Thursday, September 15, 2022

near-catastrophic incidents

 Robert Trivers, The folly of fools, 2011

p.194 
(If accidents were not isolated incidents, we would not get on airplanes.) 

   (Trivers, Robert., The folly of fools : the logic of deceit and self-deception in human life / Robert Trivers., 1. self-deception., 2. deception--psychological aspects., 3. deception--social aspects., 2011, 153.4, )
  <------------------------------------------------------------------------>   
https://en.wikipedia.org/wiki/List_of_accidents_and_incidents_involving_commercial_aircraft#2022

https://aviation-safety.net/database/record.php?id=19760509-0

   ____________________________________
Peter Robinson, flying blind : the 737 max tragedy and the fall of boeing, 2021

p.18
Then, in 1954, two Comets went down at sea within 3 months of each other, causing 56 deaths.

pp.18-19
The designers hadn't accounted for the way metal expands and contracts with extreme temperature changes.  Over repeated flights the skin had weakened, especially around the Comet's square windows and the result was an explosive decompression.

p.19
  With years of B-47 flight behind them, its engineers had already chosen round windows and a thicker skin for its first jet-powered commercial aircraft.  They welded pieces of titanium known as “tear stoppers” into the fuselage to prevent any tiny cracks from spreading. 

p.20
Elaborate tests put the fuselage through thousands of depressurization cycles before it ever flew.

p.20
The film showed giant steel blades penetrating the cabin of a pressurized test fuselage filled with seats, dummy passengers, and overhead bins.  In the first test, of a fuselage similar to the infamous Comet's, the skin bursts and everything inside is blown out ── even the floor.  In the second, of the Boeing model equipped with tear stoppers [welded pieces of titanium known as “tear stoppers” into the fuselage to prevent any tiny cracks from spreading], small puffs of air escape as the blade rips the skin, but nothing inside moves.  A narrator explains that the occupants would be able to don oxygen masks while the captain safely lands the plane. 

   (Flying blind : the 737 max tragedy and the fall of boeing / peter robinson.
new york : doubleday, 2021, bibliographical references and index., (ebook), (hardcover), (trade paperback), (ebook), boeing company──management.|boeing 737 (jet transport)──accidents.|aircraft industry──united states──management.|aircraft industry──united states──employees.|corporate culture., HD9711.U63 (ebook), 338.7/6291300973──dc23, 2021, )
   ____________________________________
https://en.wikipedia.org/wiki/List_of_accidents_and_incidents_involving_commercial_aircraft#1954

https://en.wikipedia.org/wiki/BOAC_Flight_781


Date:     10 January 1954
Summary:  In-flight metal fatigue failure leading to explosive decompression and mid-air break-up
Site:     Mediterranean Sea off Elba
Aircraft type:   de Havilland DH-106 Comet 1

([ at the beginning, they did not know what had happened to de Havilland DH-106 Comet 1, like the causal reason for the loss of communication ])

Upon examination of the aircraft wreckage by the RAE, it became evident that the aircraft had broken up in mid-air, and there was initially some speculation that the aircraft might have been brought down by a bomb. Suspicion then shifted to the possibility of an engine turbine explosion, and modifications were instigated in other Comets, where the turbine ring was encased with armour plate to contain a possible disintegration of the turbine disk. The possibility of failure of the pressure cabin was also considered, but this theory was discounted because the Comet's cabin had been designed to a considerably higher strength than was considered necessary at the time.

After the equivalent of 3,000 flights simulated with G-ALYU, investigators at the RAE were able to conclude that the crash of G-ALYP had been due to failure of the pressure cabin at the forward ADF window in the roof. This window was one of two apertures for the aerials of an electronic navigation system in which opaque fibreglass panels took the place of the window glass. The failure was a result of metal fatigue caused by the repeated pressurisation and de-pressurisation of the aircraft cabin. Another fact was that the supports around the windows were riveted, not glued, as the original specifications for the aircraft had called for. The problem was exacerbated by the punch rivet construction technique employed. Unlike drill riveting, the imperfect nature of the hole created by punch riveting caused manufacturing defect cracks, which may have caused fatigue cracks to start around the rivet. The investigators examined the final piece of wreckage with a microscope.[8]

In addition, it was discovered that the stresses around pressure cabin apertures were considerably higher than had been anticipated, particularly around sharp-cornered cut-outs, such as square windows. As a result, future jet airliners would feature windows with rounded corners, the purpose of the curve being to eliminate a stress concentration. This was a noticeable distinguishing feature of all later models of the Comet.[13]


https://en.wikipedia.org/wiki/South_African_Airways_Flight_201

Date:    8 April 1954
Summary: In-flight metal fatigue failure leading to explosive decompression & break-up
Site:    Mediterranean Sea between Naples and Stromboli
Aircraft type:   de Havilland DH 106 Comet 1

([ four months later, they still did not know what had happened to de Havilland DH-106 Comet 1; obviously they had an idea, and they knew something was wrong to have lost two aircraft in such a close time span; ...])

