Responding to tragedy

News has come in of a tragic aviation aircraft accident in China. A relatively young Boeing 737 aircraft has been lost with all soles on-board. The Boeing 737-800 (B-1791) was built in 2015. As is often the case, social media is full of speculation. Even at the earliest moments after this catastrophic event, comment was being made of the limited information available.

There is a divide. Some people, out of respect for those who have perished make a point of saying that they will not speculate around the information that’s public. Other responses fit into a couple of camps. Let’s just say that there’s informed comment and ill-informed comment.

It’s reasonable to feel that ill-informed comment can step over into the realms of the disrespectful and inconsiderate. That rarely daunts a lot of users of social media.

A first response should be one of compassion. When a great number of passenger and crew fatalities occur the question of – why has this happened? Will come up soon enough. In the first instance a tragedy deserves a moment of reflection. It’s our natural human empathy. The pain and suffering of the families and friends of those who are not coming home, should be at the front of our minds.

After a moment has passed the call for action is rightly the next most urgent response. However, action based on scant information is a most difficult step. Often, such actions are precautionary. Imagining, the worst-case scenario, like the potential for reoccurrence of the accident, and then act accordingly. The cry is rightly – something must be done.

At this stage, as an aviation professional I have no problem with informed speculation. In this fast-moving digital world, that we live in, the flow of information is like a torrent. It cannot be easily stopped. At least not in our free and open societies. Therefore, it’s better that informed comment be given a space, otherwise the ill-informed variety will dominate.

Comments appear not only on the fatal accident but the response that has followed. That can be tough to hear when the first responders, emergency services, investigators and regulators get armchair critics commentating immediately on their performance.

Again, I’m not going to say this should stop. Transparency is vital if the public are to have confidence in the civil aviation. So, tolerating rough commentary that turns out to be wrong is part of the realpolitik. Although, it would be good if such commentors admitted when they had got it wrong.

Post tragic event, as information flows start to become more reliable so informed comment becomes more of an honest reflection of what happened. It’s as well to be remind that fatal aviation accidents with the loss of all on-board are rare. It’s always crucial to analyse what happened and act rapidly to prevent any possibility of reoccurrence. Whatever the commentary and speculation, that must not effect the work of the bodies who have the responsibility to take corrective action.

A wing and a prayer

Gaps

Fascination with the new. Who can resist? Advanced Air Mobility (AAM) provides just that. Often visualised in Science Fiction, plans for flying cars, taxies and autonomous machines buzzing around our heads are as popular as ever. A long-held dream of taking the imagination and making it real is the business of a lot of new entrants in aviation. The proliferation of projects is astonishing. Even with all the hype aside, there’s a strong chance that some organisations will suceeed in changing our skies forever.

This is great. It’s a way of decarbonising but continuing to fly. It opens new ways of undertaking vital tasks, like getting drugs and vaccinees to remote regions of the world. Emergency services can benifit in getting people from A to B faster and less expensivly. It may help get internal combustion engines off our congested roads in major cities. Air quailty may then improve for densly populated areas.

Nothing is for free. The shear complexity of the problems that need to be solved are taxing some smart people all over the globe. Not only that but the accommodation of aviation’s hundred-year legacy must be factored in too. That’s one reason why research and technical programmes are swallowing up the funds with a voracious appetite. Academics, consultants, and engineers are tapping into the pool of funds that Governments are making available.

Aviation has a pitfall that in that it is very unforgiving when errors and failures occur. It’s why the refrain that fits into every safety advocate’s lexicon is – safety is our number one priority. I will not argue as to how sincere those words are spoken. In the vast majority of cases, people mean what they say.

The awareness that in-service aircraft accidents can sink businesses is not lost on most protagonists. Health and Safety practitioners often say: “If you think safety is too expensive, try an accident”.

This note is more about the gaps that are evidence. Reading several publications on advanced air mobility safety and operations, I’m struck by the vagueness and wooliness of the material available. Or at least that’s how the material often starts. Then there’s a rush into infinitesimal detail to crack problems that seem more tangible. There are two problem spaces. There’s the part where uncertainty prevails. Then there’s the part where the nicely bounded nutty, gritty technical problems exist.

