September 28, 2011 Vol. 4, Issue 7
On his last day in the office, Bryan O’Connor, Chief of Safety and Mission Assurance, spoke with ASK the Academy.
Bryan O’Connor retired as Chief of Safety and Mission Assurance on August 31, 2011, after serving nearly a decade as NASA’s top safety and mission assurance official. O’Connor is a former Marine Corps test pilot and aeronautical engineer, with more than 5,000 hours of flying time in over 40 types of aircraft. He joined the NASA astronaut program in 1980 and flew two space shuttle missions, serving as pilot on STS-61B in 1985 and commander of STS-40 in 1991.
ASK the Academy: You were a test pilot and a shuttle astronaut before becoming Chief of Safety and Mission Assurance, and your successor Terry Willcutt followed a similar career trajectory. Can you talk about how being a test pilot is good preparation for leading in safety and mission assurance?
Bryan O’Connor: As you mentioned, both of us have test pilot backgrounds, for about the same amount of time and from the same place. Different airplanes, but we came from Patuxent River Naval Air Test Center backgrounds. I think we learned there that you have to have a great deal of respect for the potential and kinetic energy of these things we strap on to ourselves. We spent an awful lot of time in planning for the flights we did. Operationally, there was always obviously planning for a mission. We were operational pilots. But when we went into the test world, the planning took a different slant to it. It was more about the test objectives. The actual airplane itself is the test objective, not delivering a weapon to a target.
There’s an obvious safety piece that was a little different than what we had as operational pilots. We learned the difference between hard rules that you just cannot violate and rules that are the kind you challenge. An operational pilot knows that you’re supposed to stay within the flight envelope of the aircraft. Don’t go faster or higher than the aircraft is cleared for. But we were creating the envelope as test pilots, so we gained a great deal of respect for the idea of expanding an envelope, and all the test preparation and understanding of the aerodynamics and the engineering and the systems stuff that we had to know in order to go and rewrite, challenge, or change things that in the past had been inviolable rules. I think it was that learning that helped us appreciate the safety aspects of what we were doing when we came to NASA.
ATA: What changes have you seen in the safety culture during your time at NASA?
BOC: Before the Challenger accident, the safety and mission assurance community and the safety culture in human spaceflight were what we’d inherited from the Apollo days. There was a substantial operational flavor to it. For those of us in the crew office, I remember one of the first lectures we heard as brand-newbies down there in Houston was the Apollo 13 story. Gene Krantz himself gathered us all around and spent about three hours talking about that flight, and what it meant to the human spaceflight community to have experienced the failure of the hardware and bringing back the crew alive, and how Apollo 13 was considered by folks in the Mission Operations world as right up there almost at the same level of success as Apollo 11 itself. The safety culture was just very much a piece of that story.
In later years I read about the British explorer Ernest Shackleton, who failed in his mission to explore the South Pole and Antarctica, but he got all 27 of his people back. He spent two years down there after his ship got stuck in the ice and then was crushed and sunk, and his men were standing on ice floes for all that time before they could finally get them back to England. It’s the fact that he saved everybody that makes that story very compelling and unusual, and it has a special place in the hearts and minds of British people when they talk about their heroes. That was the same flavor of the Apollo 13 story. It really suggested that we like doing high-risk things, but we really like bringing the crew back alive afterward. So that was what I was introduced to in Houston.
The developmental aspects of systems safety engineering were there, but in retrospect they were not very well founded. They weren’t accepted too much by the engineering community, and even thought there were safety, reliability, and quality engineers involved in the design, development, and test flying, it was almost as if they were checks in the box: “Did somebody remember to call them?” Their value statement was not as high as it subsequently became.
It was the learning from both the Challenger and the Columbia accidents that really helped to solidify the need for a capable and credible SR&QA (safety, reliability and quality assurance) workforce to help from Day 1 in the development activities of a new system. I hope that’s the legacy of those mishaps, because there were strong words in both of those mishap reports about the safety organization. Where is it? What is it doing? Is it relevant? Do the things that the safety people do mean anything to the developers? I think today that as a (SR&QA) community, we’re much more appreciated. They’re (engineers and designers) actually asking for us to show up for their meetings because they don’t want to start them without us. That’s been a big change.
