level Decision and Extension to Multilevel Decision. Decision forks carry alternatives $A_1, A_2, \ldots, A_N$ with costs $C(A_1), \ldots, C(A_N)$; chance forks carry probabilities $p(S_1), \ldots, p(S_J)$ and consequences $a_{11}, \ldots, a_{NJ}$; the multilevel panel labels its chance branches with conditional probabilities given the preceding alternatives and states.]
With this diagram an analyst can determine a preferred decision based on the expected value
of the particular attribute. This value can be maximized or minimized depending on the measure and
system application. A recommended path through the diagram is found by a procedure of “averaging
out and folding back”. Averaging out determines the conditional expected value at the node of a
chance fork. In practice this expected value is often indicated at the node of the chance fork, or
chance node. Folding back then determines the best alternative path at the decision fork based on the
conditional expected values of the corresponding chance nodes. This procedure begins with the final
consequences and works node-by-node chronologically backward through the diagram. At the
conclusion a desired sequence of choices is indicated.
For more complex problems, typical of system analysis and development, an analyst may
construct decision diagrams with multiple attributes associated with each state of nature. This is
desirable if a single attribute cannot reasonably or consistently be used as a surrogate measure of
other system attributes. For example, radiated power may not easily be used as a surrogate for satellite
lifetime. The multi-attribute decision diagram is constructed in a similar manner as the single attribute
diagram; however, the multiple consequences associated with potential consequences of a decision are
depicted as an n-dimensional vector at each branch of a chance fork. The dimension of the vector
corresponds to the number of attributes tracked in the diagram where each attribute is represented by a
random variable. Application of the averaging out and folding back procedure then can identify
desirable decisions—as long as all attributes of a particular alternative are preferred over the attributes
calculated for all the other alternatives.
However, the random variables are not identically distributed in general. Thus, if an analyst
applies the averaging out and folding back procedure, the decision desirable for one attribute may
differ from the decision desirable for another attribute. At best the analyst can identify the
minimum set of non-inferior alternatives at a decision node. This set identifies a Pareto optimum set
for that decision node. The vectors for each non-inferior alternative then must be carried back to the
origin of the decision diagram to identify a set of Pareto optimum alternatives. One should caution
that the number of vectors carried to the origin may grow large. For example, if $d_i$ decision alternatives
are available at the ith level of an m-level decision diagram, the number of alternatives in the Pareto
optimum set could be as high as $\prod_{i=1}^{m} d_i$.
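The averaging out and folding back procedure, generalized to attribute vectors so that each decision node carries its set of non-inferior alternatives back toward the origin, can be written as follows. This is an added example, not code from the dissertation; the tree constructors, the decision names D1 and D2, and all probabilities, costs and payoffs are constructed for illustration, and every attribute is assumed to be preferred when larger.

```python
"""Averaging out and folding back on a decision diagram whose consequences
are attribute vectors (assumption: larger is preferred for every attribute)."""
from itertools import product


def leaf(*payoff):
    return ("leaf", tuple(float(v) for v in payoff))


def chance(*branches):
    """branches: (conditional probability of the state, subtree) pairs."""
    if abs(sum(p for p, _ in branches) - 1.0) > 1e-9:
        raise ValueError("chance-fork probabilities must sum to 1")
    return ("chance", branches)


def decision(name, alternatives):
    """alternatives: {label: (cost vector, subtree)}; names must be unique."""
    return ("decision", name, alternatives)


def dominates(a, b):
    """True if a is at least as good as b everywhere and differs somewhere."""
    return all(x >= y for x, y in zip(a, b)) and a != b


def non_inferior(candidates):
    """Keep (vector, plan) pairs whose vector no other candidate dominates."""
    kept = []
    for vec, plan in candidates:
        if any(dominates(other, vec) for other, _ in candidates):
            continue
        if all(vec != k for k, _ in kept):  # drop exact ties
            kept.append((vec, plan))
    return kept


def fold_back(node):
    """Return the non-inferior (expected vector, plan) pairs at this node."""
    if node[0] == "leaf":
        return [(node[1], {})]
    if node[0] == "chance":
        branches = node[1]
        child_sets = [fold_back(sub) for _, sub in branches]
        out = []
        # Averaging out: one expected vector per combination of the
        # non-inferior plans still available down each branch.
        for combo in product(*child_sets):
            dim = len(combo[0][0])
            vec = tuple(sum(p * c[0][k] for (p, _), c in zip(branches, combo))
                        for k in range(dim))
            plan = {}
            for _, sub_plan in combo:
                plan.update(sub_plan)
            out.append((vec, plan))
        return non_inferior(out)
    # Folding back: subtract the cost of each alternative, then prune.
    _, name, alternatives = node
    out = []
    for label, (cost, sub) in alternatives.items():
        for vec, plan in fold_back(sub):
            net = tuple(v - c for v, c in zip(vec, cost))
            out.append((net, {name: label, **plan}))
    return non_inferior(out)


def select(node, k):
    """Project the diagram onto attribute k (the single-attribute case)."""
    if node[0] == "leaf":
        return leaf(node[1][k])
    if node[0] == "chance":
        return chance(*[(p, select(sub, k)) for p, sub in node[1]])
    return decision(node[1], {a: ((c[k],), select(sub, k))
                              for a, (c, sub) in node[2].items()})


def example_tree():
    """Constructed numbers: attributes are (value in $M, lifetime in years)."""
    after_failure = decision("D2", {
        "redesign": ((8, 0), chance((0.5, leaf(80, 10)), (0.5, leaf(40, 6)))),
        "fly_as_is": ((0, 0), chance((0.5, leaf(80, 4)), (0.5, leaf(40, 4)))),
    })
    return decision("D1", {
        "test": ((4, 0), chance((0.75, leaf(80, 10)), (0.25, after_failure))),
        "skip": ((0, 0), chance((0.5, leaf(100, 8)), (0.5, leaf(40, 8)))),
    })


if __name__ == "__main__":
    tree = example_tree()
    print("value only   :", fold_back(select(tree, 0)))
    print("lifetime only:", fold_back(select(tree, 1)))
    for vec, plan in fold_back(tree):
        print("non-inferior :", vec, plan)
```

Projected onto value alone the procedure selects test followed by fly_as_is, while projected onto lifetime it selects test followed by redesign. With both attributes carried together, those two plans are both non-inferior and the skip alternative is pruned.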
A number of authors have developed methods to handle data contained in large decision
diagrams. For example, Delmotte and Borne [1998] present a rule for fusing data that may contain
contradictory elements. The rules incorporate parameters that account for the quality and reliability of
the data sources. Mathematical detail and computational examples describe the new fusion technique
and compare it with other existing techniques. While the techniques may allow one to draw
conclusions on measured or estimated data, the direct applicability to managing risk in a developing
program appears to be limited.
Kirkwood [1998] then presents a memory efficient and computationally efficient method of
calculating probability distributions for nodes in a decision tree. It builds upon earlier work in solving
large sequential decision problems. This method represents interior nodes of a decision tree as a
vector that corresponds to the path from the root node. Values for expected utility (tied to some
desired measure such as dollars) are associated with each node. Probability values (and also expected
utility values) then are calculated with the recursive algorithm provided in an appendix. This method
is primarily applicable for large sequential decision models that may consist of tens of thousands of
nodes.
Additionally two authors [Wang and Archer, 1998] develop a fuzzy-set model for decision
making problems. Uncertainty is modeled in both the information vector and the conclusion, or
decision, made by the decision maker. The paper combines classical decision-making theory
developed by Raiffa and Luce with fuzzy set theory to present uncertainty in a form that accounts for
the subjectivity of human decisions. The authors also justify this model in part by a claim that Bayes
probability functions for describing subjective judgments may lead to erroneous results. A neural
network model is developed, and an example of this model is applied against a graduate admissions
decision for a group of students.
An example methodology based on engineering economic analysis to aid in the decision
making regarding acceptance or rejection of advanced manufacturing system technology (AMST) is
provided by Demmel and Askin [1996]. The methodology can be viewed as an augmentation of
discounted cash flow measures in that investment risk and qualitative aspects of a technology
investment also are considered. First, the authors summarize a deterministic multiobjective model.
This model is modified to account for risk. The risk in the model is incorporated in the cash flows, the
qualitative flows, the project length, and the monetary and non-monetary interest rates. Interest rates
are represented by a random variable that varies from time period to time period. Furthermore, the
length of the technology project in years also is represented as a discrete random variable. This can
allow one to derive expressions for the mean and variance of the monetary index. Simulation with
random cash flows and qualitative flows then allows for characterization of the distribution for the
monetary and non-monetary flows. The authors then present a case study that illustrates the
application of the stochastic model for selection of a quality control information system.
Utility theory allows the analyst to account for risk attitude and values of a decision-maker
for particular realizations of a decision attribute [von Neumann, 1944], [Keeney and Raiffa, 1976],
[Keeney, 1994], [Keeney, 1996]. Its axiomatic formulation is derived explicitly by von Neumann
[1944]. A utility function is a real-valued function—often expressed with a range over the interval
[0,1]—with its domain over the potential realization of the decision attributes. Values of the utility
function describe the relative preference of a particular consequence relative to a lottery of potential
realizations of the decision attribute. Use of a utility function is applicable for decisions with
consequences as the realizations of random variables but where the expected value of the consequence
may not represent the attitudes toward risk exhibited by the decision-maker. To illustrate this concept,
examine the following figure for the unidimensional decision problem. In this figure, a high value for
attribute x is preferable over lower values. The straight line represents a risk-neutral decision-maker,
one that is willing to accept the expected value of realizations of x. However, suppose this person (if
given a hypothetical choice) would exhibit a preference for receiving some value for x with 100%
certainty (i.e., $\hat{x}$) rather than risk the potential realization of a lower value and despite the possible
realization of a higher value. The value $\hat{x}$ would represent the certainty equivalent for the decision
over x. For monotonically increasing utility functions a decision maker would exhibit risk-averse
behavior if $\hat{x}$ is less than the expected value of x. That is, the decision maker would prefer the
guarantee of $\hat{x}$ to the gamble among possible outcomes of x even though the expected value of the
outcome is higher. More explicitly the certainty equivalent for a utility function u(x) is defined as
follows [Keeney, 1976].
$$u(\hat{x}) = E[u(x)] \quad \text{or} \quad \hat{x} = u^{-1}\left(E[u(x)]\right)$$
One measure of the degree of risk aversion is the risk premium, RP(x) indicated below, which is
positive for utility functions depicting risk averse behavior.
$$RP(x) = E[x] - \hat{x}$$
This premium should not be confused with the insurance premium IP(x). If x were to represent
realizations for monetary values, the insurance premium would represent the cost one may spend to
rid oneself of the financial gamble represented by x. As expected, this is the cost of the certainty
equivalent:
$$IP(x) = -\hat{x}$$
However, the degree of risk aversion may vary according to the potential outcome of x. Thus, the
local risk aversion at some value of x is defined for increasing utility functions as
$$r(x) = -\frac{u''(x)}{u'(x)}.$$
Thus, if r(x) increases with x, the decision-maker becomes increasingly risk-averse for increasing
values of x. Alternatively, the degree of risk aversion may remain unchanged (i.e., r(x) = constant) or
may decrease with x (r(x) decreasing with x).
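Figure 9. Example of Risk Neutral, Risk Averse, and Risk Prone Utility Functions
[Figure not reproduced; it plots Utility against Attribute, x, with curves $U_{rn}(x)$ (Risk Neutral), $U_{ra}(x)$ (Risk Averse), and $U_{rp}(x)$ (Risk Prone), and marks $x_0$, $x^*$, $E[x]$, $\hat{x}$, $U(x_0)$, $U(x^*)$, $U_{ra}(E[x])$, $E(U_{ra}[x])$, and the Risk Premium.]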
Risk prone behavior can be characterized in a similar manner as with the risk-averse behavior
except that the characteristics are reversed. For example, the risk premium and local risk aversion at
some x for risk prone behavior would be negative, and the insurance premium as defined above would
no longer apply sensibly.
It is reasonable to anticipate that large organizations would be able to accept larger risks in a
program in comparison to those accepted by smaller organizations and therefore would be
comparatively less risk averse. That is, the large organization’s risk premium may be lower. Effective
risk management also may allow certain decision makers to become less risk averse since some
mitigation strategies would have been implemented. Regardless of organization size, it has been
argued that the value of risk management on a project can be determined by the decrease in risk
premium it provides [de Klerk, 2001].
Utility functions also can account for multiple attributes to a system problem. This analysis
can become much more complex since utility independence, not just probabilistic independence,
among the attributes may need to be considered. An attribute is said to be utility independent of
another attribute when conditional preferences for the first attribute do not depend on a particular value
for the other attribute [Keeney, 1976]. It is important to realize that attributes may be utility
independent in a decision and not necessarily probabilistically independent. Determining utility
independence is significant in that it may simplify the calculations of an analysis. For example, for a
two-attribute analysis if $x_1$ is utility independent of $x_2$, then we know from the definition
that utility preference over attribute $x_1$ for any particular value of $x_2$ is a linear combination of the
utility over $x_1$ for a different value of $x_2$. Following this reasoning for $x_1$ utility independent of $x_2$, one
can show that a two-dimensional utility function $u(x_1, x_2)$ can be completely described by three
unidimensional utility functions: $u(x_1, x_{2a})$, $u(x_{1b}, x_2)$, and $u(x_{1c}, x_2)$ where $x_{2a}$, $x_{1b}$, and $x_{1c}$ are specific
values for an attribute. Further simplifications result if the attributes are mutually utility independent
or are additive independent.
A difficulty remains in identifying decision-maker utility functions. An exponential function
may provide a reasonable model for risk-averse decision makers. An exponential function has the
potentially desirable property of maintaining constant local risk aversion, but other relations such as
polynomial functions may be used as well. Alternatively, Benedikt [1993] describes a method of
deriving a utility function based on the information obtained from a few repeated trials. While this
latter approach may be useful for repeatable events (e.g., launch vehicle success), it does not appear to
be useful when applied to development of new systems, or system architectures, that have not been
previously deployed.
One may also wish to account for time dependencies for utilities; or more specifically, one
can describe how utility associated with the timing of an attribute (e.g., data received or performance
achieved) may reflect that it is worth more now than later. Several authors [Pate-Cornell, 1998b],
[Maier, 2004], [Keeney, 1976] have modeled time criticality in terms of a discount rate, r, which may
be applied like a financial discount rate over multiple time intervals. Thus, if we consider a utility
function as originally expressed for present time, $u(x)|_{t=0}$, its time dependence over n time periods may
be described as:
$$u(x, n) = u(x, 0) + \frac{u(x, 1)}{1 + r} + \frac{u(x, 2)}{(1 + r)^2} + \cdots + \frac{u(x, n)}{(1 + r)^n}$$
Applications for examining utilities over a time stream can involve assessing multiple projects with
associated costs and impacts over time or even assessing how a utility function for a single project
attribute may change over time. For this research, it may be reasonable to model how perceived utility
may decrease over time for a client.
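The following Python sketch is an added example, not code from the dissertation or the cited authors; it works through the exponential utility model, the risk premium comparison between small and large organizations, the risk-premium measure of risk management value attributed to de Klerk, and the discounted utility sum above. The utility form u(x) = 1 - exp(-x/rho), the risk tolerance values, and the lotteries over net reserves are constructed assumptions.

```python
import math


def exp_utility(x, rho):
    """Exponential utility u(x) = 1 - exp(-x / rho); rho is an assumed risk tolerance."""
    return 1.0 - math.exp(-x / rho)


def local_risk_aversion(rho, x, h=1e-2):
    """Estimate r(x) = -u''(x) / u'(x) with central finite differences."""
    u = lambda v: exp_utility(v, rho)
    d1 = (u(x + h) - u(x - h)) / (2.0 * h)
    d2 = (u(x + h) - 2.0 * u(x) + u(x - h)) / (h * h)
    return -d2 / d1


def expected_value(lottery):
    """Lottery is a list of (probability, outcome) pairs."""
    return sum(p * x for p, x in lottery)


def certainty_equivalent(lottery, rho):
    """Sure amount x_hat with u(x_hat) = E[u(x)]; closed form for exponential utility."""
    expected_u = sum(p * exp_utility(x, rho) for p, x in lottery)
    return -rho * math.log(1.0 - expected_u)


def risk_premium(lottery, rho):
    """E[x] minus the certainty equivalent; positive for a risk-averse decision maker."""
    return expected_value(lottery) - certainty_equivalent(lottery, rho)


def value_of_risk_management(before, after, rho):
    """Decrease in risk premium produced by a mitigation that reshapes the lottery."""
    return risk_premium(before, rho) - risk_premium(after, rho)


def discounted_utility(per_period_utilities, r):
    """u(x,0) + u(x,1)/(1+r) + ... + u(x,n)/(1+r)^n for a list [u(x,0), ..., u(x,n)]."""
    return sum(u_k / (1.0 + r) ** k for k, u_k in enumerate(per_period_utilities))


# Constructed sample data: net reserves in $M at project completion.
UNMITIGATED = [(0.5, 0.0), (0.5, 100.0)]   # lose all reserves or keep 100
MITIGATED = [(0.5, 30.0), (0.5, 70.0)]     # same mean, narrower spread
SMALL_ORG_RHO = 50.0                       # assumed risk tolerance, small organization
LARGE_ORG_RHO = 500.0                      # assumed risk tolerance, large organization

if __name__ == "__main__":
    for x in (10.0, 90.0):
        print("r(%.0f) = %.6f" % (x, local_risk_aversion(SMALL_ORG_RHO, x)))
    print("risk premium, small org: %.2f" % risk_premium(UNMITIGATED, SMALL_ORG_RHO))
    print("risk premium, large org: %.2f" % risk_premium(UNMITIGATED, LARGE_ORG_RHO))
    print("value of mitigation:     %.2f"
          % value_of_risk_management(UNMITIGATED, MITIGATED, SMALL_ORG_RHO))
    print("discounted utility:      %.4f" % discounted_utility([1.0, 1.0, 1.0], 0.10))
```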
3.6 Quantitative Risk Research
Some encouraging research on estimating satellite development and production schedules
was performed by the Institute for Defense Analyses (Harmon, 1993). The goal of this research was to
allow assessment of the reasonableness of proposed acquisition schedules for space-based elements of
the proposed Strategic Defense System (SDS). In this work basic satellite types (e.g., navigation,
communications, or sensor) and historical top-level characteristics such as BOL power were used to
derive time-estimating relationships (TERs). This work is significant in that it indicates that predictive
acquisition schedule relationships can be derived.
However, this research has several shortfalls that this proposal aims to correct. First, the
assessment model only accounts for schedule characteristics and does not account for correlated
relationships with system cost. This research also only assessed whether a proposed schedule would
fall within or exceed a predicted time; distributions on exceedance with respect to predicted time to
first satellite delivery were not derived. Further, the models in this research were derived based on
technical parameters, such as satellite type and BOL power, which may not remain valid estimating
parameters over time since technology improvements may alter the feasibility of certain performance
goals. It seems appropriate that a revised risk model would, among other things, normalize against
specific performance levels by addressing them according to their level of technical maturity.
Aspects of organizational investment strategies in risk management are described in a number
of articles. A particularly nice treatment that addresses budget reserves to allocate on a project in
order to minimize technical and programmatic failure on space systems is provided in a sequence of
papers from Pate-Cornell and Dillon [1998a], [1998b], [2001], [2003], [2005]. Several aspects
relevant to this research are summarized here. The authors begin with potential functional
configurations for a system (or subsystems) and their lowest cost design configurations. The residual
budget for this system is then the difference between the budgeted amount and the minimum-cost
design for configuration k, $X_k$. The authors’ model then prescribes a sequence of optimization steps to
allocate technical and programmatic budget reserves within the residual budget. Allocation of
technical reinforcement budget first requires calculation of technical failures, which are defined as
involving the possibility that a product does not work according to specifications (partial technical
failure) or potentially not work at all (total technical failure). This requires knowledge of the
following types [Dillon, 2003]:
1. A functional block diagram and fault trees for each design configuration,
2. Probabilities of component, or subsystem, failures for the minimal-cost design for
each configuration,
3. Functional relationships between the probabilities of failures and the investment in
reinforcement for each component,
4. The relative costs of total and partial technical failure states.
Armed with this knowledge of subsystem and components, one can calculate probabilities for
technical failures for entire potential configurations using a probabilistic risk assessment calculation
with decision trees as described in Section 3.5. Investment dollar amounts that constitute the technical
reinforcement budget are incorporated into the model by adjusting the probability of failure for a
subsystem or component as a function of the investment amount. The authors model this as an
exponential function of the investment amount and a scaling constant determined by heuristic
judgment of system experts. The sum of all investments for configuration k would then equal the
technical reserves for that configuration, which would be some fraction of the residual budget. Costs
for the realization of a technical failure are also calculated with the help of system experts.
The programmatic management reserve that remains for each configuration is then allocable
to address management risks, which are defined as involving the chances that the project as scoped
cannot be completed within budget or schedule. A management failure indicates a significant cost or
schedule overrun that leads to project cancellation; a partial management failure indicates a small
overrun or descope of functions that still leads to project completion. Minimum costs for
programmatic management reserves can be calculated via a relation similar to that for technical failures,
again with the help of domain experts.
The authors then use the previous two optimizations to identify the optimal allocation of
technical and management reserves, allowing for specification of tolerable thresholds for technical or
management failure. If the thresholds for failure cannot be satisfied, then shadow costs for budget and
schedule constraints may be addressed. We define shadow cost here as the increase in an objective
function that may be achieved by the relaxing of a particular constraint by one unit. These costs can
allow a decision maker to determine potential adjustments to project scope early in a project life cycle.
An application of this approach to assess project alternatives for a search for life on Mars is also
presented by the authors [Pate-Cornell, 2001].
Additional risk modeling efforts focus more on alternative technologies to integrate within a
system, thereby requiring a system developer to apply an optimal budget allocation that would trade
risk of probability of development success (or development speed) against probability of operational
success (e.g., lack of failure or maintained safety) [Sachon, 2004]. Operational success is modeled
over a specified time period such as first year of operation. In this modeling approach, technology
alternatives are considered for each functional capability in a system design. Results of this research
indicate that under conditions when a decision maker is concerned with achieving success as early as
possible, funding just one technology project (i.e., technology development) per functional capability
would dominate other development strategies. Similarly, when a decision maker is concerned with
yielding the highest probability of operational success, funding just one project appears preferable;
this unexpected finding may result from how the marginal reduction in probability of operational
failure is modeled for simultaneous funding of alternative technologies. A mixed strategy of funding
alternative technologies results when the two strategies are balanced. Another finding from this study
is that preference for preserving operational success or development success varies with the time
horizon under consideration. As the time horizon increases, the funding allocation increasingly
resembles a strategy that emphasizes probability of operational success. This result seems consistent
with intuition.
Further research expands on the concern for maintaining high probability of operational
success—particularly for systems that involve human safety—and applies a state transition, or
Markov, modeling of system failures. Fundamental elements to consider for operating a safety-critical
system are listed as follows [Baron, 1999].
- System design
- Operations and maintenance policies
- Management of abnormal events
- Personnel management
- Safety responsibility
- Management of resource constraints
- Regulatory environment and regulations with the regulators (if applicable)
- System decommissioning
A model developed by the authors identifies two types of failures in critical systems in operation: 1)
accidents, and 2) unplanned interruptions in production or breakdowns. The basic types of system
states shown in the following figure indicate potential states that can be realized at a particular instant
of time.
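Figure 10. Basic System States for a Cycle of Operation
[Baron and Pate-Cornell, 1999]
[Figure: state diagram with labels $S_1$: Planned Maintenance and $S_2$: Planned Operation, and states Planned Maintenance, Operation, Unplanned Shutdown, and Accident.]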
In this model an accident refers to a catastrophic and disabling failure, and an unplanned
shutdown refers to a failure state from which system operation can resume with comparatively lower
costs to transition back to operation. In general, more than one possible state of “unplanned
shutdown” can be conceived and modeled. Costs associated with each time interval account for costs
incurred for one unit of time while in a particular state and any cost incurred for the transition to that
state. Transition probabilities account for the elements of the risk management strategy listed above
and are determined based on a combination of past operating experience, systems analysis modeling,
or expert opinion. Applicability to a decision maker is enabled by applying a utility function to the
transition probabilities and costs to reflect risk attitude and, by extension, safety thresholds below
which a risk is not tolerable. The authors acknowledge that safety thresholds may or may not be cost
effective. A model tailored to a particular system and attitudes of a decision maker allows modeling
of risk attitudes and implemented management strategies, such as time between periods of preventative
maintenance and investment in system design and maintenance operations and tools.
The concept of a warning system in risk management can help describe the degree to which
personnel may respond to an identified risk based on previous realizations of risk events [Pate-
Cornell, 1986]. This particular modeling framework was originally developed for systems that issue
warnings related to public safety. This model accounts for a signal that alerts to an imminent
realization of a risk (e.g., a fire), and a response (e.g., evacuation) of people for whom the signals are
issued. Probabilities of detection and false alarm are associated with the issued signals. Response
rates for the warned population can then be modeled according to a previous sequence of false alarms
and valid alerts. Thus, the author develops several Markov models in which each state represents a
sequence of warnings—both false and valid alarms—with associated public response times. Response
times would typically be longer, or less effective, as the number of false alarms outweighs the number
of valid alarms. Aspects of this warning system model can apply to engineering development work:
project staff assesses—or re-assesses—potential for one or more risk events and alerts a decision
maker (signal issuance), and a decision maker and associated staff would respond in some manner
depending on past risk realizations. One can continue this methodology to indicate how risk tolerance
(i.e., rate or response) can change depending on previous risk realizations.
An application of this framework allows an analyst to account for risk in operational costs by
finding the sum of fixed costs, expected costs of system failure if a signal is missed, expected costs
of successful actions when a signal is received, and expected costs of false alerts [Lakats, 2004].
Potential applicability for this framework can be quite broad, ranging from maintenance of critical
components within a discrete system to development and operation of complex, distributed systems.
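The warning-system framework and the four-term operating cost described above can be sketched as follows; this is an added example, not code from the dissertation or from the cited papers. The memory length, the response-decay rule, the detector settings, and every cost figure are constructed assumptions chosen to show how a high false-alarm rate erodes the protection a more sensitive detector would otherwise provide.

```python
from itertools import product


def p_alarm_is_valid(p_event, p_detect, p_false):
    """Probability that an issued alarm corresponds to a real event."""
    valid = p_event * p_detect
    false = (1.0 - p_event) * p_false
    return valid / (valid + false)


def response_probability(history, r_max=0.95, decay=0.5):
    """Assumed rule: response halves for each false alarm in excess of valid ones.

    history is a tuple of 'V' (valid) / 'F' (false) outcomes of the most
    recent alarms; it is the state of the warning-sequence Markov model.
    """
    excess_false = max(0, history.count("F") - history.count("V"))
    return r_max * decay ** excess_false


def long_run_response(p_event, p_detect, p_false, memory=3):
    """Expected response probability under the stationary state distribution.

    Alarm outcomes are independent here, so the stationary probability of a
    state (a length-`memory` history) is the product of its outcome odds.
    """
    q = p_alarm_is_valid(p_event, p_detect, p_false)
    total = 0.0
    for history in product("VF", repeat=memory):
        prob = 1.0
        for outcome in history:
            prob *= q if outcome == "V" else (1.0 - q)
        total += prob * response_probability(history)
    return total


def protection(p_event, p_detect, p_false, memory=3):
    """Probability that a real event is both detected and acted upon."""
    return p_detect * long_run_response(p_event, p_detect, p_false, memory)


def expected_cost_per_period(p_event, p_detect, p_false, fixed, c_failure,
                             c_action, c_false_alert, memory=3):
    """Fixed cost + missed-signal failures + successful actions + false alerts."""
    prot = protection(p_event, p_detect, p_false, memory)
    missed = p_event * (1.0 - prot) * c_failure
    acted = p_event * prot * c_action
    false_alerts = (1.0 - p_event) * p_false * c_false_alert
    return fixed + missed + acted + false_alerts


# Constructed sample settings: (p_detect, p_false) for two alerting thresholds.
P_EVENT = 0.02
CONSERVATIVE = (0.80, 0.01)
SENSITIVE = (0.95, 0.20)
COSTS = dict(fixed=1.0, c_failure=1000.0, c_action=50.0, c_false_alert=20.0)

if __name__ == "__main__":
    for name, (pd, pf) in (("conservative", CONSERVATIVE), ("sensitive", SENSITIVE)):
        print("%-12s protection=%.3f cost/period=%.2f" % (
            name, protection(P_EVENT, pd, pf),
            expected_cost_per_period(P_EVENT, pd, pf, **COSTS)))
```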
To focus more specifically on the system design, some risk studies have examined
probabilities of maintaining an operational state based on internal system redundancies. A particular
aspect of redundancy was examined to account for incremental cost and risk-reduction effect in
supporting a decision to launch two identical spacecraft on identical missions [Pate-Cornell, 2004].
Particular aspects of this work indicate the ripple effect of using a common design for multiple
components of a system. This has the effect of introducing strong dependencies among potential
failures. Thus, probability of mission failure would not be cut in half with use of a redundant element
of identical design. Such risk mitigation benefit would be less than potentially perceived previously
since undetected, but common, design errors may be instantiated in the redundant system element.
When we follow risk management into the domain of insurance, we begin to see aspects of
capital and asset management associated with premiums and probable losses. Insurance capacity
becomes an important notion for the solvency of an underwriting company. For this research we
consider capacity as the financial buffer that protects the company from insolvency and its inability to
pay policyholder losses. As such the total premium for a portfolio of policies as well as its expected
income must exceed specified levels [Mulvey, 2003], or:
$$\sum_{i=1}^{N} x_i p_i \ge \mathrm{Minprem}$$
and
$$\sum_{i=1}^{N} x_i \left( p_i - e_i - l_{i,s} \right) \ge \mathrm{MinInc},$$
where: i is an index for the set of N accounts in the portfolio,
$x_i$ is the amount of an account in a portfolio (if it’s either in or out then $x_i \in \{0, 1\}$),
$p_i$ is the premium for account i,
$e_i$ is the non-catastrophe expenses of running account i,
and $l_{i,s}$ is the loss for account i in scenario s.
With these constraints Mulvey [2003] constructs an objective function by computing the ratio
of the expected income across all foreseen scenarios (each with probability
s
) to a maximum
estimated loss figure for the entire portfolio, or:
( ) ( )
() ()
=
==
N
i
i i i
S
s
N
i s i i i i s
e p x F
l e p x
Max
1
1
11 ,
) 99 . 0 (
where: is a discount factor, and
$F^{-1}(0.99)$ corresponds to the 99th percentile loss for the portfolio. This is calculated from
the loss in dollars for a portfolio account under examined scenarios; it is a figure used to derive a
maximum estimated loss in the preceding equation. It can be viewed as a conservative criterion since it
accounts for a potentially large spread about the mean of the probability distribution. It reflects
sensitivity and implicit preference to reducing the standard deviation of the loss probability rather than
only reduction of the mean.
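As an added illustration (not Mulvey's code and not part of the dissertation), the Python sketch below follows the prose description only: it enumerates in-or-out account selections, enforces the minimum premium and minimum expected income constraints, and maximizes expected income divided by the 99th percentile portfolio loss. The discount factor is omitted, and the accounts, scenario probabilities, and thresholds are constructed sample data.

```python
from itertools import product


def percentile_loss(losses, probs, level=0.99):
    """Discrete F^{-1}(level): smallest loss L with P(loss <= L) >= level."""
    cumulative = 0.0
    for loss, prob in sorted(zip(losses, probs)):
        cumulative += prob
        if cumulative >= level:
            return loss
    return max(losses)


def evaluate(x, accounts, probs):
    """Return (total premium, expected income, 99th percentile loss) for selection x."""
    premium = sum(xi * a["p"] for xi, a in zip(x, accounts))
    margin = sum(xi * (a["p"] - a["e"]) for xi, a in zip(x, accounts))
    losses = [sum(xi * a["l"][s] for xi, a in zip(x, accounts))
              for s in range(len(probs))]
    expected_income = sum(pr * (margin - loss) for pr, loss in zip(probs, losses))
    return premium, expected_income, percentile_loss(losses, probs)


def best_portfolio(accounts, probs, min_prem, min_inc):
    """Exhaustive search over x_i in {0, 1}; returns (x, ratio) or None."""
    best = None
    for x in product((0, 1), repeat=len(accounts)):
        premium, income, p99 = evaluate(x, accounts, probs)
        if premium < min_prem or income < min_inc or p99 <= 0:
            continue  # infeasible, or ratio undefined
        ratio = income / p99
        if best is None or ratio > best[1]:
            best = (x, ratio)
    return best


# Constructed sample data ($M): premium p, expenses e, loss l per scenario.
SCENARIO_PROBS = [0.70, 0.295, 0.005]        # normal year, bad year, catastrophe
ACCOUNTS = [
    {"name": "A", "p": 10, "e": 2, "l": [0, 5, 40]},
    {"name": "B", "p": 8, "e": 1, "l": [0, 12, 20]},
    {"name": "C", "p": 6, "e": 1, "l": [1, 2, 60]},
]
MIN_PREM = 15
MIN_INC = 9

if __name__ == "__main__":
    x, ratio = best_portfolio(ACCOUNTS, SCENARIO_PROBS, MIN_PREM, MIN_INC)
    chosen = [a["name"] for xi, a in zip(x, ACCOUNTS) if xi]
    print("selected accounts:", chosen, "income / 99th percentile loss = %.4f" % ratio)
```

With this data the catastrophe scenario has probability 0.005, so it lies beyond the 99th percentile and the bad-year loss sets the denominator.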
Additional modifications to the objective functions by the authors allow for allocation of
capital, and investment of capital, across multiple divisions in an organization. Optimizations still aim
to maximize income or returns for the whole organization.
The underwriter also must make short-term decisions when liquidity may be questionable.
For some relevant work we can see how liquidity issues have been modeled when an organization
must pay some bills while some outstanding bills have been sent, but for which payments have not
been received [Pate-Cornell, et al., 1990]. For this, probabilities of receiving payments between $t_0$ and
$t_0 + Wt_0$ are estimated. Weibull, beta, and some discrete distributions are compared. Applications can
be tailored depending on a firm’s particular industry and market conditions that would affect cash flow
and received payments.
There are a couple of methods of rectifying differences in risk behavior among distinct
stakeholders. One method posed by Sage [1992] allows construction of a single utility curve for two
different stakeholders involved in a life insurance sale. Both buyer and seller may be equivalently risk-
averse (i.e., apply scaled versions of the same curve), but each may be making decisions on different
parts of the curve. When considering the range of expected monetary value that affects a decision to
buy (or sell) insurance and comparing this range against the assets of the individual buyer or of those
of the underwriters, the proportion of this range against these assets would vary considerably. This
range for a single insurance policy is much larger compared to assets of the individual versus the
underwriting company and would affect greater consideration by an individual than a large company,
even though both may be equivalently risk averse.
Alternatively, game theory could become relevant in this research since we have differing
business objectives across potential scenarios, i.e. utilities, for distinct organizations. Much of the
basics for multi-person zero-sum and non-zero-sum games are described in a number of texts
including Von Neumann and Morgenstern [1944], Luce and Raiffa [1957], and Osborne [2004].
Aspects of Nash equilibrium states, developed in game theory, could provide an extension to the
proposed research herein, but it does not appear to provide prescriptive models of potential decision-
making. It is not suggested for inclusion in the research at this time.
On an insurance application, Yanling [2003] develops several expressions for assessing
utility in terms of premiums and expected losses for an insurance company seeking its own insurance
policy against potential losses, or reinsurance. The author refers to this as mutual insurance, and the
utility functions are similar in form to the income equations of Mulvey [2003]. A key difference is
that the insured dollar amount in Yanling’s equation may not equal the loss inflicted by an accident.
The interesting claim implicit in his expressions is that managers would reveal estimates of
probabilities of hazards but not the probabilities themselves. That is, losses $Q_i$ and proffered estimates
of hazard likelihood $s_i$ would be observable for the ith insurant, but the probabilities $p_i$ would be
non-observable. The claim then is that the portfolio for the mutual insurer reaches equilibrium based on
the minimal estimates proffered. However, this is not clearly proven despite some interesting
relations. Furthermore, the distinction between estimated and actual probabilities is probably not
defensible due to the sparse amount of data associated with development and deployment of new or
unique systems.
3.7 Space Insurance Applications
It is relevant to review aspects of space insurance applications to this research since it guides
development of the appropriate models. Initial underwriters on space flights were aviation insurers
and reinsurers because of the perceived relationship of space flight and aviation [Fordyce, 1985].
Over time underwriters have become more specialized in their participation and forms of insurance,
with premium bases developed from experience gained in this arena. Key types of space insurance
available now are summarized in Table 2 [FAA 1998], [FAA 2002b], [Select Committee, 1999]. The
dominant costs typically are attributed to launch insurance and on-orbit insurance. Data from
commercial launches indicate that more than 90% of failures occur during launch and early orbit and
most launch failures occur from problems with the launch vehicle rather than upper stages or satellite
damage [FAA, 1998]. It is reasonable that much of the premium costs are associated with these
insurance types as well. US law as mentioned in Section 2 requires government property insurance
and third party insurance. One may note that Arianespace and Long March both require some
form of third-party insurance as well. Re-launch insurance differs in that it is a first party insurance
provided by the launch provider; this provider then may purchase insurance itself for a series of
launches to protect itself and to offer better rates [FAA, 2002b]. The remaining insurance types in this
table are not as common. Constellation insurance is interesting in that it would apply to a constellation
of satellites in which each satellite would be roughly interchangeable; thus service would be provided
as part of the operation of multiple satellites rather than the functioning of a single asset.
Table 4. Primary Types of Space Insurance

| Type | Description | Typical coverage | Approximate rate | Who buys |
|---|---|---|---|---|
| Pre-launch insurance | Indemnifies current owner of a satellite (e.g., builder) launch vehicle for losses during construction, transportation and processing phases prior to launch. | Hundreds of $millions | | Manufacturer |
| Launch insurance | Indemnifies the owner of a satellite for combination of failed launch, failed vehicle, or failed satellite. Sometimes also includes coverage for year or more on orbit. | $250 million to $300 million | 7% – 25% | Owner or manufacturer |
| In-orbit insurance | Indemnifies against failure during in-orbit operations period; may include satellite life insurance, manufacturer incentive insurance, and insurance of satellites during on-orbit testing. | Hundreds of $millions | 1% – 3% | Owner or manufacturer |
| Government property insurance | Indemnifies the government for loss of any government property due to launch operations. Required by US law. | $75 million to $100 million | 1.5% – 2% | Owner or manufacturer |
| Third-party liability insurance | Indemnifies a third party from loss related to hardware or mission failure (e.g., debris falling on private property). Required by US law. | $200 million to $500 million | 0.1% – 0.2% | Owner or manufacturer |
| Re-launch insurance/guarantees | Launch service provider guarantees a second launch if the first launch results in failure; client agrees to accept re-launch in lieu of cash payment. | Tens of $millions | Varies | Owner or manufacturer |
| Business insurance | Indemnifies for revenue loss, typically for satellite owners if the satellite fails to attain operational status (few sold). | Varies | Varies | Owner |
| Constellation insurance | Covers an entire satellite constellation or part of a constellation. | Multiple hundreds of $millions | Varies | Owner or manufacturer |

The actual amount of coverage provided, particularly for launch, on-orbit, and third-party
liability, depends on the insurance capacity. Capacity for a single satellite launch is the entire amount
of coverage that insurance underwriters are willing to underwrite for a project. This amount varies
over time and has ranged from a few hundred $million in the early 1990s to about $1.3 billion in 1999
[FAA 2002b]. Capacity has reduced since then, particularly after September 2001. For a single
launch it reduced to $840 million in 2002 and about $450 million in 2005 [FAA, 2006].
The underwriting process is covered in a number of references and is summarized briefly
here [Select Committee, 1999], [FAA 2002b]. The process begins when either the satellite owner
(client) or manufacturer (builder) chooses an insurance broker. At times a satellite manufacturer may
provide a list of brokers. Selection typically is competitive, and payment is on a commission basis.
After selection, the broker then becomes the conduit for transfer of all information between the insured
party and potential underwriters, but the broker does not assume any of the risks themselves [Fordyce,
1985]. The process continues with a technical assessment of the satellite and launch vehicle. The
insured party prepares technical reports and presentations for the brokers regarding the satellite project
and launch service capabilities and procedures. Materials would also contain aspects of partial or full
loss, associated costs, and launch service availability as well as program risks, history of launch
vehicle performance, design modifications, and reasons for using new technology. Presentations are
designed to build confidence of the potential underwriters and may include detailed descriptions of
major satellite subsystems as well as descriptions and simulations on the performance and reliability of
their designs [Pidgeon, 1999]. When evaluations are complete, potential underwriters present the
broker with bids containing information on capacity, premiums, and terms and conditions that they are
willing to offer the insurance client.
There are few players in the space insurance business. As of 1999 the four primary US
brokers were J&H Marsh & McLennan, Willis Corroon Inspace, International Space Brokers, and
AON Inc. Only about a dozen key underwriters, and only a few dozen worldwide actually provide the
space insurance. Multiple underwriters may participate in a particular insurance package, thereby
spreading the risk across global markets [Select Committee, 1999].
3.8 Causes of Risk Aversion
A large organization may have sufficient financial resources to absorb many consequences of
risks potentially faced by an organization. This suggests that a large organization may prefer to act in
a risk-neutral manner as long as the potential consequences—financial or reputation-wise—do not
affect a significant portion of the total resources. This aspect also is reinforced in much of the risk
management literature where expected monetary value calculations and analogous probabilistic risk
assessment models are used as examples for decision making under uncertainty. Analysis using
risk-neutrality as a basis of departure avoids potential complications associated with quantifying risk
attitudes while still allowing for unique contributions to scholarly work.
However, a motivation for this research is that the US government—a rather large
organization—allows use of space insurance on government contracts despite its available financial
resources. Such action is indicative of implicit agreement to fund a risk premium to enable transfer of
risk to third party underwriters; this behavior indicates a risk-averse attitude despite the organization’s
very large size. Another motivation is that decisions on transfer of risk from one organization to
another imply accounting of risk attitudes for the affected entities.
Space systems acquisitions may particularly affect risk attitude since they typically involve
very large dollar value projects, and potentially severe consequences resulting from an associated
failure can adversely affect ability to maintain operations, even for large organizations. More
generally, factors affecting risk attitude in a large organization appear to be in response to perceptions
of limited resources relative to potential consequences, needs to sustain an organization’s continued
existence, and obligations to preserve public safety. A number of factors are acknowledged in
engineering literature, even if analyses do not explicitly model risk aversion, e.g., [Baron and Pate-
Cornell, 1999], [Deleris et al., 2004], [Keeney and Raiffa, 1976], [Lakats and Pate-Cornell, 2004],
[Pate-Cornell et al., 1990], [Sachon and Pate-Cornell, 2004]. Government reports have indicated a
shift toward risk-averse attitudes in the wake of acquisition program difficulties, such as in [Defense
Science Board, 2003]. More direct assessment of organizational factors affecting risk attitudes can be
found in management literature; referenced examples indicate how risk-prone or risk-averse cultures in
an organization are created by perceptions of management trust, communications effectiveness, and
even involvement with public officials [Bozeman and Kingsley, 1998], [Brown, 1987], [Hauser,
1998], [Singh, 1986]. Lists of several factors indicated in the references are organized by basic
project management categories below.
For cost risk aversion:
- Cost saving objectives
- Profit incentives
- Preservation of cash flow liquidity
- Incentive to preserve an organization’s good financial performance
- Degree of cost overrun (risk sharing) between buyer and supplier
For schedule risk aversion:
- Avoidance of financial penalties for late delivery
- Market pressures to achieve delivery goal
- Mitigation of potential supply chain interruption
For performance risk aversion:
- Immediacy of application (i.e., system in production vs. exploratory research and development)
- Minimum performance thresholds for safety critical systems
- Minimum reliability thresholds during near-term operation of system
- Performance incentive contract clauses that determine client payments
- Creation of threshold and objective (or goal) mission performance metrics (e.g., for civil and military systems)
- Acknowledgement of non-linear value of performance metrics (i.e., achieving delivery of something useful rather than risk non-delivery or delayed delivery within stated timeline)
- Career aspirations and avoidance of perceived failures during management tenure (e.g., “not on my watch”)
Organizational culture contributing to risk aversion across categories:
- Perceptions of risk as affected by previously realized risks or failures (of cost, schedule, or performance)
- Degree of centralized decision making within an organization
- Perceptions of coworker’s risk attitudes
- Degree of formalization and red tape
- Perception of weak link between rewards and job/project performance
- High involvement with elected officials
- Perception of management trust via internal supervision and controls
- Low level of goal clarity from senior management
To illustrate, we can construct simple examples of these effects on cost, schedule and performance.
Consider a project with a budgeted cost that is pursued by some organization. The budgeted
costs may result from a parametric cost estimation model, which can provide most likely, expected,
and a percentile distribution of costs for the project. A risk neutral organization may budget according
to expected value costs. Since increasing utility functions are often easier to visualize, consider the
potential net reserves, or project savings. We achieve this metric with a linear transformation of costs,
which preserves strategic equivalence (preference ordering): budgeted cost minus the actual costs.
With this in mind an organization decision maker may prefer some level of reserves that would be
guaranteed rather than risk the potential for losing any reserve (or even overrunning the budget).
Faced with the potential loss of all reserves, the decision-maker may reasonably be preferentially
indifferent between that lottery and a guaranteed level of net reserves that is less than the expected
value of net reserves. By definition, this attitude reflects risk aversion. Such activities correspond to
a desire to maintain a safety margin on organization costs and contribute toward an organization’s net
profit (in the case of a builder or underwriter) or potential cost reduction (in the case of a client).
We can construct a similar example for schedule aversion in terms of margin maintained.
This would be particularly reasonable if there are financial incentives to preserving schedule margin
such as contractual penalties for not delivering on time or loss of market share by not satisfying
customer expectations. Alternatively, for modeling purposes an analyst may choose to derive cost
impacts as a surrogate for schedule risk attitudes.
An example on performance risk aversion can examine a client’s determination of threshold
and objective performance metrics that are assessed and settled during contract negotiations with a
builder. Differentiating between two levels of performance upon entering negotiations acknowledges
that some satisfactory level of performance, delivered with a high degree of assuredness, is preferable
to risking potential lack of timely delivery on a system that achieves very high levels of measured
performance. Again, preference for guaranteed delivery of a threshold capability leading to
preferential indifference between a satisfactory level of performance and a lottery between high
performance and lack of delivery indicates a risk-averse attitude.
Chapter 4: Critique of Past Approaches
The literature on engineering risk management is replete with case studies, lessons learned,
qualitative analyses, and some process descriptions. However, with a few recent exceptions, there
appear to be comparatively fewer prescriptive quantitative materials that can be generalized to design
and production processes or that can lead to risk handling decisions on engineering projects.
Clearly, decision rules established for complete uncertainty account only for potential states
of nature and do not account for probabilities associated with any decision consequences.
Ordinal methods offer some improvement and appear to dominate current risk analysis
practices. Ordinal scales for likelihood and consequence are relatively easy to describe in comparison
to some cardinal techniques, but they do not describe the magnitude of the difference between
probabilities and the measurable difference in consequences associated with a risk element. For
example, a “moderately high” likelihood for achieving performance in an antenna design is not
equivalent to the “moderately high” likelihood for a launch vehicle failure. Furthermore, rank
ordering of risks described with ordinal scales does not capture the cardinal measures of individual
risks and their relative magnitudes or risk probabilities and consequences. Some specific drawbacks
include the following:
- Provides only qualitative risk rating. While a cogent description of the program risk may
  be good for communicating the overall risk of a development to an uninformed audience,
  it does not provide an informed decision maker with a basis for invoking risk-handling
  procedures.
- No clear consistent definition of probabilities associated with events. What defines
  small? The definition of “small likelihood” for one event may be intolerable for another.
  For example, a short-term likelihood of channel bit error rates of $10^{-1}$ may be tolerable
  for some communications applications with error correcting coding, but may be
  intolerable with regards to a launch failure.
- Temptation for an uninformed decision-maker to perform arithmetic manipulations of the
  data presented. This is erroneous at best, and misleading at worst.
- Does not provide a measure of probability or consequence that can be used to trade off
  against multiple conflicting mission objectives and alternative risk reduction tasks with
  their costs.
The philosophical Government and industry approach to risk management identifies this
discipline as an inseparable part of project management that requires “buy-in” and reinforcement from
senior management and active participation from project members. This is closely aligned with
quality management practices. Heuristics further prescribe guidelines for conducting risk management
and for instilling an environment conducive to its practice.
Numerous case studies provide examples of practices, heuristics, and specific risk
management tools that have been applied to particular programs. While collectively they summarize
good and bad experiences obtained across a wide variety of programs, they do not explicitly facilitate
development of a specific risk management strategy or quantitative methodology applicable to a single
program or set of similar programs. These case studies do not typically provide prescriptive
quantitative guidance.
Descriptions of risk management processes provide some procedural guidance. They provide
value by presenting a structure to the potentially complex interaction of technology development,
program schedule planning, and maintaining cost goals. A number of papers more fully develop
process descriptions for risk analysis and risk identification. However, decision trade-offs for risk
handling do not appear to be discussed.
Work in recent years has provided more quantitative research on risk management applied to
engineering development. In particular, we can see models on allocation of technical investment using
reserves, and strategies for funding multiple technical projects. However, all those modeling efforts
consider decision by a single decision entity and resource apportionment internal to a single
organization. Relationships for different organizations associated with engineering deployment, but
with competing interests, are not modeled or investigated quantitatively.
We also note game theory is not applicable at this time in the research. While the
stakeholders in a hierarchical organization structure are competing against each other in some manner,
there are still utility functions of the individual entities that must be considered. It seems appropriate
to develop this theory before expanding it to potential extensions of game theory. Furthermore,
applications of utility theory facilitate development of prescriptive recommendations, which is a goal
of this research. In contrast, game theory describes equilibrium states, or steady states in which an
outcome can be no worse if an opponent changes strategies, achieved from repeated encounters
between competing entities; it does not necessarily prescribe optimum strategies that may be achieved
cooperatively.
The following table summarizes categories of current risk management literature as it relates
to the research proposed herein. This proposed research aims to build upon cardinal empirical
methods and mitigate shortfalls below.
Table 5. Summary Critique of Risk Management Literature Categories

| Category | Advantages | Shortfalls |
|---|---|---|
| Philosophy & heuristics | Prescriptive; describes basic theory and guidance | Difficulty translating into executable plans |
| Case studies | Documents lessons learned; helps identify causes of risk events; application specific relevance | Non-prescriptive; limited applicability outside of reference field |
| Process descriptions | Provides management guidance | Difficulty translating into executable plans |
| Ordinal methods | Ease of communicating risks; aids determination of risk to monitor | Cannot capture relative severity of likelihoods and consequences; no uniform method or ranking risk events |
| Cardinal empirical methods | Describes severity of likelihood and consequence; allows assessment models tailored to specific project; allows modeling of decision-making criteria; facilitates allocation of resources and staffing within an organization | Emphasis typically on cost or schedule and not their interactions; risk handling limited to mitigation techniques internal to an organization; limited development of risk transfer among hierarchically structured organizations |
| Game theory | Modeling of distinct entities in direct competition | Primarily determines equilibrium states rather than optimal states |
Chapter 5: Hypothesis
The main hypothesis of this research is that the risk transfer methodology indicates that
current practice on establishing risk transfer via space insurance results in setting system costs higher
than a client organization’s risk threshold should allow. This is particularly evident for development
and deployment of government space systems, and it also would likely have a significant impact on
policies affecting commercial space launch activities.
This hypothesis is assessed based on the derivation of competing utility functions for client,
builder, and underwriter. The theory advanced as part of this is applicable to risk transfer activities in
organizational hierarchies.
If demonstrated, the results can indicate recommended changes to potential risk handling
methods via insurance policies that may result in significant cost savings (around 10%, or up to
multiple tens of $millions) if an organization enforces a space insurance policy commensurate with its
risk attitude. Government contracts, for example, could see this in a reduction of overhead fees
charged on contracts resulting in lower cost to the client and eventually to the taxpayer.
Chapter 6: Methodology
6.1 Overview
We begin by narrowing the scope of the hierarchical model presented in Section 2 and focus
on the risk transfer concerns among the system client, builder, and underwriters. This portion of the
figure is repeated below. As before, each link indicates a negotiated transfer of risk between
two organizations, each with differing business objectives and differing risk attitudes and utility
functions. For the simplified figure the role of the system architect, while still important, becomes
more implicit: influence should reduce risks for both the client and builder, but the negotiation of risk
transfer does not include the architect as a transferor or recipient. Key to the development of this
model is any input from a launch provider, typically in terms of estimated probabilities of launch
success. This block is not shown in Figure 11, however, since this organization provides a particular
service to the builder or client, and risks associated with successful operation of this service are
incurred by the builder or client and transferred by agreement to a third-party underwriter. The
existence of re-launch insurance by launch providers is acknowledged, but for purposes of this
research, the underwriting function associated with this can be modeled as occurring in a separate
organization.
Figure 11. Narrowed Focus for Model Development (diagram: Client, the Government or Business Owner; System Builder, the Prime contractor; Underwriters, the 3rd Party Risk Share, covering launch insurance and in-orbit insurance)
It also seems appropriate to consider just launch insurance and in-orbit insurance initially,
since launch failures and early orbit failures (e.g., within one year of service) dominate
indemnification. Upon development of a model, application is expanded to investigate suitability of
third-party liability insurance, which is currently mandated.
The interface for risk transfer consists of the result from negotiation between two competing
utility functions. This differs from multi-attribute utility functions of a single decision-maker because
all three organizations represented in this model seek to maximize potential benefits to be received by
their own organization. Benefits gained by the other organizations are secondary. However, it is
recognized that continued operation by all three organizations relies on mutual cooperation among all
participants. Model development accounts for cooperative risk-sharing among organizations with
competing interests, i.e., utility functions. Alternative utility functions internal to each organization
and prior to negotiations are likely to be hidden and difficult to measure. However, aspects of the
resultant functions at the interface between organizations can be measured based on extant data
regarding reliability and insurance costs.
This modeling approach recognizes a hierarchy of authority: the client entity has superseding
decision-making authority over the others. Implicit in this hierarchy of competing utility functions is
whether the client entity should pull in the underwriting capability and self-insure. Referring back to
Figure 1, we can see other aspects of this hierarchy; the system builder, or prime contractor, has
decision-making authority over sub-contractors and can decide to pull work in-house; and
subcontractors have similar authority, for example, over suppliers.
6.2 Risk Events
We begin with the development of basic parameters for launch events, overall premiums, and
expected losses. This allows us to determine the overall risk attitude of the space underwriting
industry over time. We would anticipate a risk-averse characteristic, which would be suitable for
ensuring profitability of underwriting organizations, but we would also expect this to be less risk
averse than the other two entities in order to preserve the fundamental premise of insurance. However,
we have also clearly seen significant losses in the late 1990s that accompanied an initially slow
increase in premium rates.
Factors that shape risk attitude typically reflect the amount of resources one is willing to risk
losing while also remaining able to sustain existence or operation with the potential loss of those
resources. From the perspective of a business or a government, we may reasonably consider the
willingness to invest an amount of money that may be lost relative to some guaranteed return—or
payment—while still being able to remain in business or operation. With this in mind we then can
consider the amount of money one could tolerate the risk of losing. As this amount of invested money
increases to become a significant portion of an organization’s total assets, we can expect the
organization to prefer a guaranteed return or payment to the potential of terminating operations. How
an organization defines “significant” would be up to discretion of the organization’s decision makers;
however, we can reasonably expect that among several interacting organizations, the entity with the
largest resources should be the most risk neutral. However, this does not appear to be the case with a
number of contracts between the US government and prime contractors. Thus, the hypothesis of this
research is that many such contractual agreements violate our expectation of the entity with the most
resources being the most risk neutral. Gauging risk attitudes across an industry segment is key to this
research. As a surrogate measure of risk attitudes, we examine space insurance premiums and
indemnifications over time and for risk events associated with launch and in-orbit operation of
unmanned spacecraft.
We note that for a business such as a builder, commercial operator, or underwriting firm the
revenues should exceed losses and operating expenses. Very simply, over durations of n years—
where n is preferably small—revenues, R, losses or indemnifications, L, and operating expenses, O,
should be:
$$\sum_n R_n > \sum_n (L_n + O_n)$$
Or when we consider profits, P, a company should hope that positive profits over time yield:
$$\sum_n (P_n + O_n) = \sum_n (R_n - L_n) > \sum_n O_n$$
This gives us a simple bound for revenues and losses related to profit. It also forms a basis for
checking derivation of insurance capacity and changes in risk attitude of space insurance underwriters.
One may note that these relations do not necessarily hold for a government. Government clients aim
to satisfy mission needs that are funded through other means, most notably taxes.
Now we derive relations for expected loss and revenue. Let x(t,v) be a random variable that
indicates launch success (1=success, 0=failure) and is a function of time, t, and launch vehicle type, v.
We then define $p_l$ as the probability of launch success, or
$$\Pr[x = 1 \mid t = T_l, v = V_l] = p_l$$
where $T_l$ and $V_l$ are the time of launch and type of launch vehicle.
Since $p_l$ is never quite known, we can estimate it for vehicles with a launch history, which
gives us our estimate, $m(K)$, for the Kth launch of vehicle $V_l$:
$$m(K) = \frac{\sum_{k=1}^{K-1} x(t = T_k, V_l)}{K - 1}$$
for approximately 5 K
We then can define the loss as the product of the insured value, h
l
and x(t, v), and further, the
premium, r
l
, as the product of a rate
l
and the insured value. This gives us the expected loss as
=
= = =
=
1
) , (
1 )] , ( [
1
1
K
V T t
r
V v T t E
K
k
l k
l
l
l K
x
L
and the expected revenue:
=
= = =
=
1
) , (
1 )] , ( [
1
1
K
V T t
r
r V v T t E
K
k
l k
l
l
l l K
x
R
With these derivations, which are basically functions of empirical averages, we can tailor the
approach to find expected losses and revenues across a particular industry set. This allows aggregation
among an industry set and can account for improvements in launch vehicle product types and
discontinuation of less desirable types. It also more accurately reflects success probabilities that may
be faced for a particular industry for a particular year. For instance, we can calculate expectations
based on the reliability of only the launch vehicles in production in any given year for just the United
States. A similar calculation can be made for Europe, northern Asia, or any industry set of interest.
The tailored calculation yields:
1
) , (
) , (
1
1
1
= <
=
K
t LV V T
LV T t T t m
K
k
k k
K K
x
, where LV is the industry set of interest;
= <
=
1
) , (
1 ] , ) ( [
1
1
1
K
t LV V T
r
LV T t T t E
K
k
k k
l
l
K K
x
L
and
= <
=
1
) , (
1 ] , ) ( [
1
1
1
K
t LV V T
r
r LV T t T t E
K
k
k k
l
l
l K K
x
R
.
A similar approach can be used to calculate in-orbit satellite anomalies based on empirical
data. We can let y(t,s) be a random variable that indicates the duration of in-orbit operation (in years)
as a function of time and satellite, s. An expected time for an anomaly to occur can be calculated
based on anomaly reports for an industry set of satellite manufacturers for previous years. Within each
industry set we can also aggregate anomaly types according to catastrophic failures, $F_c$, which result
in complete loss of operation, and partial failures, $F_p$, which result in degraded operation. An
estimate of the probability of anomaly type in a particular year then would account for the fraction of
satellites that experience an anomaly compared to the total number of satellite launches in previous
years. More succinctly, a forecasted time to anomaly would behave as
s s
F S s F S s
s t
, ,
) , ( y
, where S is the
industry set and F
s
is failure type of interest. An estimate for probability of a first-year anomaly in-
orbit for particular year, T, would be:
" #
=
< <
< <
=
1
1
,
) , 1 , (
) , , 1 , (
) , (
K
k
k k k k k
F S s
s k
s s
S s T T T V T s
F S s T t T s t
S F T m
s
x
y
,
where $s_k$ is the number of satellites launched in launch vehicle $V_k$. We are typically interested in
first-year anomaly since that is a common period for coverage with in-orbit insurance. Data on in-orbit
operation time to critical anomalies also confirms this (see Section 7.4). Construction of this estimate
accounts for modifications to satellite bus and payload design that have improved demonstrated
in-orbit reliability and have increased satellite operational life.
There are several quick simplifying transformations we can perform on probabilities of risk
events. We begin by examining the two main random variables affecting utility: launch performance,
$x(t, v)$, and time to critical anomaly, $y(t, s \mid F_c)$. We can model these as independent random
variables since different processes are involved in the manufacturing and operation of a launch vehicle
and the satellites it carries. Modeling of potential correlations between satellite and launch vehicle
performance, such as jerk and vibration damaging a satellite, can be eliminated if we consider adverse
satellite effects resulting from a nominal launch activity to be the result of a deficiency in the satellite
design to meet the electro-mechanical environment of a launch environment. Note that in-orbit
operation is irrelevant in the event of a launch failure. Since with in-orbit anomalies we are primarily
interested in whether they occur in the first year, we now can transform the continuous $y$ to the
binary $\tilde{y}$, such that $\tilde{y} = 0$ for critical anomaly in the first year, and $\tilde{y} = 1$ for absence of critical
anomaly by that time. This results in a ternary mass distribution: $\{(x, \tilde{y})\} = \{(0, \_), (1, 0), (1, 1)\}$.
Finally, to indicate whether the satellite operates at least one year or results in an indemnification, we
construct the random variable $z$ from $x$ and $\tilde{y}$ such that
$$z = \min(x, \tilde{y})$$
or
] 1 | 0
~
Pr[ ] 0 Pr[ 1 ] 1 Pr[ = =
=
= = x y x z ,
or with a change in notation to be
1 0 1
|
1
x y x z
o
p p p
=
This transformation of random variables allows us to develop a unidimensional utility function for the
underwriter, client, and builder entities.
In contrast to risk against mission success, events that cause damage to US government
launch ranges or third-party damages appear to be much less common. For launch range damage we
can derive an empirical estimate by dividing the number of events that resulted in damage by the
number of launch attempts in the current inventory of launch vehicles. However, if no range damage
has occurred for the current inventory of launch vehicles, then the empirical data can only allow
derivation of a bound on the probability, which would be the reciprocal of the number of vehicles in
that inventory that have been launched previously. We have the same problem with 3rd party losses;
no record of damage from US-licensed launches leads to the same bound on probability. Therefore, at
this time our estimated probability for range loss, $p_{\text{range-loss}}$, and third party loss, $p_{\text{3rd-party}}$, would be:
US k loss range
LV V
K
p
<
1
1
where $LV_{US}$ is the set of active launch vehicle types across the entire US industry, and
US k party rd
LV V
K
p
<
1
1
3
For these events we also introduce two non-negative continuous random variables. Consider
X as the amount of third-party liability damages and Y as the amount of property damages to
government launch range property, both measured in US dollars. From the previous discussion on risk
events, we know $\Pr[X>0] = p_{\text{3rd-party}}$ and $\Pr[Y>0] = p_{\text{range-loss}}$. Reasonable ranges for X and Y can be
approximated from the relatively small amount of data available for non-US launch mishaps with
unmanned space missions. For now we can also consider these random variables to be statistically
independent since liability damages can occur both prior to actual launch (e.g., launch-activity related
accidents) and after launch (e.g., objects falling on personnel or property) regardless of potential
launch pad explosion. These data are described later in Section 7.
6.3 Underwriter Utility
The research investigates both the short-term (i.e., one-year) and long-term characteristics of
the client utility. Both aspects are useful for determining effects on the ability of an organization, such
as an underwriter, to accept risks transferred in from another entity. Long-term characteristics allow
characterization of the overall trend of risk attitude for an entity over time. Short-term characteristics
give an indication of year-by-year tactical planning by an underwriting industry or of a client’s
anticipation of potential costs associated with risk transfer.
Development of the long-term model begins by considering potential outcomes from
realization of z for a single satellite. The potential range associated with the underwriter utility is
shown in Figure 12. Preliminary data from Section 7.1 suggest that the underwriter utility is risk
averse, which corresponds to the open region in this figure. As z increases toward one, the utility
reaches its maximum, which corresponds to receiving the full premium, $r_k$, with probability of one. At
the other extreme, the minimum utility corresponds to the received premium minus the insured value.
Within the potential range of utility, there exists an expected earnings that is a function of the
forecasted estimate for z, or $\hat{z}$. The figure shows the expected earnings for a single satellite based on
the estimate $\hat{z}$. Multiple estimates and expected earnings for the underwriter shown in a single plot
can indicate trends that depict the characteristic utility. These expected earnings relate demonstrated
client utility with estimates of successful satellite operation, $\hat{z}$, as it is adjusted over time by the
premium rates.
Figure 12. Range for Potential Underwriter Utility on a Single Satellite Project (plot against z from 0 to 1; labels recoverable from the plot: $r_k$, the estimate $\hat{z}$, and $r_k - E[L]$)
As we examine the data it becomes necessary to normalize values among satellite project
sizes that may differ considerably. Thus, for yearly summaries of premiums, rates, and losses, we can
normalize the utility by dividing by the collected premium. This constrains the maximum possible
utility to unity in all cases. The revenue estimate becomes the estimated fraction of premium retained,
$(r_k - E[L])/r_k$. The minimum becomes 1-1/(t), which tends to vary by year, but that seems reasonable
since the degree of severity associated with a large loss may change with recent history. It is also
unlikely that such large risks would be accepted anyway if probabilities of success were to be that low.
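The empirical estimates of Section 6.2 and the normalized underwriter utility described above can be traced with a short calculation. This is an added example, not code from the dissertation: it assumes the success estimate is the fraction of successes among prior launches of the chosen vehicle set and that expected loss is insured value times the estimated failure probability. The launch record, the premium rates, the five-launch minimum history, and all names (`Launch`, `HISTORY`, `RATES`, and the functions) are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class Launch:
    year: int       # launch time t
    vehicle: str    # launch vehicle type v
    success: bool   # x(t, v): True = success, False = failure


# Constructed launch record for two hypothetical vehicle types (not real data).
HISTORY = (
    [Launch(1994 + i // 2, "LV-A", i != 3) for i in range(10)]        # 9 of 10 succeed
    + [Launch(1996 + i, "LV-B", i not in (0, 2)) for i in range(5)]   # 3 of 5 succeed
)

# Constructed premium rates (premium / insured value) by policy year.
RATES = {1998: 0.10, 1999: 0.12, 2000: 0.20}


def success_estimate(history: Iterable[Launch], vehicles: Set[str],
                     before_year: int, min_launches: int = 5) -> Optional[float]:
    """Empirical success fraction over prior launches of the vehicles in the set.

    Returns None when the history is too short to support an estimate
    (the minimum of 5 is an assumption of this example).
    """
    prior = [l for l in history if l.vehicle in vehicles and l.year < before_year]
    if len(prior) < min_launches:
        return None
    return sum(l.success for l in prior) / len(prior)


def expected_loss(insured_value: float, m: float) -> float:
    """Insured value times the estimated probability of failure (assumed reading)."""
    return insured_value * (1.0 - m)


def normalized_utility(insured_value: float, rate: float, m: float) -> float:
    """Estimated fraction of premium retained: (r - E[L]) / r, with r = rate * insured value."""
    premium = rate * insured_value
    return (premium - expected_loss(insured_value, m)) / premium


def utility_floor(rate: float) -> float:
    """Normalized minimum: (premium - insured value) / premium = 1 - 1/rate."""
    return 1.0 - 1.0 / rate


def utility_trend(history: Iterable[Launch], vehicles: Set[str],
                  rates_by_year: Dict[int, float],
                  insured_value: float = 1.0) -> Dict[int, Optional[float]]:
    """Year-by-year normalized utility, each year using only launches before it."""
    history = list(history)
    trend: Dict[int, Optional[float]] = {}
    for year in sorted(rates_by_year):
        m = success_estimate(history, vehicles, year)
        trend[year] = (None if m is None
                       else normalized_utility(insured_value, rates_by_year[year], m))
    return trend


if __name__ == "__main__":
    for year, u in utility_trend(HISTORY, {"LV-A"}, RATES).items():
        print(year, "floor", round(utility_floor(RATES[year]), 3), "utility", u)
```

In this constructed record the 1998 rate sits below the estimated failure fraction, so the expected fraction of premium retained is negative until the rate rises; the insured value cancels out of the normalized figure, which is why projects of different sizes can share one plot.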
With short-term effects, we note from preliminary insurance data (see Section 7.1) that
premium rates, , tend to vary inversely with insurance capacity and that capacity tends to vary with
cumulative income received in previous years. It follows that premium rates for year $T_n$ would vary
inversely with the sum of past premiums received per year, R, minus losses incurred per year, L, or:
[] {}
=
= =
1
0
) ( , ,
1
) (
n
i
i i
n
L R t g t
T t
$
where $(t,·) allows for occasional adjustments to premium rates, and g(t,·) is a function describing
insurance capacity that operates on cumulative income. Both functions are determined from the data
in Section 7.
From the long-term model, we note that the utility within a particular year would be indicated
by
$$U_{uw}(t = T_n) = \frac{r_n - E[L_n]}{r_n}.$$
By substituting previous equations for premium rate, expected loss, and the estimate of project success
into this utility function we get a predicted utility based on realized gains and losses.
[ ] { }() z L R t g t T t U
n
i
i i n uw
ˆ 1 ) ( , , 1 ) (
1
0
= =
=
$
Analysis of any trends in collected data can allow determination of functions, $(t,·) and g(·).
6.4 Client Utility
The utility functions for a client, in general, can account for multiple performance attributes.
We denote this function as U
c
(% ), where % corresponds to the set of performance attributes of
concern, such as watch items, associated with on-going risk management activities. With this
construct, a client’s risk-averse utility function would still refer to preference for some guarantee of
delivery of capabilities over a potential lottery between two levels of expressed needs.
However, without loss of generality to the overall research approach, we can simplify the
client’s utility function to be single attribute. This attribute, for example, could refer to capacity,
erlangs, or coverage for communications satellites, or resolution or sensor spectrum for weather
satellites. Specific utility functions may vary widely depending on the system under development, so
this research examines effects of several potential client utility functions with different characteristics
of risk attitude and of local risk aversion. At a minimum we examine risk-neutral and risk-averse
attitudes. We then further address three classes of local risk aversion for the risk-averse client:
constant, increasing, and decreasing. Examples of risk-averse classes are illustrated in the figure
below.
Figure 13. Example Classes of Client Utility Curves (plot of $U_c(x)$ against attribute x from 0 to 20; curve forms labelled $\sim(1-e^{-cx})$, $\sim\ln(x+b)$, and $\sim a+bx-cx^2$)
| x
k
n
h+C
B
+C
L
, the utility
becomes greater than unity to indicate an increase in client organization wealth, resources, or
capabilities. This seems reasonable in order for a client even to attempt a project. As z approaches
zero, the utility reaches its minimum, which is characterized by the lack of mission benefit and the
potential loss of satellite value depending on whether insurance has been selected. Normalizing the
utility function by wealth is appropriate since an engineering project would contribute to the
capabilities or resources a client organization already has. The size of W also may be adjusted to
account for smaller divisions within a client organization if that becomes appropriate.
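The three classes of local risk aversion named at the start of this section can be told apart numerically. This added example (not part of the dissertation) applies the Arrow-Pratt measure $-U''(x)/U'(x)$ to the three curve forms labelled in Figure 13 and computes the certainty equivalent of a 50/50 lottery for each; the parameter values, the lottery, and all names are constructed for illustration.

```python
import math
from typing import Callable, List, Tuple

Utility = Callable[[float], float]
Lottery = List[Tuple[float, float]]   # (probability, outcome) pairs

# Constructed parameters; the page gives only the curve forms.
C_EXP = 0.2                        # U(x) ~ 1 - exp(-c x)
B_LOG = 1.0                        # U(x) ~ ln(x + b)
A_Q, B_Q, C_Q = 0.0, 0.1, 0.002    # U(x) ~ a + b x - c x^2, increasing for x < b/(2c) = 25

UTILITIES = {
    "constant":   lambda x: 1.0 - math.exp(-C_EXP * x),
    "decreasing": lambda x: math.log(x + B_LOG),
    "increasing": lambda x: A_Q + B_Q * x - C_Q * x * x,
}

# Constructed lottery on the attribute: nothing delivered or full capability.
LOTTERY: Lottery = [(0.5, 0.0), (0.5, 20.0)]


def local_risk_aversion(u: Utility, x: float, h: float = 1e-3) -> float:
    """Arrow-Pratt measure -U''(x)/U'(x), estimated with central differences."""
    d1 = (u(x + h) - u(x - h)) / (2.0 * h)
    d2 = (u(x + h) - 2.0 * u(x) + u(x - h)) / (h * h)
    return -d2 / d1


def expected_value(lottery: Lottery) -> float:
    return sum(p * x for p, x in lottery)


def certainty_equivalent(u: Utility, lottery: Lottery,
                         lo: float = 0.0, hi: float = 20.0,
                         tol: float = 1e-9) -> float:
    """Guaranteed attribute level with the same utility as the lottery.

    Bisection is valid because each utility is increasing on [lo, hi].
    """
    target = sum(p * u(x) for p, x in lottery)
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if u(mid) < target:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def risk_premium(u: Utility, lottery: Lottery) -> float:
    """Expected value given up in exchange for certainty; positive when risk averse."""
    return expected_value(lottery) - certainty_equivalent(u, lottery)


if __name__ == "__main__":
    for name, u in UTILITIES.items():
        print(name,
              "r(5) =", round(local_risk_aversion(u, 5.0), 4),
              "r(15) =", round(local_risk_aversion(u, 15.0), 4),
              "CE =", round(certainty_equivalent(u, LOTTERY), 4),
              "premium =", round(risk_premium(u, LOTTERY), 4))
```

All three certainty equivalents fall below the lottery's expected value of 10, which is the risk-averse indifference described in Section 3; the classes differ only in how the local measure moves as the attribute grows.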
Figure 14. Potential Range for Client Utility for Time Period $T_n$ (plot against z from 0 to 1)
Since reasonable upper and lower bounds are constructed for the client utility function, we
can then scale candidate utility functions, such as those shown in Figure 13, to fit within these bounds.
The scaled candidate client utility functions are used for hypothesis testing.
6.5 Builder Utility
The utility function of a builder can be described as a monotonically increasing function of
earned profit. As with the client, the specific shape of this function may vary with builder and
circumstances associated with a particular contract. However, we can construct a reasonable estimate
of the shape by equating the certainty equivalent with a baseline fixed fee paid in addition to costs
incurred. For a risk-averse builder we would expect this baseline fee to be less than the expected
earned profit. This construct is consistent with cost-plus type contracts, and an estimate of reasonable
fees can be based on fees received on past projects. This is particularly appropriate on contracts that
contain a fixed base fee in addition to other fees. The range of award and incentive fees would be
contributors to the earned profit; a minimal value from the potential range would be representative of
the certainty equivalent if no base fee were applicable. Utility functions associated with firm fixed-
price contracts would probably rely on internal organization pricing strategies, but the basic premise of
associating the certainty equivalent with a minimum tolerable amount greater than incurred costs still
applies.
An example diagram of a builder’s utility function is shown in Figure 15. The builder’s
utility is a function of the percentage profit earned on a contract with the client. The expected profit, µ,
may be based on past performance, and the certainty equivalent is a base fee,
B
, expressed as a rate or
percentage of contract value. While a minimum attractive fee may vary according to situation, base
fees from past cost-plus contracts with the US government have ranged from 0% to 4%; award fees
may often range up to 15% and have averaged about 8.7% [GAO, 2005].
Figure 15. Example Construction of Builder Utility Function (plot of builder utility, $U_B$, from 0 to 1 against profit (%), marking the expected profit µ and the base fee)
In returning to the specific issue of risk transfer associated with space insurance, we note that
direct costs associated with insurance premiums would be passed on to the client. We therefore can
look at the builder-underwriter relationship two ways. For one, the builder must make the decision
whether to pursue space insurance, much like how the client would decide whether to assume or
transfer risk to underwriters. Another perspective considers that this interaction between the builder
and underwriter would be handled in addition to other project risks and through somewhat separate
activities. In both perspectives, the decision to assume or transfer risk and the ability to isolate the
modeling of this risk transfer problem from other project risks indicates that modeling the
builder-underwriter interaction would devolve into a problem similar to the client-underwriter interaction.
Thus, it is appropriate at this time to maintain focus on aspects of the client-underwriter interaction
throughout the remainder of this research.
6.6 Statutory Underwriter and Client Utilities
For the underwriter and client utility functions associated with statutory requirements for
liability and government range property damages, we consider the potential for mishaps involving
launch activities and their effects on associated indemnifications. Since the claimed US government
intent is to encourage growth in industries involved with commercial satellite and launch activities,
both underwriter and client utilities are addressed.
In construction of this utility function, it is notable that the random variables for third-party
liability and launch range damages, X and Y respectively, are additive utility independent; paired
preference comparisons of any two lotteries defined by the joint probability on X × Y depend only on
the marginal probability distribution. More simply here, we consider a multi-million dollar loss to be
preferentially just as bad whether it results from liability, property damage, or a combination of the
two. Such understanding of the random variables simplifies the resulting utility functions.
The underwriter utility function is modeled by developing a linearly decreasing function with
potential indemnifications up to the statutory limits on maximum probable loss. Beyond these limits,
the US government would indemnify for additional damages. This utility function is illustrated in
Figure 16 for the domain of one random variable. In this figure k once again is an indicator variable
for possible selection of (or requirement for) insurance and $r_s$ denotes premiums for the statutory
insurance. Also included are the indemnification limits for maximum probable loss associated with
liability, $I_{MPL-l}$, and property damage to the launch range, $I_{MPL-d}$. It is reasonable to consider the
underwriter to be at least risk-neutral over the range of potential loss since at this time such types of
insurance are required by law and there does not appear to be any need for buy-in with clients for this
business. With these effects in mind the following statutory underwriter utility is used:
$$U_{s-uw} = k\left[\, r_s - \min\left(X,\ I_{MPL-l}\right) - \min\left(Y,\ I_{MPL-p}\right) \right]$$
Figure 16. Potential Range for Statutory Underwriting Utility
[Figure: underwriter utility over the loss domain X,Y from 0 to I_MPL-l,p, with the utility levels kr_s and kr_s – I_MPL-l,p marked.]
From the current statutes and regulations, maximum probable loss limits are the minimum of
either the maximum amount reasonably available on the world-wide market or $500 million for
liability and $100 million for range property damage.
The statutory client utility function also is modeled as a linearly decreasing function of
potential loss, offset by resulting insurance and government indemnifications. For the case of
insurance purchased as required, the statutory client function should remain flat and zero-valued. For
the case of no insurance, the function can grow quite negative. The function can be described as
follows to account for all possible underwriter and government indemnifications:
[ ]
Y
X
Y
X
Y X
= +
= +
=
=
+ + +
p USG p
l USG l
p USG p USG
l MPL l USG
p MPL p
l MPL l
s p USG l USG p l c s
I I
I I
I I
I I
I I
I I
W r I I I I k U
) , 0 max(
) , 0 max(
/ ) (
The expressions $I_{USG-l}$ and $I_{USG-p}$ refer respectively to US government indemnifications for liability and
range property damages beyond the maximum probable limits. However, from the perspective of the
client this would simplify to:
[] Y X Y X
+
) (
1
s c s
r k
W
U
In other words, the client either suffers damages or is indemnified via insurance paid with premium $r_s$.
6.7 Hierarchical Risk Transfer Model
We can build upon a concept presented by Brown [1987] for cost sharing between entities
and can modify that approach to maximize client’s expected utility across demonstrated risk attitudes
of an underwriting entity. We begin by noting that maximizing the expected client utility over
underwriter attitudes has the form
[ ]
((
z
z c
U
d d f f t K U
uw
z z z ) ( ) ( ), ( , max
where $f_z(z)$ is the probability density function of z and f () is a probability density function of the
client’s estimate of premium rates in a time period of interest. The mean of f () is unity. Mission-
specific constants from the construction of the client utility function are represented by K for now.
The problem with using this form of objective function with a two-valued random variable z is that the
expected utility would account only for the maximum and minimum values of z and would be
applicable for calculations with a linear utility function. This is suitable for a risk neutral client, but it
does not account for client utility for other risk attitudes in the neighborhood of estimates for Pr[z=1].
It becomes appropriate to consider the client’s estimate for probability of successful launch and in-
orbit operations, $\hat{z}$, the corresponding distribution of that estimate, and the behavior of the utility
function around that estimate. This results in an objective function of the form
[ ]
((
z
z c
U
d z d f z f z t K U
uw
ˆ
ˆ
ˆ ) ( ) ˆ ( ˆ ), ( , max
Therefore, as the variance in $\hat{z}$ decreases (and neglecting f () for the moment), we would expect this
objective function to converge to the client utility function itself.
Some characteristics of (t) also help with simplification of the expected client utility. Since
premium rates are adjusted over time to remain consistent with the risk attitudes of this industry, it
becomes possible to solve for after the underwriter utility has been determined. It is also reasonable
for the client’s knowledge of the current premium rate to be close to an actual value since the
current rates would be revealed through any negotiations between the client and underwriter. This
potential domain of (t) will narrow throughout negotiations and would eventually converge to a
single value with probability one.
It becomes illustrative to determine how the client utility function then would vary with
demonstrated attitudes of an underwriter. From development of the underwriter utility we recall that
$$U_{uw}(t) = \frac{r(t) - E[L(t)]}{r(t)}$$
which after substituting the expression for expected loss gives us
() z
t
z t U
uw
ˆ 1
) (
1
1 ) ˆ ), ( (
=
.
Solving for premium rates as a function of $\hat{z}$ then enables construction of a client utility adjusted to
account for previous risk transfer agreements to underwriting organizations.
It is now necessary to address a constraint based on the premise of risk transfer. Upon
agreement with the premium rate and the insured amount, the client’s utility function becomes
adjusted to reflect new upper and lower bounds that account for potential indemnification of the
insured amount and costs associated with the premium rate. As a result, the slope of a monotonically
increasing utility function decreases, but it does not necessarily become linear. However, in order
for risk transfer to become attractive, the resulting utility function that accounts for insurance must be
greater than a risk-neutral utility function for conditions without insurance. The resulting optimization
problem devolves to a choice between risk transfer via insurance (k=1) if the adjusted client utility
function at the estimate for probability of mission success is greater than (i.e., preferable to) a risk-
neutral function without insurance (k=0). Otherwise, the risk should be retained. After including
constants from the construction of candidate client utility functions and allowing for different premium
rates, we then derive the following test, subject to constraints on the domain of $\hat{z}$:
[]
W
C C W
W
M
z z z U W C C h k M U
L B
n
k
uw L B c
) (
ˆ ˆ ), ˆ ( , , , , , , ,
1
1
+
+ >
=
choose k=1;
otherwise choose k=0.
This threshold criterion is applied in the hypothesis testing of Section 8. Since the variances
among probability estimates and of premium rates are anticipated to be small (see Section 7), the
testing first examines potential ranges of candidate client utility functions that would indicate
preference for risk transfer or self insurance. The decision space of interest is the space covered by $\hat{z}$
and W. Sensitivity of these results based on the data variance is assessed in Section 9.
We can derive bounds on the estimation $\hat{z}$ based on the construction of z from its constituent
random variables x and y and application of Chebyshev bounds [Stark, 1986]. First, we determine the
variance of $\hat{z}$:
()
2
| 1
1 1
2
ˆ
1
|
1 1
)
)
*
#
+
+
,
"
+
+ =
= =
x y x
n
i
i
y
n
i
i
x
z
y x
n n
E µ µ - x y x
,
where $n_x$ and $n_y$ are respectively the annual number of launch attempts and the number of satellites to enter
the first year of service. After some manipulation of terms, the variance expression greatly simplifies to
yield:
y
x y
x
x
z
n n
2
|
2
2
ˆ
1
-
-
- + =
From Chebyshev’s inequality and $\hat{z}$ as the estimator for the mean for z, we then obtain the following
bound:
[]
+
y
x y
x
x
n n
E z
2
|
2
2
1
1
] [ ˆ Pr
-
-
.
. z
The benefit of applying this bound is determination of the effect of estimation error on the choice of
risk transfer or risk retention.
6.8 Statutory Risk Sharing Model
The model describing the statutory government indemnification in the event of excessive
liability and launch range property damages is a special case of risk transfer in a hierarchy. In this
special case a hierarchically superior entity (i.e., US government) aims to promote performance of
subordinate entities. The decision to pursue the proposed risk transfer agreement or to make any
adjustments to it remains with the principal entity.
Statutes and regulations aim to benefit both potential space mission clients and potential
space underwriters simultaneously. We can model this as an attempt to encourage maximization of
utilities for both entities simultaneously and to avoid forcing a trade that would benefit one industry
over another. Costs for government indemnification would reduce this function proportionally. This
allows construction of a government utility function as follows:
() () [ ]
p MPL l MPL uw s c s USG
I I kC U U U
+
/ = Y X , 0 max , 0 max
2 1
0 0
where 0
1
and 0
2
are both greater than zero to promote mutual growth and C is a proportionality
constant for resultant government costs. (Alternatively, a function that maintains a consistent
preference of one industry over another could have the form (U
c
01
+U
uw
)
02
, but that does not appear
consistent with the intent of the statutes.)
We can then determine a recommended approach to the mandated government-industry risk
sharing scheme by maximizing the expected government utility over changes in the maximum
probable loss limits:
( ) ( ) Y X Y X Y X d d p p events loss f U
loss range party rd Y X USG
I k
p l MPL
((
3 ,
,
| , , max
,
This expression is suitable for Monte Carlo simulation after data supporting the modeling
of distributions for liability and range property loss are obtained and bounds for loss events are
determined. Alternatively, if the data for these losses appear consistent with analytic distributions, the
previous expression may be solved in closed form.
Chapter 7: Space Risk Data
7.1 Raw Data Elements
We proceed by looking at the probability of launch success, which is derived from an industry
database and summarized well by Chang [2000], [2005]. An estimate of launch probability is
obtained by reviewing the demonstrated reliability of a launch vehicle. As an example, Figure 17
shows the reliability to deliver satellites on orbit for several recently operational product lines of
launch vehicles. The worldwide aggregate for demonstrated reliability is also shown in this figure
from 1957 to present. Clearly this is a high-stakes activity, with non-trivial potential for failure and
large costs for launch vehicles and satellites. Early experience was notably rough and characterized by
less than 50% demonstrated reliability in aggregate prior to the mid 1960s.
Figure 17. Demonstrated Launch Reliability for Satellite Payload Delivery
[Figure: payload delivery success rate (0 to 1) by year, 1956 to 2004; series: Worldwide Aggregate, Atlas, Delta, Titan, Pegasus, Athena.]
From this quick look at the launch data we can see some trends already. Overall launch
reliability is fraught with some early failures for each product line and tends to exceed 80% after
roughly a dozen years. More recently we see the Pegasus and Athena product lines coming into use
with dramatic, but not necessarily unforeseen, difficulties. We can also see that as the initial failures
have been corrected, the reliability rates over time tend to smooth out and become more predictable, at
least for these product lines. Some of the smoothing, of course, is due to a greater sample size, but
improvements in the vehicle production and launch processing also are a factor. Particularly notable for
initial development of a risk model, is that the worldwide aggregate for launch reliability is—to first
order—a reasonable approximation for launch vehicle reliability for product lines that achieve a stable
reliability.
As can be expected there are also several aspects to these data that may require adjustment for
derivation of a valid risk transfer model. First, the product lines as currently shown do not
differentiate among design types within a vehicle product line; this can include differences among lift
classes that determine ability to place small, medium, and heavy weight satellites into orbit. Major
upgrades within a product line are not shown either. One can also note occasional sudden decreases in
indicated reliability. Two particular examples are with the Atlas in 1968 and the Delta in 1969. In
both cases these sudden decreases result from a single launch failure that caused the loss of multiple
satellite payloads. Thus, the figure accurately indicates the reliability of delivering payloads to orbit,
but some adjustment is necessary to properly reflect the reliability of a single launch vehicle to
deliver any number of payloads to orbit. Lastly, reliabilities of non-US launch vehicles are not
shown. Performance of these vehicles may be appropriate for development of a model with
applicability for commercial clients that may use European or Chinese launch services.
Similar types of data appear to be available for early mortality of on-orbit satellites. These
data are relevant for modeling risk transfer associated with guarantees for on-orbit performance. Such
data are presented in the next section.
Obtained data on space insurance show aggregate characteristics across the industry; these
include annual premiums collected, annual indemnifications, and average premium rates, which
permit the computation of insurance company profits and overheads. Clearly, the nature of these data
is sensitive to multiple business operations and typically is presented in open literature in aggregated
form. Fortunately, summaries of the space insurance industry include some data to indicate current
health and status of the industry [FAA, 1998], [FAA, 2002], [FAA, 2006], [Futron, 2002], [Hughes,
2000]. These data can be combined to form a contiguous history of key events. A twenty-two year
summary of annual premium and loss data for all forms of space insurance is shown in Figure 18.
Figure 18. Approximate Premiums Collected and Claims Paid for Space Insurance
[Figure: aggregate annual premium and loss ($M, -2000 to 1500) by year, 1980 to 2001, with cumulative income ($M).]
Data clearly show an increase in premiums leading up to the late 1990s, which is consistent
with documented summaries of underwriting capacity. Insurance capacity is the maximum value the
underwriting industry is willing to insure for a single satellite project. The total annual amount is the
amount the industry is willing to underwrite for all space activities in a particular year. As shown in
Figure 19, this metric has varied considerably over time.
Figure 19. Total Annual Insurance Capacity
[Figure: insurance capacity ($M, 0 to 1400) by year, 1980 to 2006.]
A quick examination of capacity indicates that it tends to increase roughly in proportion to
cumulative income shown in Figure 18. Losses in the early 1980s decreased the capacity made
available by underwriters, while gains in the 1990s, prior to 1996, contributed to capacity increases.
However, we can also note that the rate of increase in capacity relative to cumulative income is not the
same every year. This may indicate short-term adjustments to risk attitude on the part of the
underwriting entities.
In comparison to the previous two figures, we also can see in Figure 20 how underwriters
corrected for previous losses and then for capacity increases with adjustments to their premium rates.
Particularly notable is a spike in 1986, following two years of net loss, as well as similar relative
maxima around 1994 and 2001. We can also see that minimum insurance rates follow in the year just after a
maximum in capacity. Together these premiums collected, capacity, and premium rates are clear
measurable surrogates for risk attitudes over time. The combined effect of these is investigated later
as part of short-term modeling of underwriting utility.
Figure 20. Approximate Average Premium Rates for Space Insurance
[Figure: average premium rate (0.0% to 30.0%) by year, 1980 to 2006; series: Launch + 1-year Insurance, In-Orbit Insurance.]
Space insurance premiums have been noted also to depend on a variety of factors to include
[Select Committee, 1999]:
Reliability of the launch vehicle
Reliability of the satellite
Level of complexity of the satellite
Scope of coverage
Amount of insurance
Launch vehicle history
Overall design of the satellite
Product assurance plan
Satellite’s operational lifetime
Insurance capacity
Commercial versus government launched
Regulatory standards for launch vehicles
Implicitly, risk attitudes of the underwriters underscore all elements in the previous list. All these
aspects may potentially be modeled as part of future research. However, we emphasize in the initial
scope the dominant influences, which appear to be related to the launch vehicle, underwriter
status, and client operational needs.
7.2 Preliminary Trends
With this approach we can compare premiums against expected revenue for launch vehicle
product lines and launch insurance. As a point of departure, we first look at the worldwide aggregate
launch reliability over time and the overall premiums collected. This allows us to approximate a two-
decade aggregate risk function for the space insurance industry. This relationship is shown in Figure
21.
Figure 21. Aggregate Premium-Revenue Trend in Space Insurance Industry over Eighteen Years
[Figure: annual premiums collected ($M, 0 to 1000) plotted against expected revenue ($M, -1000 to 200).]
First we notice that premiums tend to be negatively correlated with expected revenue. This
may not be what was initially expected. Typically, we think of more revenue as better, which would
correspond to a utility function that increases with expected revenue. However, a negative trend as
shown above is realistic under some circumstances since as the expected revenue for a launch event
becomes potentially more profitable for the insurer, the need for space insurance would decrease, and
the premium to be collected also would decrease. By comparison, we also note that the largest
premiums are associated with events with the most potential losses, also to be expected. The greatest
difference between premium and expected revenue occurs somewhere in the middle. This tends to
indicate a concave function of collected premium versus revenue, which is consistent with a risk-
averse behavior for a decreasing utility function. However, one can also note a large amount of
dispersion among points on the right side. This is problematic and reinforces a need to separate data
along lines of launch vehicle type and satellite metrics.
We can also see the need to refine the data sets if we then attempt to estimate the local risk
aversion from the data in Figure 21. An approximation of local risk aversion is shown in Figure 22.
The conclusions at this time are similar to the previous plot: there appears to be a slightly decreasing
risk aversion with estimated revenue, but closer examination of the data set is necessary to adequately
construct prescriptive models.
Figure 22. Indication of Local Risk Aversion for Annual Aggregates of Space Insurance Data
[Figure: estimated local risk aversion (1/$, 0 to 4) plotted against expected revenue ($M, 0 to 1800).]
In particular, we notice a jump in local risk aversion where the estimated revenue is about
$400 million and a move back toward the rest of the data at around $700 million. We get some
indication of the cause by reviewing Figure 18 again. The initial jump corresponds to a contrast
between two periods with approximately the same estimated revenues, 1992 and 1994, but with different
realized losses. The premiums collected in 1994 are markedly more than in 1992 and reflect an
adjustment in risk aversion at that time. We then see a trend back toward the nominal data set with the
next high number, corresponding to 1995 and estimated revenues of about $700 million, and a noticeable
increase in premiums relative to 1994. This move back to the nominal data seems to indicate a market
adjustment to account for insurance capacity and may be evidence to some degree of price-demand
elasticity.
7.3 Launch Events
As mentioned previously, we had three key adjustments to account for in the launch data:
differentiation among design types in a single product line, reflecting only a single launch event for
launch vehicles that lift multiple satellites, and grouping of launch vehicle reliability by country or region
(e.g., US, European, etc.). Data allowing such refinements from over 6500 launch events were
obtained from the Space Systems Engineering Database maintained by The Aerospace Corporation on
launch vehicle activities captured in the open literature [SSED, 2006]. We can also restrict our view
of events to consider only launch vehicles that were available for commercial use from 1980 to 2005
since that is the period for which we have space insurance data. We also restrict data associated with
launch vehicles of the former Soviet Union to dates after 1992 since that is when commercial launch
services would have first become available. This gives us a set of launch vehicles shown in Table 6.
Table 6. Launch Vehicle Types and Service Years Considered
United States Industry
Athena I | Athena II | Atlas G | Atlas H | Atlas I
1995–present | 1998–present | 1984–1989 | 1983–1987 | 1990–1997
Atlas II / IIA / IIAS | Atlas III | Atlas V | Delta (39xx, 49xx, 59xx) | Delta II
1991–2004 | 2000–2005 | 2002–present | 1975–1990 | 1989–2006
Delta III | Delta IV | Falcon | Minotaur | Pegasus
1998–2000 | 2002–present | 1994–present | 2000–present | 1990–present
Taurus | Titan 34D | Titan II | Titan III / IIIB | Titan IVA / IVB
1998–present | 1982–1989 | 1964–2003 | 1966–1992 | 1989–2005
Europe (Ariane)
Ariane 1 | Ariane 2 | Ariane 3 | Ariane 4 | Ariane 5
1979–1986 | 1986–1989 | 1984–1989 | 1988–2003 | 1996–present
Russia / Confederation of Independent States (CIS)
Kosmos 11K65M | Proton-K | Proton-M | Rockot | Soyuz
1967–present | 1967–present | 2001–present | 2000–present | 1973–present
Russia / CIS | Ukraine / CIS
Start-1 | Dnepr | Tsiklon 2 / 3 | Zenit
1993–present | 1999–present | 1969–present | 1985–present
China (Long March)
CZ 2C / CZ 2C/SD CZ 2C / CZ
1975–present | 1990–1995 | 1984–present | 1996–present | 1988–present
India | Brazil
SLV-3 | ASLV | PSLV | GSLV | VLS-1
1979–1983 | 1987–1994 | 1993–present | 2001–present | 1997–present
Japan
H-I | H-II | H-IIA | Mu-3S | Mu-3S-II
1986–1992 | 1994–1999 | 2001–present | 1980–1984
N-1 / N-2
1969–1987
In addition to times of service, data also are needed to meet other criteria before
consideration in this table. Note that for calculations of launch success rate (or demonstrated
reliability) we still may need to consider performance prior to 1980 (or 1992) if that is when a
particular vehicle type was in operation. Launch vehicles were considered if data were available on at
least two flights. Announced retirement of a vehicle line allows it to be removed from subsequent
calculations of demonstrated reliability (shown in following figures). Also, vehicles are considered
retired if they have not been used for ten years. It is reasonable to remove retired vehicle types from
the calculations since these types would not be available for consideration by space insurance
underwriters in assessing risk transfer.
Separation of data according to product lines and industry types enables refined calculations
of demonstrated launch reliability in accordance with Section 6.2. For example, demonstrated launch
vehicle reliability for individual launch vehicle types within a single product line can be calculated as
depicted in Figure 23. This figure shows only an example set of launch vehicles for the Ariane
product line. However, we recall that it is more important for this research to consider overall industry
launch vehicle performance in comparison to industry insurance data. Thus, data such as in this
example become the constituent data for calculation of aggregate performance across industry types.
Similar breakdowns of vehicle types for all product lines across an industry are used for calculations
of overall industry reliabilities.
Figure 23. Sample of Constituent Launch Data
[Figure: success rate (0 to 1) by launch event, 1980 to 2004; series: Ariane 1, Ariane 2, Ariane 3, Ariane 4, Ariane 5.]
Calculation of the demonstrated performance for launch vehicles across the US industry is
shown in Figure 24. One finding is that the demonstrated probability of launch success is remarkably
stable even with the addition of new product lines over time and removal of retired ones. We can see
a few small short-term decreases in launch success, such as in the late 1980s and around 2006. This
decrease is more evident in the close-up view provided in Figure 25. For example, the initial drop in
1986 is associated with back-to-back failures of a Titan 34D and a Delta 3419. Rapid increases in
industry reliability around 1990 then resulted from retiring of several product lines that had
experienced prior failures and empirically had demonstrated reliability less than the rest of the US
industry. In 2006 we see another decrease that coincides with the retirement of the Delta II launch
vehicle; in this case, the demonstrated reliability of this vehicle was greater than the rest of the
industry.
Figure 24. US Aggregate Launch Vehicle Demonstrated Reliability
[Figure: values from 0 to 1 by launch event, Jan-80 to Jan-04; series: US industry overall demonstrated launch reliability, standard deviation across vehicle types.]
After updating the estimate for probability of launch success for each launch vehicle and each
launch event, we also can calculate the standard deviation of estimates across the vehicle types in
operation at a certain time. This calculation gives us an indication for the consistency of launch
vehicle performance within an industry. Since vehicle types in operation for a long time constitute
large portions of the operational vehicle population, vehicles with many years of service dominate
calculation of standard deviations for the probability estimate. Again, we see that as a population, the
US launch vehicle product lines are quite consistent. Since 2001, the standard deviation in
performance reflects continued use of reliable launch vehicle types.
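The bookkeeping described in this section, as an added example that is not code from the dissertation: vehicle types are screened by the two-flight minimum, announced retirement and ten-year idle rules, then an industry reliability and a spread across active types are computed. The launch records and vehicle names are constructed, and the pooled successes-over-attempts aggregate, the launch-weighted standard deviation and the retirement boundary conditions are assumptions, since the Section 6.2 formulas are not reproduced here.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import sqrt

MIN_FLIGHTS = 2   # from the text: a type needs data on at least two flights
IDLE_YEARS = 10   # from the text: unused for ten years means retired


@dataclass(frozen=True)
class Launch:
    year: int
    vehicle: str
    success: bool
    payloads: int = 1


# Constructed records for hypothetical vehicle types; not SSED data.
LAUNCHES = [
    Launch(1970, "Type D", True), Launch(1971, "Type D", True),
    Launch(1972, "Type D", True),
    Launch(1980, "Type A", False), Launch(1981, "Type A", True),
    Launch(1982, "Type A", True), Launch(1983, "Type A", True),
    Launch(1985, "Type A", True), Launch(1988, "Type A", True),
    Launch(1991, "Type A", True),
    Launch(1982, "Type B", False), Launch(1983, "Type B", True),
    Launch(1984, "Type B", False, payloads=3), Launch(1986, "Type B", True),
    Launch(1984, "Type C", True),
]
ANNOUNCED_RETIREMENT = {"Type B": 1990}  # constructed announcement year


def tally(launches, as_of):
    """Per type: [attempts, successes, payloads, delivered, last_year] up to as_of."""
    stats = defaultdict(lambda: [0, 0, 0, 0, 0])
    for rec in launches:
        if rec.year > as_of:
            continue
        s = stats[rec.vehicle]
        s[0] += 1
        s[1] += int(rec.success)
        s[2] += rec.payloads
        s[3] += rec.payloads if rec.success else 0
        s[4] = max(s[4], rec.year)
    return stats


def active_types(launches, as_of, retirements):
    """Types still counted at as_of, mapped to (attempts, successes)."""
    active = {}
    for name, (n, k, _pl, _dl, last) in tally(launches, as_of).items():
        if n < MIN_FLIGHTS:
            continue                      # too little flight history
        if name in retirements and as_of >= retirements[name]:
            continue                      # announced retirement (assumed inclusive)
        if as_of - last >= IDLE_YEARS:
            continue                      # idle for ten years or more
        active[name] = (n, k)
    return active


def industry_reliability(launches, as_of, retirements):
    """Pooled launch success rate and launch-weighted std dev across active types.

    Both definitions are assumptions made for this example. Launch events are
    counted once each, regardless of how many payloads they carried.
    """
    active = active_types(launches, as_of, retirements)
    total = sum(n for n, _ in active.values())
    if total == 0:
        return None, None
    pooled = sum(k for _, k in active.values()) / total
    var = sum(n * (k / n - pooled) ** 2 for n, k in active.values()) / total
    return pooled, sqrt(var)


def payload_delivery_rate(launches, as_of, vehicle):
    """Payload-based rate, which a single multi-payload failure pulls down."""
    s = tally(launches, as_of).get(vehicle)
    if s is None or s[2] == 0:
        return None
    return s[3] / s[2]


if __name__ == "__main__":
    for year in (1986, 1991):
        print(year, sorted(active_types(LAUNCHES, year, ANNOUNCED_RETIREMENT)),
              industry_reliability(LAUNCHES, year, ANNOUNCED_RETIREMENT))
    print(payload_delivery_rate(LAUNCHES, 1986, "Type B"))
```

In the constructed data, retiring the less reliable Type B raises the industry figure between 1986 and 1991, the same mechanism the text gives for the rise in US reliability around 1990, and Type B's payload-based rate falls below its launch-based rate because one failed launch carried three payloads.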
Figure 25. Close Up of US Launch Vehicle Performance
[Figure, two panels by launch event, Jan-80 to Jan-04: success rate (0.9 to 0.96) for US Industry Overall; empirical standard deviation across vehicle types (0 to 0.06).]
The same calculations on empirical success rate and standard deviation of estimates for
probability of success were performed for several other industries. Industry performance on launch
vehicles for Europe and the Confederation of Independent States (CIS) may be relevant to insurance
data since these vehicles often carry commercial satellites eligible for space insurance. Associated
calculations for these are shown in Figure 26 and Figure 27.
Figure 26. Europe Aggregate Launch Vehicle Demonstrated Reliability
[Figure: values from 0 to 1 by launch event, Jan-80 to Jan-04; series: Europe industry overall demonstrated launch reliability, standard deviation across vehicle types.]
We note in Figure 26 that demonstrated reliability and standard deviation vary
considerably over time. This results from the typical occurrence of only one or two vehicle types in
operation in any year; therefore, demonstrated industry reliability is sensitive to single vehicle
performance and any retirement of a product line. Correspondingly, standard deviation calculations
are either null for periods with only one launch vehicle, or positive during periods with more than one
vehicle.
Figure 27. CIS Aggregate Launch Vehicle Demonstrated Reliability
[Figure: success rate (0 to 1) by launch event, Jan-80 to Jan-04; series: CIS industry overall demonstrated launch reliability, standard deviation across vehicle types.]
In contrast, the demonstrated reliability of vehicles across the CIS industry is extremely
stable. This results from continued use of the same reliable launch vehicle types, with little
modification, for a very long time—several types from the late 1960s. Note also that the launch data
begins in 1992, which coincides with the fall of the Soviet Union. After this time these launch
vehicles are available for commercial launch services and potential consideration by space insurance
underwriters.
The rest of the world launch industry is treated separately from the others but in aggregate, since
launch capability in these countries is not as mature as with the previous industry sets.
Figure 28 depicts data from this industry set. Estimated probability of success is much less than that
of the US or CIS; but demonstrated reliability and even consistency of performance appears to be
improving over time.
Figure 28. Rest of World Aggregate Launch Vehicle Demonstrated Reliability
[Figure: values from 0 to 1 by launch event, Jan-80 to Jan-04; series: rest of world industry demonstrated launch reliability (China, India, Japan, Brazil), standard deviation.]
7.4 In-Orbit Events
To determine risk transfer considerations associated with in-orbit failures, we are interested
in the number of anomalies per year and potential changes in demonstrated in-orbit reliability (e.g.,
flight time to anomaly) over time. Data allowing such determination from over 10,500 anomaly events
were obtained from the Space Systems Engineering Database maintained by The Aerospace
Corporation on satellite deployment and operation activities captured in the open literature [SSED,
2006]. Figure 29 indicates the number of anomalies reported worldwide per year beginning in 1985.
Two types of anomalies are indicated: catastrophic, which result in complete loss of mission prior to
retirement, and non-catastrophic, or partial failure which results in some degradation of mission
capabilities. Anomalies in this figure correspond only to unmanned spacecraft and satellites that do not
receive in-orbit repairs; they do not include interplanetary landers, suborbital missions, the Hubble
Space Telescope, International Space Station, Mir, or space shuttle missions. The peak corresponds to
a surge in satellite deployments in the middle 1990s, and it provides a rough indication of when in-
orbit insurance risks were likely to have been realized.
Figure 29. Annual Reported In-Orbit Anomalies Worldwide
[Plot: number of anomalies (0 to 600) by calendar year of operation, 1985 to 2005. Series: partial failure experienced in calendar year; catastrophic failure experienced in calendar year.]
A more revealing indication of how the risk of in-orbit failure has changed over time is determined
by calculating the average time and distribution characteristics for an anomaly, or failure, in a
particular year. From the data previously shown, Figure 30 shows the average and standard deviation
of times to failure (in years) for the reported anomalies worldwide. Clearly, the time in-orbit
associated with a partial failure has increased over time. This can result from improvements in design
performance (longer time to first anomaly) as well as robustness (ability to maintain operation despite
previous anomalies). We also note that the standard deviation of times in orbit is also quite large,
indicating that average time to anomaly may not be a sufficient predictor for time to partial anomaly.
A more reasonable measure for assessing potential for risk transfer is the time to critical anomalies
indicated here. Despite apparent improvements in time to partial failures, critical anomalies were all
realized in the first year of operation. This figure does not include anomalies realized near the end of
a satellite design life that may lead to retired operation. Thus, the data for first-year critical anomalies
remains consistent with a typical coverage period for in-orbit insurance, and it allows some
simplification for estimating probabilities for critical in-orbit anomaly events.
Figure 30. Worldwide Reported Service Times to In-Orbit Anomaly
[Plot: year after launch (0 to 8) by calendar year of operation, 1980 to 2004. Series: average time to partial failure experienced in calendar year; standard deviation for time to partial failure; average time to critical failure experienced in calendar year; standard deviation for time to critical failure.]
It is interesting to compare the worldwide number of anomaly reports and service times to
anomaly to those associated with only clients of US satellite manufacturers. This is shown in Figure
31 and Figure 32. We can see that the data have a very similar characteristic to aggregate worldwide
results. Some differences include somewhat longer times for in-orbit partial failure events and
somewhat fewer catastrophic anomalies. Overall this indicates that missions of US clients probably
dominate worldwide data, and worldwide data are probably reasonable to use for calculations
associated with risk attitudes. One may note that these data are not parsed according to satellite bus
type. This is also reasonable for this research since satellite manufacturers with specific bus product
lines frequently upgrade these designs, roughly every couple years, and particularly since we are
interested in aggregate performance across the industry over time.
Figure 31. Annual Reported In-Orbit Anomalies for US Client Missions
[Plot: number of anomalies (0 to 600) by calendar year of operation, 1985 to 2005. Series: partial failure experienced in calendar year; catastrophic failure experienced in calendar year.]
Figure 32. Reported Service Times to In-Orbit Anomalies for US Client Missions
[Plot: year after launch (0 to 8) by calendar year of operation, 1980 to 2004. Series: average time to partial failure experienced in calendar year; standard deviation for time to partial failure; average time to critical failure experienced in calendar year; standard deviation for time to critical failure.]
We now construct an estimate of probabilities for critical anomalies in a specific year based
on the number of reported anomalies and the number of satellites successfully launched the previous
year. This is indicated as the fraction of successfully launched satellites that experience a critical
anomaly in Figure 33. We can see that the pattern associated with the year-by-year fraction
corresponds to the total number of critical anomalies reported in each year. This would indicate that
not only are there many satellites deployed in the late 1990s, a higher fraction of them experienced
critical anomalies relative to other years.
Figure 33. Demonstrated Rate of First-Year Critical Anomalies
[Plot: fraction of critical anomalies in first year (0.00 to 0.10) by calendar year of operation, 1980 to 2004. Series: year-by-year; 5-yr average.]
However, when used as an estimator for the risk of incurring a critical anomaly, the year-by-year
fraction may give overly pessimistic estimates in some years and optimistic estimates in others. This concern
is reinforced when considering the production times of both commercial and government satellites,
which typically are at least three to five years [Futron, 2004]. Design and production processes that
result in demonstrated performance may reasonably take on the order of five years to detect and
correct. Therefore, reasonable indications of long-term industry trends may consider a five-year
average of critical anomaly rates rather than a year-by-year assessment. (Validity of multi-year
averaging is examined in Section 9.2.)
7.5 Third-Party Loss and Government Range Damage Events
As mentioned previously, third party damages and range loss events during a launch event
fortunately have not been realized during the enforcement of the FAA licensing statutes. However, an
empirically derived upper bound on the probability of both these events can be determined based on
the record of US launch attempts. This is shown in Figure 34. Since this figure accounts for the
number of vehicles in current operation over time, the bound decreases with each launch attempt.
Discontinuities result from the retiring of a launch vehicle product line, and its subsequent removal
from the applicable launch attempts.
Figure 34. Empirically Derived Upper Bound on Third-Party Loss and Range Damage Launch Events
[Plot: upper bound on probability (0 to 0.02) by launch event, 1980 to 2004.]
Potential consequences associated with these two types of damage can be estimated from non-US
mishaps associated with unmanned mission launch activities. Fortunately, these also have been
infrequent. A summary of mishaps that involved fatalities is presented in Table 7 [Space Disaster,
2007], [SSED, 2006], [Douglas Aircraft, 1964], [NASA, 1983], [ANSER, 1994], [ESA, 1995].
Liability damages over time can be estimated by applying a surrogate measure for the value of life. A
measure determined by the US Department of Transportation as a benefit of averting accidental
fatality is currently $3 million [DOT, 2002]. While other actuarial values could be considered by
other entities, this provides a good basis for analysis, especially for analyses with values and utilities
associated with US government policy. Availability of launch pad repair data in open literature is
especially sparse. Potential launch pad damage can be estimated based on construction of a new pad.
A project that includes construction of a new launch pad at Brazil’s Alcantara launch site is to cost
about US$280 million [FAA, 2004].
Table 7. Summary of World-Wide Fatalities and Range Damages Associated with Launch Activities

| Date | Location | Event | Liability Damage | Range Property Damage |
|---|---|---|---|---|
| 14 April 1964 | Cape Canaveral, USA | Delta third-stage motor ignited in vehicle assembly room prior to pre-launch tests | 11 burned; 3 fatalities | N/A |
| 26 June 1973 | Plesetsk Cosmodrome, USSR | Nine killed in launch pad accident | 9 fatalities | Unknown |
| 18 March 1980 | Plesetsk Cosmodrome, USSR | Explosion while fueling Vostok-2M booster | 48 fatalities | Unknown |
| 19 March 1981 | Cape Canaveral, USA | Six technicians enter STS aft engine compartment while in nitrogen purge (manned space mission) | 2 fatalities | N/A |
| 5 May 1995 | Kourou Space Center, Guiana | Major nitrogen leak during inspection of launch pad | 2 fatalities | N/A |
| 15 February 1996 | Xichang Satellite Launch Center, China | Long March 3B veered off course and crashed into nearby village | 80 homes damaged; 57 injured (official); 6 fatalities (official) (unofficial reports much higher) | N/A |
| 15 October 2002 | Plesetsk Cosmodrome, Russia | Soyuz U disintegrated beginning 20 seconds after launch; booster struck launch pad | Forest fire; 8 injured; 1 fatality | Structural damage |
| 22 August 2003 | Alcantara, Brazil | Explosion on launch pad | 21 fatalities | Destruction of launch pad |
From this information we can construct very rough estimates for distribution of potential
liability and property range loss damages given that a damage incident occurs. These are shown in
Figure 35. The liability damages are estimated only from reported fatalities listed previously. Range
loss damages are based on roughly $200 million for a new launch pad and about 25% of this cost for
major structural repairs.
Figure 35. World-wide Empirical Distribution for Liability and Range Property Damage When Incident Occurs
[Plot: demonstrated Pr[damages < X, Y] (0 to 1) against damage surrogates X, Y in $M (0 to 200). Series: liability damages; range property damages. Annotation: no US range incidents reported for unmanned space missions since 1964 (since 1981 for manned missions).]
Since most data points in these distributions correspond to events that occurred outside the
US, it is feasible that they may overstate potential damages at low probabilities since safety procedures
and launch preparation activities among launch sites may vary. Nonetheless, these distributions still
provide a good basis of departure from available data. As the empirical distribution approaches unity,
the damages may actually be understated, since verification of this most-damaging event is
questionable. For simulation purposes it may be reasonable to triple the liability damages for this
worst event, which would correspond to an increase in fatality rate by about 2.5 and inclusion for
destruction of several hundred residential homes. This would raise the potential damage for this event
just above the maximum probable loss limit for this type of coverage.
After this adjustment, the empirical distributions—especially for liability damages—closely
resemble a power-law distribution. With this in mind the following distribution provides a remarkably
good fit for liability damages:
O
X
X X X X X F = 1
=
* 52 . 0 71 . 0 :
52 . 0
1
1 ) (
52 . 0 52 . 0
\[ F_X(X) = 1 : X > X_O \]
A bound for the domain for this random variable is included to keep the expected value finite. This
bound can be set to be consistent with government limits on liability indemnification, which is $1.5
billion plus adjustments for post-1998 inflation. A similar approach yields a distribution for potential
range property damages, but this distribution would be capped near the estimated cost of a new launch
pad. This yields the following distribution for range property damages:
209 10 * 10 55 . 11 :
28 . 0
1
8 . 1 ) (
28 . 0
) 224 . 0 log(
28 . 0
) 504 . 0 log(
28 . 0
1 = = 1
=
O
Y
Y Y Y Y Y F
Besides providing a good fit, these distributions allow for direct analytical determination of expected
government utility.
7.6 Underwriter Model
For the analysis of long-term trends for the underwriter industry, we first examine how
revised calculations for probabilities of launch success and in-orbit operations affect determination of
expected loss in comparison to premiums collected. We would anticipate that premiums collected
each year would exceed the expected losses, and that is what we see in Figure 36 for the comparison
of these metrics. Each data point in this figure corresponds to the total amount of premiums collected
in a single year and the expected loss calculated for that year. The dotted line indicates a boundary
between a profitable year and one that may likely incur a loss. Revised calculations for launch
probabilities have allowed the points to cluster along a curve.
Figure 36. Comparison of Premiums and Expected Loss from US Launch Operations by Year (1984–2001)
[Plot: average premium ($M, 0 to 1200) against expected annual loss ($M, 0 to 1200).]
Results from the previous figure are what would be anticipated, but they do not account for
estimated probability of first-year in-orbit critical anomalies. Stated premium data also account for
this. When in-orbit and launch data are combined we obtain the calculation results in Figure 37.
Inclusion of in-orbit failure data increases the expected loss by a small amount and has the effect of
spreading the points to the right. What is interesting is that four points have moved under the
boundary separating expected profitability from loss, which is not expected. These correspond to the
years 1997 to 2000, which also happens to correspond to underwriter claims of several years with high
losses [Futron, 2002] and to a period of subsequent increases in premium rates. In retrospect it is
apparent that several years of losses in the multiple tens of millions of dollars would be probable and
that an adjustment to premium rates could be anticipated.
Figure 37. Comparisons of Premiums and Expected Loss from US Launch and Anomaly Operations by Year (1984–2001)
[Plot: average premium ($M, 0 to 1200) against expected annual loss ($M, 0 to 1600).]
From Section 6.3 a utility function for a client is determined by calculating the total
premiums collected per year minus the corresponding expected loss, which is then normalized by the
collected premium. More simply we can view this as the expected fraction of revenue retained for a
particular year. When calculated values for this fraction are plotted for each year as a function of
ẑ, we see the patterns of data points in Figure 38 and Figure 39. Both plots indicate the rather narrow
range of ẑ in which the underwriters appear to operate: between about 0.89 and 0.95. Positive values
for retained fraction suggest a scatter about a slight curve for values in the upper portion of this range
and a steep drop toward the lower end. Negative values for the retained fraction correspond to years
of anticipated loss and further suggest a steep decrease in the underwriter utility for values of ẑ in this
neighborhood.
Figure 38. Determination of Long-Term Underwriter Utility (linear scale)
[Plot: fraction of retained premium (-0.5 to 0.9) against ẑ (0.880 to 0.950). Fitted curves: 1-5341*exp(-10.16*z); 1-(1.050E+11)*exp(-29.05*z)-2.965*exp(-2.873*z); 2-(1.050E+11)*exp(-29.05*z)-16.94*exp(-2.873*z).]
Figure 39. Determination of Long-Term Underwriter Utility (logarithmic scale)
[Plot: fraction of retained premium (0.1 to 1, logarithmic) against ẑ (0.880 to 0.950). Fitted curves: 1-(1.050E+11)*exp(-29.05*z)-2.965*exp(-2.873*z); 2-(1.050E+11)*exp(-29.05*z)-16.94*exp(-2.873*z); 1-5341*exp(-10.16*z).]
Three candidate utility functions also are indicated in these figures. Candidate functions were
determined by a linear minimum squared error fit on the log of the data points. This led to a good fit
with exponential functions for candidate utilities. Calculation of the sum of the squared errors with
respect to each data point allowed comparison of these functions. The function that most closely fits
the data within the indicated range of ẑ in the figure is indicated with a solid line. The corresponding
function is recommended for use within the range of data shown, but it only reaches a maximum value of about
0.8 instead of unity. This is problematic in that it seems reasonable that retaining 100% of the
premium would still be considered to be of greater value than 80% of it. This is also a problem with
the candidate with only a single exponential function, indicated by the dashed line. The other utility
constructed with two exponential functions has the benefit of following a steep drop below about
ẑ = 0.9 while also maintaining a good fit to the plotted values.
At this point it would be desirable to assess the local risk aversion function demonstrated by
the plotted values to assess whether the demonstrated risk aversion is constant or decreasing with ẑ.
Unfortunately, the deviations in demonstrated utility relative to their overall trend and their tight
clumping between probability estimates of 0.9 and 0.95 do not allow estimation of the first—and
especially second—derivatives of the utility function to converge well. In the absence of
demonstrated local risk aversion, we can assess the behavior of local risk aversion with the candidate
utilities mentioned above. Utility functions that consist of the sum of two exponential functions
decrease in their local risk aversion as ẑ approaches unity; this would indicate decreased aversion to
risk as the estimated fraction of premium retained approaches 100%. In contrast, the utility function
that consists of a single exponential function indicates constant risk aversion; the underwriter entity
would remain equally risk averse for low and high probabilities of success.
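The comparison of local risk aversion among the candidate utilities can be checked numerically. The Python sketch below is an added example, not code from the dissertation: it takes the three sets of coefficients from the Figure 38 to 40 legends, assumes that "local risk aversion" means the Arrow-Pratt measure r(z) = -U''(z)/U'(z), and uses hypothetical labels (`single_exp`, `two_exp_fit`, `two_exp_unity`) for the candidates.

```python
import math

# Candidate underwriter utilities U(z) = offset - sum(a * exp(-b * z)).
# Coefficients are those printed in the legends of Figures 38-40; the
# dictionary keys are labels chosen for this example only.
CANDIDATES = {
    "single_exp": (1.0, [(5341.0, 10.16)]),
    "two_exp_fit": (1.0, [(1.050e11, 29.05), (2.965, 2.873)]),
    "two_exp_unity": (2.0, [(1.050e11, 29.05), (16.94, 2.873)]),
}


def utility(name, z):
    """Evaluate the named candidate utility at success estimate z."""
    offset, terms = CANDIDATES[name]
    return offset - sum(a * math.exp(-b * z) for a, b in terms)


def local_risk_aversion(name, z):
    """Arrow-Pratt measure -U''(z)/U'(z) (assumed definition), closed form."""
    _, terms = CANDIDATES[name]
    d1 = sum(a * b * math.exp(-b * z) for a, b in terms)       # U'(z), positive
    d2 = -sum(a * b * b * math.exp(-b * z) for a, b in terms)  # U''(z), negative
    return -d2 / d1


def numeric_risk_aversion(name, z, h=1e-4):
    """Central-difference cross-check of the closed form."""
    lo, mid, hi = (utility(name, z + k * h) for k in (-1, 0, 1))
    d1 = (hi - lo) / (2 * h)
    d2 = (hi - 2 * mid + lo) / (h * h)
    return -d2 / d1


def zero_crossing(name, lo, hi, tol=1e-9):
    """Bisection for U(z) = 0; the utility must change sign on [lo, hi]."""
    if utility(name, lo) * utility(name, hi) > 0:
        raise ValueError("utility does not change sign on the interval")
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if utility(name, lo) * utility(name, mid) <= 0:
            hi = mid
        else:
            lo = mid
    return 0.5 * (lo + hi)


def report(grid=(0.88, 0.90, 0.92, 0.94, 0.96, 1.00)):
    """Rows of (candidate, z, U(z), r(z)) over a grid of success estimates."""
    return [
        (name, z, utility(name, z), local_risk_aversion(name, z))
        for name in CANDIDATES
        for z in grid
    ]


if __name__ == "__main__":
    for name, z, u, r in report():
        print(f"{name:14s} z={z:.2f}  U={u:+.4f}  r={r:7.3f}")
    root = zero_crossing("two_exp_fit", 0.85, 0.95)
    print(f"two_exp_fit crosses zero near z = {root:.4f}")
```
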
Returning to Figure 37 and Figure 38, we can make another observation about the negative
values of demonstrated utility. The negative values also correspond to years in which the collected
premiums were also at their highest. This suggests that despite the potential for losses—lower
estimates of mission success, ẑ—the overall industry appeared to be willing to retain low premium
rates in order to continue attracting potential clients; the potential for large income seemed more
attractive than what the industry would typically be willing to accept. This suggests risk prone
behavior in a region where the utility function initially decreases below zero. The plot suggests that
this would occur at probability estimates around 0.9. To model this aspect, we can adopt a candidate
utility function that is less than a risk neutral (linear) function below probability estimates around 0.9.
To illustrate this thought, a comparison of the candidate functions is shown below in Figure 40. All
candidate functions depict both risk averse and risk prone behavior across potential values of ẑ.
However, the figure shows the utility functions constructed by the sum of two exponential functions
are consistent with the demonstrated utility and potentially risk prone behavior in the neighborhood of
ẑ = 0.9. We would like to have data sufficient to define the utility as ẑ approaches unity; unfortunately it
is not available and remains undefined for values of ẑ above 0.95. Thus, we appear to have a choice
between one function that depicts risk-averse behavior as the probability of mission success
approaches unity and another that allows greater risk taking on the part of the underwriting industry.
Figure 40. Comparison of Candidate Underwriter Utility Functions
[Plot: candidate utility functions U(z) (0 to 1) against ẑ (0.8 to 1). Curves: 1-(1.050E+11)*exp(-29.05*z)-2.965*exp(-2.873*z); 1-5341*exp(-10.16*z); 2-(1.050E+11)*exp(-29.05*z)-16.94*exp(-2.873*z); risk neutral for average premium rate.]
Since an objective of this research is to determine empirically demonstrated utility and the
resulting client decision to transfer or retain risk, we restrict our defined utility function for values of
ẑ that have been previously demonstrated. Further examination of the utility at limiting values of ẑ is
to be retained for subsequent research. We are left with the following recommended utility function
for the entity willing to accept risks, which is based on the best fit for the demonstrated utility:
For ẑ ∈ [0.86, 0.96],
\[ U_c = 1 - 1.050 \times 10^{11} \exp(-29.05\,\hat{z}) - 2.965 \exp(-2.873\,\hat{z}) \]
For short-term examination of an entity that may accept risks, we look for the demonstrated
relationship over time among aspects of the premium rate, capacity—or amount the entity is willing to
risk—and cumulative income. It is illustrative to break this down in accordance with the steps
presented in Section 6.3; that is, to assess the inverse relationship between premium rate and capacity,
the relation between capacity and cumulative income, and then their combination.
One would expect that capacity would increase with cumulative income. Data confirm this as
indicated in Figure 41; however, as expected, the relation between capacity and income varies with
time. Rather than plotting only year-by-year values, this figure connects the values by year to indicate
the trajectory of trends for determining capacity over time. Three surprisingly linear trends appear to
have occurred over this fifteen-year period. Each increase between several-year trends corresponds to
an apparent willingness to put at risk a larger sum of resources (e.g., consequence of money) on
accepting potential client risks. The slope of each trend indicates the sensitivity of capacity increases
to cumulative income. Interestingly, the slopes are similar across all years. Also telling is the large
capacity for small income associated with years 1998 to 2000, which corresponds to years of probable
loss indicated previously. In year 2001, the capacity decreased by about $80 million. Available data
do not extend beyond 2001, but a feasible trend derived from the average of slopes for previous years is
indicated in the figure.
Figure 41. Comparison of Capacity for Accepting Risk Against Cumulative Income
[Plot: capacity ($M, 0 to 1400) against cumulative income ($M, -400 to 1200), trajectory from start: 1987 to end: 2001. Trend lines: ~[0.48983(R-L)+264.6]; ~[0.47463(R-L)+461.5]; ~[0.78303(R-L)+1106]; ~[0.583(R-L)+1025]?]
Figure 42 shows a similar assessment to relate average industry premium rates to the inverse
of cumulative income. As before, there are a number of nearly linear trends, most with positive
slopes, which would indicate a tendency to increase premium rates inversely to capacity. In contrast
to the previous figure, there do not appear to be incremental jumps in premium rates. Instead there
appear to be transition years in which rates creep to the next linear trend. The first transition region
begins in 1992. Another seems to occur in years 2002 to 2004 in which rates appear to be capped at
20%. This follows a very steep slope with a trend that began in 1999, ostensibly in response to losses
in previous years. A change in the rate-to-capacity relation also appears to occur in the two years
preceding an adjustment in capacity-to-income and then again as a new capacity-income trend is
followed.
Figure 42. Comparison of Average Premium Rates and Cumulative Income
[Plot: premium rate (0% to 25%) against 1/Capacity (0.000 to 0.014), trajectory from start: 1987 to end: 2005, with transition years marked. Trend lines: ~[-37.64/C+0.2610]; ~[9.832/C+0.1238]; ~[88.36/C-0.0081]; ~[374.0/C-0.2108]; ~[0.2000]; ~[152.2/C-0.1804]?]
These trends are then combined to derive the time varying function
$(t,3(R-L)), which further allows derivation of a time varying utility of the form U=1-$(t,3(R-L))(1-ẑ).
Construction of the function $(·) in this form has an advantage of allowing general modeling of
many different types of entities that have the potential to gain or lose significant resources upon the
acceptance of risks from a client organization. From the preceding discussion we can model
adjustments in risk attitude for time periods T_n in the form:
\[ \$(t = T_n) = \left[ \frac{c_n}{a_n (R - L) + b_n} + d_n \right]^{-1} \]
In this model, a_n and b_n form a schedule for determining the amount of organization resources
potentially to be expended on a project. In this research problem the organization is the underwriting
entity, and the expense is money in the amount of insurance capacity. Stepwise adjustments in
capacity are affected by changes in b_n, and the planned response to near-term income changes is
determined by a_n. A contract rate charged to a client entity is determined by a schedule consisting of
c_n and d_n. This determines the degree to which an organization aims to recoup for past losses or
sustain past revenue. Market conditions—probably basic attractiveness to potential clients—appear to
preclude viability of any stepwise changes in this latter schedule. Instead, the schedule formed by c_n
and d_n appears to create a continuous relation between premium rate and reciprocal of capacity. The
effect is that c_n and d_n determine a planned response to capacity changes, often to reduce rates as
capacity builds during a time period T_n. These coefficients also allow, or at least describe, creation of
transition periods between a former and new schedule.
The aim for constructing the function $(·) is to allow assessment of changes in utility over
time. The resulting function of time, cumulative income, and estimate of mission success probability is
shown in tabular form below for nine periods that extend over 19 years. Results from this table can
allow timely estimation of current utility for an entity if background data on cumulative income are
available for the entity to accept a risk. It also has the significance of allowing short-term refined
estimation of underwriter utility in addition to long-term trends.
Table 8. Empirically Determined Time Varying Function of Client Utility
U_UW(t,3(R-L), ẑ) = 1-$(t,3(R-L))(1-ẑ)

| Years (T_n) | $(T_n,3(R-L)) |
|---|---|
| 1987–1991 | \(\left[\frac{9.832}{0.4898\,(R-L) + 264.6} + 0.1238\right]^{-1}\) |
| 1992–1993 | \(\left[\frac{-37.64}{0.4898\,(R-L) + 264.6} + 0.2610\right]^{-1}\) |
| 1994 | \(\left[\frac{-37.64}{0.4746\,(R-L) + 461.5} + 0.2610\right]^{-1}\) |
| 1995–1997 | \(\left[\frac{88.36}{0.4746\,(R-L) + 461.5} - 0.0081\right]^{-1}\) |
| 1998 | \(\left[\frac{88.36}{0.7830\,(R-L) + 1106} - 0.0081\right]^{-1}\) |
| 1999–2000 | \(\left[\frac{374.0}{0.7830\,(R-L) + 1106} - 0.2108\right]^{-1}\) |
| 2001–2002 | Est.: \(\left[\frac{374.0}{0.5824\,(R-L) + 1025} - 0.2108\right]^{-1}\) |
| 2003–2004 | 5 |
| 2005 | Est.: \(\left[\frac{152.2}{0.5824\,(R-L) + 1025} - 0.1804\right]^{-1}\) |
Chapter 8: Risk Transfer and Risk Sharing Analysis
8.1 Hierarchical Risk Transfer
After quantitative characterization of relevant probabilities for launch success, one-year in-
orbit mission success, and demonstrated attitudes toward accepting the transfer of these risks by
underwriting entities, the ability to model desirability of risk transfer from the perspective of a client
becomes possible. Since potential client attitudes toward risk can vary considerably, this section
addresses several classes of client risk attitudes to form a representative sample of potential decisions
these attitudes should imply when associated with transfer of these risks to a separate entity. Two
commonly described attitudes—risk-neutral and constantly risk-averse—are examined first since they
are often used in literature and can apply to a wide range of situations. Decreasingly risk-averse
attitudes are then examined since they may have particular relevance to large client entities. Finally,
increasing risk aversion and risk-prone behavior are investigated.
From the discussion in Section 6.6 on the methodology for assessing risk transfer, basic
equations and selection criteria can be derived for each class of client risk attitudes after the
demonstrated long-term underwriting utility has been determined. To begin, consider the decision
inequality, repeated below, which has the following general form:
[]
W
C C W
W
M
z z z U W C C h k M U
L B
n
k
uw L B c
) (
ˆ ˆ ), ˆ ( , , , , , , ,
1
1
+
+ >
=
If the inequality holds true for k=1, then the recommended action for the client would be to pursue risk
transfer via insurance. The left side of the inequality refers to the extant risk attitude of the client,
which can have many different forms after it has been adjusted to account for insurance costs. These
costs are incorporated by including the demonstrated risk attitude of an underwriting entity, or
) (ˆ
1
z U
uw
. From the methodology discussion we also know that the adjusted client risk attitude has a
lower bound of [h-(ẑ)h-(C_B+C_L)+W]/W, which corresponds to insured value minus costs for
insurance, production, and launch relative to entity wealth. We also know that the client attitude has
an upper bound of [ n M-(ẑ)h-(C_B+C_L)+W]/W, which corresponds to mission value minus associated
costs relative to entity wealth. Both upper and lower bounds are determined in part by the premium
rate, which is a function of the estimate for probability of mission success. This rate is determined
directly from the demonstrated underwriter utility function. The right side of the inequality indicates a
risk-neutral attitude in the absence of insurance. This side is a threshold for the viability of risk
transfer via insurance.
Specific client utility functions can vary widely according to changing client attitudes and
decision environments in which a potential risk transfer would be determined. However, fundamental
classes of risk attitudes can be examined by assessing risk transfer viability for a representative utility
function in each class. These representative client utility functions, after adjustment for insurance
effects, can then be examined for a realistic range of mission success.
Among the simplest representative client utility functions to derive is that for a risk-neutral
attitude. We begin with a linear function of the estimate for mission success that ranges from loss of
mission to the mission benefits offset by construction and deployment costs. After modifying this
function for potential indemnification upon mission failure and adjusting for insurance premiums, we
can derive the following selection criteria for an estimate of mission success probability:
If:
()
W
C C W
W
M
z
W
W C C h
ce ae
z
h
W
h M
z z U
L B
n L B
z d z b
n
k
neutral c
) (
ˆ
) (
ˆ 1
) (
ˆ ˆ
ˆ ˆ
1
+
+ >
+ +
+
+
=
=
choose k=1 (risk transfer via insurance);
otherwise choose k=0 (retain risk, or self-insure).
From the determination of underwriting utility, several terms in the numerator for client utility are
used in the expression for (ẑ):
a = 1.050×10^11
b = 29.05
c = 2.965
d = 2.873
Since the expression for premium rate does not change in this section, subsequent client utility
functions herein simply replace the exponential expression with the term (ẑ) in accordance with the
following relation:
z d
ce
z b
ae
z
z
ˆ ˆ
ˆ 1
) ˆ (
+
=
This replacement also should ease the readability of the representative client utility functions.
From an examination of the decision criterion, one can anticipate that under reasonable
probabilities of mission success, the adjusted client utility would be less than the unadjusted risk-
neutral utility function. This is a reasonable conclusion since a risk-neutral client would begin from a
position of willingness to accept the lottery between mission loss and mission success. Risk transfer
via insurance would ameliorate the severity of potential consequences and decrease the potential
benefits by the insurance premium. The adjusted client utility for high success probabilities would
still remain less than an unadjusted risk-neutral attitude between.
This is illustrated in Figure 43. On the left side the adjusted and unadjusted functions
indicate the potential difference between the indemnified and risk-assumed losses relative to the total
wealth of the organization. Both functions here indicate a decrease from a pre-project wealth of unity;
they differ by the insured value minus the premium. Somewhere in the middle the two functions cross.
To the right of this point, the unadjusted risk-neutral function is greater and indicates preference to
retain the risks. To the left of this point, the preference changes toward insurance because the
modeled premium rates for these low estimates of mission success probability do not offset the value
of potential indemnification. Moving to the extreme right side of this figure, the illustration indicates
how the two functions converge again as probability of success approaches unity. Again, this is
sensible since a client in such a position would not agree to pay much for an insurance premium, nor
could an underwriter justify requesting it. The region on the right with increasing slope, forming a
slight trough underneath the original linear function, is the region of particular interest because success
probabilities greater than 0.85 constitute the decision region for both the client and underwriter. It is
also the region for which supporting data exist. As a result, the adjusted utility function becomes less
defined for probability estimates less than 0.85. In this figure a premium rate of about 15.7%—the
average launch+1st-year rate—was used for lower probabilities. One could argue that premium rates
for low probabilities would be much higher, which would reduce the adjusted utility function even
lower and increase the range of probabilities that correspond to retention of risk. However, it is
reasonably more likely that an underwriter would not even accept the financial risk for such low
probabilities of success.
Figure 43. Effect of Insurance Premium on Risk-Neutral Client
[Plot: adjusted and non-adjusted risk-neutral client utilities versus estimate for probability of mission success, ẑ (0 to 1). Curves: risk-neutral adjusted for transfer; original risk-neutral utility. Region annotation: prefer risk retention. Conditions: client wealth = cost of satellite; insured at full satellite cost; mission benefit = 3 × satellite cost; launch costs = 40% of satellite costs.]
The previous illustration demonstrates that if the US government is indeed risk neutral, it
should not pursue insurance for purposes of risk transfer under reasonably demonstrated probabilities
of mission success. Interestingly, one may also note that since the entire adjusted client utility
function in the previous illustration is less than a linear function connecting its end points, the adjusted
client utility would be consistent with a slight risk-prone attitude. This is contrary to the original risk
attitude. While part of this contrary depiction is the result of using a moderate (i.e., average) premium
rate for low probability values, it does illustrate that pursuit of insurance for these purposes is
inconsistent with the original attitude of such a client.
This raises the question regarding what conditions would drive a client to adopt risk-neutral
behavior, or at least attitudes that come close to demonstrating it. Thus, even if an organization would
not consider itself risk neutral, it is illustrative to investigate the other risk attitudes to understand
when risk-neutral attitude may be a reasonable approximation. This becomes more evident when the
effect of organization wealth is included in criteria for risk transfer.
The effect of wealth can be seen on the degree of preference for risk transfer when we
consider a risk-averse attitude for a client. Figure 44 shows the preference for risk transfer for a risk-
averse client relative to a risk neutral criterion adjusted for insured consequences. In this example the
decision criterion is as follows:
If:
()
()
()
W
C C W
W
M
z
W
W C C h z h
e
e W
h M
z U
L B
n
L B z c
c
n
k
const averse c
) (
ˆ
) ( ) ˆ (
1
1
) (
ˆ
ˆ
~
~
1
_
+
+ >
+ +
+
=
=
choose k=1;
otherwise choose k=0.
This corresponds to a client with a constant level of local risk aversion over the domain of the estimate
of success probability. Positive values indicated in the figure for probabilities less than about 93
percent indicate preference for risk transfer; the higher the value, the greater the preference. A
discontinuity in slope around ẑ = 0.9 is an artifact of modeling premium rates below this probability
estimate. Actual preference values may reasonably be decreased a few percent, but the choice to
transfer risk in this neighborhood of ẑ still holds. For probability estimates above about 93 percent,
the recommended choice for this client would be to retain the risk and forgo insurance. This is a
significant result since the certainty equivalent associated with that success probability in this example
would be close to ẑ = 77 percent. Also significant is the degree to which organization wealth
decreases the preference for risk transfer. While this may have been expected, this model indicates
that even when the criteria for risk transfer have been met, the degree of its preference is reduced to a
very low level even for organizations with assets a few tens of times more than the satellite project
production costs.
Figure 44. Preference of Insured Risk-Averse Client to Risk Neutrality
[Plot: preference for risk transfer versus estimate for probability of mission success, ẑ (0.85 to 1). Curves: W = C_B; W = 3C_B; W = 10C_B; W = 30C_B. Conditions: client wealth (W) = multiple of satellite costs (C_B); insured at full satellite cost; mission benefit = 3 × satellite cost; launch costs = 40% of satellite costs; risk premiums approximately 15%.]
Nonetheless, the criterion for risk transfer here is met at the same probability estimate,
however weakly, for all organizations regardless of wealth. This effect of coincidence results from an
originating client utility function that is constantly risk averse; local risk aversion remains unchanged
over the domain of the random variable of interest. In this class of risk aversion, the degree of local
risk aversion is determined by the parameter c̃, which in this figure has a value of 3. Increases to this
parameter would correspond to greater risk aversion and higher thresholds for risk retention.
It is helpful to interpret preferences in terms of the decision regions for risk retention and
risk transfer. This is useful for summarizing the association of wealth and success probability for
large organizations or organizations that may account for project risks within a division or other
sub-entity. For this particular class of constantly risk-averse attitudes, the decision region can be
expressed solely in terms of a threshold against mission success probability. Wealth can provide
another dimension to this threshold when the class of decreasing risk aversion is examined.
In contrast with the previous class, a client utility function with decreasing risk aversion
corresponds to an attitude in which aversion to a lottery of potential consequences decreases as the
probability of meeting the most beneficial consequence increases. This class of risk attitude may be
very suitable for an organization that can absorb a potential loss since the risk may seem more
tolerable if the chance for dire consequences seems low [Keeney, 1976]. For this class of risk
attitude, the following specific criteria are examined:
If:
()
W
W C C h
W
h M
z
W
W C C h z h
W
h M
z z U
L B
n
L B
n
k
decr averse c
+ +
+
>
+ +
+
+
)
)
*
#
+
+
,
"
=
=
) ( ) (
ˆ
) ( ) ˆ (
1 1
) (
exp ˆ ln ˆ
1
_
choose k=1;
otherwise choose k=0.
When this class of client utility function is examined for different levels of organization wealth, a
similar family of curves is obtained as shown in Figure 45. As before, wealth has a significant effect on
reducing the degree of preference for risk transfer. However, in this class the threshold for choosing
risk transfer or risk retention changes with wealth.
Figure 45. Preference of Insured Decreasingly Risk-Averse Client to Neutrality
[Plot: preference for risk transfer versus estimate for probability of mission success, ẑ (0.85 to 1). Curves: W = C_B; W = 3C_B; W = 10C_B; W = 30C_B. Conditions: client wealth (W) = multiple of satellite costs (C_B); insured at full satellite cost; mission benefit = 3 × satellite cost; launch costs = 40% of satellite costs.]
This time the wealth significantly alters the threshold for risk transfer. The corresponding
decision regions are shown in Figure 46. What is interesting here is that this utility function indicates
not only decreased sensitivity of preferences on project risk as the wealth increases but also
justification for retaining the risk even with assets of only about ten times the project costs. This
particularly holds over the domain of interest for estimated success probabilities above about 85
percent. Specific client attitudes for this class may vary, of course, but the applicability to large
organizations and the trend of decreasing the threshold for risk retention still holds. In this particular
example the certainty equivalent for the utility function with equivalent wealth and satellite costs (W = C_B)
is about 80 percent—a good degree of risk aversion relative to risk-neutrality in the absence of
insurance. Some variations in client utility functions among specific organizations can be expected.
Further decreases in the certainty equivalent would result in an increase in the threshold by a few
percent, potentially emphasizing that costs associated with a risk transfer agreement could offset
potential gains in transferring the risk.
Figure 46. Decision Regions for Decreasingly Risk-Averse Class of Client
[Plot: wealth (multiple of satellite costs, 0 to 30) versus estimate for probability of mission success, ẑ (0.85 to 1). Regions: transfer risk; retain risk.]
As an example, consider a launch and operation of a communications satellite.
Manufacturing costs for a satellite within state-of-the-art may reasonably cost a couple hundred
$million. A large organization with this risk attitude and several $billion in total assets should choose
to retain launch and first-year insurance. Several commercial satellite companies may belong in this
category as well as most any government capable of acquiring and operating space missions.
For completeness, it is helpful to briefly investigate both increasingly risk-averse and risk-
prone attitudes. While mathematically possible, it is difficult to construct a meaningful application for
associating increasing aversion to a risk as the probability of approaching a most beneficial
consequence increases. Put in the context of corporate wealth, perhaps one could envision an
organization that takes chances when small but desires to strongly retain what it has obtained as it
gains wealth. A decision criterion for one class of increasing risk aversion is shown as follows:
If:
()
W
C C W
W
M
z
W
W C C h z h
W
h M
z
W
h M
z z U
L B
n
L B
n n
k
incr averse c
) (
ˆ
) ( ) ˆ ( ) ( 2
ˆ
) (
ˆ ˆ
2
1
_
+
+ >
+ +
+
+
=
=
choose k=1;
otherwise choose k=0.
The corresponding family of curves for this class is shown in Figure 47. This has a similar shape and
characteristic to the constantly risk averse class of client utility functions. Wealth has a similar effect
on degree of preference for risk transfer or risk retention. We can anticipate that the decision region
would vary with success probability. In this example the increase in local risk aversion grows large
for estimated success probabilities above 0.95. The effect on this family of curves is that the degree of
preference for risk retention is reduced slightly at these high probability estimates. However, the
comparatively small change in local risk aversion at lower probability estimates, relative to constant
risk aversion, results in no apparent change in the decision region as a function of wealth. For
purposes of decision-making, this class of client may be well served by a utility function that
corresponds to constant risk aversion.
Figure 47. Preference of Insured Increasingly Risk-Averse Client to Neutrality
[Plot: preference for risk transfer versus estimate for probability of mission success, ẑ (0.85 to 1). Curves: W = C_B; W = 3C_B; W = 10C_B; W = 30C_B. Conditions: client wealth (W) = multiple of satellite costs (C_B); insured at full satellite cost; mission benefit = 3 × satellite cost; launch costs = 40% of satellite costs.]
Since the risk-prone client would tend to prefer the lottery between potential consequences
over a particular certainty equivalent, we would not expect risk transfer modeling to indicate
preference for insurance under any circumstances. This conclusion is consistent with the previous
discussion on a previously risk-neutral client, except that for risk prone, the lottery is preferred. That
indeed is the case illustrated in Figure 48. The family of curves in this figure corresponds to a
constant risk-prone attitude. The criteria for this class of utility function are the same as for the
constantly risk-averse utility function, except that the aversion parameter, c̃, has a value of -2 in this
figure. As with all the previous classes of client utility, wealth in this case has the effect of decreasing
the relative degree of preference, which in this case is to retain the risk.
Figure 48. (Lack of) Preference of Insured Risk-Prone Client to Neutrality
[Plot: preference for risk transfer versus estimate for probability of mission success, ẑ (0.85 to 1). Curves: W = C_B; W = 3C_B; W = 10C_B; W = 30C_B. Conditions: client wealth (W) = multiple of satellite costs (C_B); insured at full satellite cost; mission benefit = 3 × satellite cost; launch costs = 40% of satellite costs; risk premiums approximately -4%.]
8.2 Statutory Risk Sharing
The statutory risk sharing model can be viewed as a special case for modeling of hierarchical
risk transfer. The mission benefit in this problem is the promotion of mutual growth in subordinate
entities of the space system client and underwriter industries. In this problem the government pays for
liability and launch range damages that exceed statutory and regulatory limits on maximum probable
loss. Damages below these limits are covered by the underwriter entities. Costs from the government
perspective are handled as though the government is risk-neutral to covering excess damages. The
objective in this section is to examine how changes in the statutory limits would affect a government
utility function that contains constituent utility functions for client and underwriter entities.
Several constituent utility functions and supporting data derived previously are repeated
below. The government utility has the following form.
() () [ ]
p MPL l MPL uw s c s USG
I I kC U U U
+
/ = Y X , 0 max , 0 max
2 1
0 0
U_s-c and U_s-uw are respectively the constituent client and underwriter utility functions for the liability
and range damage risks. The right-most term corresponds to potential government costs, scaled
according to a degree of dissatisfaction for paying them. The constituent client utility has the form
below, which corresponds to potential loss and potential indemnification with paid insurance.
[] Y X Y X
+
) (
1
s c s
r k
W
U
The constituent underwriter utility has the following form, which corresponds to received premiums
for this coverage minus potential losses up to the indemnification limit.
() ( ) [ ]
p MPL l MPL s uw s
I I r k U
, min , min Y X
From the available data, approximations for the distributions on liability and launch range damages
respectively are repeated below.
O
X
X X X X X F = 1
=
* 52 . 0 71 . 0 :
52 . 0
1
1 ) (
52 . 0 52 . 0
209 10 * 10 55 . 11 :
28 . 0
1
8 . 1 ) (
28 . 0
) 224 . 0 log(
28 . 0
) 504 . 0 log(
28 . 0
1 = = 1
=
O
Y
Y Y Y Y Y F
A reasonable upper limit for the liability damages is about $1.7 billion. From US launch data, an
upper bound on the probability of occurrence for each type of damage event would be less than about 1
percent.
After inserting utility functions for the statutory client and underwriting entities as well as
derived probability density functions for potential damages, the following expression is obtained to
describe expected government utility for promoting growth in two constituent industries:
() [] () ( ) ( ) []
((
×
)
*
#
+
,
"
+ =
00
2
1
,
** ,
, min , min , max
Y
Y
X
X
l MPL l MPL s USG
I k
I Y I X r k Y X r Y X
W
k
U E
p l MPL
0
0
Y X
() ( ) [] dXdY p p Y X I X I X kC
loss range party rd l MPL l MPL
×
+
3
28 . 1 52 . 1
, 0 max , 0 max
To simplify this expression somewhat, we note that for k=0, the expected utility goes to zero,
indicating here that lack of a risk-sharing agreement does not provide apparent benefit or penalty to
the US government. We continue with k=1.
Solving for the statutory limits on maximum probable loss, this expression now reduces to:
() []
)
*
#
+
,
"
=
+
28 . 0 52 . 0
) 28 . 0 )( 52 . 0 (
4
,
2 1
p MPL l MPL USG
I I
W
r
Y X U E
0 0
()
( )
()
52 . 0 28 . 0 28 . 0
2
2
1 1
*
) 28 . 0 )( 52 . 0 ( ) 28 . 0 ( 52 . 0
°
)
*
#
+
,
" +
+
+
0
0 0
0
l MPL
I Y Y
W
WC r
W
r
( )
48 . 0
28 . 0 28 . 0
52 . 0
) 28 . 0 )( 48 . 0 (
*
) 28 . 0 )( 52 . 0 (
2
2 1
l MPL l MPL
I
Y Y C
I
W
r
+
)
*
#
+
,
"
°
+
)
*
#
+
,
"
+
0 0
l MPL l MPL
I
W
Y WCX
I
W
Y X r
)
*
#
+
,
" °
+
)
*
#
+
,
" °
+
) 28 . 0 )( 52 . 0 (
*
) 28 . 0 )( 52 . 0 (
*
28 . 0 52 . 0 28 . 0 52 . 0
2
1
0
0
()
( )
()
28 . 0 52 . 0 52 . 0
2
2
1 1
*
) 28 . 0 )( 52 . 0 ( ) 28 . 0 ( 52 . 0
°
)
*
#
+
,
" +
+
+
0
0 0
0
p MPL
I X X
W
WC r
W
r
( )
72 . 0
52 . 0 52 . 0
28 . 0
) 72 . 0 )( 52 . 0 (
*
) 28 . 0 )( 52 . 0 (
2
2 1
p MPL p MPL
I
X X C
I
W
r
+
)
*
#
+
,
"
°
+
)
*
#
+
,
"
+
0 0
p MPL p MPL
I
W
Y WCX
I
W
Y X r
)
*
#
+
,
" °
+
)
*
#
+
,
" °
+
) 28 . 0 )( 52 . 0 (
*
) 28 . 0 )( 52 . 0 (
*
28 . 0 52 . 0 28 . 0 52 . 0
2
1
0
0
( )
()
( )
()
)
*
#
+
,
"
°
+
)
*
#
+
,
"
°
+
) 28 . 0 ( 52 . 0
* *
) 28 . 0 ( 52 . 0
* *
2
52 . 0 52 . 0 28 . 0
2
28 . 0 28 . 0 52 . 0
2 1 2 1
0 0
0 0 0 0
W
X X Y r
W
Y Y X r
( )
)
*
#
+
,
" ° + ° +
+
+
) 28 . 0 )( 52 . 0 (
* * * *
28 . 0 52 . 0 28 . 0 52 . 0 28 . 0 52 . 0
2 1
W
Y X Y X Y X r
0 0
( ) ( )
loss range party rd
p p
Y X X Y Y X
C
)
*
#
+
,
" °
°
+
° °
+
3
72 . 0 52 . 0 52 . 0 28 . 0 28 . 0 48 . 0
) 72 . 0 )( 52 . 0 (
*
) 28 . 0 )( 48 . 0 (
*
This lengthy expression allows investigation of changes in the expected utility for the US government
over ranges in the underwriter’s statutory indemnification limits (I_MPL-l and I_MPL-p) and coefficient for
dissatisfaction with funding government indemnifications for damages (C). In particular, this problem
addresses the resultant utility over ranges of both indemnification limits simultaneously. This allows
calculation of a surface over the range of I_MPL-l × I_MPL-p that indicates expected utility for the
government based on empirical data of risk events. To ease calculation somewhat, we can preserve the
conditions for mutual growth of the subordinate entities (client and underwriter) by letting 0_1 = 0_2.
These particular exponents affect the magnitude of the gradient of the utility, but the overall direction
toward mutual benefit is maintained; therefore this simplification is reasonable for now.
The surface that depicts the calculated utility over ranges of both types of limits on maximum
probability of loss is shown in Figure 49. These limits act as thresholds such that potential excess
damages beyond these limits are indemnified by the government. The shape in this figure
corresponds to 0_1 = 0_2 = 1, and a government cost penalty coefficient of 10, which indicates strong
government dissatisfaction for paying these excess damages. This example indicates that above
relatively low thresholds for indemnification limits the utility function becomes positive. The vertical
scale increases with the cost penalty coefficient, C, which indicates corresponding benefit with
increasing the damage threshold.
Figure 49. Expected US Government Utility for Ranges of Risk-Sharing Thresholds (Large Cost Penalty)
[Surface plot: expected government utility versus potential limit on liability damage ($M), I_MPL-l, and potential limit on launch range property damage ($M), I_MPL-p. Conditions: large cost penalty (10 × actual costs); equal promotion of client and underwriter entities.]
The shape remains roughly the same with changes in the exponent for client coefficient, 0_1.
This results because as long as the agreement for government indemnification remains in enactment
(k=1), the client would not suffer significant losses. From the previous analysis on risk sharing, we
can see that this benefit of government indemnification particularly would benefit small clients that
could experience dire additional consequences with significant losses.
When cost penalty goes to unity, indicating neutral attitude to indemnified costs, the partial
derivative with respect to both limits reaches zero, indicating a maximum. In the example shown in
Figure 50, the maximum occurs at a liability limit of $565 million and property loss limit of $197
million. This indicates that there may be perceived benefits to increasing the current limits on
maximum probable loss under these conditions.
Figure 50. Expected US Government Utility for Ranges of Risk-Sharing Thresholds (Unity Cost Penalty)
[Surface plot: expected government utility versus potential limit on liability damage ($M), I_MPL-l, and potential limit on launch range property damage ($M), I_MPL-p. Conditions: low cost penalty (1 × actual costs); equal promotion of client and underwriter entities.]
The surface shape, however, is quite sensitive to changes in the growth coefficient for the
underwriter. At values of 0_2 less than about 0.95 the utility remains negative. At about 0.95, which
indicates slight preference for growth of client versus underwriting entities, the optimum positive
value occurs at liability and property damage limits of $430 million and $100 million, close to the
current statutory limits. As this exponent increases beyond about 1.5, the surface becomes convex.
This indicates that preference for promotion of growth for underwriting entities would dominate any
penalties perceived for government costs and would continue to increase as the limits on damages
increase. An example of this convex surface is shown in Figure 51 for an exponent value of 2.
Figure 51. Example of Risk Sharing Utility for Large Underwriter Growth Coefficient
[Surface plot: expected government utility versus potential limit on liability damage ($M), I_MPL-l, and potential limit on launch range property damage ($M), I_MPL-p. Conditions: low cost penalty (1 × actual costs); preferred promotion of underwriter entities.]
However, the applicability of underwriter growth exponents much above about 1.0 is
probably not good anyway since it is unlikely that particular benefits would be provided to a
supporting industry to the originating acquisition and operating client. Reasonable values for both
client and underwriter exponents appear to be in the small neighborhood of 1.0.
Chapter 9: Evaluation of Results
9.1 Hypothesis Evaluation
The main hypothesis is that an allowable practice on establishing fees for space insurance
results in setting system costs higher than a large client organization’s risk threshold should allow.
Particular interest focuses on testing this hypothesis for space projects operated by the US
government. In the strict sense of assessing the hypothesis against claims of a risk-neutral
government, this hypothesis has been shown to be valid. The potential benefits associated with pursuit
of risk transfer via insurance do not offset the fees incurred by an a priori risk-neutral client. These
fees can be assessed either through direct negotiation and contracting between client and underwriting
entities, or they may be paid by a builder and passed on to the client through direct costs.
A stronger argument against risk transfer via insurance is shown for the decreasingly risk
averse client with an organization wealth that is on the order of ten times the builder costs for the
space mission project. The significant aspect of this argument is that decision regions can be
constructed that show that an a priori risk-averse client—without changing its risk attitude—should
still prefer to retain the risk of potential mission failure for reasonably high probabilities (above about
92 percent). This same client should also prefer to retain this risk over insurance for lower success
probabilities, as long as the client wealth is several times the project acquisition and deployment costs.
When the client wealth exceeds about ten times the project costs, risk transfer via space insurance is
not preferable for all reasonable probabilities of mission success.
Two additional aspects on these conclusions remain apparent. First, risk transfer via
insurance still remains a reasonable preference for client entities—possibly divisions or departments
within a larger organization—that do not have a significant amount of wealth in comparison to project
costs. For demonstrated mission success probabilities, this remains a reasonable course of action since
consequences of mission loss could be dire for a small client organization. The multiple $millions in
insurance premiums may be considered the cost of staying in business. Second, large organizations
that choose to retain the risk still may experience occasions with mission loss. While mathematically
apparent, retention of these risks implies that the client decision maker accepts these
possible failures with non-zero probability.
9.2 Model Validation
Data on demonstrated launch reliability and reported in-orbit anomalies is derived from the
Space Systems Engineering Database (SSED) maintained by The Aerospace Corporation. It is a
compilation of world-wide launch and satellite operations summaries collected from available open
sources. It is comprehensive in terms of the variety of launch vehicle types, satellite mission types, and
timeline of associated activities dating back to 1958. Since the company responsible for maintaining
this database is prohibited from satellite and launch vehicle manufacturing, potential bias in the data is
negligible.
Insurance industry data are made available publicly in reports distributed by the US
Federal Aviation Administration (FAA) and by Futron Corporation. The database for the FAA reports
has been maintained by the Futron Corporation. Futron is a technology management consulting firm
and is not involved in underwriting activities. The business model of working with governments and
satellite industries, as well as reporting of data in US government reports, strongly suggests that the
information is sufficiently comprehensive to represent and characterize space underwriting activities.
Data have typically been consistent among reports and sources. One difference is noted in
the number of in-orbit anomalies reported by year between one FAA report [FAA, 2006] and the
SSED. The difference, which is a factor of about 4, corresponds to the FAA’s reporting of US
commercial satellites and the SSED’s reporting of all missions world-wide. The ratio of all in-orbit
anomalies to critical anomalies reported for each year is approximately the same from both sources.
Models that characterize risk probabilities for launch and in-orbit events and demonstrated
underwriting attitudes are purposely constructed from available aggregated data. By design of the
methodology, the research has intended to reduce subjective input to the models and to let the data, as
demonstrated by risk events, determine the model characteristics. Overall aggregation is intended to
eliminate reflection of proprietary data and to reinforce overall demonstrated trends by the launch,
satellite operations, and underwriting industries. By design, the risk events and risk acceptance
models should be valid.
Most of the demonstrated underwriting utility also focused primarily on demonstrated launch
performance of US launch vehicles. This is reasonable because most of the underwriting activities
account for performance of US launch vehicles, and more recently those from Europe and central
Asia, which in aggregate have similar performance.
Modeling a client entity that is the hierarchical principal in choosing either risk transfer or
risk retention relies on hypothesis testing against several representative classes of risk attitudes. This
is the appropriate approach to this general problem since client attitudes may vary significantly across
organizations, mission areas, and even over time. Examination of several classes of risk aversion is
critical for determining reasonable and repeatable decision regions that accommodate both success
probability and entity wealth or applicable organization resources.
9.3 Modeling Error and Sensitivity
Some potential errors can result from modeling of risk events due to the distribution of the
estimator for probability of mission success. An upper bound for this error is obtained using
the Chebyshev inequality since it is broadly applicable to any random variable and since the distribution
for ẑ—and the constituent distributions for launch success and in-orbit operation—may vary year by
year. The disadvantage to using this bound is that it is not known for being a very tight bound for
estimation error. Calculation of this bound is dominated by the annual estimates for the rate of in-orbit
critical failures since this is based on the number of satellites placed in orbit. This in-orbit number
typically is smaller in comparison to the number of launches attempted by the active line of launch
vehicles. Probability bounds for two interval sizes are shown in Figure 52 as a function of
demonstrated annual launch and in-orbit reliability. Probability bounds for exceeding the ±3% and
±2% intervals typically are less than 20 percent and 40 percent respectively. This indicates that the
modeled estimator, ẑ, usually has been good. In several particular years the potential for greater error
is possible. These correspond to years in which there was a significant increase in critical first-year
in-orbit failures. Some mitigation of such notable increases has been enabled by multi-year averaging of
the in-orbit failures in construction of the estimate for success probability.
Figure 52. Upper Bound on Estimation Error for Probability of Mission Success
[Plot: upper bound for Pr[|z − E(z)| > interval half-width] (0 to 1) versus calendar year of operation (1980 to 2004). Curves: interval half-width = 0.02; interval half-width = 0.03.]
The underwriting utility model demonstrates a small degree of sensitivity to the estimation
error for success probability. Errors would have the potential effect of translating the candidate utility
functions over small intervals of ẑ. The aggregate effect of multiple random errors on the utility
function would be smaller than the intervals indicated above, since it is unlikely that all errors would
occur uniformly in the same direction. A rough estimate of potential translation is the average annual
standard deviation for the estimator, which is less than 1.5%. Translation of the client utility on the
order of this amount could move the applicable domain of ẑ to values as low as 87.5 percent and as
high as 96.5 percent. Even translations this large still would cover the primary region of interest,
which is in the low 90 percent interval for ẑ. Thus, estimation errors could alter the determined
underwriting utility model, but it would not alter the reasonable range of interest or the fundamental
shape of the function in describing demonstrated attitude for accepting transferred risks.
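The looseness of the Chebyshev bound discussed above can be checked numerically; the following is an added example, not part of the dissertation. It assumes, for illustration only, that the estimator is the success fraction of n independent trials with true success probability p (the dissertation's estimator also combines launch and in-orbit terms with multi-year averaging, which is not reproduced here); p = 0.93 and n = 307 are constructed values that give a standard deviation just under 1.5%.

```python
from math import ceil, comb, sqrt


def chebyshev_bound(sigma, eps):
    """Chebyshev upper bound on Pr[|z - E(z)| > eps]; holds for any distribution."""
    return min(1.0, (sigma / eps) ** 2)


def estimator_sigma(p, n):
    """Standard deviation of a success fraction over n independent trials.

    Assumed model for this example, not the dissertation's estimator.
    """
    return sqrt(p * (1.0 - p) / n)


def exact_tail(p, n, eps):
    """Exact Pr[|k/n - p| > eps] when k ~ Binomial(n, p)."""
    return sum(
        comb(n, k) * p**k * (1.0 - p) ** (n - k)
        for k in range(n + 1)
        if abs(k / n - p) > eps
    )


def min_trials_for_bound(p, eps, target):
    """Smallest n for which the Chebyshev bound at half-width eps is <= target."""
    return ceil(p * (1.0 - p) / (eps**2 * target))


# Constructed inputs (assumptions, not data from the dissertation).
P_TRUE = 0.93
N_TRIALS = 307
INTERVALS = (0.02, 0.03)  # the two interval half-widths named in the text


def compare(p=P_TRUE, n=N_TRIALS, intervals=INTERVALS):
    """Return (eps, Chebyshev bound, exact binomial tail) for each interval."""
    sigma = estimator_sigma(p, n)
    return [(eps, chebyshev_bound(sigma, eps), exact_tail(p, n, eps))
            for eps in intervals]


if __name__ == "__main__":
    print(f"sigma = {estimator_sigma(P_TRUE, N_TRIALS):.4f}")
    for eps, bound, exact in compare():
        print(f"eps={eps:.2f}  Chebyshev bound={bound:.3f}  exact tail={exact:.3f}")
    # Sample sizes needed before the bound itself drops to the levels quoted
    # in the text (20 percent at +/-3%, 40 percent at +/-2%).
    print(min_trials_for_bound(P_TRUE, 0.03, 0.20),
          min_trials_for_bound(P_TRUE, 0.02, 0.40))
```

Because the bound scales as 1/n, a year with few satellites placed in orbit inflates it quickly, which is why the in-orbit term dominates the calculation.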
The client utility model is less sensitive to estimation error because the estimate for success
probability is treated as an independent variable.
The construction of the success probability also addresses time averaging in-orbit failure
rates to account for production processes. In addition to literature claims, we can illustrate the
relevance of time averaging by calculating the covariance for annual in-orbit failure rates as a function
of the difference in years of operation. The covariance, K(n), is calculated as typically defined for the
difference in n years, and then it is scaled to help illustrate its ratio to the failure rate as follows:
$$\tilde{K}(n) = \frac{E\left[\, y(t \mid x_1)\, y(t+n \mid x_1) \,\right] - \mu_{y|x_1}^{2}}{\mu_{y|x_1}^{2}}$$
This function is plotted over the range of in-orbit failure data in Figure 53. As expected, it indicates a
strong correlation among the first several years. The covariance stays low and appears to approximate
uncorrelated failure rates after separation of about five or six years. It stays within a small interval
(about ±16%) of for another few years. A surprising aspect of this plot is that the covariance function
continues to decrease—become more negative valued—for separations up to about sixteen years.
This, however, is an artifact of the data size; the covariance function compares the several-year peak in
in-orbit failures against years with low rates but does not have a large number of data points on either
side of this peak to determine whether peak failure times such as this would be averaged out. Overall,
the depiction of scaled covariance indicates that 5-year time averaging for in-orbit failure rates appears
reasonable.
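The scaled covariance check described above, as an added example in Python (not code from the dissertation). It assumes the usual estimator, K(n) = mean[rate(t)·rate(t+n)] − μ² divided by μ²; the annual rates are constructed sample data, and the function names and the 0.16 band (taken from the "about ±16%" interval in the text) are illustrative choices.

```python
from statistics import fmean

# Constructed sample data (not from the dissertation): annual first-year
# critical in-orbit failure rates in percent, with one multi-year peak.
RATES = [2, 2, 2, 2, 6, 8, 6, 2, 2, 2, 2, 2]


def scaled_covariance(rates, max_lag=None):
    """Return {n: (K(n)/mu^2, number_of_year_pairs)} for lags 0..max_lag.

    Assumed estimator: K(n) = mean(rate[t] * rate[t+n]) - mu^2, where mu is
    the mean of the whole series and the product mean runs over the pairs
    of years that are n apart.
    """
    if len(rates) < 2:
        raise ValueError("need at least two annual rates")
    mu = fmean(rates)
    if mu == 0:
        raise ValueError("mean failure rate is zero; scaling is undefined")
    if max_lag is None:
        max_lag = len(rates) - 1
    result = {}
    for n in range(min(max_lag, len(rates) - 1) + 1):
        products = [rates[t] * rates[t + n] for t in range(len(rates) - n)]
        k_n = fmean(products) - mu * mu
        result[n] = (k_n / (mu * mu), len(products))
    return result


def decorrelation_lag(scaled, band=0.16):
    """First lag n >= 1 whose scaled covariance lies within +/- band, else None."""
    for n in sorted(scaled):
        if n >= 1 and abs(scaled[n][0]) <= band:
            return n
    return None


def thin_lags(scaled, min_pairs):
    """Lags estimated from fewer than min_pairs year pairs (unreliable)."""
    return [n for n, (_, pairs) in sorted(scaled.items()) if pairs < min_pairs]


if __name__ == "__main__":
    table = scaled_covariance(RATES)
    for n, (value, pairs) in table.items():
        print(f"n={n:2d}  K(n)/mu^2={value:+.3f}  pairs={pairs}")
    print("decorrelation lag:", decorrelation_lag(table))
    print("lags with < 6 pairs:", thin_lags(table, 6))
```

On the constructed series the late lags turn negative only because few year pairs remain and none of them spans the peak, which is the same data-size artifact noted above.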
Figure 53. Scaled Covariance for Demonstrated 1st-year Critical In-orbit Failure Rates
[Plot not reproduced. Horizontal axis: Difference in Operating Years, n (0 to 20). Vertical axis: Scaled Covariance Function, K(n)/µ² (-1 to 1).]
Other potential errors can result from human inconsistency in underlying behavior
demonstrated by underwriter utility. In determining the long-term trend for underwriting utility
function, the variation in calculated values results from a succession of adjustments in response to
realized cumulative income. Three candidate long-term utility functions were identified based on the
data. The basic form of each candidate underwriter utility function and the corresponding sum-
squared errors for each candidate are summarized in Table 9.
Table 9. Sum-Squared Estimation Error for Candidate Demonstrated Underwriter Utility
Functions
Recommended Alternate 1 Alternate 2
z d z b
ce ae
ˆ ˆ
1
z d z b
e c ae
ˆ
1
ˆ
2
z b
e a
ˆ
2
2
1
Err = 0.10302 Err = 0.15976 Err = 0.11581
We can then check the residual error on the recommended underwriter utility function as
a means to assess variation in the range of estimated utility. The residual errors depicted in Figure 54
indicate that deviations from the recommended function appear to roughly approximate a uniform
distribution with near-zero mean (mean residual = –0.0653, standard deviation of residual = 0.0857).
That the residuals are uniformly distributed rather than normal or some other clustering around a zero
mean is understood since this underwriting utility is long-term and includes near-term stepwise
adjustments in premium rates. The result is that the range of the underwriting utility function, in
concept, could be offset by as much as about 0.13.
Figure 54. Residual Errors from Underwriting Utility Function
[Plot not reproduced. Horizontal axis: Residual Error (-0.15 to 0.15). Vertical axis: Distribution (0.0 to 1.0).]
The sensitivity to this error on the hypothesis testing is that the cost of insurance as a function
of estimated success probability could vary, but it would not affect the conclusions very much. At
most the modeled premium rates could result in a calculated decrease by as much as 5 percentage
points or increase by as much as 14 percentage points for some success probabilities above 95 percent.
However, such extreme adjustments would not correspond to historical data. If calculations against
the risk transfer criteria were to continue anyway, this could alter the adjusted client utility for high
success probability estimates by as much as only about 5 percent. The alteration near the decision
threshold is even lower. The consequence of error estimation for the underwriting utility is potential
for small change to threshold probability for risk transfer (about a change in probability estimate by as
much as one percent for small client entities) and no change against the determination and behavior of
boundaries for risk transfer decision regions.
A comment also is necessary on the effect of extrapolating the underwriting utility function
beyond the available data set. Generally, extrapolation is to be avoided. In this model as success
probabilities increase beyond about 95 percent, the impact of calculating premium rates from the
underwriting utility function is dominated by the term (1 - ẑ) as the estimator approaches unity. In
contrast, as the estimator decreases below about 89 percent, some continuation of the utility function
could be modeled, but as the estimator decreases much below this point the viability of negotiating an
affordable insurance agreement may no longer exist. Thus, the model maintains primary applicability
above about 85 percent, and plots are provided at somewhat lower probability estimates to illustrate
model behavior. Extrapolation problems are mitigated.
A comment also is appropriate on the sensitivity of classes of client utility functions
presented previously. While some differences between the presented risk-averse client utility
functions and ones specific to a particular organization can be found somewhere, the emphasis in this
research has been to present reasonably risk-averse functions with risk premiums that are a significant
fraction (e.g., at least 1/3) of the estimated success probability. Smaller risk premiums would
correspond to higher certainty equivalents and risk attitudes that more closely approach neutrality.
Therefore, smaller risk premiums would strengthen the original hypothesis. As an example, consider
the constantly risk-averse client utility function determined by the parameter c̃. The sensitivity of the
decision threshold to this parameter is shown in Figure 55. Low values of the parameter increase the
range of the estimator applicable for risk transfer. High values of the parameter, indicating increasing
risk aversion, still preserve the potential viability of risk transfer via insurance.
Figure 55. Parametric Sensitivity of Constantly Risk-Averse Client Utility Function to Risk Transfer
[Plot not reproduced. Horizontal axis: Estimate for Probability of Mission Success, ẑ (0.85 to 1). Vertical axis: Risk-Aversion Parameter, c̃ (0 to 7). Labeled regions: Transfer Risk, Retain Risk.]
The investigation of the special risk-transfer case on statutorily mandated risk sharing
between underwriters and the US government also derived all analytical distributions on damages
directly from existing available data. A comparison of the empirical and analytical distributions is
shown in Figure 56. The distributions provide a reasonably good fit, suitable for potential calculation
of expected government utility for these low-probability events.
Figure 56. Comparison of Empirical and Analytic Distributions on Damages for Potential Risk-Sharing Events
[Plot not reproduced. Horizontal axis: Damage Surrogates ($M), X, Y (0 to 500). Vertical axis: Demonstrated Pr[damages < X,Y] (0 to 1). Series: analytic approximation for range property damage; estimates from reported range property incidents; empirical liability damages; analytic approximation for liability damage. Annotation: adjustment for destruction of village in China.]
The model investigating transfer of risk from the underwriters to the government also has
indicated establishment of thresholds for this transfer that are commensurate with current statutory
limits on underwriter-indemnified maximum probable loss. While models based on different criteria
could be developed, the one presented by this research provides results both consistent with objectives
of the statutes as reflected in regulations and representative of the current government and
underwriting policy environment.
Chapter 10: Conclusions, Recommendations, and Future Work
10.1 Conclusions
The research presented herein has shown that a client entity that plans the acquisition and
deployment of a space system should retain the risk of potential mission loss while still remaining in
accordance with its a priori risk attitude as long as the client entity’s wealth is at least about an order
of magnitude above satellite project costs. This is a stronger result than the proposition that a
previously risk-neutral government should retain such risk since risk retention is defensible for entities
with fewer financial resources than a large government and for reasonably risk-averse clients under
reasonable success probabilities. Smaller organizations may justifiably transfer this risk to an
underwriting entity (or set of entities) if the risk of mission loss threatens the continued viability of the
client organization.
This research also has demonstrated the ability to develop a prescriptive cardinal model for
risk transfer decision making based on demonstrated measurable events of associated industries.
Expert interviews with subjective responses and rational mitigation assumptions—common in
scholarly risk management literature—were specifically avoided in this research in favor of multi-
decade data trends in the space underwriting, satellite launch, and satellite operations industries. Data
collection for these industries supports the characterization of entities subordinate to the decision-
making of the client entity charged with acquisition and operations of the space system. Risk models
for these entities also are valid since they reflect and remain consistent with measurable events. In
contrast to the stated data characterization, modeling of client entities was allowed to vary in order to
capture a range of risk attitudes and to prescribe appropriate risk transfer or risk retention strategies
accordingly.
Modeling errors introduced by estimation error of mission success probabilities and
characterization of underwriting risk attitudes are acknowledged and do not significantly affect the
results of this research. Statistical bounds on these errors are developed and potential sensitivities to
the risk transfer models are explained.
Some specific findings from the research include the following:
• Demonstrated launch vehicle reliability for US launch vehicles, when adjusted year-by-
  year to include only vehicle types available for commercial launch, is remarkably
  consistent over the past twenty-five years, typically varying by less than ±2%.
• Similarly demonstrated reliability for central Asian launch vehicles since the middle
  1990s typically varies by less than ±0.1%, mostly the result of use of launch vehicle
  product lines with lengthy periods of reliable service.
• Critical in-orbit satellite anomalies that result in complete mission failure tend to occur in
  the first year of operation for anomalies reported for both world-wide and US clients.
• Reported in-orbit satellite anomaly data from US clients exhibits a very similar
  characteristic to aggregate world-wide results (with exceptions of somewhat longer time
  in orbit to partial failure event and somewhat fewer catastrophic failures); this indicates
  that worldwide satellite anomaly data are dominated by missions of US clients.
• Historically collected insurance premiums tend to be negatively correlated with expected
  underwriting revenue.
• Space launch and in-orbit data combined with insurance data allow construction of two
  utility functions: long-term trend and underlying time dependent responses to near term
  market conditions.
• Space insurance rates indicate clear adjustments in response to a decrease in
  underwriting capacity, consistent with price-demand elasticity.
• Likewise, underwriting capacity is proportional to cumulative income.
• Proportionality coefficients for both underwriting capacity and premium rates are
  adjusted every few years in response to market conditions, but the overall long-term
  utility function trend remains consistent.
• The combination of first-year in-orbit critical anomalies in addition to launch vehicle
  demonstrated reliability is a critical aspect of the risk environment faced by underwriters.
  Characterization of just launch vehicle performance, which is more typical, can
  underestimate potential losses faced by space project underwriters.
• Construction of an underwriter utility model appears to have predicted likelihood of
  severe losses in the late 1990s.
• A covariance function based on the number of critical first-year in-orbit anomalies
  indicates correlation of failure rates within about five years of builder satellite deliveries,
  and particularly strong correlation within the first two years.
Investigation of the special case of statutory risk sharing agreements indicates that current
thresholds for transfer of excess indemnification from private underwriters to the US government are
roughly consistent with a strategy that mutually promotes growth in both client and underwriting
industries. The current strategy slightly favors growth for potential space mission clients. Under
conditions of equally promoted growth, some increase in the current statutorily mandated limits on
maximum probable loss may be appropriate.
This research also demonstrates development of a more general theory on prescribing risk
transfer criteria between entities involved in complex system development, particularly where
low-probability high-consequence risks are involved. The perspective of the research is that of a
system architect acting on behalf of a client entity charged with the acquisition and deployment of a
complex system or product. The specific problem addressed herein focuses primarily on the
interaction between client and third-party risk sharing entities and includes the contribution to risk
probabilities introduced by a third-party deployment, or distribution, entity and a system builder.
However, the same principles introduced herein may be tailored to other entities associated in system
development and production, even in non-space domains. For instance, risk transfer considerations
between a prime contractor and a subsystem builder associated with component development and
delivery may be modeled from measurable data on past performance and potential fees may be based
on available data depicting past cumulative income and allocable resources to commit to a project (an
analog to insurance capacity). Utility functions of associated entities can be tailored to the level in the
system development hierarchy and type of system domain or product involved.
10.2 Recommendations
From the hypothesis testing on the specific problem area, several specific recommendations
result.
1. The US government entities should not pursue risk transfer via space insurance under
any anticipated circumstances. Potential savings on some contracts may reasonably
exceed up to multiple tens of $millions. One can expand on this thought to include
potential savings that could be incurred by multiple risk-neutral customers; based on
cumulative income from underwriter premiums and losses, potential aggregate savings
could well exceed $100 million in some years.
2. Large commercial client entities with financial resources in excess of several $billion,
even with risk-averse attitudes, should strongly consider retaining risks to space mission
success associated with launch vehicle and satellite manufacturing reliability.
3. Smaller client entities with financial resources on the order of magnitude of the space
project builder costs should consider space insurance if it ensures viable preservation of
continued operation of the client organization.
4. The structure of rewards and penalties for a client entity should be established to
promote a risk-taking attitude commensurate with the larger organization to which it may
belong. There are two aspects of this. If a client entity is a subset of a much larger
organization, such as a single project within a much larger government, the reward
structure and interaction with the parent organization should not create an inconsistently
risk-averse attitude that could incur disproportionately large insurance expenses
relative to what the parent organization would otherwise allow. Also, if acceptance of
mission risks is allowed, the decision makers of the client entity and parent organization
must acknowledge the reasonable and acceptable potential for occasional mission loss
with non-zero probability.
From development of the general theory on prescriptive cardinal risk transfer methodology,
there are also several recommendations.
1. A system architect entity should work closely with a client entity associated with
complex system development to characterize utility functions of subordinate entities
based on timely measurable data.
2. Thresholds separating decision regions for risk transfer between two hierarchically
organized entities should account for all relevant risk contributions from third-party
distribution (or deployment) entities that affect successful system delivery to the client or
principal entity under consideration.
10.3 Additional Research
The research presented herein also may be expanded to investigate related areas of
prescriptive risk transfer modeling. Some potential ideas for further investigation are as follows:
• Characterization of utility functions specific to particular large and small satellite system
  commercial operators
• Demonstrated characterization of US and non-US government utility functions for
  specific space mission areas
• Expansion of the risk-transfer methodology to address development, deployment, and
  sustained operation of multiple satellite space systems
• Further investigation of risk acceptance, or underwriting, utility functions for extreme
  values of estimated probability of mission success; particularly determination of
  particular domains of this estimator where risk attitudes may alternatively become risk-
  averse, risk-neutral, or even risk prone.
• Expansion of the general theory to investigate applications of risk transfer between
  system and subsystem builders associated with subsystem or component development
  and delivery.
• Extension and additional development of the general risk transfer theory to other
  domains of complex system development besides satellite development and deployment.
Glossary
The following terms are used to construct mathematical models of risk events.
F_c Catastrophic failure for in-orbit satellite, results in complete loss of operation
F_p Partial failure for in-orbit satellite, results in degraded operation
F_s Failure of interest type (critical or partial) for satellite type s, used for calculating
demonstrated in-orbit failure rates
h_l Insured value of satellite
L_n Losses for event or year n
LV Launch vehicle industry set of interest, used for calculating empirical averages with launch
vehicle types built and operated by an industry in a particular country or geographic region
m(K) Estimated probability of launch success for Kth launch of vehicle
O_n Operating expenses for year n
p_3rd-party Probability of event that causes third-party liability damages associated with launch activities
p_l Probability of launch success
p_range-loss Probability of event that causes damage to US government launch range property
P_n Profits for year n
r_n Insurance premium for event or year n
R_n Revenue for event or year n
S Satellite industry set of interest among satellite manufacturers
t Time
T_k Time of event or year of launch for launch vehicle of type k, used for calculating empirical
averages
V_k Launch vehicle of type k, used for calculating empirical averages
x(t,v) Random variable that indicates launch success (1=success, 0=failure) and is a function of
time, t, and launch vehicle type, v.
x_1 Realization of x(t,v) resulting in launch success, x = 1; used to simplify notation
X Random variable that indicates the amount of third-party liability damages given that a third-
party liability event has occurred, measured in US dollars
y(t,s) Random variable that indicates the duration of in-orbit operation (in years) as a function of
time, t, and satellite, s.
ỹ(t|S) Random variable that indicates successful in-orbit operation for first year (1=no critical
failure, 0=critical failure) as a function of time, t, given satellite industry, S.
y_0 Realization of ỹ resulting in 1st year on-orbit mission failure; used to simplify notation
y_1 Realization of ỹ resulting in 1st year on-orbit mission success; used to simplify notation
Y Random variable that indicates the amount of property damages to government launch range
property given that a property damage event has occurred, measured in US dollars
z(t|LV,S) Random variable that indicates at least one year of mission success (1=success, 0=launch
failure or first-year in-orbit critical failure) as a function of time, t, given launch vehicle
industry set of interest and satellite industry, S.
n
Insurance premium rate for event or year n, may also be shown as (t) to indicate premium
rate as a function of time, expressed as a percentage of insured value, h
The following additional terms are used in the construction of utility functions for the separate
entities.
C_B Cost of satellite builder to produce and deliver satellite, used in client utility function
C_L Cost of launch activities, used in client utility function
g(t,·) Function of time and cumulative income, used by insurance underwriter entity to enable
occasional adjustments to insurance capacity
I_MPL-d Indemnification limit for maximum probable loss associated with damage to a US
government launch range, established by US statutes and regulations, from insurance
coverage required for FAA launch license
I_MPL-l Indemnification limit for maximum probable loss associated with third-party liability,
established by US statutes and regulations, from insurance coverage required for FAA launch
license
k Variable that indicates whether insurance is selected (1=insurance selected, 0=self-insure)
M Mission benefit for the client entity
r_s Premium for statutorily required space insurance coverages for FAA launch license
U_B(·) Utility function for the builder entity
U_c(·) Utility function for the client entity
U_s-c(·) Utility function for the client entity for statutorily required coverage, for third-party liability
and launch range damage insurance
U_s-uw(·) Utility function for the underwriter entity for statutorily required coverage, for third-party
liability and launch range damage insurance
U_USG(·) Utility function for the US government, for statutory agreements on risk transfer from
underwriters of third-party liability and launch range damage insurance
W Wealth of client entity
ẑ Estimator for the expected value of random variable z, indicates estimate of at least one-year
mission success probability based on demonstrated launch vehicle and satellite reliability
n
Proportionality constant reflecting discount of client utility, or mission benefit, for delay of
mission deployment by n years (0 < < 1)
$(t,·) Function of time and insurance capacity, used by insurance underwriter entity to enable
occasional adjustments to insurance premium rates
0
1
, 0
2
Exponents applied to constituent client and underwriter utility functions that indicate mutual
growth in these industries, 0
1
> 0, 0
2
> 0, used in construction of government utility for
statutory requirements for coverage of liability and launch range damage
µ Expected profit for satellite builder entity, based on past performance on contracts, expressed
as a percentage of contract value
% Performance attribute of concern for the client entity; realization of this attribute relies on
affirmative mission success
B
Base fee on a contract for satellite builder entity, expressed as a percentage of contract value
The following additional terms are used in the construction and analysis of risk transfer
models between separate entities.
c̃ Parameter indicating degree of local risk aversion for constantly risk-averse or constantly
risk-prone attitudes
C Constant of proportionality indicating degree of aversion for the government to incur costs
associated with damages exceeding maximum probable loss limits
X° Value in range of potential liability damages that results in least preferred result, corresponds
to highest value in range, or about $1.736 billion
X* Value in range of potential liability damages that results in most preferred result, corresponds
to lowest value in range, or about $0.7 million
Y° Value in range of potential launch range property damages that results in least preferred
result, corresponds to highest value in range, or about $209 million
Y* Value in range of potential liability damages that results in most preferred result, corresponds
to lowest value in range, or about $11.6 million
2
ˆ z
- Variance of the estimator ẑ.
151
Bibliography
Abramson, Robert L., and Young, Philip H., "FRISKEM – Formal Risk Evaluation Methodology,"
The Journal of Cost Analysis, Society of Cost Estimating and Analysis (SCEA), spring 1997, pp.
29-38.
AIAA, “U.S. Commercial Space Transportation: Risk Allocation and Insurance,” An AIAA Position
Paper, American Institute of Aeronautics and Astronautics, January 1988.
ANSER, “Foreign Launch Systems Comparison Study, Appendix B,” ANSER, Arlington, Virginia,
October 1994.
Apostolakis, George E., “How Useful is Quantitative Risk Assessment?” Risk Analysis, Vol. 24, No.
3, 2004, pp. 515-520.
Baird, Bruce F., Managerial Decisions Under Uncertainty – An Introduction to the Analysis of
Decision Making, John Wiley & Sons, Inc., New York, 1989.
Baron, Michelle M., and Pate-Cornell, M. Elisabeth, “Designing Risk-Management Strategies for
Critical Engineering Systems,” IEEE Transactions on Engineering Management, Vol. 46, No. 1,
February 1999, pp. 87-100.
Benedikt, Svetlana, “Decisions Under Risk with Incomplete Knowledge,” Proceedings of the Second
International Symposium on Uncertainty Modeling and Analysis, 1993, IEEE, College Park, MD,
April 1993, pp. 174-179.
Billman, Kenneth W., and Bruckner, Donald G., “Risk Management Plan for Airborne Laser,” RISK
Management 2000 Lessons for the Millennium Proceedings, The Aerospace Corporation,
McLean, Virginia, November 28–December 1, 2000.
William Blohm, et al., “Technology Assessment and Insertion for The Defense Information Systems
Network (DISN),” Proceedings of the 12
th
Annual IEEE Military Communications Conference,
IEEE, 1993, pp.1053-1057.
Book, S. A., and Young, P. H., “Monte-Carlo Simulation of Project Schedule Duration When Activity
Times Are Correlated”, presentation to Society for Risk Analysis Annual Meeting, San Diego,
CA, 6-9 September 1992.
Book, S. A. “Do Not Sum ‘Most Likely’ Cost Estimates,” presentation to 1994 NASA Cost Estimating
Symposium, Johnson Space Center, Houston, TX, 8-10 November 1994.
Book, S. A., and Smith, Patrick L., "Reducing Subjective Guesswork and Maintaining Tradeability
When Reporting 'Risk' Associated with a Cost Estimate," presented to the American Statistical
Association 1996 Joint Statistical Meetings, Chicago, IL, 4-8 August 1996.
Book, S. A. "Why Correlation Matters in Cost Estimating," presentation to the 65
th
Military
Operations Research Society, Quantico, VA, 10-12 June 1997.
Bozeman, Barry, and Kingsley, Gordon, “Risk Culture in Public and Private Organizations,” Public
Administration Review, Vol. 58, No. 2, March-April 1998, pp. 109-118.
152
Brown, Pamela Clark, “Optimal Risk-Sharing When Risk Preferences are Uncertain,” The Journal of
the Operational Research Society, Vol. 38, No. 1, January 1987, pp. 17-29.
Burgess, E. L., and Gobreial, H. S., "Integrating Spacecraft Design and Cost-Risk Analysis Using
NASA Technology-Readiness Levels," presentation to the 29
th
annual DoD Cost Analysis
Symposium, Leesburg, VA, 21-23 February 1996.
Caceres, Marco A., “Commercial Communications Satellites,” World Space Systems Briefing, Teal
Group Corporation, Fairfax, VA, December 1998.
Caceres, Marco A., “Near-term Outlook,” World Space Systems Briefing, Teal Group Corporation,
Fairfax, VA, October 1999.
Caceres, Marco A., “Worldwide Mission Model: 2000–2009,” World Space Systems Briefing, Teal
Group Corporation, Fairfax, VA, March 2000.
Chakraborty D., “VSAT Communications Networks – An Overview,” IEEE Communications
Magazine, Vol. 26, No. 5, 1988, pp. 10–23.
Conrow, Edmond H, Carman, Stephen L., and Cramer, Bryant, “Risk Management on Hyperion:
Consultant, Industry, and NASA Perspectives,” RISK Management 2000 Lessons for the
Millennium Proceedings, The Aerospace Corporation, McLean, Virginia, November 28–
December 1, 2000.
Cvetko, Robert, and Jabagchourian, Harry, “Integrating Program Risk Management into the IPPD
Environment,” RISK Management 2000 Lessons for the Millennium Proceedings, The Aerospace
Corporation, McLean, Virginia, November 28–December 1, 2000.
Croll, Grenville J., “Cost & Schedule Risk Analysis in Major Engineering Projects,” IEE Colloquium
on Future Developments in Projects Management Science, Eastern Software Publishing Ltd.,
Colchester, UK, 1995, pp.4/1-4/4.
Chang, I-Shih, “Space Launch Vehicle Reliability,” Crosslink, The Aerospace Press, Los Angeles,
CA, Winter 2000/2001, Vol. 2, No. 1, pp. 23-32.
Chang, I-Shih, “Space Launch Vehicle Reliability,” Crosslink, The Aerospace Press, Los Angeles,
CA, Spring 2005, Vol. 6, No. 2, pp. 23-32.
Defense Science Board, “Report of the Defense Science Board/Air Force Scientific Advisory Board
Joint Task Force on Acquisition of National Security Space Programs,” Office of the Under
Secretary of Defense for Acquisition, Technology, and Logistics, Washington, DC, May 2003.
de Klerk, Antonie M., “The Value of Project Risk Management,” Portland International Conference
on Management of Engineering and Technology, 2001, IEEE, July-August 2001, pp. 570-576.
Deleris, Lea A., Elkins, Debra, and Pate-Cornell, M. Elisabeth, “Analyzing Losses from Hazard
Exposure: A Conservative Probabilistic Estimate Using Supply Chain Risk Simulation”,
Proceedings of the 2004 Winter Simulation Conference, December 2004, pp. 323-330.
Delmotte, Francois, and Borne, Pierre, “Modeling of Reliability with Possibility Theory,” IEEE
Transactions on Systems, Man, and Cybernetics – Part A: Systems and Humans, Vol. 28, No. 1,
January 1998, pp. 78-88.
153
Demmel, Johann G., and Askin, Ronald G. “Multiobjective Evaluation of Advanced Manufacturing
System Technology Investments with Risk,” IIE Transactions, Vol. 28, 1996, pp. 249-259.
Dewan, Rakesh, and Lindblad, David, “Lessons Learned from Implementing risk Management for a
Legacy System,” RISK Management 2000 Lessons for the Millennium Proceedings, The
Aerospace Corporation, McLean, Virginia, November 28–December 1, 2000.
DoD, “Transition from Development to Production,” DoD 4245.7-M, U.S. Department of Defense,
Office of Assistant Secretary of Defense, Acquisition and Logistics, September 1985.
DoD, “Department of Defense Manual Cost Analysis Guidance and Procedures,” DoD 5000.4-M,
U.S. Department of Defense, December 1992.
DoD, “Cost Analysis Improvement Group (CAIG),” DoD Directive 5000.4, U.S. Department of
Defense, November 16, 1994.
DoD, “Defense Acquisition,” DoD Directive 5000.1, U.S. Department of Defense, March 15, 1996
(with changes to May 21, 1999).
DoD, “Mandatory Procedures for MDAPs and MAIS Acquisition Programs,” DoD 5000.2-R, U.S.
Department of Defense, May 11, 1999.
DoD, “Risk Management Guide for DoD Acquisition, 3
rd
Ed.,” U.S. Department of Defense, Defense
Systems Management College Press, January 2000.
DOE, “Accelerating Cleanup Paths to Closure,” DOE/EM-0362, U.S. Department of Energy, Office
of Environmental Management, June 1998.
DOT, “Treatment of Value of Life and Injuries in Preparing Economic Evaluations,” Memorandum
from Acting Deputy Assistant Secretary for Transportation Policy, U.S. Department of
Transportation, January 29, 2002.
Dillon, Robin L., Pate-Cornell, Elisabeth M., and Guikema, Seth D., “Programmatic Risk Analysis for
Critical Engineering Systems Under Tight Resource Constraints,” Operations Research, Vol. 51,
No. 3, May-June 2003, INFORMS, pp. 354-370.
Dillon, Robin L., Pate-Cornell, Elisabeth M., and Guikema, Seth D., “Optimal Use of Budget
Reserves to Minimize Technical and Management Failure Risks During Complex Project
Development,” IEEE Transactions on Engineering Management, Vol. 52, No. 3, August 2005,
pp. 382-395.
Douglas Aircraft, “Delta Accident Investigation, Preliminary Report,” SM-45187, Douglas Aircraft
Company, 24 July 1964.
Duffy, Raymond F., Jr., Testimony before the House Science Committee, November 5, 2003.
ESA, “N° 17-1995: Fatal accident at the Guiana Space Centre,” press release, European Space
Agency, 5 May 1995.
FAA, “Commercial Space Transportation Quarterly Launch Report, Special Report: Update of the
Space and Launch Insurance Industry,” US Federal Aviation Administration, 4th Quarter 1998.
FAA, “Liability Risk-Sharing Regime for U.S. Commercial Space Transportation: Study and
Analysis,” US Federal Aviation Administration, April 2002.
FAA, “Commercial Space Transportation Quarterly Launch Report, Commercial Space and Launch
Insurance: Current Market and Future Outlook,” US Federal Aviation Administration, 4th Quarter
2002.
FAA, “First Quarter 2004 Commercial Space Transportation Quarterly Launch Report,” US Federal
Aviation Administration, 1st Quarter 2004.
FAA, “Quarterly Launch Report, Commercial Space and Launch Insurance: Current Market and
Future Outlook,” US Federal Aviation Administration, 2nd Quarter 2006.
Federal Acquisition Regulations (FAR), 28.3—Insurance.
Forecast International, “Analysis 3 — Commercial Communications Satellites — 2000–2019,” Space
Systems Forecast, Forecast International/DMS, Newtown, Connecticut, February 2000.
Forecast International, “Analysis 4 — Western Military Satellites,” Space Systems Forecast, Forecast
International/DMS, Newtown, Connecticut, May 1999.
Fordyce, Samuel W., “Insurance for Space Systems,” IEEE Journal on Selected Areas in
Communications, Vol. Sac-3, No. 1, January 1985, pp. 211-214.
Futron Corporation, “Satellite Insurance Rates On the Rise – Market Correction or Overreaction?”
Futron Corporation, Bethesda, MD, July 2002.
Futron Corporation, “Satellite Manufacturing: Production Cycles and Time to Market,” Futron
Corporation, Bethesda, MD, May 2004.
Garvey, Paul R., Probability Methods for Cost Uncertainty Analysis A Systems Engineering
Perspective, Marcel Dekker, Inc., New York, 2000.
Gleiter, Roberta F., “Risk Management of Ground Software Development for SBIRS High,” RISK
Management 2000 Lessons for the Millennium Proceedings, The Aerospace Corporation,
McLean, Virginia, November 28–December 1, 2000.
Government Accountability Office (GAO), “DEFENSE ACQUISITIONS DOD Has Paid Billions in
Award and Incentive Fees Regardless of Acquisition Outcomes,” December 2005.
Grey, Stephen, “Project Cost and Schedule Risk Analysis,” IEE Colloquium on Risk Analysis Methods
and Tools, IEE, London, UK, 1992, pp. 7/1-7-4.
Guarro, Sergio B., “Concept and Application of a Risk Management Approach for Space Systems,”
RISK Management 2000 Lessons for the Millennium Proceedings, The Aerospace Corporation,
McLean, Virginia, November 28–December 1, 2000.
Haimes, Yakov Y., Risk Modeling, Assessment, and Management, John Wiley & Sons, Inc., New
York, 1998.
Haimes, Yakov Y., “Risk Analysis, Systems Analysis, and Covey’s Seven Habits,” Risk Analysis,
Vol. 21, No. 2, 2001, pp. 217-224.
Harmon, Bruce R. and Om, Neang I., “Assessing Acquisition Schedules for Unmanned Spacecraft,”
IDA Paper P-2766, Institute for Defense Analysis, Alexandria, Virginia, April 1993.
Hauser, John R., “Research, Development, and Engineering Metrics,” Management Science, Vol. 44,
No. 12, Part 1 of 2, December 1998, pp. 1670-1689.
Henkle, Thomas G., “A Requirements Driven Approach to Synthesis of Military Satellite
Communications Payloads,” INCOSE ’99 Symposium Proceedings, Brighton, UK, June 1999.
Hitt, Ellis F., “Total Ownership Cost Use in Management,” Digital Avionics Systems Conference,
1998 Proceedings, AIAA/IEEE/SAE, Bellevue, Washington, November 1998, pp. A-32-1–A32-5.
Hughes Space & Communications, “Space Insurance Overview,” briefing, Hughes Space &
Communications Company, January 27, 2000.
Keeney, Ralph L., and Raiffa, Howard, Decisions with Multiple Objectives, John Wiley & Sons, Inc.,
New York, 1976.
Keeney, Ralph L., “Using Values in Operations Research,” Operations Research, Vol. 42, No. 5,
September-October 1994, pp. 793-813.
Keeney, Ralph L., “The Process of Risk Management: The Role of Values in Risk Management,” The
Annals of the American Academy of Political and Social Science, 545 Annals 126, May 1996.
Kerzner, Harold, Project Management – A Systems Approach to Planning, Scheduling, and
Controlling, 5th Ed., Van Nostrand Reinhold, New York, 1995.
Kirkwood, Craig W. “Recursive Calculation of Probability Distributions for Sequential Decision
Analysis Models,” IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications
and Reviews, Vol. 28, No. 1, Feb. 1998, pp. 104-111.
Lakats, Linda M., and Pate-Cornell, M. Elisabeth, “Organizational Warning Systems: A Probabilistic
Approach to Optimal Design,” IEEE Transactions on Engineering Management, Vol. 51, No. 2,
May 2004, pp. 183-196.
Latzko, William J., and Saunders, David M., Four Days with Dr. Deming A Strategy for Modern
Methods of Management, Addison-Wesley, Reading, MA, 1995.
Luce, R. Duncan, and Raiffa, Howard, Games and Decisions, Introduction and Critical Survey, Dover
Publications, Inc., New York, 1957.
Maier, Mark W., Fishenden, James, and Singleton, Gregory, “Selecting System Portfolios,” 2004
IEEE Aerospace Conference Proceedings, IEEE, 2004, pp. 4099-4109.
Mankins, John C., “Technology Readiness Levels,” white paper, NASA, April 6, 1995.
Mankins, John C., “Research & Development Degree of Difficulty (R&D³),” white paper, NASA,
March 10, 1998.
McClain, Michael, and Stelzer, Maria C., “Improving the Risk Management of the Space Shuttle
Obsolescence into the Millenium,” RISK Management 2000 Lessons for the Millennium
Proceedings, The Aerospace Corporation, McLean, Virginia, November 28–December 1, 2000.
Mulvey, John M. and Erkan, Hafize G., “Risk Management of a P/C Insurance Company Scenario
Generation, Simulation, and Optimization,” Proceedings of the 2003 Winter Simulation
Conference, Vol. 1, IEEE, December 7-10, 2003, pp. 364-371.
NASA, “Chronology of KSC and KSC Related Events for 1981,” KHR-6, National Aeronautics and
Space Administration, John F. Kennedy Space Center, 1 September 1983.
Neitzel, August C., Link, Jo Lee Loveland, and Barbour, Richard E., “Risk Management in the Real
World: Rollout and Installation of Risk Management at the National Reconnaissance Office,”
RISK Management 2000 Lessons for the Millennium Proceedings, The Aerospace Corporation,
McLean, Virginia, November 28–December 1, 2000.
Nguyen, P, et al., “Unmanned Space Vehicle Cost Model, Seventh Edition,” USAF Space and Missile
Center, Los Angeles, California, August 1994.
Osborne, Martin J., An Introduction to Game Theory, Oxford University Press, Inc., New York, 2004.
Parolek, Frank; Gallo, Albert, and Hammer, Theodore, “Continuous Risk Management Training and
Implementation,” RISK Management 2000 Lessons for the Millennium Proceedings, The
Aerospace Corporation, McLean, Virginia, November 28–December 1, 2000.
Pate-Cornell, M. Elisabeth, “Warning Systems in Risk Management,” Risk Analysis, Vol. 6, No. 2,
1986, pp. 223-234.
Pate-Cornell, M. Elisabeth, Tagaras, George, and Eisenhardt, Kathleen M., “Dynamic Optimization of
Cash Flow Management Decisions: A Stochastic Model,” IEEE Transactions on Engineering
Management, Vol. 37, No. 3, August 1990, pp. 203-212.
Pate-Cornell, Elisabeth, and Dillon, Robin, “Challenges in the Management of Faster-Better-Cheaper
Space Missions,” Proceedings of the 1998 Aerospace Conference, IEEE, 21-28 March, 1998, pp.
507-514.
Pate-Cornell, Elisabeth, and Dillon, Robin, “Analytical Tools for the Management of
Faster-Better-Cheaper Space Missions,” Proceedings of the 1998 Aerospace Conference, IEEE, 21-28 March,
pp. 515-530.
Pate-Cornell, Elisabeth, and Dillon, Robin, “Success Factors and Future Challenges in the
Management of Faster-Better-Cheaper Projects: Lessons Learned from NASA,” IEEE
Transactions on Engineering Management, Vol. 48, No. 1, February 2001, pp. 25-35.
Pate-Cornell, Elisabeth, and Dillon, Robin, “Programmatic Risk Analysis to Search for Life on Mars,”
Aerospace Conference, 2001, IEEE Proceedings, Vol. 1, pp. 1-453–1-467.
Pate-Cornell, M. Elisabeth, Dillon, Robin L., and Guikema, Seth D., “On the Limitations of
Redundancies in the Improvement of System Reliability,” Risk Analysis, Vol. 24, No. 6, 2004, pp.
1423-1436.
Pidgeon, Alastair, and Marc-Elian Begin, “System Simulation: Risk Reduction for the New
Millennium,” Aerospace Conference Proceedings, 2000 IEEE, Volume 2, IEEE, 18–25 March
2000, pp. 415-425.
Raiffa, Howard, Decision Analysis, Addison-Wesley, Reading, Massachusetts, 1968.
Raiffa, Howard, and Schlaifer, Robert, Applied Statistical Decision Theory, Harvard Business School,
1961.
Ransom, Samuel, and Breese, Steve, “Thruster-Induced Jitter on Milstar: A Case Study in Risk
Management,” RISK Management 2000 Lessons for the Millennium Proceedings, The Aerospace
Corporation, McLean, Virginia, November 28–December 1, 2000.
Rechtin, Eberhardt, Systems Architecting Creating and Building Complex Systems, P T R Prentice
Hall, Englewood Cliffs, New Jersey, 1991.
Roberts, Barney B. “Risk Management Doesn’t Save Money, It Saves Programs,” RISK Management
2000 Lessons for the Millennium Proceedings, The Aerospace Corporation, McLean, Virginia,
November 28–December 1, 2000.
Sachon, Marc, and Pate-Cornell, M. Elisabeth, “Managing Technology Development for
Safety-Critical Systems,” IEEE Transactions on Engineering Management, Vol. 51, No. 4, November
2004, pp. 451-461.
Sadowski, Thomas J.; James, Ralph, and Sherman, Neil, “Risk Management Case Study: Space Based
Laser (SBL) Integrated Flight Experiment (IFX),” RISK Management 2000 Lessons for the
Millennium Proceedings, The Aerospace Corporation, McLean, Virginia,
November 28–December 1, 2000.
Sage, Andrew P., Systems Engineering, John Wiley & Sons, Inc. New York, 1992.
SAIC, “NASA/Air Force Cost Model 99 (NAFCOM 99),” Version 6.0, Science Applications
International Corporation, Huntsville, Alabama, November 1999.
SEI, Capability Maturity Model® Integration (CMMI℠), Version 1.1, (CMMI-SE/SW/IPPD/SS,
V1.1), Staged Representation, Software Engineering Institute, March 2002.
Select Committee of the United States House of Representatives, “Chapter 8 The Commercial Space
Insurance Industry,” in “U.S. National Security and Military/Commercial Concerns with the
People’s Republic of China,” Report 105-851, US House of Representatives, 1999.
Sketoe, James, “Case Study of Risk Assessment of Inertial Upper Stage Vehicle FMEA,” RISK
Management 2000 Lessons for the Millennium Proceedings, The Aerospace Corporation,
McLean, Virginia, November 28–December 1, 2000.
Sietzen, Frank, Jr., “Space Launch Indemnification Renewal Critical to Industry,” Space Policy
Digest, May 1999.
Singh, Jitendra V., “Performance, Slack, and Risk Taking in Organizational Decision Making,”
Academy of Management Journal, Vol. 29, No. 3, 1986, pp. 562-585.
“Space Disaster,” Wikipedia, http://www.en.wikipedia.org/wiki/List_of_space_disasters, updated
2007.
Space Systems Engineering Database, The Aerospace Corporation, El Segundo, California, with
revisions to 2006.
Spear, Tony, “NASA FBC Task Final Report,” RISK Management 2000 Lessons for the Millennium
Proceedings, The Aerospace Corporation, McLean, Virginia, November 28–December 1, 2000.
Stark, Henry, and Woods, John, W., Probability, Random Processes, and Estimation Theory for
Engineers, Prentice-Hall, 1986.
Stevens, Thomas, and Burner, Christopher, “Atlas II, Space Launch Complex 3-East (SLC-3E),
Design, Construction and Activation Risk Management,” RISK Management 2000 Lessons for the
Millennium Proceedings, The Aerospace Corporation, McLean, Virginia,
November 28–December 1, 2000.
Venkatachalam, A. R., “Software Cost Estimation Using Artificial Neural Networks,” Proceedings of
the 1993 International Joint Conference on Neural Networks, IEEE, pp. 987-990.
Vaughan, Emmett J., and Vaughan, Therese, Fundamentals of Risk and Insurance, 8th Ed., John Wiley
& Sons, Inc., New York, 1999.
von Neumann, John, and Morgenstern, Oskar, Theory of Games and Economic Behavior, Princeton
University Press, Princeton NJ, 1944.
Wang, Shouhong, and Archer, Norman P. “A Neural Network Based Fuzzy Set Model for
Organizational Decision Making,” IEEE Transactions on Systems, Man, and Cybernetics, Part C:
Applications and Reviews, Vol. 28, No. 2, IEEE, May 1998, pp. 194-203.
Yanling, Wang, “A New Model Expression for Risk Management in Mutual Insurance,” Engineering
Management Conference, 2003, IEMC ’03, IEEE, November 2-4, 2003, pp. 396-399.
14 CFR 440
48 CFR 28.306–308
48 CFR 9904.416
49 U.S.C. 701
Appendix 1: Monetary Context from Past Space Forecasts
It is helpful to understand the significance of the satellite communications trends since they
reflect the projected investment in technology development, production and assembly methods, and
performance risk mitigation programs. Historically, government satellites from the United States and
the former Soviet Union have dominated worldwide satellite production. However, the number of
commercial satellite launches has increased steadily relative to government satellites for the last 20
years. In 1997 commercial satellite launches, comprising nearly three quarters of all launches,
surpassed government launches for the first time [Caceres, 1998]. This trend is expected to continue
over the next ten to twenty years [Forecast International, 2000]. Most of these commercial satellites
are anticipated to support communication services; a number of others will support Earth imaging and
navigation services. A summary from one forecast illustrating this trend is shown in Table 10
[Caceres, 2000].
The values in the previous table represent a combined investment cost of more than $50
billion for commercial systems alone [Caceres, 1998]. Information on military systems is not as
readily available, but estimates show that the U.S. Government will dominate the world military
spending on satellites [Forecast International, 1999]. The market research also indicates that the year
2000 may mark the early stages in a boom in consumer demand for satellite communication services
with potential new applications including cargo tracking, Internet access, mapping, telephony, and
video services.
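Table 10. Year 2000 Forecast of Satellite Launches Summarized by Payload Type

| Payload Type | '00 | '01 | '02 | '03 | '04 | '05 | '06 | '07 | '08 | '09 | Total |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Commercial Communications Satellites | | | | | | | | | | | |
| Broadband Media | 6 | 69 | 89 | 80 | 41 | 79 | 120 | 120 | 16 | 60 | 655 |
| Mobile | 28 | 38 | 75 | 118 | 124 | 70 | 53 | 53 | — | — | 527 |
| Telecommunications/Broadcast | 45 | 28 | 17 | 14 | 6 | 6 | 2 | 2 | — | 1 | 120 |
| Direct-to-Home TV Broadcast | 42 | 19 | 15 | — | 2 | — | 1 | 1 | — | — | 80 |
| Subtotal | 121 | 154 | 196 | 212 | 173 | 155 | 176 | 118 | 16 | 61 | 1382 |
| Civil Satellites | | | | | | | | | | | |
| Scientific/Space Exploration | 60 | 24 | 11 | 22 | 12 | 7 | 2 | 60 | 51 | 1 | 250 |
| Earth Observation & Meteorological | 30 | 22 | 22 | 14 | 4 | 5 | 4 | 2 | 3 | — | 106 |
| Technology Development | 15 | — | 4 | 2 | 1 | — | — | 1 | — | — | 23 |
| Communications | 10 | 2 | 7 | 2 | 2 | — | — | — | — | — | 23 |
| Subtotal | 115 | 48 | 44 | 40 | 19 | 12 | 6 | 63 | 54 | 1 | 402 |
| Military Satellites | | | | | | | | | | | |
| Early Warning | 2 | 1 | 4 | 4 | — | — | 12 | 12 | — | — | 35 |
| Technology Development | 28 | 2 | — | 4 | — | — | — | — | — | — | 34 |
| Reconnaissance & Surveillance | 1 | — | 2 | 5 | — | 3 | 10 | 10 | — | — | 31 |
| Navigation | 4 | 7 | 6 | 4 | 2 | 3 | 3 | 1 | — | — | 30 |
| Communications | 3 | 1 | 10 | 1 | 1 | 1 | 4 | 3 | 3 | 2 | 29 |
| Earth Observation & Meteorological | 2 | 1 | 1 | — | — | — | — | 1 | 1 | — | 6 |
| Subtotal | 40 | 12 | 23 | 18 | 3 | 7 | 29 | 27 | 4 | 2 | 165 |
| Other | | | | | | | | | | | |
| Manned & Space Operations | 25 | 23 | 24 | 8 | 1 | 2 | — | — | — | — | 83 |
| Commercial Earth Imaging | 12 | 12 | 11 | 14 | 6 | 6 | 2 | — | — | 1 | 64 |
| Commercial Navigation | — | — | — | — | — | 12 | 9 | 8 | 7 | — | 36 |
| Microgravity Experiments | 5 | 2 | 2 | 1 | — | — | — | — | — | — | 10 |
| Commercial Scientific/Technology | 4 | 1 | — | — | — | — | — | — | — | — | 5 |
| Subtotal | 46 | 38 | 37 | 23 | 7 | 20 | 11 | 8 | 7 | 1 | 198 |
| Total | 322 | 252 | 300 | 293 | 202 | 194 | 222 | 216 | 81 | 65 | 2,147 |
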
Launch projections typically change somewhat for reasons listed here. Practical funding and
regulatory constraints probably will result in some reduction in actual launches, and possibly some
systems will be deployed that have not yet been envisioned. There is also a limit to the ability of the
market to sustain communication satellite production; hence, existing successful satellite systems may
not need replenishment for several years. The number of programs experiencing difficulty raising
financing to proceed with a system exhibits further limitations. These result from the number of space
ventures straining the market for investment capital [Caceres, 1999]. This financing situation was
exacerbated with the recent bankruptcy filings of Iridium LLC and ICO Global Communications. The
net result is that the estimate of 2100 satellites to launch over the next decade is likely to change over
time; however, it provides a point of departure for underscoring the need for adequate risk
management in this field.
Appendix 2: System Architecture Reference Field
Consider the satellite system and communications payload models described below, which place
development of performance measures suitable for risk assessment in the general context of
communications satellite development [Henkle, 1999]. Arguably, design of any proposed
communications system that does not sufficiently account for client and end user operations may fail
by measures of technical performance or cost viability. This can result from inadequate definition of
the physical and logical interfaces of the system. Attention to both aspects of the system is necessary.
The physical interfaces identify the boundaries among the major operating segments of the satellite
communication system. The logical interfaces define communications network topologies.
Fortunately, the logical and physical interfaces closely correspond and hence preserve the heuristic for
maintaining a match between functional and physical structuring of an architecture [Rechtin 1991].
First, we examine the physical segments of a satellite communication system. Any
commercial or military satellite communications system consists of three main segments that comprise
the system architecture. The space segment often receives the most attention because it provides the
geographic connectivity and defines the limitations on the types of services provided. The terminal
segment provides the end users with access to the communication system and ultimately is the point of
entry for the system customers. The control segment supports management of system resources and
maintains operation of the system through all potential traffic scenarios and disruptions.
Figure 57. Primary Physical Segments of a Satellite Communications Architecture
[Figure: Terminal Segment, Control Segment, and Space Segment blocks, with labels for System Customers, System Client, Telemetry and Commands, and Communication Waveform.]
The space segment is distinguished by proposed payload functions. It typically is associated
with large development costs. This is reasonable since a typical communication system will consist of
fewer satellites than user terminals. High development costs result since satellites cannot be repaired
easily and are designed with enough flexibility to maintain system operation to accommodate changes
in terminal populations and communications demands. Due to limited on-board resources these
satellites determine limits on system capabilities such as simultaneous geographic coverage, operating
frequencies, and useable bandwidth.
The terminal segment provides a system point of entry for the customers. Its deployment
typically incurs large equipment costs. Yet unlike the space segment, the overall terminal cost
typically is distributed among a large population of users. The system life cycle cost of an individual
terminal should be low in order to be economically attractive. Thus, the investment for this segment
is heavily attributed to production costs. Technically, this segment determines information rate and
types of communications services available to system customers.
The communications signal structure, or waveform, traverses the interface between terminal
segment and the space segment. The complexity of this waveform in accommodating multiple access
or multiple data rates and modulations is likely to affect the cost of terminal production (or upgrade)
and payload development. The choice in the number and types of waveforms to support affects
decisions on the types of payload functions.
The control segment affects the operation of the space segment and potentially any
supporting communication ground nodes. It typically is associated with recurring system maintenance
costs. Some initial development is required for specialized software and equipment. These items
allow for commanding of satellites and their payloads, management of satellite network performance,
telemetry reception, and tracking of satellite position. Otherwise, day-to-day operations at a few
specific locations will dominate the segment costs. The control segment is critical for successful
operation of the system since it allows the system client to control the allocation of satellite resources
for individual user access and data transfer. This control of service to the customers occurs indirectly
through the space segment.
The telemetry and command formats and signal structures bridge the interface between the
control segment and the payload. Payload operations are realized through an on-board payload
control system. Other spacecraft bus functions are monitored and controlled with a satellite telemetry
and command subsystem.
Perhaps just as important as the physical segments is the logical function of the payload in a
communications network. Viewed from this perspective, the payload operates as a critical node in a
particular network. However, keys to determining appropriate payload configurations derive from the
assignment of desired functions to this space-borne node. These functions associate support of
specific network topologies, link bandwidths, baseband data rates, and resources required to maintain
links with appropriate terminals.
Table 11. Examples of Common Satellite Networks

| Connection Classification | Physical Topology: Point-to-Point | Physical Topology: Broadcast | Physical Topology: Report Back | Physical Topology: Mesh |
|---|---|---|---|---|
| Full Duplex | Trunks | Not applicable | Not applicable | Mobile voice service, V-Sat networks |
| Half Duplex | Some examples | Not applicable | Not applicable | Push-to-talk |
| Simplex | Remote sensors, Degenerate broadcast | Direct broadcast television | Distributed sensor networks, Mission status updates | Not applicable |

[Connectivity row: topology diagrams]

Here we shall define a satellite network as a collection of users that transmit data among each
other according to specified connectivity classifications and topologies. Combinations of common
network links and topologies are shown in Table 11. For simplicity crosslinks and relay
terminals between satellites are not shown. The basic types of links are simplex (one-way only),
half-duplex (one-way at a time), and full duplex (two way – analogous to a telephone call). Basic physical
topologies for satellite networks include point-to-point, broadcast, report back, and mesh. In concept,
other physical network topologies such as rings and trees could be possible with a satellite system, but
they typically are not implemented. In general, all networks are either full or partial meshes, but many
partial-mesh topologies have characteristics that make their separate treatment appropriate.
Conversely, all networks also can degenerate into a collection of point-to-point simplex links, and the
collection of these links determines the aspect of the network to analyze.
Let us look at each topology briefly. Of the point-to-point networks, trunks are examples of
high data rate work-horse links that connect two Earth terminals. These are common for the fixed
infrastructure of data communications networks for both the military and commercial data services.
Half-duplex point-to-point can be found with some military examples. Simplex point-to-point can be
used for collection of data (possibly environmental data) from remote terminals. For the broadcast
topology, only simplex links are appropriate since all but the transmitting terminal are receive only.
The same is true for report back topologies; however, the direction of the links is reversed relative to
broadcasts. These topologies could have applications for periodic status reporting to central locations.
Mesh networks provide two-way communications. Bandwidth constraints may determine the type of
satellite network implemented. For example, push-to-talk networks (analogous to CB radio) can serve
a large number of terminals within a relatively limited bandwidth. However, a full-duplex mesh
network analogous to a telephone conference call could require allocation of transmit and receive
bandwidth for each link to a terminal. An important variation of full-duplex connectivity is a V-Sat
network, a satellite network with a large central terminal that serves many geographically distributed
terminals with small antenna apertures [Chakraborty 1988]. These networks can be viewed as an
overlay of broadcast and report back networks. They typically use one forward link from the central
hub terminal to the small terminals and one return channel that is shared among the remote small
terminals.
To make full utilization of satellite resources, future military satellite communication systems
can operate as a unified architecture that allows interdependence among satellite nodes that support
multiple services. Hence, a collection of payloads can be configured such that their aggregate
supports military unique requirements, and the satellite nodes can provide interfaces to complementary
military payloads. The inter-payload interface may be implemented either on board the satellite or at a
terrestrial terminal. The decision as to where to implement this interface depends on desired
architecture operation as well as practical constraints on technology, staffing and statutory restrictions
(in the case of ground terminal operation).
A simplified model for a communications payload may resemble the following figure. Even
the simplest of communication payloads requires a collection of uplink and downlink antennas to
collect desired radio emissions and to radiate them back to Earth. In general, the number of antenna
beams is not equal to the number of antennas. For example, current technology allows multiple-beam
antennas (MBAs) and phased array antennas to support more than one beam per antenna. The heart of
the payload consists of components for translation of messages between appropriate uplinks,
downlinks, and possibly crosslinks. Functions in this subsystem allow designers to categorize basic
payload types. After passing through the uplink antennas, radio frequency (RF) and intermediate
frequency (IF) components perform essential manipulation of signals between the antennas and the
link translation components. The RF and IF handling may differ according to specific
implementations of the payload functions. These components may include signal amplification,
filtering, initial frequency conversion, and analog to digital (A/D) conversion. The remaining
subsystems in the figure are the high power amplifiers (HPAs) between the link translation
components and the downlink antennas. Output power levels from the HPAs may vary from less than
a watt to several hundred watts depending on the payload application. As noted in the figure, the
number of possible signal paths through the payload may vary among the different subsystems. Thus,
the interfaces between these fundamental subsystems may include combinations of multiple port
switches, combiners, and frequency multiplexing components. (Phased array antennas already
incorporate the antenna interface: amplitude and phase controlled power amplifiers [downlink] or
receiving components [uplink] are associated with each radiating element.)
Figure 58. Simplified Communications Payload Model
[Figure: signal path from Uplink Beams through Uplink Antennas, RF/IF Preparation, Link Translation, HPA, and Downlink Antennas to Downlink Beams; the dimensions at the successive stages are labeled m, n, o, p, q, r.]
The number and types of the antennas are configured to support the physical topology of the
anticipated networks. At the basic level, the antennas define the payload coverage on the Earth. This
includes not only the number of antenna beams, but also their shape (and gain), and ability to steer to
different geographic regions. Coverage flexibility may be an important factor here. For example, a
broadcast payload may use one or two uplink antenna beams to collect injection signals from a few
terrestrial locations and employ multiple mechanically or electronically steerable beams to cover
specific geographic regions. The antennas also greatly affect two primary figures of merit: the
gain-to-system noise temperature (G/T) and the effective isotropically radiated power (EIRP). G/T accounts
for antenna gain, or directivity, interface losses, and noise characteristics of the RF/IF components.
EIRP accounts for HPA output powers, interface losses, and antenna gain. A common top-level
design trade for antennas contrasts the coverage of an antenna beam with its corresponding G/T and
EIRP: large antenna beamwidths can cover wide ground swaths and possibly more user terminals,
but they also support less gain. Transmitting and receiving components of ground terminals may have
to counteract any loss in payload EIRP and G/T.
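
The coverage-versus-gain trade described above can be worked through numerically. The following is an added example, not part of the dissertation; the gain approximation (G = efficiency x 41253 / beamwidth^2 for a circular beam), the 60% efficiency, the 50 W HPA, the 1.5 dB interface loss, the 500 K system noise temperature, and the flat-Earth footprint at geostationary altitude are all assumptions chosen for illustration.

```python
import math

GEO_ALTITUDE_KM = 35786.0  # assumed orbit: geostationary altitude


def antenna_gain_db(beamwidth_deg, efficiency=0.6):
    """Approximate peak gain (dBi) of a circular beam from its half-power
    beamwidth, using G = eta * 41253 / theta^2 with theta in degrees.
    The efficiency value is an assumption."""
    return 10 * math.log10(efficiency * 41253.0 / beamwidth_deg ** 2)


def footprint_diameter_km(beamwidth_deg, altitude_km=GEO_ALTITUDE_KM):
    """Footprint diameter at the sub-satellite point (flat-Earth approximation)."""
    return 2 * altitude_km * math.tan(math.radians(beamwidth_deg) / 2)


def eirp_dbw(hpa_power_w, interface_loss_db, beamwidth_deg):
    """EIRP from HPA output power, interface losses, and antenna gain."""
    return (10 * math.log10(hpa_power_w)
            - interface_loss_db
            + antenna_gain_db(beamwidth_deg))


def g_over_t_db(beamwidth_deg, interface_loss_db, system_noise_temp_k):
    """G/T (dB/K) from antenna gain, interface losses, and system noise
    temperature. Simplification: losses are applied to the gain only."""
    return (antenna_gain_db(beamwidth_deg)
            - interface_loss_db
            - 10 * math.log10(system_noise_temp_k))


def coverage_trade(beamwidths_deg, hpa_power_w=50.0,
                   interface_loss_db=1.5, system_noise_temp_k=500.0):
    """Tabulate footprint, EIRP, and G/T for each candidate beamwidth."""
    rows = []
    for bw in beamwidths_deg:
        rows.append({
            "beamwidth_deg": bw,
            "footprint_km": footprint_diameter_km(bw),
            "eirp_dbw": eirp_dbw(hpa_power_w, interface_loss_db, bw),
            "g_over_t_db": g_over_t_db(bw, interface_loss_db,
                                       system_noise_temp_k),
        })
    return rows


def terminal_makeup_db(narrow_deg, wide_deg):
    """dB of payload EIRP (and equally G/T) that the ground terminals must
    recover when a beam is widened from narrow_deg to wide_deg."""
    return antenna_gain_db(narrow_deg) - antenna_gain_db(wide_deg)


if __name__ == "__main__":
    for row in coverage_trade([1.0, 2.0, 4.0, 8.0]):
        print("{beamwidth_deg:4.1f} deg  footprint {footprint_km:7.0f} km  "
              "EIRP {eirp_dbw:5.1f} dBW  G/T {g_over_t_db:5.1f} dB/K"
              .format(**row))
    print("Terminal make-up, 1 deg -> 4 deg: %.1f dB"
          % terminal_makeup_db(1.0, 4.0))
```

Each doubling of beamwidth roughly doubles the footprint diameter and costs about 6 dB in both EIRP and G/T, which is the amount the terminal population has to absorb.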
The functions of the link translation components determine the fundamental operation of the
payload as a node in a satellite network. For instance, in a non-regenerative, or transponded, payload
these components translate uplink channels to the appropriate channel in the downlink frequency band.
Each channel may contain a number of signals operating at different carrier frequencies. The
components maintain connectivity by mapping clumps of bandwidth between uplink and downlink
beams. Components in regenerative payloads demodulate uplink carriers, route the corresponding
data, and modulate a downlink carrier with the appropriate data. This operation typically implies use
of digital modulation with a specified signal structure. Regenerative payloads also come in at least
two varieties. Those with partial processing demodulate data without interpreting any of its meaning.
For instance, they do not perform any error correction decoding or encoding. Thus, data routed
between uplink and downlink beams is in the form of a digital stream. Regenerative payloads with full
processing can allow decoding and some interpretation of the transmitted message. This can allow for
routing of messages in the form of individual data packets. In general, link translation components
can route channels and message data to other payload subsystems including crosslinks. In such cases
the same translation functions apply.
Assessment of payload performance clearly differs according to the type of link translation
subsystems proposed for use. Non-regenerative, or transponded, components are desirable for
payloads that support a variety of terminal networks that use different signal structures. These
payloads also are commonly used for analog transmissions such as FM television. Historically, these
payloads also are less expensive than regenerative payloads. Assessment criteria may include
aggregate data rates, number of simultaneous networks supported, and use of allocated bandwidth.
Regenerative payloads can provide some improvement in individual link performance relative to
transponded payloads (e.g., a link may operate at a lower bit error rate or with higher margin for a
desired bit error rate). They may also alleviate balancing of signal power among several networks
through a single HPA and improve mitigation of interference (intentional or otherwise). However,
these payloads require all terminals to operate with specified signal structures matched to the payload.
This can enhance power and bandwidth efficiencies relative to transponded payloads, but any changes
in the signal structure and access protocols from one payload generation to another may require
upgrading or purchasing an entire terminal population. Assessment criteria for regenerative
payloads can differ with the level of on-board processing. Partial processing criteria may not differ
much from those for transponded payloads. Full processing criteria also may account for quality of
service measures for message delivery and statistical multiplexing. One may note that a payload may
contain more than one type of link translation subsystem. In such cases a variety of assessment criteria
are applicable.
Appendix 3: Some Risk Management Heuristics
Improving processes of any kind—including risk management—is a learned discipline; if risk
management is the first initiative, there will be increased front-end investment costs [Neitzel, 2000].
Those who introduce risk management will have a responsibility to maintain the organization’s
involvement with risk management processes and in incorporating them into standard operating
procedures. The first introduction of new practices, however, will incur some initial costs to the
organization. Once established, potential returns can be realized.
Risk management requires dedicated upfront costs—rewards come later [Neitzel, 2000].
When necessary, the upfront costs include investments for training in risk management, development
of internal processes, devoting critical meeting time for risk management functions, and freeing people
for risk management activities.
Risk management and program management must go hand in hand [Neitzel, 2000].
Identifying, assessing, and rationally handling risks, including contingency planning and risk transfer,
should be an integral part of program management. Further, once accepted processes are incorporated,
the organization’s approach to successfully managing a current program as well as its approach to
handling new business will be affected.
Risk management needs to embrace all key elements of the enterprise [Neitzel, 2000]. This
will include involvement with program stakeholders, industry partners, and associated clients. Over
time this includes applying risk management to all phases of the life cycle.
To be successful over the long term, risk management requires establishing a strong beachhead
among senior leadership [Neitzel, 2000]. While incorporating risk management may begin at
lower levels in an organization, the long-term inclusion of risk management in an organization’s
practices will not take hold until senior management accepts and encourages it. This includes frequent
reinforcement of risk management in an organization’s corporate strategy.
Require continuous management commitment for risk management [Dewan, 2000].
Managers must provide adequate resources including qualified personnel, training, tools, and an
environment that encourages participation in risk identification. Furthermore, the managers must
support and defend use of risk management tools and practices and use them in making programmatic
decisions. Also, management should recognize that risk management not only applies to large and
new programs but also to all programs including improvement programs to modify existing systems.
Risk management processes also should not be harder than necessary to determine rational
conclusions; this facilitates wide-spread use within an organization and communication of results to
senior management and personnel outside the organization. The ground rules for identifying,
evaluating, tracking, and reporting risks should be well understood within the organization, and the
documentation method should be commensurately simple to facilitate its accessibility and use.
Risk management requires a culture that supports creative contributions, multiple
perspectives, and raising the “bad news” early enough so that effective mitigation strategies can be
built [Neitzel, 2000]. To be effective, risk management requires honest communication of program
risks both upward—to management—and across other stakeholders or divisions in a
program development. Project management leadership often will be necessary to overcome resistance
to communication between different organizations.
Culture management is a critical success factor in risk management [Neitzel, 2000]. This
statement ties closely to the previous one. More specifically, though, personnel have to internalize
risk management for it to work in the organization, and the climate to facilitate this internalization is
determined in large part by management.
Creativity of leaders and individual contributors to the risk management process should—to
the extent possible—be welcomed into the risk management process [Neitzel, 2000]. Once the culture
is established, those that can contribute to the risk management process should be allowed to do so.
A risk should be “owned” where it can most effectively be managed [Cvetko, 2000]. On a
project this applies when three conditions are met: the identified risk affects the outcome for a particular
team and its sub-teams, the risk can be mitigated or handled within the scope of that team, and the
potential impact of the risk does not exceed the resources available for that team. These conditions
help establish the group or management level suitable for handling a risk. Elevating ownership of a
risk to too high a level may create a condition where one group handles a large number of risks with
such varying degrees of magnitude that focus on significant risks may be lost. Ownership
also may be restricted to a particular group even when other teams and people may be involved in
mitigation efforts.
Allocate enough resources to take a broad view of a risk, but focus effort to support near-term
decisions [Ransom, 2000]. When assessing an identified risk, or even a known problem, the collateral
system impacts for a program should be investigated to determine the extent and scope of potential
consequences. Clearly, there is a limit to resources to expend on an investigation, and while the
perspective should determine system-wide impacts, the investigation should support design decisions
when a change may be appropriate or operational decisions when deployment or support of particular
services may need to be modified.
Appendix 4: Estimation of Technology Readiness
A common step in determining aspects of cost, schedule, and performance risk is assessing
the maturity of technologies to be included in a system development. NASA technology maturity
levels are widely used for development of space systems and have provided a basis for modeling such
aspects of risk. However, other maturity estimates are used by the U.S. Department of Defense and
U.S. Department of Energy and potentially could be used as well. A comparison of some documented
technology maturity metrics is summarized in the following table (Mankins, 1995), (SEI, 2002),
(DOE, 1998). Clearly, assignment of a maturity metric against a particular technology will be
subjective; however, such an assignment will provide some indication of anticipated development
required to realize performance functionality in the desired system.
Table 12. Comparison of Some Technology Maturity Metrics
| NASA Technology Readiness Level (TRL) Summary: Level | NASA TRL: Description | Software Engineering Institute (SEI) Capability Maturity Model Integration: Level | SEI CMMI: Description | U.S. Department of Energy Office of Environmental Management: Risk Categ. | DOE: Description |
|---|---|---|---|---|---|
| 9 | Actual system flight proven through successful mission operations | 5 | Optimizing; continually improving process performance | 1 (low) | Technology has been demonstrated at the site on some actual waste/materials and is operationally ready |
| 8 | Actual system completed and flight qualified through test and demonstration | 4 | Quantitatively managed; subprocess variation controlled via statistical techniques | 2 | The required technology has been fully developed and demonstrated at another site with a similar waste/material type |
| 7 | System prototype demonstration in a space environment | 3 | Defined; processes understood and documented | 3 | Technology is in full scale development and demonstration |
| 6 | System/subsystem model or prototype demonstration in a relevant environment | 2 | Managed; reqs. managed, processes planned and controlled | 4 (high) | Development of the technology is only at the laboratory level |
| 5 | Component or breadboard validation in relevant environment | 1 | Initial; ad hoc and chaotic processes | 5 (high) | The technology required to accomplish the planned activity does not exist |
| 4 | Component or breadboard validation in laboratory environment | | | | |
| 3 | Analytical and experimental critical function or characteristic proof-of-concept | | | | |
| 2 | Technology concept or application formulated | | | | |
| 1 | Basic principles observed and reported | | | | |
One aspect missing from these metrics is whether technical immaturity results from lack of
concern or is due to difficulty of advancing technology. This type of metric is not as widely
documented, but one approach to quantifying this is shown below (Mankins, 1998).
Table 13. Example of Development Difficulty for Stated Level of Technical Maturity
NASA Research and Development Degree of Difficulty (R&D3) Summary

| Level | Description |
|---|---|
| I | Very low degree of difficulty, Pr[success in normal R&D effort] = 99% |
| II | Moderate degree of difficulty, Pr[success in normal R&D effort] = 90% |
| III | High degree of difficulty, Pr[success in normal R&D effort] = 80% |
| IV | Very high degree of difficulty, Pr[success in normal R&D effort] = 50% |
| V | Fundamental breakthrough required, Pr[success in normal R&D effort] = 20% |

Scholarly determination of statistical distributions associated with the technology maturity
and development difficulty has not yet been accomplished. This may be an area for future research
outside the scope of this proposal.
Abstract
Research develops an empirically derived cardinal model that prescribes handling and transfer of risks between organizations with hierarchical relationships. Descriptions of mission risk events, risk attitudes, and conditions for risk transfer are determined for client and underwriting entities associated with acquisition, production, and deployment of space systems. The hypothesis anticipates that large client organizations should be able to assume larger dollar-value risks of a program in comparison to smaller organizations even though many current risk transfer arrangements via space insurance violate this hypothesis. A literature survey covers conventional and current risk assessment methods, current techniques used in the satellite industry for complex system development, cardinal risk modeling, and relevant aspects of utility theory. Data gathered from open literature on demonstrated launch vehicle and satellite in-orbit reliability, annual space insurance premiums and losses, and ground fatalities and range damage associated with satellite launch activities are presented. Empirically derived models are developed for risk attitudes of space system clients and third-party underwriters associated with satellite system development and deployment. Two application topics for risk transfer are examined: the client-underwriter relationship on assumption or transfer of risks associated with first-year mission success, and statutory risk transfer agreements between space insurance underwriters and the US government to promote growth in both commercial client and underwriting industries. Results indicate that client entities with wealth of at least an order of magnitude above satellite project costs should retain risks to first-year mission success despite present trends.
Asset Metadata
Creator: Henkle, Thomas Grove, III (author)
Core Title: Risk transfer modeling among hierarchically associated stakeholders in development of space systems
School: Viterbi School of Engineering
Degree: Doctor of Philosophy
Degree Program: Industrial and Systems Engineering
Publication Date: 05/31/2007
Defense Date: 05/03/2007
Publisher: University of Southern California (original), University of Southern California. Libraries (digital)
Tag: decision theory, Engineering Management, OAI-PMH Harvest, risk management, space systems, systems architecting, systems engineering, utility theory
Language: English
Advisor: Settles, F. Stan (committee chair), [illegible] (committee member), Friedman, George J. (committee member)
Creator Email: thomas.g.henkle@aero.org
Permanent Link (DOI): https://doi.org/10.25549/usctheses-m500
Unique identifier: UC1321035
Identifier: etd-Henkle-20070531 (filename), usctheses-m40 (legacy collection record id), usctheses-c127-497702 (legacy record id), usctheses-m500 (legacy record id)
Legacy Identifier: etd-Henkle-20070531.pdf
Dmrecord: 497702
Document Type: Dissertation
Rights: Henkle, Thomas Grove, III
Type: texts
Source: University of Southern California (contributing entity), University of Southern California Dissertations and Theses (collection)
Repository Name: Libraries, University of Southern California
Repository Location: Los Angeles, California
Repository Email: cisadmin@lib.usc.edu