Bull said he found it difficult to accept the fact that the circumstances surrounding the crash of BOAC flight 781 three months earlier had occurred again with the South African Airways flight.[2] 

At the time of the accident, the investigation into the crash of BOAC Flight 781 was still in progress, but suspicion of the cause of the crash had fallen on the possibility of an engine turbine failure. 

The joint investigation of this accident, and of BOAC 781, revealed manufacturer design defects (square windows) and metal fatigue that resulted ultimately in the explosive decompression that caused both accidents.

([ eventually, they were able to figure out that the de Havilland DH 106 Comet 1 explosively decompressed and broke up in flight from metal fatigue failure, metal fatigue caused by the repeated pressurisation and de-pressurisation cycle of the aircraft cabin, specifically fatigue cracks around sharp-cornered cut-outs of the square windows (a stress concentration at the corners); windows were punch riveted, which would naturally create microscopic cracks in the skin during the rivet punching process, not glued or drill riveted. ])
   ____________________________________
Nathan Rosenberg, Inside the black box: technology and economics, 1982
p.110
commercial jet aeroplanes. 
Britain introduced the Comet I two years before the Americans began the development of a jet airliner.  Yet the Americans eventually won out.  In retrospect, it is apparent that the American delay was salutary rather than costly to them, and that Boeing and Douglas chose the moment to proceed better than did de Havilland. 
“Their delay allowed them to offer airplanes that could carry up to 180 passengers when the Comet IV carries up to 100, and a cruising speed of 550 mph instead of 480 mph ─ hard commercial advantages that they could offer because they were designing for later and more powerful engines.  But they were also aided by the delay of four years in making the Comet safe after its accidents from metal fatigue.”14  More generally, information concerning the useful life of metal components could only be derived from prolonged periods of use and experience. 

  (Inside the black box./ Nathan Rosenberg, 1. technological innovations., 2. technology─social aspects., HC79.T4R673   1982, 338'.06, first published 1982, )
   ____________________________________

Peter Robinson, flying blind : the 737 max tragedy and the fall of boeing, 2021

pp.20-21
But one evening in October 1959, Johnston was silently chewing his roast at home when his wife, DeLores, asked what was wrong.  “Discussion time”, he pronounced.  Days earlier a 707 piloted by a Boeing instructor had plowed into a river bank on a demonstration flight with a Braniff crew, killing four people.  The crew had been practicing techniques to compensate for Dutch roll, an instability shared by all swept-wing jets that manifests as a kind of simultaneous bobbing and fishtailing.  Survivors told Johnston it had been the instructor's mistake ── he'd exceeded the maximum bank angle recommended in Boeing's manual.  A copilot saw what was happening and strapped himself into a rear seat.  But there had been earlier near-catastrophic incidents during training.  Johnston believed the 707's design could still be improved. 
   He called for a meeting with the plane's lead engineers, among them Ed Wells (who also helped to design the B-52 bomber).  “It is obvious that training and establishing limits are not solving our problem”, Johnston told them.  He recommended a redesign of the tail and rudder.  The tone in the room was unenthusiastic, even icy.  What Johnston was proposing was no small fix; it would amount to a costly overhaul.
p.21
   But Wells, as Johnston later described the scene, simply said, “We will fix it.”

p.21
“It's easy for the bean counters to call out the lawyers ── and the lawyers will say, ‘There was nothing wrong with our airplane ── it was pilot error.’ A manufacturer can go on for years this way.  Wells wouldn't put up with that.”
p.21
   The test pilot went to London to brief BOAC, which had been spooked by news of the crash, and told airline officials the changes would eliminate the possibility of any more accidents of that type. 
   “Who pays?” the pilot was asked.  Boeing, he answered.
p.21
   Johnston, relieved to put the perilous issue behind him, summed up the decision in this way: “The one built-in marginal characteristic of the 707 would be corrected; the future of the airplane was assured.”

