Crash-protected flight recorders

The crash of China Eastern Airlines Flight MU 5735 is deeply saddening. My thoughts are for the families, friends, and loved ones of those who were on board that ill-fated flight.

Watching video that has been circulated on social media, the signs are that the China Eastern Airlines Boeing 737-800 dived and hit the ground at very high speed. The aircraft appears to have plummeted more than 20,000 feet in about a minute.

The aircraft crash site is in a difficult-to-reach location[1]. Authorities in China are searching the hillside for evidence as to what happened and for the aircraft accident flight recorders[2]. Given what is suspected to have been a high-speed impact, damage to the accident flight recorders can’t be ruled out. They are made to withstand high impacts but are not invulnerable.

It’s most likely that the flight recorders will be of the solid-state type. This is where memory devices are enclosed in a strong crash protected metal box. So, much of the flight recorder could have severe damage but the recordings inside should be preserved.

On this type of public transport civil aircraft, there are usually two accident flight recorders fitted: one Cockpit Voice Recorder (CVR) and one Flight Data Recorder (FDR). To ensure that they meet rigorous technical requirements, accident flight recorders are approved by aviation authorities. The technical requirements for approval are called Technical Standard Orders (TSO)[3][4].

In both the US and European systems, TSO 123 is applicable to CVRs, and TSO 124 is applicable to FDRs. These two TSOs call up the applicable industry standards of EUROCAE ED-112A, MOPS for Crash Protected Airborne Recorder Systems[5]. This comprehensive technical document defines the minimum specification to be met for all aircraft required to carry flight recorders which may record flight data or cockpit audio in a crash survivable recording medium to be used for aircraft accident investigation.

One of the tests described in this long-standing international standard requires manufacturers to shoot a crash-protected module into a target at high speed. This test is often done by loading up a large pneumatic cannon, charging it and firing a module at a specially made target. To pass the test, the module must survive sufficiently well to replay a recording.

So, there is a good chance that the on-board crash-protected recorders of MU 5735 might have survived. Let’s hope so.


[1] https://www.nytimes.com/2022/03/22/world/asia/china-eastern-crash-explained.html

[2] https://www.theglobeandmail.com/world/article-investigators-search-for-survivors-and-answers-after-china-eastern/

[3] https://www.faa.gov/aircraft/air_cert/design_approvals/tso/

[4] https://www.easa.europa.eu/domains/aircraft-products/etso

[5] https://eurocaeshop.azurewebsites.net/eurocae-documents-and-reports/ed-112a/#non-member

A wing and a prayer

Gaps

Fascination with the new. Who can resist? Advanced Air Mobility (AAM) provides just that. Often visualised in Science Fiction, plans for flying cars, taxis and autonomous machines buzzing around our heads are as popular as ever. A long-held dream of taking the imagination and making it real is the business of a lot of new entrants in aviation. The proliferation of projects is astonishing. Even with all the hype aside, there’s a strong chance that some organisations will succeed in changing our skies forever.

This is great. It’s a way of decarbonising but continuing to fly. It opens new ways of undertaking vital tasks, like getting drugs and vaccines to remote regions of the world. Emergency services can benefit in getting people from A to B faster and less expensively. It may help get internal combustion engines off our congested roads in major cities. Air quality may then improve for densely populated areas.

Nothing is for free. The sheer complexity of the problems that need to be solved is taxing some smart people all over the globe. Not only that but the accommodation of aviation’s hundred-year legacy must be factored in too. That’s one reason why research and technical programmes are swallowing up the funds with a voracious appetite. Academics, consultants, and engineers are tapping into the pool of funds that Governments are making available.

Aviation has a pitfall in that it is very unforgiving when errors and failures occur. It’s why the refrain that fits into every safety advocate’s lexicon is – safety is our number one priority. I will not argue as to how sincerely those words are spoken. In the vast majority of cases, people mean what they say.

The awareness that in-service aircraft accidents can sink businesses is not lost on most protagonists. Health and Safety practitioners often say: “If you think safety is too expensive, try an accident”.

This note is more about the gaps that are evident. Reading several publications on advanced air mobility safety and operations, I’m struck by the vagueness and woolliness of the material available. Or at least that’s how the material often starts. Then there’s a rush into infinitesimal detail to crack problems that seem more tangible. There are two problem spaces. There’s the part where uncertainty prevails. Then there’s the part where the nicely bounded nitty-gritty technical problems exist.