There are often far more questions than answers. Documents that proport to have answers are littered with questions. I’m reminded of the HHGTTG[1]. Talking about the invention of the wheel and a group considering what to do with it: “Well, if you’re so smart – what colour should it be?”

Asking the right questions is a must but there’s a lack of clarity too. Before going into painstaking detail on a set of scenarios a sound report should states its underlying assumptions first. It’s not a good idea to bypass the fundamentals. For AAM to go beyond a novelty, real world difficulties need to be faced head on. Context matters. Sharing the airspace with existing users must be considered[2]. Safety assessment must take account of interactions with General Aviation, ballons, recreational activities, aerial work, emergency services and military operations[3].

It wouldn’t be a bad idea to consider how accident investigation will be conducted, even at this early stage. No doubt lots of data will flow from AAM but will it be what’s needed when things go wrong?

[1] https://www.bbc.co.uk/programmes/b03v379k

[2] UK CAA CAP2272, October 2021

[3] https://www.mitre.org/sites/default/files/publications/pr-19-00667-9-urban-air-mobility-airspace-integration.pdf

How can we prevent organisational accidents?

Part 5

It’s my 62^nd birthday in a couple of days. I live on a residential road where there’s a large education college. Around here, it’s impossible, during term time, to go anywhere without being faced with gaggles of 18-year-olds. They are finding their way, on the first steps shape the world of the future.

Although there’s 44 years between us, I don’t feel that much different from the engineering apprentice that I was at Yeovil College[1] in 1978. It’s true that I know a lot more but the curiosity, fascination with how things work and sense of wonder that I had then remains.

In my career, I’ve been fortunate in having experiences in, and working with a wide range of organisations across the globe. Therefore, I’ll not be reticent in expressing a view on what works and what doesn’t.

Those 44 years have been a transformative time. It really has been a dramatic shift from a primary analogue to the predominantly digital. What engineering organisations do, and how they organise has changed far further than was predicted by pragmatic futurists in 1978.

I’m going to relate this to the story of the Boeing 737. It is the most populous civil aircraft in everyday use around the world. It has, if you aggregate all the hours of in-service flying experience, an excellent safety record. More pilots know how to fly it and more mechanics know how to fix it than any other civil aircraft type.

These facts make the MAX saga even more galling. How on earth did such an experienced engineering organisation like Boeing make such a fatal mess? The question has been asked by a lot of people in the past 5-years. There plenty of analysis, investigation, and speculation for the public to chew over. From highly technical reports to sensationalist documentaries.

Is there a phenomenon at the core of the succession of mistakes that were made? I think there is. It has to do with the reason why chains of events don’t break easily when there’s a high level of commitment to a course of action.

This occurs in aircraft accidents when a pilot knows that they should turn back but chooses not to do so, with fatal effects. It’s often called: Press-on-it is[2]. Organisations can have “goal fixation” as much as individuals can. That fixation can come about due to commercial pressure or pride or a naturally competitive spirit. A corporate urge to carry on regardless overtook Boeing, and the FAA and others.

From its inception to an aircraft that I might board tomorrow, the basic 737 is as ancient as I am. At its core it’s a 1960s aircraft that has undergone several big transformations. Bit like the dramatic shift from a primary analogue to the predominantly digital world.

Aircraft manufacturers, of all types are faced with this question. When is enough, enough? When do we stop modifying, upgrading, or converting a basic aircraft type?

I did design work for the BAe Advanced Turboprop (ATP)[3], The aircraft was a redesign of the Hawker Siddeley HS 748[4]. A long lived and successful aircraft type. Unfortunately, it was a redesign too far. Too many compromises, facing hot competition in the twin turboprop market. The ATP achieved limited sales and production was terminated. A decision was made to stop. I think that if BAe had started with a clean sheet of paper in the 1980s there’d still be a successful aircraft flying.

Back to the MAX saga. In my opinion it was a change too far. However, once committed to that change there was no turning back. Noone was able to decide to stop or rethink. A strong corporate urge to carry on regardless blinded people to the reality of the situation that was unfolding.

The MAX is a derivative of a derivative. The 737 went from “classic” to Next Generation to MAX over 4-decades. The story is not over but the last 5-years will never be forgotten by the aircraft industry.