   (Flying blind : the 737 max tragedy and the fall of boeing / peter robinson.
new york : doubleday, 2021, bibliographical references and index., (ebook), (hardcover), (trade paperback), (ebook), boeing company──management.|boeing 737 (jet transport)──accidents.|aircraft industry──united states──management.|aircraft industry──united states──employees.|corporate culture., HD9711.U63 (ebook), 338.7/6291300973──dc23, 2021, )
   ____________________________________
https://en.wikipedia.org/wiki/List_of_accidents_and_incidents_involving_commercial_aircraft#1959

https://en.wikipedia.org/wiki/List_of_accidents_and_incidents_involving_commercial_aircraft#1974
   ____________________________________

Peter Robinson, flying blind : the 737 max tragedy and the fall of boeing, 2021

pp.30-31
p.30
The first crash of one of the new fully loaded wide-body planes was an international scandal, provoking newspaper coverage of shocking design lapses, televised congressional hearings, and even a full-length book exposé.  Soon after the plane's takeoff from Paris Orly airport in March 1974, an explosion blew out the cargo door, buckling the floor and severing hydraulic lines.  All 346 people aboard died when the plane plunged into Ermenonville forest outside Paris, the worst airliner crash in history at the time.  Debris was scattered for half a mile through wooded trails popular with Sunday hikers. 
   The plane was a DC-10, a slightly smaller wide-body McDonnell Douglas had developed to keep up with Boeing's 747. 

https://en.wikipedia.org/wiki/Turkish_Airlines_Flight_981

March 3 – Turkish Airlines Flight 981, a McDonnell Douglas DC-10, crashes in the Ermenonville forest near Senlis, France, after the rear underfloor cargo door opens in mid-flight; all 346 on board die.

p.30
To save valuable interior cargo space, they broke with industry convention by designing a door that opened outward.  

pp.30-31
   It emerged that Douglas engineers had known the design was vulnerable to catastrophic failure, and indeed, two years earlier, a near disaster had ensued on a flight over Windsor, Ontario, which also lost a cargo door.  The pilot had been able to land the plane in that case.
p.30
..., Mr. Mac holding the purse strings as tightly as ever.  
p.31
Instead of fixing the issue immediately, McDonnell Douglas had convinced the FAA to let it add a support plate over time to the doors ── a “gentlemen's agreement” revealed in the congressional hearings.  Records at Douglas showed that the support plate had been added to the Turkish Airlines plane, when it had not.  Three company inspectors had signed off on the nonexistent fix.  

   (Flying blind : the 737 max tragedy and the fall of boeing / peter robinson.
new york : doubleday, 2021, bibliographical references and index., (ebook), (hardcover), (trade paperback), (ebook), boeing company──management.|boeing 737 (jet transport)──accidents.|aircraft industry──united states──management.|aircraft industry──united states──employees.|corporate culture., HD9711.U63 (ebook), 338.7/6291300973──dc23, 2021, )
   ____________________________________

McDonnell Douglas DC-10 flight over Windsor, Ontario
<< look up this near disaster flight >>
https://en.wikipedia.org/wiki/American_Airlines_Flight_96

Date:     June 12, 1972
Summary:  Cargo door failure due to design flaw leading to rapid decompression
Site:     Airspace above Windsor, Ontario
Aircraft type:   McDonnell Douglas DC-10-10

The rapid decompression in the cargo hold caused a partial collapse of the passenger compartment floor, which in turn jammed or restricted some of the control cables which were connected to various flight control hydraulic actuators. The jamming of the rudder control cable caused the rudder to deflect to its maximum right position. The control cables to the number two engine in the tail were severed, causing that engine to shut down.[1] There was no rupture of any hydraulic system, so the pilots still had control of the ailerons, the right elevator, and the horizontal stabilizer. 

The cause was traced to the cargo door latching system, which had failed to close and latch the door completely without any indication to the crew that it was not safely closed. A separate locking system was supposed to ensure this could not happen but proved to be inadequate. McDonnell Douglas instituted a number of minor changes to the system in an attempt to avoid a repeat. These were unsuccessful, however; on March 3, 1974, the rear cargo door of Turkish Airlines Flight 981 experienced the same failure and blew open, causing the aircraft to lose all control and crash in a forest near Paris, France. This crash killed all 346 people on board, making it the deadliest in aviation history until the 1977 Tenerife airport disaster and the deadliest single-aircraft crash until the 1985 crash of Japan Airlines Flight 123.[3]

In the cabin, the flight attendants saw a "fog" form within the cabin and immediately recognized it as a depressurization. 

 It happened that while training to convert his expertise to flying the DC-10, McCormick had practiced, in a simulator, controlling the plane with the throttles in this fashion, in the worst-case scenario of a hydraulic failure.[2] A similar technique was used on another DC-10 in 1989 following a complete loss of hydraulic pressure on United Airlines Flight 232.[6]

The cabin floor failure was also a matter of poor design. All of the other portions of the cargo holds had holes cut into the cabin floor above the cargo areas. In the case of a pressure loss on either side of the floor, the air would flow through the vents and equalize the pressure, thereby eliminating any force on the floor. Only the rearmost portion of the cabin lacked these holes, and it was that portion that failed. Because the control cables were running through the floor for the entire length of the aircraft, however, a failure at any point on the floor would cut controls to the tail section.
   ____________________________________