There are often far more questions than answers. Documents that purport to have answers are littered with questions. I’m reminded of the HHGTTG[1]. Talking about the invention of the wheel and a group considering what to do with it: “Well, if you’re so smart – what colour should it be?”

Asking the right questions is a must but there’s a lack of clarity too. Before going into painstaking detail on a set of scenarios, a sound report should state its underlying assumptions first. It’s not a good idea to bypass the fundamentals. For AAM to go beyond a novelty, real world difficulties need to be faced head on. Context matters. Sharing the airspace with existing users must be considered[2]. Safety assessment must take account of interactions with General Aviation, balloons, recreational activities, aerial work, emergency services and military operations[3].

It wouldn’t be a bad idea to consider how accident investigation will be conducted, even at this early stage. No doubt lots of data will flow from AAM but will it be what’s needed when things go wrong?


[1] https://www.bbc.co.uk/programmes/b03v379k

[2] UK CAA CAP2272, October 2021

[3] https://www.mitre.org/sites/default/files/publications/pr-19-00667-9-urban-air-mobility-airspace-integration.pdf

How can we prevent organisational accidents?

Part 5

It’s my 62nd birthday in a couple of days. I live on a residential road where there’s a large education college. Around here, it’s impossible, during term time, to go anywhere without being faced with gaggles of 18-year-olds. They are finding their way, on the first steps to shape the world of the future.

Although there’s 44 years between us, I don’t feel that much different from the engineering apprentice that I was at Yeovil College[1] in 1978. It’s true that I know a lot more but the curiosity, fascination with how things work and sense of wonder that I had then remains.

In my career, I’ve been fortunate in having experiences in, and working with a wide range of organisations across the globe. Therefore, I’ll not be reticent in expressing a view on what works and what doesn’t.

Those 44 years have been a transformative time. It really has been a dramatic shift from the primarily analogue to the predominantly digital. What engineering organisations do, and how they organise, has changed far further than was predicted by pragmatic futurists in 1978.

I’m going to relate this to the story of the Boeing 737. It is the most populous civil aircraft in everyday use around the world. It has, if you aggregate all the hours of in-service flying experience, an excellent safety record. More pilots know how to fly it and more mechanics know how to fix it than any other civil aircraft type.

These facts make the MAX saga even more galling. How on earth did such an experienced engineering organisation like Boeing make such a fatal mess? The question has been asked by a lot of people in the past 5 years. There’s plenty of analysis, investigation, and speculation for the public to chew over. From highly technical reports to sensationalist documentaries.

Is there a phenomenon at the core of the succession of mistakes that were made? I think there is. It has to do with the reason why chains of events don’t break easily when there’s a high level of commitment to a course of action.

This occurs in aircraft accidents when a pilot knows that they should turn back but chooses not to do so, with fatal effects. It’s often called: Press-on-itis[2]. Organisations can have “goal fixation” as much as individuals can. That fixation can come about due to commercial pressure or pride or a naturally competitive spirit. A corporate urge to carry on regardless overtook Boeing, and the FAA and others.

From its inception to an aircraft that I might board tomorrow, the basic 737 is as ancient as I am. At its core it’s a 1960s aircraft that has undergone several big transformations. Bit like the dramatic shift from the primarily analogue to the predominantly digital world.

Aircraft manufacturers of all types are faced with this question. When is enough, enough? When do we stop modifying, upgrading, or converting a basic aircraft type?

I did design work for the BAe Advanced Turboprop (ATP)[3]. The aircraft was a redesign of the Hawker Siddeley HS 748[4]. A long-lived and successful aircraft type. Unfortunately, it was a redesign too far. Too many compromises, facing hot competition in the twin turboprop market. The ATP achieved limited sales and production was terminated. A decision was made to stop. I think that if BAe had started with a clean sheet of paper in the 1980s there’d still be a successful aircraft flying.

Back to the MAX saga. In my opinion it was a change too far. However, once committed to that change there was no turning back. No one was able to decide to stop or rethink. A strong corporate urge to carry on regardless blinded people to the reality of the situation that was unfolding.