ATA: Along that same line, a couple years ago at an event at Goddard on organizational silence, you said that there has to be an institutional system in place that ensures that people speak up and bring relevant information forward. Do you think NASA has arrived at that point today?
BOC: There has been a lot of work done after Columbia accident investigation. The checks and balances were one of the big root cause discussions. There was a need to improve the standing of both the engineering and the SR&QA organization in the decision-making when there’s residual risk, or safety matters especially. So, we explicitly wrote into our policy the requirement that all these people have a seat at the table, that they have mandatory votes where their authority calls for it. We’ve also instituted and put in writing for the first time the role of the risk-taker when we’re talking about residual risk, and that’s been very important.
I think of it as the four-legged stool: the technical authority owns the requirements, the safety and mission assurance authority decides whether the risk is acceptable or not, the risk-taker must volunteer to take the risk, and then and only then, when those three things have been done, can the program or project manager accept that risk. Those four roles have been stated in the highest documents for governance in the agency. It’s flowing down — and in some places it was already there — for the decision-making for the high-risk work that we do, especially when there’s safety involved.
Now having said that, I keep telling my people and the Center Directors around the agency that instituting that governance model in a set of words with a “shall” statement — “You shall have so and so governance model” — does not make it work. The only way it works is if you have good, credible, respected people with whom you have populated the various legs of that stool. You shouldn’t just hire enough crewmembers to fly the space station missions and no more. You must have experienced crewmembers who are not currently flying but who are available to the next development activity as part of the development team, so that you can get the crew’s look at residual risk areas, and have them in tune and involved enough so they understand what the risks are and can represent “The crew volunteers to take the risk” model that I talked about. I say this because there are people questioning how many crewmembers NASA needs, and why you need any more than what you’re flying. This is an R&D activity, it’s not just about flying.
When Terry (Willcutt) and I were at Pax (Patuxent) River, we spent a heck of a lot more time planning and participating in the development of the next aircraft or the next major mod to an aircraft with the designers and the developers than we did in the cockpit. We spent a tremendous amount of time in simulators and design sessions, and looking over hazard analysis reports, and giving the crew’s input to the development as part of being a test pilot. That same thing applies here at NASA, and sometimes people forget that.
The same goes on the safety and mission assurance side. In the past we sometimes were criticized for not having capable people in our workforce, and folks might show up at a meeting and not be prepared or not understand the issue. Maybe we’d send a propulsion person from the safety organization when the subject was aerodynamics, and they weren’t much help, and they didn’t bother to go and ask for help because their staffing was very low in the home office. These are all problems that cannot be fixed by simply saying, “You have to have the safety office represented in the meeting.” You have to fix these by having good, capable, credible people in those organizations with responsive home offices to back them up. This is the job of the Center Directors, by and large, and I credit them for putting really good people in our safety and mission assurance organizations over the years. In my opinion, NASA SMA is populated today with the best group that we’ve ever had at NASA.
ATA: You mentioned the legacy of the Challenger and Columbia accidents. What do you think is the most memorable contribution you’ve made in your time as Chief Safety Officer?
BOC: I don’t know that I’ve personally made any contributions, because I tend to steal from other (smarter) people. (Laughs.) I am not very good at inventing things or coming out of nowhere with creative ideas, but I know a good one when I see it, and I’ll steal it and benchmark and ask my guys to do something like it if we think it makes sense. Coaching and prodding is the mode that I’ve been using. The real work that’s been done is by the folks in the trenches.
The requirements work that it takes to do this job at Headquarters is continuous. We often are criticized for having too many “shall” statements, and then the very next day we’re criticized by others for not being standardized enough across the agency, which begs for more “shall” statements. Trying to drive that mission support function that we own in SR&QA down the middle of that road is tricky. We’re not a bunch of Chicken Littles waving red flags every five minutes, and yet we’re credible enough that when we do speak up, people will listen because they trust us. And that’s the car I’ve been trying to drive, but I’m just steering. The folks who are in our divisions here and at the Safety Center and at the IV&V facility, and the safety and mission assurance directors at the centers with their people are the ones who get the credit for these changes over time.
ATA: What do you see as the biggest challenge on the horizon for safety and mission assurance?