Douglas engineers had known the design was vulnerable to catastrophic failure, and indeed, two years earlier, a near disaster had ensued on a flight over Windsor, Ontario, which also lost a cargo door.  The pilot had been able to land the plane in that case.

https://en.wikipedia.org/wiki/List_of_accidents_and_incidents_involving_commercial_aircraft#1974

https://en.wikipedia.org/wiki/Turkish_Airlines_Flight_981
Date:     3 March 1974
Summary:  Cargo door failure due to aircraft design flaw leading to explosive decompression, destruction of control systems, and loss of control
Site:     Ermenonville Forest, Fontaine-Chaalis, Oise, France
Aircraft type:   McDonnell Douglas DC-10-10

March 3 – Turkish Airlines Flight 981, a McDonnell Douglas DC-10, crashes in the Ermenonville forest near Senlis, France, after the rear underfloor cargo door opens in mid-flight; all 346 on board die.

Just after the aircraft passed over the town of Meaux, the rear left cargo door blew off and the sudden difference in air pressure between the cargo area and the pressurized passenger cabin above it, which amounted to 36 kPa (5.2 psi),[9]: 44  caused a section of the cabin floor above the open hatch to separate and be forcibly ejected through the open hatch, 

When the door blew off, the primary as well as both sets of backup control cables that ran beneath the section of floor that blew out were completely severed, destroying the pilots' ability to control the plane's elevators, rudder, and number two engine. The flight data recorder showed that the throttle for engine two snapped shut when the door failed.[9]: 26  The loss of control of these key components resulted in the pilots losing control of the aircraft entirely.

The Lloyd's of London insurance syndicate that covered Douglas Aircraft retained Failure Analysis Associates (now Exponent, Inc.) to also investigate the accident. In the company's investigation, it was noted that during a stop in Turkey, ground crews had filed the cargo door's locking pins down to less than a quarter of an inch (6.4 millimetres), when they experienced difficulty closing the door. Subsequent investigative tests proved the door yielded to approximately 15 psi (100 kPa) of pressure, in contrast to the 300 psi (2,100 kPa) that it had been designed to withstand.[13]

The cargo door design flaws, and the consequences of a likely aircraft floor failure in the event of in-flight decompression on the DC-10, had been noted by Convair engineer Dan Applegate in a 1972 memo.[14] The memo was written after American Airlines Flight 96, being operated by another DC-10, experienced a rear cargo door failure similar to the one that occurred on Flight 981, also causing an explosive decompression. Fortunately, even though the pilots' ability to control Flight 96 was compromised by some severed underfloor cables in the damaged section of the plane, they were able to land in Detroit without further injuries – though Applegate warned that a more severe outcome was likely when (not if) a similar incident happened on another DC-10.

Although French media outlets called for Mahmoudi to be arrested, the crash investigators stated that it was unrealistic to expect an untrained, low-wage earning baggage handler, who could not read the warning notice, to be responsible for the safety of the aircraft.

This possibility of catastrophic failure as a result of this overall design was first discovered in 1969 and actually occurred in 1970 in a ground test, both of which McDonnell-Douglas knew about. This information, and the 1972 "Applegate Memo", came to light in the material supplied to the litigants after the 1974 crash.[16] McDonnell-Douglas had ignored these concerns, because rectification of what Douglas considered to be a small problem with a low probability of occurrence would have seriously disrupted the delivery schedule of the aircraft, likely causing Douglas to lose sales.

Additionally, the FAA ordered further changes to all aircraft with outward-opening doors, including the DC-10, Lockheed L-1011, and Boeing 747. These changes included requiring vents be cut into the cabin floor to allow pressures to equalize in the event of a blown-out door, thus preventing a catastrophic collapse of the aircraft's cabin floor and other structures that could damage the control cables for the engine, rudder, and elevators.

Aircraft other than DC-10s have also suffered catastrophic cargo hatch failures. The Boeing 747 has experienced several such incidents, the most noteworthy of which occurred on United Airlines Flight 811 in February 1989, when a cargo hatch failure caused a section of the fuselage to burst open, resulting in the deaths of nine passengers who were blown out of the aircraft.[21]

https://en.wikipedia.org/wiki/List_of_accidents_and_incidents_involving_commercial_aircraft#1979

May 25 – American Airlines Flight 191, a McDonnell Douglas DC-10, crashes upon takeoff from O'Hare International Airport after its left engine detaches from the wing, killing all 271 on board and two on the ground in the worst single-aircraft accident on U.S. soil.

https://en.wikipedia.org/wiki/American_Airlines_Flight_191

Date:     May 25, 1979
Summary:  Loss of control caused by engine detachment due to improper maintenance
Site:     Des Plaines, Illinois, U.S.
Total fatalities:   273
Aircraft type:   McDonnell Douglas DC-10-10