The MAX is a derivative of a derivative. The 737 went from “classic” to Next Generation to MAX over 4 decades. The story is not over but the last 5 years will never be forgotten by the aircraft industry.


[1] https://www.yeovil.ac.uk/

[2] https://skybrary.aero/articles/press-itis-oghfa-bn

[3] https://www.aerospace-technology.com/projects/bae_atp/

[4] https://www.baesystems.com/en/heritage/avro-748—avro-748mf

How can we prevent organisational accidents?

Part 4

What goes around comes around[1], so it is said. I think that idiom is often about bad things but can be about good things too. In other words, something done years ago can pop-up and have an impact on the here and now.

Some Microsoft PowerPoint presentations from the 1990s are difficult to read. One that I kept did convert into a readable format. The subject was Safety Management Systems (SMS). In the mid-90s, as a UK CAA Surveyor, I was presenting at a national workshop on design and production issues talking about the need for SMS. Describing what that term meant and how it should be used by approved organisations in the UK.

Airworthiness is about past, present and future. It’s about aircraft, procedures, and people. It’s about design, production, maintenance, repair, and overhaul. It’s a long-lived discipline that has developed over decades and delivered a remarkably good level of aviation safety performance.

What we were looking at 30 years ago was not only the experience of civil aviation but the results of investigation of tragic accidents in other industries. In 1986, the Space Shuttle Challenger was lost. 35 years ago saw the Zeebrugge car ferry[2] disaster that killed 193 people. In 1988, explosions destroyed the Piper Alpha oil platform in the North Sea. Each accident pointed to the need for stronger safety management. Often the question was asked: how could such fundamental errors have been made? One response was: “Of all God’s creations, corporations seem to have the shortest memories of all”[3].

Lots of good people agreed that civil aviation needed to practise safety management but primarily on a voluntary basis. Not only that but there were numerous interpretations as to the meaning of SMS as applicable to the different disciplines in aviation. So, Air Traffic Services and Aircraft Operations went ahead with their own versions of SMS. Unfortunately, design and production organisations lagged. In the background, some specialists were attempting to distil a generic template for SMS.

It was the year 2005 that shook the tree. Measuring safety performance, everyone had become accustomed to a story of constantly improving global aviation safety. That year saw a series of major accidents which shook confidence and led to a High-level Safety Conference[4] at ICAO’s Headquarters in Montreal. This HLSC brought together Directors General of Civil Aviation and aviation organisations from most of ICAO’s Member States. Resulting from the HLSC was the Recommendation 2/5 and it was dramatic. It called for a new ICAO Annex on SMS. And so, ICAO Annex 19 was born.

It’s 2022. You might reasonably ask – why is it that we are only now implementing SMS for design and production organisations? Good question.


[1] The results of things that one has done will someday have an effect on the person who started the events.

[2] 6 March 1987, the roll-on, roll-off passenger, and freight ferry capsized 4 minutes after having left harbour.

[3] Safety Management, Strategy and Practice, Roger Pybus, Butterworth-Heinemann 1996.

[4] https://www.icao.int/Meetings/AMC/HLSC/HLSC%202010%20Report/HLSC.2010.DOC.9335.EN.pdf

How can we prevent organisational accidents?

Part 3

Make “challenging” better. Group think can be a source of innumerable problems. It doesn’t necessarily cause unethical organisational behaviours, but it sure does support them when they take hold. One method that can bust a cycle of self-deception is that of peer review. That is the sort of peer review where qualified participants can act independently, use their expertise and comment without prejudice.

I’m going to go back to the early 1990s. I have been fortunate to experience several different ways that aircraft certification and validation can be conducted. The method applied by the UK prior to the gradual harmonisation that took place to form the Joint Aviation Authorities (JAA) was unique.

A multidisciplinary team would visit an aircraft manufacturer for a week or more. This was an intense activity of technical investigation. The output was an “orange book” and a series of findings that the aircraft manufacturer must address before a national type certificate could be granted.

This process was hard work. Its advantage was that a complete exploration of an aircraft type could be documented and that an applicant for a type certificate would be left in no doubt what needed to be done next. The first part of the activity was technical familiarisation. Each technical discipline would get a briefing on either the actual aircraft type or what was planned. This was done at the infancy of word processing. Believe it or not, I remember scissors and glue being used to cut and paste text to make up the explanations and findings.