[1] https://www.yeovil.ac.uk/

[2] https://skybrary.aero/articles/press-itis-oghfa-bn

[3] https://www.aerospace-technology.com/projects/bae_atp/

[4] https://www.baesystems.com/en/heritage/avro-748—avro-748mf

How can we prevent organisational accidents?

Part 4

What goes around comes around[1], so it is said. I think that idiom is often about bad things but can be about good things too. In other words, something done years ago can pop-up and have an impact on the here and now.

Some Microsoft PowerPoint presentations from the 1990s are difficult to read. One that I kept did convert into a readable format. The subject was Safety Management Systems (SMS). In the mid-90s, as a UK CAA Surveyor, I was presenting at a national workshop on design and production issues talking about the need for SMS. Describing what that term meant and how it should be used by approved organisations in the UK.

Airworthiness is about past, present and future. It’s about aircraft, procedures, and people. It’s about design, production, maintenance, repair, and overhaul. It’s a long-lived discipline that has developed over decades and delivered a remarkably good level of aviation safety performance.

What we were looking at 30 years ago was not only the experience of civil aviation but the results of investigation of tragic accidents in other industries. In 1986, the Space Shuttle Challenger was lost. 35 years ago, saw the Zeebrugge car ferry[2] disaster that killed 193 people. In 1988, explosions destroyed the Piper Alpha oil platform in the North Sea. Each accident pointed to the need for stronger safety management. Often the question was asked: how could such fundamental errors have been made? One response was: “Of all God’s creations, corporations seem to have the shortest memories of all”[3].

Lots of good people agreed that civil aviation needed to practice safety management but primarily on a voluntary basis. Not only that but there were numerous interpretations as to the meaning of SMS as applicable to the different disciplines in aviation. So, Air Traffic Services and Aircraft Operations went ahead with their own versions of SMS. Unfortunately, design and production organisations lagged. In the background, some specialists were attempting to distil a generic template for SMS.

It was the year 2005 that shook the tree. Measuring safety performance everyone had become accustomed a story of constantly improving global aviation safety. That year saw a series of major accidents which shook confidence and led to a High-level Safety Conference[4] at ICAO’s Headquarters in Montreal. This HLSC brought together Directors General of Civil Aviation and aviation organisations from most of ICAO’s Member States. Resulting from the HLSC was the Recommendation 2/5 and it was dramatic. It called for a new ICAO Annex on SMS. And so, ICAO Annex 19 was born.

It’s 2022. You might reasonably ask – why is it that we are only now implementing SMS for design and production organisations? Good question.

[1] The results of things that one has done will someday have an effect on the person who started the events.

[2] 6 March 1987, the roll-on, roll-off passenger, and freight ferry capsized 4 minutes after having left harbour.

[3] Safety Management, Strategy and Practice, Roger Pybus, Butterworth-Heinemann 1996.

[4] https://www.icao.int/Meetings/AMC/HLSC/HLSC%202010%20Report/HLSC.2010.DOC.9335.EN.pdf

How can we prevent organisational accidents?

Part 3

Make “challenging” better. Group think can be a source of innumerable problems. It doesn’t necessarily cause unethical organisational behaviours, but it sure does support them when they take hold. One method that can bust a cycle of self-deception is that of peer review. That is the sort of peer review where qualified participants can act independently, use their expertise and comment without prejudice.

I’m going to go back to the early 1990s. I have been fortunate to experience several different ways that aircraft certification and validation can be conducted. The method applied by the UK prior to the gradual harmonisation that took place to form the Joint Aviation Authorities (JAA) was unique.

A multidisciplinary team would visit an aircraft manufacture for a week or more. This was an intense activity of technical investigation. The output was an “orange book” and a series of findings that the aircraft manufacture must address before a national type certificate could be granted.

This process was hard work. It’s advantage was that a complete exploration of an aircraft type could be documented and that an applicant for a type certificate would be left in no doubt what needed to be done next. The first part of the activity was technical familiarisation. Each technical discipline would get a briefing on either the actual aircraft type or what was planned. This was done at the infancy of word processing. Believe it or not, I remember scissors and glue being used to cut and paste text to make-up the explanations and findings.