Regardless of how it happened, the resulting damage, although insufficient to cause an immediate failure, eventually developed into fatigue cracking, worsening with each takeoff and landing cycle during the 8 weeks that followed. When the attachment finally failed, the engine and its pylon broke away from the wing. The structure surrounding the forward pylon mount also failed from the resulting stresses.[1]: 12 

Inspection of the DC-10 fleets of the three airlines revealed that while United Airlines' hoist approach seemed to be harmless, several DC-10s at both American and Continental already had fatigue cracking and bending damage to their pylon mounts caused by similar maintenance procedures.[1]: 18 

The investigation also revealed other DC-10s with damage caused by the same faulty maintenance procedure. The faulty procedure was banned, and the aircraft type went on to have a long career as a passenger and cargo aircraft. 

Earl Russell Marshall, chief of the crew of American Airlines maintenance facility in Tulsa who supervised the last maintenance procedure on the aircraft,[20] subsequently committed suicide the night before he was to be deposed by McDonnell Douglas attorneys.[21][22]

The type certificate was amended, however, stating, "...removal of the engine and pylon as a unit will immediately render the aircraft unairworthy."[citation needed]

In the wake of the grounding, the FAA convened a safety panel under the auspices of the National Academy of Sciences to evaluate the design of the DC-10 and the U.S. regulatory system in general. The panel's report, published in June 1980, found "critical deficiencies in the way the government certifies the safety of American-built airliners", focusing on a shortage of FAA expertise during the certification process and a corresponding over reliance on McDonnell Douglas to ensure that the design was safe. 
   ____________________________________

Peter Robinson, flying blind : the 737 max tragedy and the fall of boeing, 2021

p.31
   May 1979 brought another disaster.  A DC-10 operated by American Airlines crashed in Chicago, killing 273, when the left engine and pylon simply fell off the wing on takeoff.  A federal judge, acting in response to a consumer group's complaint that the FAA had taken “wholly inadequate” precautionary measures, ordered a grounding of the entire fleet ── the first for a U.S. airliner since 1946.  The FAA complied.

   (Flying blind : the 737 max tragedy and the fall of boeing / peter robinson.
new york : doubleday, 2021, bibliographical references and index., (ebook), (hardcover), (trade paperback), (ebook), boeing company──management.|boeing 737 (jet transport)──accidents.|aircraft industry──united states──management.|aircraft industry──united states──employees.|corporate culture., HD9711.U63 (ebook), 338.7/6291300973──dc23, 2021, )
   ____________________________________
Nathan Rosenberg, Inside the black box: technology and economics, 1982

p.132
  22  The disastrous DC-10 crash in Chicago in May 1979 raises some extremely troublesome questions about the effectiveness of the intertwining in the case of this particular aircraft.  If the crash was indeed caused by a faulty maintenance procedure ─ the failure to separate the pylon and the engine during removal and reinstallation ─ the aircraft designers hardly deserve complete exculpation.  At the very least, the design of the aircraft apparently made the maintenance procedure exacting and inherently dangerous.  Surely, a basic desideratum of good design is that aircraft components should be more “forgiving” to variations in handling procedures.  

  (Inside the black box./ Nathan Rosenberg, 1. technological innovations., 2. technology─social aspects., HC79.T4R673   1982, 338'.06, first published 1982, )
   ____________________________________

 ── metal fatigue
 ── inter-granular corrosion due to metal aging 
 ── unusual resonances that eventually weakened the engine mounts
 ── frequent failure under stress of the fan-jet turbine blades
 ── operating costs

Nathan Rosenberg, Inside the black box: technology and economics, 1982
pp.125-126

p.124
  Learning by using, in its purest form, is disembodied. As we will see, however, this process creates new information that eventually results in the physical modification of hardware.  In this sense, it constitutes a feedback loop into the design aspect of new product development.  Obviously, it is difficult to make a sharp distinction between the embodied and the disembodied consequences of learning by using because, in practice, the former blends into the latter. 
p.124
Extensive use of an aircraft may eventually lead to the discovery of faults in components or design, as in the discovery of metal fatigue that led to considerable loss of life in the Comet, or the unusual resonances that eventually weakened the engine mounts of the Electra and also led to fatal crashes, or the frequent failure under stress of the fan-jet turbine blades of the Boeing 747 in 1969-70.
 