The purpose of these words is not to describe the use of airworthiness requirements (BCARs and the early JARs) but to describe what happened when the technical team returned home.

Having created an “orange book” with its key findings there was a need to inform colleagues of the who, what, where, when and why. The authority’s senior management had to buy in to the work of the technical team.

There were often a series of generic findings that would deal with typical additional UK requirements. However, often more contentious were the technical findings that addressed flaws in compliance or design or unique technical features or controversial issues.

Having returned to the office, members of the technical team had to justify their findings to their peers. This was done in a formal manner. It could be a daunting process. No stone was left unturned in questioning the investigation that had been done on-site at the aircraft manufacturer. It was intimidating to do this for the first time. Particularly when standing in front of the grandees who had been doing such work for decades. Some who had written the rules in the first place.

Although this was a tough process, it’s one that benefits a mature organisation a lot. It shakes complacency out of the system. It’s truly to be challenged.

How can we prevent organisational accidents?

Part 2

Make “challenging” better. It’s generally better to have more than one set of eyes on an issue.

The classical challenge is to perform an audit. To take a sample of the work being performed and check that it’s everything that it’s said to be. This can be done at any stage: design, development, test, production, and in-service. Unfortunately, audits can get bogged down in process, procedures, customs, and practice that get so heavy as to distract from the essence of the task.

There’s a focus on the tangible aspects of work too. How many reports? How many corrective actions? Show me the measurements. Nevertheless, well focused auditing is a powerful tool.

It would be wise not to discount the intangible benefits of an audit. Such activities provide a chance to view the more intangible aspects of work. Here’s a few anecdotes.

Often when being taken for an official guided tour around a design or production facility there’s time to look beyond what the hosts want you to see. I often found a moment to look at notice boards around a factory or office, and they gave a hint as to the culture in that organisation. Cartoons and jokes of good humour led me to put a “normal” tick in the box. But if they strayed into harsh lampooning of the management or the way of working then there was something to note.

Sitting in a manager’s office being briefed as to the timetable for an audit, it’s as well to take in the whole scene. All those certificates displayed on the wall. Were they pertinent? Were they there to show off? Or were they showing genuine pride in the achievements of the organisation?

Timetables for an audit are necessary but can be a menace if every second is filled. But an auditor should never be intimidated by a timetable. On occasion, I’ve walked past a pile of records only to turn back and say – and what about this one? Then being told we must hurry on. To which my reaction was to dig in and follow the trail.

It’s true that the environment has changed. Digitisation has made the random selection of a sample more difficult. Digital records lend themselves to more pre-prepared situations.

Mealtimes can be a revelation on organisational culture too. This doesn’t happen anymore, I’m sure. The factory canteen that serves alcohol is truly a thing of the past. However, an auditor being taken out for lunch is still commonplace. It’s possible to get moralistic about such invitations only to miss out on getting a sense of those intangibles that might help understanding.

Additionally, I will warn that there’s the small danger of vexatious challenge. It’s a rarity but obsessions can follow even the most capable of people around. There’s a risk too that focusing on one pet subject can mean gaping great holes are missed. Each subject needs to be taken proportional to its potential impact.

How can we prevent organisational accidents?

Reading the commentary, deep and wide, that has flowed from the saga of the certification and introduction to service of the Boeing 737 MAX, there’s palpable frustration. A large volume of analysis and evidence is now in the public domain. It has taken a long time and the persistence of many good people to bring the results of investigation to the fore. Frustration stems from knowing that the factors involved in the MAX saga are not new or unique. They have been seen far too often in fatal accidents and serious incidents right across the globe.

One common reaction is to place all the blame on the corrupting effect of large amounts of money. The line “follow the money” became common usage as a result of the 1976 movie “All The President’s Men[1]” despite the theory that it came from elsewhere.

“Follow the money” is good advice for investigators whether they be journalists, air accident investigators or police detectives. It’s certainly one of the known motivators for people to circumvent or disregard rules and regulations.

I could go on to talk about corporate liability[2]. There’s often a distinct lack of capability or inclination to hold large corporations, and the individuals running them liable for gross negligence and unethical behaviours. Another problem with this is that this is the button to press after the event. Yes, strong corporate liability laws rigorously applied can have a deterrent effect. However, the calculation made by those people at the source of the problem is often that of slim likelihood of failure or getting caught or, as with banks during the financial crisis, being too big to fail.