The purpose of these words is not to describe the use of airworthiness requirements (BCARs and the early JARs) but to describe what happened when the technical team returned home.

Having created an “orange book” with its key findings there was a need to inform colleagues of the who, what, where when and why. The authority’s senior management had to buy-in to the work of the technical team.

There were often a series of genetic findings that would deal with typical additional UK requirements. However, often more contentious was the technical findings that addressed flaws in compliance or design or unique technical features or controversial issues.

Having returned to the office members of the technical team had to justify their findings to their peers. This was done in a formal manner. It could be a daunting process. No stone was left unturned in questioning the investigation that had been done on-site at the aircraft manufacture. It was initiating to do this for the first time. Particularly when standing in front of the grandees who had been doing such work for decades. Some who had written the rules in the first place.

Although this was a tough process, it’s one that benefits a mature organisation a lot. It shakes complacency out of the system. It’s truly to be challenged.

How can we prevent organisational accidents?

Part 2

Make “challenging” better. It’s generally better to have more than one set of eyes on an issue.

The classical challenge is to perform an audit. To take a sample of the work being performed and check that its everything that it’s said to be. This can be done at any stage: design, development, test, production, and in-service. Unfortunately, audits can get bogged down in process, procedures, customs, and practice that get so heavy as to distract from the essences of the task.

There’s a focus on the tangible aspects of work too. How many reports? How many corrective actions? Show me the measurements. Nevertheless, well focused auditing is a powerful tool.

It would be wise not to discount the intangible benefits of an audit. Such activities provide a chance to view the more intangible aspects of work. Here’s a few anecdotes.

Often when being taken for an official guided tour around a design or production facility there time to look beyond what the hosts want you to see. I often found a moment to look at notice boards around a factory, or office and they gave a hint as to the culture in that organisation. Cartoons and jokes of good humour led me to put a “normal” tick in the box. But if they strayed into harsh lampooning of the management or the way of working then there was something to note.

Siting in a manager’s office being briefed as to the timetable for an audit it’s as well to take in the whole scene. All those certificates displayed on the wall. Were they pertinent? Were they there to show off? Or were they showing genuine pride in the achievements of the organisation?

Timetables for an audit are necessary but can be a menace if every second is filled. But an auditor should never be intimidated by a timetable. On occasion, I’ve walked past a pile of records only to turn back and say – and what about this one? Then being told we must hurry on. To which my reaction was to dig in and follow the trail.

It’s true that the environment has changed. Digitisation has made the random selection of a sample more difficult. Digital records lend themselves to more pre-prepared situations.

Mealtimes can be a revelation on organisational culture too. This doesn’t happen anymore, I’m sure. The factory canteen that serves alcohol is truly a thing of the past. However, an auditor being taken out for lunch is still commonplace. It’s possible to get moralistic about such invitations only to miss out on getting a sense of those intangibles that might help understanding.

Additionally, I will warn that there’s the small danger of vexatious challenge. It’s a rarity but obsessions can follow even the most capable of people around. There’s a risk too that focusing on one pet subject can mean gapping great holes are missed. Each subject needs to be taken proportional to its potential impact.

How can we prevent organisational accidents?

Reading the commentary, deep and wide, that has flowed from the saga of the certification and introduction to service of the Boeing 737 MAX there’s palpable frustration. A large volume of analysis and evidence is now in the public domain. It has taken a long time and the persistence of many good people to bring out the results of investigation to the fore. Frustration stems from knowing that the factors involved in the MAX saga are not new or unique. They have been seen far too often in fatal accidents and serious incidents right across the globe.

One common reaction is to place all the blame on the corrupting effect of large amounts of money. The line “follow the money” became common usage as a result of the 1976 movie “All The President’s Men[1]” despite the theory that it came from elsewhere.

“Follow the money” is good advice for investigators whether they be journalists, air accident investigators or police detectives. It’s certainly one of the known motivators for people to circumvent or disregard rules and regulations.

I could go on to talk about corporate liability[2]. There’s often a distinct lack of capability or inclination to hold large corporations, and the individuals running them liable for gross negligence and unethical behaviours. Another problem with this is that this is the button to press after the event. Yes, strong corporate liability laws rigorously applied can have a deterrent effect. However, the calculation made by those people at the source of the problem is often that of slim likelihood of failure or getting caught or, as with banks during the financial crisis, being too big to fail.