p.126
In addition, the behavior of metals after prolonged use or with aging is still very difficult to analyze.  Metal fatigue remains a nemesis in the design and construction of aircraft.  Simulation methods for studying aging, methods that, for example, are supposed to accelerate the aging process of certain alloys, have not proven to be a reliable guide in the recent past.9 

p.126
9  “Steiner pointed out that ‘accelerated aging’ tests have not proved accurate in the past.  He cited the case of certain alloys that ‘aged in a most peculiar manner’ a few years ago.  In five to ten years, these alloys ─ utilized on the Boeing 707 and other transports ─ developed inter-granular corrosion, requiring expensive inspection procedures and replacement.”  “Greater Government R&D Urged to Spur Advances”, Aviation Week and Space Technology, 12 September 1977, p. 35.  Steiner was a Boeing vice-president in charge of production evaluation at the time. 

p.126
The performance of new engines remains notoriously uncertain in the development process; problems must be dealt with essentially by trial and error.  Thus, one must not exaggerate the extent to which, even today, the design of aircraft can draw upon precise scientific methodology.10  Much of the essential knowledge in the aircraft design and construction can still be derived only from in-flight learning.11 

p.126
11  It is still far from unusual for engineers in many industries to develop a successful solution to a problem for which there is no scientific explanation, and for the engineering solution to generate the subsequent scientific research that eventually provides the explanation.  For some interesting examples, see R. R. Whyte, ed. Engineering Process through Trouble (The Institution of Mechanical Engineers, London, 1975). 

pp.174-175
 7  The episodes of the supersonic transport (SST) and Concorde illustrate the usefulness of a diffuse, rather than sharply focused, role for government in affecting the demand for a new technology.  Both the SST and Concorde programs are examples of a misapplication of military procurement techniques to commercial aircraft development.  Although it is eminently sensible for the ultimate purchaser to specify in detail the operating and design characteristics of a given aircraft, the attempt to have designs for commercial application developed by an intermediary places great demands upon effective public-private sector communication and responsiveness.  Also, it is important for decision makers to appreciate the commercial limits of success to avoid the dangers of preoccupation with technical characteristics alone.  Both the SST and Concorde paid little heed to operating costs, which probably would not have occurred if private airlines had controlled the design and development processes. 

  (Inside the black box./ Nathan Rosenberg, 1. technological innovations., 2. technology─social aspects., HC79.T4R673   1982, 338'.06, first published 1982, )
   ____________________________________
August 12, 1985
https://en.wikipedia.org/wiki/List_of_accidents_and_incidents_involving_commercial_aircraft#1985

August 12 – Japan Airlines Flight 123, a Boeing 747 operating a domestic flight in Japan, crashes into Mount Takamagahara after suffering a rapid decompression that severs all hydraulic lines and renders the aircraft uncontrollable; with the loss of 520 of the 524 people on board, this is the deadliest single-aircraft disaster in history to date.

On August 12, 1985, Japan Airlines Flight 123 crashed when the rear pressure bulkhead of a 747SR flying from Tokyo to Osaka failed at cruising altitude, severing the aircraft's vertical stabilizer. The pilots kept it in the air for 32 minutes, but it eventually struck Mount Takamagahara and crashed. Of the 524 people on board, only four passengers survived, making it the deadliest-ever single-aircraft accident. The accident was caused by Boeing improperly repairing the tail strike suffered by the same aircraft seven years earlier.[19]

https://en.wikipedia.org/wiki/Japan_Air_Lines_Flight_123

Japan's Aircraft Accident Investigation Commission (AAIC) concluded,[1]: 129  agreeing with investigators from the U.S. National Transportation Safety Board,[2] that the rapid decompression was caused by a faulty repair by Boeing technicians after a tailstrike incident during a landing at Osaka Airport in 1978 as JAL Flight 115. The rear bulkhead of the plane had been repaired with an improperly installed doubler plate, compromising the plane's airworthiness. Cabin pressurization continued to expand and contract the improperly repaired bulkhead until the day of the accident, when the faulty repair failed, causing a rapid decompression that ripped off a large portion of the tail and caused the loss of hydraulic controls to the entire plane.


https://en.wikipedia.org/wiki/United_Airlines_Flight_232

Similar accidents
The odds against all three hydraulic systems failing simultaneously had previously been calculated as low as a billion to one.[53] Yet such calculations assume that multiple failures must have independent causes, an unrealistic assumption, and similar flight control failures have indeed occurred:

 • In 1971, a Boeing 747, operating as Pan Am 845, struck approach light structures for the reciprocal runway as it lifted off the runway at San Francisco Airport. Major damage to the belly and landing gear resulted, which caused the loss of hydraulic fluid from three of its four flight control systems. The fluid which remained in the fourth system gave the captain very limited control of some of the spoilers, ailerons, and one inboard elevator. That was sufficient to circle the plane while fuel was dumped and then to make a hard landing. There were no fatalities, but there were some injuries.[54]

