On the inherent limitations of risk registers, the Rumsfeld Matrix, and why space junk changed my mind.
Originally published on https://linkedin.com December 2024. Part of an ongoing series on aviation risk methodology.
In the last article, Why is operational risk classification two dimensional — Part 3?, I promised this:
Standby for the next exciting instalment, which will investigate the inherent and immutable limitations of risk assessment, the flapping of the butterfly's wings and the inanity of Root Cause analysis.
One thing I did learn recently was that the LinkedIn algorithm punishes long posts, so I'm going to go right ahead and post something lengthy in response, again. However, I have realised while penning my thoughts that the topics I raised for the next part of my series are too lengthy for a single article. Hence, in this discussion I shall cover only the first topic — limitations of risk assessment.
Being of a numerical mindset and kind of smug in my comfortable numeracy, I used to use a derisive expression to dismiss risk responses that I perceived as irrational. It went along these lines — if you're worried about [that] (insert anticipated catastrophic event here) happening, you should wear a helmet every time you walk outside to protect you from falling space junk.
[Note: I've included a link at the end of the article to a good discussion about this risk and how it's evolving over time for those who would like to know if this form of derision remains viable.]
My argument was fairly simple: with no recorded human death from falling space junk (although there have been a couple of fairly recent spectacular attempts by returning core stage components of Long March 5b rockets), the risk is infinitesimal and so being concerned about such things is irrational.
Imagine my surprise when I spent a long night with my airline operations team in January 2012 monitoring the uncontrolled re-entry of Russian space junk which had previously been the Phobos-Grunt Mars probe. You might ask why we were interested in this. We were interested predominantly because we thought that it would be a bad idea to have it fall on one of our aircraft, particularly when it was already in flight. With an uncontrolled re-entry, the forecast splash down zone was equally uncontrolled, moving from the originally declared mid-Atlantic to the eastern Pacific at relatively short notice.
The Russian space probe — which had already failed its primary mission to reach Mars — was now threatening to fail spectacularly at its backup mission of 'not hitting anything important on the way down.'
Re-routing aircraft around danger zones is a fairly rational practice. Attempting to re-route an aircraft which was already en route, around a danger zone which continued to change locations and dimensions at various speeds, was also rational, unsurprisingly challenging but barely imaginable.
Hence, and with a fairly solemn degree of self-realisation, I no longer make quips about the need for a helmet when walking outside. Age, possibly wisdom and certainly experience have taught me that probabilistic certainty is flawed and of marginal utility when the outlier cases are demonstrably catastrophic.
And while that's the happy ending to my own space junk story, it does lead us nicely to the first and most significant limitation of the risk assessment process.
While my space junk epiphany was personal, it turns out Donald Rumsfeld had already created a framework for this type of thinking — though I doubt he was considering falling satellites when he did so.
Remember the first time you heard the apparently esoteric distinction between 'known unknowns' and 'unknown unknowns'? In 2002, Donald Rumsfeld famously made a 2 x 2 matrix (miraculously, without paying extraordinary amounts to Gartner) which divided 'Knowns' and 'Unknowns' into categories of 'Known' or 'Unknown'. Three of those four categories — Known Knowns, Known Unknowns and Unknown Knowns — are regularly considered in the process of risk analysis when building a risk register, but what about the Unknown Unknowns?
The most fundamental limitation of the risk analysis process is that it's only the 'imaginable' which is assessed, and therefore mitigations are biased towards addressing the forecastable.
Having to spend some nervous energy on in-flight aircraft re-routing to avoid the debris field of de-orbiting Russian space junk was not on my Bingo card. It wasn't that the space junk was particularly Unknown, but the re-entry timing and location forecasts were not so much works of fiction as they were precise in the very same way that Pravda provided accurate and balanced political analysis throughout the 1980s.
It's worth noting that in aviation, for fairly obvious reasons, we generally prefer our position reports to be slightly more accurate than 'somewhere between Kazakhstan and Chile, probably.'
If a Black Swan event (see Nassim Nicholas Taleb for further advice on same) is one with high impact, one that is likely unforeseen and one that seems inevitable in retrospect, downing an aircraft with falling space junk fits the bill nicely.
Three of the four risk categorisations deal with imaginable possibilities. That's a great start and has demonstrated quantum leaps in harm reduction, but I'd argue that most of the systemic gains from that form of risk management have already been captured.
To be clear, I'm not arguing here that the current version of risk analysis should be dropped. Healthy pre-mortem style risk forecasting can certainly improve safety outcomes by subsequent implementation of pre-meditated mitigation or avoidance strategies. However, like many other human fallibilities arising from overconfidence, or what some might describe as a bias of false competency, the idea that a system is 'safe' or 'robust' because of the creation of a lengthy risk register containing many imagined eventualities is a systemic demonstration of my Space Junk theorem.
The irony here is that our sophisticated risk assessment tools might actually be increasing our exposure to Black Swan events. The more comprehensive our risk registers become, the more confident we feel in our preparation — and it's precisely this confidence that blinds us to the limitations of our own imagination.
Unknown Unknowns don't care if you couldn't imagine them happening. That's the Rumsfeldian quadrant where the really interesting stuff lives.
Next time, we'll get to the flapping of the wings of the butterfly in the Amazon and why Root Cause analysis is in itself a systemic risk.
And in case you are still interested to know about the risk of space junk and how it has varied over time, see link below:
If your organisation is grappling with risk governance, I'd welcome the conversation.