Bryan O’Connor retired as chief of Safety and Mission Assurance on August 31, 2011, after serving nearly a decade as NASA’s top safety and mission assurance official. O’Connor is a former U.S. Marine Corps test pilot and aeronautical engineer, with more than five thousand hours of flying time in over forty types of aircraft. He joined the NASA astronaut program in 1980 and flew two Space Shuttle missions, serving as pilot on STS-61B in 1985 and commander of STS-40 in 1991. ASK the Academy’s Matthew Kohut spoke with him on his last day in the office.
Kohut: You were a test pilot and a shuttle astronaut before becoming chief of Safety and Mission Assurance, and your successor, Terry Wilcutt, followed a similar career trajectory. Can you talk about how being a test pilot is good preparation for leading in safety and mission assurance?
O’Connor: As you mentioned, both of us have test-pilot backgrounds, for about the same amount of time and from the same place. Different airplanes, but we came from Patuxent River Naval Air Test Center backgrounds. We learned there that you have to have a great deal of respect for the potential and kinetic energy of these things we strap on to ourselves. We spent an awful lot of time planning for the flights we did.
There’s an obvious safety piece that was a little different than what we had as operational pilots. We learned the difference between hard rules that you just cannot violate and rules that are the kind you challenge. An operational pilot knows that you’re supposed to stay within the flight envelope of the aircraft: don’t go faster or higher than the aircraft is cleared for. But we were creating the envelope as test pilots, so we gained a great deal of respect for the idea of expanding an envelope, and all the test preparation and understanding of the aerodynamics and the engineering and the systems stuff that we had to know in order to rewrite, challenge, or change things that in the past had been inviolable rules. I think it was that learning that helped us appreciate the safety aspects of what we were doing when we came to NASA.
Kohut: What changes have you seen in the safety culture during your time at NASA?
O’Connor: Before the Challenger accident, the safety and mission assurance community and the safety culture in human spaceflight were what we’d inherited from the Apollo days. There was a substantial operational flavor to it. For those of us in the crew office, I remember one of the first lectures we heard as brand-newbies down there in Houston was the Apollo 13 story. Gene Kranz himself gathered us all around and spent about three hours talking about that flight, and what it meant to the human spaceflight community to have experienced the failure of the hardware and bringing back the crew alive, and how Apollo 13 was considered by folks in the mission operations world as right up there almost at the same level of success as Apollo 11 itself.
Later, I read about the British explorer Ernest Shackleton, who failed in his mission to explore the South Pole and Antarctica, but got all twenty-seven of his people back. He spent two years down there after his ship got stuck in the ice and then was crushed and sunk, and his men were standing on ice floes for all that time before they could finally get them back to England. It’s the fact that he saved everybody that makes that story very compelling and unusual, and it has a special place in the hearts and minds of British people when they talk about their heroes. The Apollo 13 story has the same flavor. It suggested that we like doing high-risk things, but we really like bringing the crew back alive afterward. So that was what I was introduced to in Houston.
The developmental aspects of systems safety engineering were there, but they were not very well founded. They weren’t accepted too much by the engineering community; even though there were safety, reliability, and quality engineers involved in the design, development, and test flying, it was almost as if they were checks in the box: “Did somebody remember to call them?”
It was the learning from both the Challenger and Columbia accidents that helped solidify the need for a capable and credible SR&QA [safety, reliability, and quality assurance] workforce to help from day one in the development of a new system. I hope that’s the legacy of those mishaps, because there were strong words in both of those mishap reports about the safety organization. Where is it? What is it doing? Is it relevant? Do the things that the safety people do mean anything to the developers? I think today that as a [SR&QA] community, we’re much more appreciated. They’re [engineers and designers] actually asking us to show up for their meetings because they don’t want to start them without us. That’s been a big change.
Kohut: A couple of years ago at an event at Goddard on organizational silence, you said that there has to be an institutional system in place that ensures that people speak up and bring relevant information forward. Do you think NASA has arrived at that point today?
O’Connor: There has been a lot of work done since the Columbia accident investigation. There was a need to improve the standing of both the engineering and the SR&QA organization in decision making when there’s residual risk. So, we explicitly wrote into our policy the requirement that all these people have a seat at the table, that they have mandatory votes where their authority calls for it. We’ve also instituted and put in writing for the first time the role of the risk taker when we’re talking about residual risk, and that’s been very important.
I think of it as the four-legged stool: the technical authority owns the requirements, the safety and mission assurance authority decides whether the risk is acceptable or not, the risk taker must volunteer to take the risk, and then and only then, when those three things have been done, can the program or project manager accept that risk. Those four roles have been stated in the highest documents for governance in the agency. It’s flowing down—and in some places it was already there—for the decision making for the high-risk work that we do, especially when there’s safety involved.
Having said that, I keep telling my people and the center directors around the agency that instituting that governance model in a set of words does not make it work. The only way it works is if you have good, credible, respected people populate the various legs of that stool. You shouldn’t just hire enough crewmembers to fly the space station missions and no more. You must have experienced crewmembers who are not currently flying available to the next development activity as part of the development team, so that you can get the crew’s look at residual risk areas, and have them in tune and involved enough so they understand what the risks are and can represent “the crew volunteers to take the risk” model that I talked about. I say this because there are people questioning how many crewmembers NASA needs, and why you need more than what you’re flying. This is an R&D activity; it’s not just about flying.
When Terry [Wilcutt] and I were at Pax [Patuxent] River, we spent a heck of a lot more time planning and participating in the development of the next aircraft or the next major mod to an aircraft with the designers and the developers than we did in the cockpit. We spent a tremendous amount of time in simulators and design sessions, and looking over hazard analysis reports, and giving the crew’s input to the development. That same thing applies here at NASA. Sometimes people forget that.