 • In 1981, a Lockheed L-1011, operating as Eastern Airlines Flight 935, suffered a similar failure of its tail-mounted number two engine. The shrapnel from that engine inflicted damage on all four of its hydraulic systems, which were also close together in the tail structure. Fluid was lost in three of the four systems. The fourth hydraulic system was struck by shrapnel, but not punctured. The hydraulic pressure remaining in that fourth system enabled the captain to land the plane safely with some limited use of the outboard spoilers, the inboard ailerons, and the horizontal stabilizer, plus differential engine power of the remaining two engines. There were no injuries.[55]

 • On August 12, 1985, Japan Airlines Flight 123, a Boeing 747-146SR, suffered a rupture of the pressure bulkhead in its tail section, caused by undetected damage during a faulty repair to the rear bulkhead after a tailstrike seven years earlier. Pressurized air subsequently rushed out of the bulkhead and blew off the plane's vertical stabilizer, also severing all four of its hydraulic control systems. The pilots were able to keep the plane airborne for 32 minutes using differential engine power, but without any hydraulics or the stabilizing force of the vertical stabilizer, the plane eventually crashed in mountainous terrain. There were only 4 survivors among the 524 on board. This accident is the deadliest single-aircraft accident in history.[56]

Japan Air Lines Flight 123 (also known as JAL123) was a scheduled domestic Japan Air Lines passenger flight from Tokyo's Haneda Airport to Osaka's Itami International Airport, Japan. 

On August 12, 1985, a Boeing 747SR operating this route suffered a sudden decompression 12 minutes into the flight, and crashed in the area of Mount Takamagahara, Ueno, Gunma Prefecture, 100 km (62 mi; 54 nmi) from Tokyo 32 minutes later. The crash site was on Osutaka Ridge, near Mount Osutaka.

Tailstrike incident

On June 2, 1978, Japan Air Lines Flight 115, a scheduled domestic passenger flight from Tokyo's Haneda Airport to Itami Airport, Osaka Prefecture, was carrying out an instrument landing system (ILS) approach to runway 32L at Itami Airport in Japan, but bounced heavily on landing. The pilot excessively flared the plane, causing a severe tailstrike. No fatalities occurred among the 394 people on board, but 25 people were injured, 23 minor and 2 serious. The tailstrike cracked open the aft pressure bulkhead. The damage was repaired by Boeing technicians, and the aircraft was returned to service.[4][1][5]


Correct (top) and incorrect splice plate installations:

 (1) The aircraft was involved in a tailstrike incident at Osaka International Airport seven years earlier as JAL Flight 115, which damaged the aircraft's aft pressure bulkhead.

 (2) The subsequent repair of the bulkhead did not conform to Boeing's approved repair methods. For reinforcing a damaged bulkhead, Boeing's repair procedure calls for one continuous splice plate with three rows of rivets.[21] The Boeing repair technicians, however, had used two splice plates parallel to the stress crack.[22][2] Cutting the plate in this manner negated the effectiveness of one of the rows of rivets, reducing the part's resistance to fatigue cracking to about 70% of that for a correct repair. The post-repair inspection by JAL did not discover the defect, as it was covered by overlapping plates.[1][2][23] During the investigation, the Accident Investigation Commission calculated that this incorrect installation would fail after about 10,000 pressurization cycles; the aircraft accomplished 12,318 successful flights from the time that the faulty repair was made to when the crash happened.[1]: 101–05 

 (3) Consequently, after repeated pressurization cycles during normal flight, the bulkhead gradually started to crack near one of the two rows of rivets holding it together. When it finally failed, the resulting rapid decompression ruptured the lines of all four hydraulic systems and ejected the vertical stabilizer. With many of the aircraft's flight controls disabled, the aircraft became uncontrollable.[1]: 128 

According to the Wikipedia entry, there were four survivors.

In the aftermath of the incident, Hiroo Tominaga, a JAL maintenance manager, died from suicide intended to atone for the incident,[25] as did Susumu Tajima, an engineer who had inspected and cleared the aircraft as flightworthy, due to difficulties at work.[26]
   ____________________________________
https://en.wikipedia.org/wiki/China_Airlines_Flight_611
 • On May 25, 2002, China Airlines Flight 611, a 747-200B en route to Hong Kong International Airport from Chiang Kai-shek International Airport, broke up in midair 20 minutes after take-off and crashed into the Taiwan Strait, killing all 225 occupants on board. Subsequent investigation determined the cause to be metal fatigue cracking due to an improperly performed repair after a tail strike.[40]
 ── metal fatigue cracking due to an improperly performed repair after a tail strike.

https://en.wikipedia.org/wiki/China_Airlines_Flight_611

Consequently, after repeated cycles of pressurization and depressurization during flight, cracks began to form around the exposed scratches. Finally, on 25 May 2002, coincidentally 22 years to the day after the faulty repair was made on the damaged tail, the hull broke open in midair. An explosive decompression occurred once the crack opened up, causing the separation of the aircraft's fuselage at section 46 (aft of the main wingbox).[29] The remainder of the aircraft forward of section 46 entered an abrupt descent, causing all four engines to separate from the wings near-simultaneously, as the engine fuse pins failed at about 29,000 feet (8,800 m). After this point, the wings and fuselage forward of the initial breakpoint remained connected until impact with the sea.