Although all the lessons learned from the analysis of organisational accidents is a good route to prevention of future accidents, that just one part of the puzzle.

Another common reaction is to reach for the human factors’ textbooks. There’s absolutely no doubt that human action is at the root of the events discussed. It takes people, and groups of people to choose to do the wrong thing knowing of the risks they take. Indefensible actions done with the awareness of an organisation are more than just process or procedural failure.

I started writing with the assumption that organisational accidents are preventable and must be prevented. This is to say that zero accidents are achievable. Yet, organisational accidents keep happening and prevention keeps failing. All be it, relative to the volume of global activity, a rare occurrence in civil aviation.

Maybe it’s better to accept that the motivations of a minority of people are to act unethically for personal gain and to take unacceptable risks. The larger problem is the failure of a greater number of people to act when they become aware of that behaviour.

In the cockpit pilots are taught to challenge bad decisions. Maybe we need to teach people how to challenge effectively.

[1] The movie takes protagonists Bob Woodward and Carl Bernstein through their quest to figure out the suspicious acts around US President Richrd Nixon.

[2] https://www.cps.gov.uk/legal-guidance/corporate-prosecutions

Aircraft Level View

The latest innovations in aircraft design are, without question, highly integrated systems. We have departed from the days when every aircraft system was a box. An autopilot, a display computer, a power controller may all sit in one cabinet of equipment. Each one interdependent upon the other.

The other day, I saw advertised as an antique a British P8 aircraft compass. Maybe, 80 years old, it was claimed to be still working. This bit of kit was fitted to the Spitfire, Hawker Hurricane and Mosquito. Truly, a discreet equipment. One basic function and independent of all other aircraft systems except cockpit lighting. Afterall, a compass isn’t much use if you cant see it.

One reflection of mine from times past is the real difficulty of getting people to take an aircraft level view. Some might say this is aerospace design history. It certainly was a major struggle in the mid-1990s. It was a message that was not always well received.

Without mentioning any names, I’d roll up at an aircraft manufacture and be confronted with a hanger sized office divided up into cubicles. Sound absorbing partition walls of shoulder hight stretching far into the distance. This is where the Scott Adams[1] got the idea for the Dilbert cartoons.

In one corner of the engineering building would be a venerable grey-haired gentleman who had spent his entire life working on toilet flush motors. At another corner would be a gaggle of whizz kids developing software specifications for the latest computing hardware.

Everything was the same placid light green with only a few signs to give identity to groups of people working together. Segregation and segmentation were a part of the process. Each functional group developed their skills to the highest degree in their chosen specialisation.

My role in all this was to sit in a rectangular meeting room receiving briefings from each technical team. The certification task had been divided up and everyone was doing their part. Certification plans for an autopilot, a display computer or a power controller were all competently presented. Preliminary safety assessments were dutifully described.

After a while it became all to clear to me that everyone was dedicated to their assignment but that communication between different teams was sketchy to say the least. So, questions like, where did you get that number from, when talking about a failure probability number taken from someone else’s analysis wasn’t always convincingly answered. As a result, I got to hammer on about the need to take an aircraft level view to the point of great irritation. It’s not that people didn’t want to hear the message. It was more that the means to look at interdependencies between aircraft systems was fragile and underdeveloped. We changed and progressively the challenge of integration was met.

Today, I sit and wonder if the new entrants in the aerospace world, rapidly putting together advanced new forms of air mobility, have taken on-board the lessons we learned in the 1990s. It’s not as easy to learn the above lessons unless the reason why is abundantly clear.

[1] https://www.scottadamssays.com/

Certification

In the wake of the Boeing 737 MAX troubles the purpose of aircraft certification has come under fire. It was intense fire too, as the subject was taken into the political arena. Both informed, and not so informed public accusations had to be addressed in a comprehensive and systematic manner. The outcome is real change impacting the way organisations and administrations work.

A basic framework is set by international agreement. The standards and recommended practices of ICAO Annex 8 sets a framework within which aircraft certification work is undertaken. Across the globe Administrations/ Agencies/Authorities cooperate to set common minimum standards.