BOC: Fighting complacency. I commonly tell our folks that there are two modes of mishap prevention. One mode is reacting to the last big accident, and the other mode is fighting complacency. Just about everything we do in the SR&QA world can fit into one of those two buckets. For example, the Launch Services Program has seen a couple of failures with the commercial Taurus XL rockets that they buy. They’re reeling right now and trying to figure out how to prevent that in the future. Complacency is not anywhere to be seen in that community. They’re reacting to the last mishap, and everything they’re doing is to try to understand what happened and put things in place that will prevent similar failures in the future. That basically defines their entire workday, whereas in the human spaceflight world, we haven’t had any failures in quite a while. Right now we’ve got a logistics issue with Russian rocket problems, but by and large since the Columbia accident there hasn’t been a real human safety failure to speak of.
There’s a tendency — not necessarily of the people in the trenches — but we Washingtonians sometimes tend to forget the lessons because we haven’t thought about them in a while, and we sometimes forget the tremendous amounts of energy involved, and the challenges posed by the environment and the human elements to our designs. Those things become a little bit past history, and unfortunately, what that feeds sometimes is complacency, and it shows up at all levels, including our stakeholders outside the agency. If it’s been a while since our last failure, people who are looking to us to do great things sometimes forget how hard this work is to do. We start talking more about affordability than safety, and about getting the NASA oversight and insight down to very low levels because it’s so expensive, without mentioning in the same sentence how important oversight and insight are to preventing mishaps. We even hear our astronauts being referred to as simply “biological cargo” by people who should know better. These are signs that we look for that we’re in complacency mode, and of course it’s natural for that environment to creep up on us. It’s a real challenge for our community to fight that, and to remind each other that just because we haven’t had a recent accident doesn’t make this stuff easy.
ATA: What are your thoughts about the safety and mission assurance challenge ahead regarding the transition to commercial crew?
BOC: The S&MA challenge for commercial crew is trying to figure out where we fit in best, how to support the program in ensuring and assuring that when we do finally decide to put our people on top of these rockets, that we’re not taking unnecessary risk. These are not NASA developments, per se. The concept designs are coming from the commercial people. We’re experimenting with new ways to oversee that work with as few people as we can manage in order to meet the affordability goals. It’s quite a big management experiment for us, and our folks are not comfortable with it, just as nobody is comfortable when they’re getting into unknown territory. I think the big challenge that I hand off to Terry is, “Make sure that we’re not doing something inappropriate here in pulling back or not having the visibility we need, or by not setting the table properly for our decision-makers to accept risk and to put our people on these rockets when they’re relatively new and haven’t been tested yet.”
ATA: What advice do you have for young professionals entering the aerospace profession fresh out of college?
BOC: I’d tell them that when we hire a fresh-out, we do it because we like their technical potential, their education, and their energy, and we want them to help us go to the next levels in the agency. Because of that, when they see something they don’t understand or that doesn’t pass a sanity check in terms of a communication they’re witnessing, it’s OK for them to raise their hand and say something about it. This goes back to that concept of organizational silence. Sometimes our new people are intimated a little bit and they don’t speak up, even when something doesn’t smell right. We should encourage them to go ahead and do that. You don’t want to overdo it of course, and have people being disruptive or educating themselves at the expense of everyone else who’s trying to get something done. I know that can be overdone. But when I first showed up at the Johnson Space Center, they had a plaque over the wall in the Mission Ops control room that said something to the effect of, “In God We Trust — All Others Bring Data.” That was quite intimidating to a new person, because between the lines it suggested that, “We not interested in your opinion on things. If you have data, we’ll listen, but your opinion is not requested here.”
A lot of us came to NASA after years of doing flight testing and R&D work and so on. After the Challenger accident, I really beat myself up for being too silent in the first few years that I was there, and I said to myself, “This agency isn’t as smart as it thinks it is,” to quote Tommy Holloway.
The idea of asking if you don’t understand something — even if you want to go out in the hall and do it so you’re not disruptive — that’s fine. We hire good people to help us move forward, and asking questions is just part of that.
Astronauts Mary L. Cleve and Bryan D. O’Connor look toward the camera during an integrated simulation for the STS-6 mission. The two are at the spacecraft communicator (CAPCOM) console in the mission operations control room (MOCR) of the JSC mission control center.
Featured Photo Credit: NASA / JSC