Although all the lessons learned from the analysis of organisational accidents are a good route to prevention of future accidents, that’s just one part of the puzzle.

Another common reaction is to reach for the human factors textbooks. There’s absolutely no doubt that human action is at the root of the events discussed. It takes people, and groups of people, to choose to do the wrong thing knowing of the risks they take. Indefensible actions done with the awareness of an organisation are more than just process or procedural failure.

I started writing with the assumption that organisational accidents are preventable and must be prevented. This is to say that zero accidents are achievable. Yet, organisational accidents keep happening and prevention keeps failing. Albeit, relative to the volume of global activity, a rare occurrence in civil aviation.

Maybe it’s better to accept that the motivations of a minority of people are to act unethically for personal gain and to take unacceptable risks. The larger problem is the failure of a greater number of people to act when they become aware of that behaviour.

In the cockpit pilots are taught to challenge bad decisions. Maybe we need to teach people how to challenge effectively.


[1] The movie takes protagonists Bob Woodward and Carl Bernstein through their quest to figure out the suspicious acts around US President Richard Nixon.

[2] https://www.cps.gov.uk/legal-guidance/corporate-prosecutions

Regulatory Freedom

Not for the first time a Conservative Minister[1] under pressure was asked to defend Brexit and the answer they gave was: “regulatory freedom.” Sounds good, doesn’t it? But it isn’t often that an audience is given the opportunity to critically assess what it means. So, let’s explore what those two words mean in the context of Brexit. Naturally, it’s highly political given that the word “freedom” is used to imply that a freedom has been acquired that was once denied.

There are two basic points that come to mind.

  • One: European Member States work together to make new laws and regulations. The UK was highly influential in shaping European policy, laws, and regulation. The UK Parliament once kept a close eye on the progress of the significant developments in Europe, and
  • Two: For all the time of the UK’s membership of the EU, most of our laws and regulations were made by the UK, since the Member States hadn’t given the EU the competence to act on defence, crime, welfare, direct taxation, national security, and health, for example.

It is sad that Conservative Ministers continue to lie about these facts. Honestly, with 6 years under our belts since the referendum, you would think that a senior British politician would have no need to lie about such matters.

I expect Minister Jacob Rees-Mogg[2] is, at this moment, documenting the ways in which this myth can be perpetuated. What would be even sadder than sad is if the motivation to change British laws and regulations was just to be different for the sake of difference.

The UK Government has established a Brexit Opportunities Unit[3]. Again, with 6 years under our belts since the referendum, you would imagine that whatever opportunities there are they would be well known by now. Reading the published 4-page report on regulatory reforms, it is thin to say the least.

The face palm[4] I had when reading one line talking about reviewing restrictions on selling in pounds and ounces was a massive one. Did we really go through all that pain for something so trivial? Please don’t answer that question.


[1] https://www.bbc.co.uk/iplayer/episode/m0014b4c/question-time-2022-10022022

[2] https://www.independent.co.uk/news/uk/politics/jacob-reesmogg-what-is-the-brexit-opportunities-unit-b2010570.html

[3] https://www.gov.uk/government/publications/brexit-opportunities-regulatory-reforms

[4] https://en.wikipedia.org/wiki/Facepalm

Aircraft Level View

The latest innovations in aircraft design are, without question, highly integrated systems. We have departed from the days when every aircraft system was a box. An autopilot, a display computer, a power controller may all sit in one cabinet of equipment. Each one interdependent upon the other.

The other day, I saw advertised as an antique a British P8 aircraft compass. Maybe 80 years old, it was claimed to be still working. This bit of kit was fitted to the Spitfire, Hawker Hurricane and Mosquito. Truly, a discrete equipment. One basic function and independent of all other aircraft systems except cockpit lighting. After all, a compass isn’t much use if you can’t see it.

One reflection of mine from times past is the real difficulty of getting people to take an aircraft level view. Some might say this is aerospace design history. It certainly was a major struggle in the mid-1990s. It was a message that was not always well received.