We can talk about process, procedures and standards until the cows come home. These are ever evolving to cope with technical challenges and the experience of operation. What’s more fundamental, and almost never mentioned is what practitioners do day-to-day. Ultimately, despite the subject being highly technical it is people that are at the core of the activity.

Practical necessity mean that an aircraft project has an ambition and a time scale. Although projects are often known to overrun there’s no infinite pot of resources to carry on regardless. Good project management can be the make or break in realising an ambition.

What that means is that there is a constraint on aircraft certification. There is a window of opportunity to undertake the work in a comprehensive and systematic manner.

The true art becomes asking the right question at the right time. Yes, there is an intricate structure within which questions are asked but it is the nature of those questions that makes the diffidence. Ask a bland and easily answered question and the value added is negligible. Ask a probing and pertinent question and it can lead to a better and safer product.

The importance of the act of asking questions is underestimated. It’s not well taught. For the most part technical experts learn to do this on the job. From one project to the next they develop a set of approaches based on experience. Members of Administrations/ Agencies/Authorities have a great privilege in that they can expect their questions to be answered in full.

There’s a peer-to-peer relationship. To ask an effective question, technical experts on either side of the table don’t have to know everything the other knows. What is needed is a mutual respect and a sufficiency of command of a subject. Being able to pinpoint a gap or omission or inadequate coverage of a subject, or even waffle and evasion requires an intelligent and determined person.

Tea or Coffee

I’ll grab a newspaper and flick through the pages. I can almost guarantee in all the thousands of words use to describe the events of the week nowhere will you see the word “determinism”. Now, that shouldn’t surprise anyone. Or at least anyone who doesn’t spend their days in the systems engineering world. Yet, the basic idea of determinism is ingrained in everyday thinking.

Yesterday, I bought a new kettle. It works well. I can take cold fresh water from my kitchen tap, fill it to the two-cup line and press the button with confidence that within a couple of minutes I’ll have boiling water. Cause-and-effect are truly well connected. I pay my electricity bill and expect current to flow when the switch is thrown. I’d be really annoyed if my new kettle didn’t do what it said it would do on the box it was packaged in. My cup of tea is assured.

Now, let’s step into an imaginary future. Well, a future that not as imaginary as might first be thought. I’ll set aside my morning tea drinking habit and brew a coffee instead. I haven’t got one, but they are certainly being advertised. That’s a coffee machine that’s connected to the INTERNET[1]. It can be given voice commands to brew my favourite brew. It has an app where I can set-up my preferences. It’s a whizzy way to get an espresso.

I don’t say this function exists, only that as soon as the connection is made to an external service what happens next becomes just a little less predictable. A coffee machine with an integrated voice activation system will do as it’s told. At least we assume it will do as it’s told. Thus, cause-and-effect remain connected. Stand back. The door has now been opened. Let’s say, after I acquired the coffee maker the anxious manufacture changes the algorithm that runs the machine. They want me to drink the maximum number of their wonderful coffees but without going to the dark side.

Next time, I go for a smart espresso the machine talks back: “Are you sure? You’ve had 5 coffees already this afternoon.” I have no knowledge of, or control over the algorithm that’s coming up with this talk back. The question might be fair, sensible, and looking after my health but, in that moment, I have no ability to predict what the machine will do next. Will it let me carry on regardless? Or will it say: “No, you’ve had enough. Come back and talk to me in an hour.” The simple cause-and-effect relationship I have with my new kettle is no more. Without being warned, I’ve strayed into the world of non-determinism.

I think you can now appreciate the purpose of this short article. It’s to point out that our quaint classical deterministic world is going to go through a shakeup. Think of the scenario above for a car or an aeroplane. It’s not inevitably bad. In fact, non-deterministic systems offer huge potential benefits. My message is that we’d better be ready for all aspects of this transition.

I’ve made the contrast between either one or the other. In realty, there will be a fuzzy zone between what’s deterministic and what’s non-deterministic. The tea or coffee drinker may have a choice in different places at different times for different reasons.

[1] https://www.lavazza.co.uk/en/landing/voicy.html