In the past we sometimes were criticized for not having capable people in our workforce. Folks might show up at a meeting and not be prepared or not understand the issue. Maybe we’d send a propulsion person from the safety organization when the subject was aerodynamics. They weren’t much help, and they didn’t bother to ask for help because staffing was very low in the home office. These are all problems that cannot be fixed by simply saying, “You have to have the safety office represented in the meeting.” You have to have good, capable, credible people in those organizations with responsive home offices to back them up. This is the job of the center directors, by and large, and I credit them for putting really good people in our safety and mission assurance [SMA] organizations over the years. In my opinion, NASA SMA is populated today with the best group that we’ve ever had at NASA.
Kohut: What do you think is the most memorable contribution you’ve made in your time?
O’Connor: I don’t know that I’ve personally made any contributions, because I tend to steal from other (smarter) people. [Laughs.] I am not very good at inventing things or coming out of nowhere with creative ideas, but I know a good one when I see it, and I’ll steal it and benchmark it and ask my guys to do something like it if we think it makes sense. Coaching and prodding is the mode that I’ve been using. The real work that’s been done is by the folks in the trenches.
The requirements work that it takes to do this job at Headquarters is continuous. We often are criticized for having too many “shall” statements, and then the very next day we’re criticized by others for not being standardized enough across the agency, which begs for more “shall” statements. Trying to drive that mission-support function that we own in SR&QA down the middle of that road is tricky. We’re not a bunch of Chicken Littles waving red flags every five minutes, and yet we’re credible enough that when we do speak up, people will listen because they trust us. That’s the car I’ve been trying to drive, but I’m just steering. The folks who are in our divisions here and at the Safety Center and at the IV&V [Independent Verification and Validation] facility, and the safety and mission assurance directors at the centers with their people, are the ones who get the credit for these changes over time.
Kohut: What do you see as the biggest challenge on the horizon for safety and mission assurance?
O’Connor: Fighting complacency. I commonly tell our folks that there are two modes of mishap prevention. One mode is reacting to the last big accident, and the other mode is fighting complacency. Just about everything we do in the SR&QA world can fit into one of those two buckets. For example, the Launch Services Program has seen a couple of failures with the commercial Taurus XL rockets that they buy. They’re reeling right now and trying to figure out how to prevent that in the future. Complacency is not anywhere to be seen in that community. Reacting to the last mishap and trying to understand what happened and put things in place that will prevent similar failures in the future basically defines their entire workday. In the human spaceflight world, we haven’t had any failures in quite a while. Right now we’ve got a logistics issue with Russian rocket problems, but by and large since the Columbia accident there hasn’t been a real human-safety failure to speak of.
There’s a tendency—not necessarily of the people in the trenches—but we Washingtonians sometimes tend to forget the lessons because we haven’t thought about them in a while. We sometimes forget the tremendous amounts of energy involved and the challenges posed by the environment and the human elements to our designs. Those things become a little bit past history, and unfortunately that sometimes feeds complacency. It shows up at all levels, including our stakeholders outside the agency. If it’s been a while since our last failure, people who are looking to us to do great things sometimes forget how hard this work is to do. We start talking more about affordability than safety, and about getting the NASA oversight and insight down to very low levels because it’s so expensive, without mentioning in the same sentence how important oversight and insight are to preventing mishaps. We even hear our astronauts being referred to as simply “biological cargo” by people who should know better. These are signs that we look for that we’re in complacency mode, and of course it’s natural for that environment to creep up on us. It’s a real challenge for our community to fight that.
Kohut: What are your thoughts about the safety and mission assurance challenge ahead regarding the transition to commercial crew?
O’Connor: The SMA challenge for commercial crew is trying to figure out where we fit in best, how to support the program in ensuring that, when we do finally decide to put our people on top of these rockets, we’re not taking unnecessary risk. These are not NASA developments, per se. The concept designs are coming from the commercial people. We’re experimenting with new ways to oversee that work with as few people as we can manage in order to meet the affordability goals. It’s a big management experiment for us, and our folks are not comfortable with it, just as nobody is comfortable when they’re getting into unknown territory. I think the big challenge that I hand off to Terry is, “Make sure that we’re not doing something inappropriate here in pulling back or not having the visibility we need, or by not setting the table properly for our decision makers to accept risk and to put our people on these rockets when they’re relatively new and haven’t been tested yet.”
Kohut: What advice do you have for young professionals entering the aerospace profession fresh out of college?
O’Connor: When we hire a fresh-out, we do it because we like their technical potential, their education, and their energy, and we want them to help us go to the next levels in the agency. Because of that, when they see something they don’t understand or that doesn’t pass a sanity check, it’s okay for them to raise their hand and say something about it. This goes back to that concept of organizational silence. Sometimes our new people are intimidated a little bit and don’t speak up, even when something doesn’t smell right. We should encourage them to go ahead. You don’t want to overdo it, of course, and have people being disruptive or educating themselves at the expense of everyone else who’s trying to get something done. I know that can be overdone. But when I first showed up at the Johnson Space Center, they had a plaque over the wall in the mission ops control room that said something to the effect of, “In God We Trust—All Others Bring Data.” That was quite intimidating to a new person, because between the lines it suggested that, “We’re not interested in your opinion on things. If you have data, we’ll listen, but your opinion is not requested here.”
A lot of us came to NASA after years of flight testing and R&D work and so on. After the Challenger accident, I really beat myself up for being too silent in the first few years that I was there, and I said to myself, “This agency isn’t as smart as it thinks it is,” to quote Tommy Holloway.