Without mentioning any names, I’d roll up at an aircraft manufacturer and be confronted with a hangar-sized office divided up into cubicles. Sound absorbing partition walls of shoulder height stretching far into the distance. This is where Scott Adams[1] got the idea for the Dilbert cartoons.

In one corner of the engineering building would be a venerable grey-haired gentleman who had spent his entire life working on toilet flush motors. At another corner would be a gaggle of whizz kids developing software specifications for the latest computing hardware.

Everything was the same placid light green with only a few signs to give identity to groups of people working together. Segregation and segmentation were a part of the process. Each functional group developed their skills to the highest degree in their chosen specialisation.

My role in all this was to sit in a rectangular meeting room receiving briefings from each technical team. The certification task had been divided up and everyone was doing their part. Certification plans for an autopilot, a display computer or a power controller were all competently presented. Preliminary safety assessments were dutifully described.

After a while it became all too clear to me that everyone was dedicated to their assignment but that communication between different teams was sketchy to say the least. So, questions like “where did you get that number from?”, when talking about a failure probability number taken from someone else’s analysis, weren’t always convincingly answered. As a result, I got to hammer on about the need to take an aircraft level view to the point of great irritation. It’s not that people didn’t want to hear the message. It was more that the means to look at interdependencies between aircraft systems was fragile and underdeveloped. We changed and progressively the challenge of integration was met.

Today, I sit and wonder if the new entrants in the aerospace world, rapidly putting together advanced new forms of air mobility, have taken on-board the lessons we learned in the 1990s. It’s not as easy to learn the above lessons unless the reason why is abundantly clear.


[1] https://www.scottadamssays.com/

Tea or Coffee

I’ll grab a newspaper and flick through the pages. I can almost guarantee in all the thousands of words used to describe the events of the week nowhere will you see the word “determinism”. Now, that shouldn’t surprise anyone. Or at least anyone who doesn’t spend their days in the systems engineering world. Yet, the basic idea of determinism is ingrained in everyday thinking.

Yesterday, I bought a new kettle. It works well. I can take cold fresh water from my kitchen tap, fill it to the two-cup line and press the button with confidence that within a couple of minutes I’ll have boiling water. Cause-and-effect are truly well connected. I pay my electricity bill and expect current to flow when the switch is thrown. I’d be really annoyed if my new kettle didn’t do what it said it would do on the box it was packaged in. My cup of tea is assured.

Now, let’s step into an imaginary future. Well, a future that’s not as imaginary as might first be thought. I’ll set aside my morning tea drinking habit and brew a coffee instead. I haven’t got one, but they are certainly being advertised. That’s a coffee machine that’s connected to the INTERNET[1]. It can be given voice commands to brew my favourite brew. It has an app where I can set up my preferences. It’s a whizzy way to get an espresso.

I don’t say this function exists, only that as soon as the connection is made to an external service what happens next becomes just a little less predictable. A coffee machine with an integrated voice activation system will do as it’s told. At least we assume it will do as it’s told. Thus, cause-and-effect remain connected. Stand back. The door has now been opened. Let’s say, after I acquired the coffee maker the anxious manufacturer changes the algorithm that runs the machine. They want me to drink the maximum number of their wonderful coffees but without going to the dark side.

Next time, I go for a smart espresso the machine talks back: “Are you sure? You’ve had 5 coffees already this afternoon.” I have no knowledge of, or control over the algorithm that’s coming up with this talk back. The question might be fair, sensible, and looking after my health but, in that moment, I have no ability to predict what the machine will do next. Will it let me carry on regardless? Or will it say: “No, you’ve had enough. Come back and talk to me in an hour.” The simple cause-and-effect relationship I have with my new kettle is no more. Without being warned, I’ve strayed into the world of non-determinism.

I think you can now appreciate the purpose of this short article. It’s to point out that our quaint classical deterministic world is going to go through a shakeup. Think of the scenario above for a car or an aeroplane. It’s not inevitably bad. In fact, non-deterministic systems offer huge potential benefits. My message is that we’d better be ready for all aspects of this transition.

I’ve made the contrast between either one or the other. In reality, there will be a fuzzy zone between what’s deterministic and what’s non-deterministic. The tea or coffee drinker may have a choice in different places at different times for different reasons.


[1] https://www.lavazza.co.uk/en/landing/voicy.html