This was not the first time that a 747 had crashed because of a faulty repair following a tailstrike. On 12 August 1985, 17 years before Flight 611's crash and 5 years after the accident aircraft's repair, Japan Airlines Flight 123 from Tokyo to Osaka with 524 people onboard had crashed when the vertical stabilizer was torn off and the hydraulic systems severed by explosive decompression, leaving only four survivors. That crash had been attributed to a faulty repair to the rear pressure bulkhead, which had been damaged in 1978 in a tailstrike incident.[30] In both crashes, a doubler plate was not installed according to Boeing standards.

China Airlines disputed much of the report, stating that investigators did not find the pieces of the aircraft that would prove the contents of the investigation report.[31]
   ____________________________________

Peter Robinson, flying blind : the 737 max tragedy and the fall of boeing, 2021

pp.33-34
the crash of a 747 in Japan that killed 520 people and became the deadliest single-aircraft accident ever, surpassing the grim record set by the DC-10 a decade earlier.
A half hour into a short domestic flight, the plane's vertical fin had ruptured, and it plowed into a mountain ridge.
Speculation began swirling that the skins of the giant planes were vulnerable to fatigue, the dreaded issue that had ruined the reputation of the De Havilland's Comet 30 years earlier.

p.34
The Seattle plane maker surprised crash investigators when it issued a mea culpa just weeks after the crash.  A statement said one of its repair teams had incorrectly installed a splice plate on the jet's rear bulkhead after a hard landing that damaged the tail section years earlier.  Japanese officials, just settling for a long examination and tough negotiations, were stunned at the company's transparency. 

p.34
incorrectly installed a splice plate on the jet's rear bulkhead after a hard landing that damaged the tail section years earlier (1978).  ==>  the crash of a 747 (1985) [it took seven years for the rear bulkhead to fail]

   (Flying blind : the 737 max tragedy and the fall of boeing / peter robinson.
new york : doubleday, 2021, bibliographical references and index., (ebook), (hardcover), (trade paperback), (ebook), boeing company──management.|boeing 737 (jet transport)──accidents.|aircraft industry──united states──management.|aircraft industry──united states──employees.|corporate culture., HD9711.U63 (ebook), 338.7/6291300973──dc23, 2021, )
   ____________________________________
737-200 in Colorado Springs in 1991

https://en.wikipedia.org/wiki/List_of_accidents_and_incidents_involving_commercial_aircraft#1991

March 3, 1991
https://en.wikipedia.org/wiki/Boeing_737_rudder_issues


Testing revealed that under certain circumstances, the PCU's dual servo valve could jam and deflect the rudder in the opposite direction of the pilots' input.[3]: 81–85  Thermal shock testing revealed that the uncommanded rudder movement could be replicated by injecting a cold PCU with hot hydraulic fluid. Thermal shock resulted in the servo's secondary slide becoming jammed against the servo housing, and that when the secondary slide was jammed the primary slide could move to a position that resulted in rudder movement opposite of the pilot's commands.[2]: 79 [3]: 294  The NTSB concluded that all three rudder incidents (United Flight 585, USAir Flight 427, and Eastwind Flight 517) were most likely due to the PCU secondary slide jamming and excessive travel of the primary slide, resulting in the rudder reversal.[3]: 294 

As a result of the NTSB's findings, the Federal Aviation Administration ordered that the servo valves be replaced on all 737s by November 12, 2002.[8]

investigators considered the possibility of rudder hardover due to PCU servo malfunction.[14]

https://en.wikipedia.org/wiki/List_of_accidents_and_incidents_involving_commercial_aircraft#1994

https://en.wikipedia.org/wiki/Boeing_737_rudder_issues

On September 8, 1994, USAir Flight 427, a Boeing 737-300, crashed near Pittsburgh, Pennsylvania. While on approach to Pittsburgh International Airport, Flight 427 suddenly rolled to the left. Although the pilots were briefly able to roll right and level the plane, it rolled left a second time and the pilots were unable to recover.[3]: 4  The resulting crash killed all 132 people on board.[3]: 9  

https://en.wikipedia.org/wiki/USAir_Flight_427
Thursday, September 8, 1994, the Boeing 737 flying this route crashed in Hopewell Township, Pennsylvania 

After the longest investigation in the history of the National Transportation Safety Board (NTSB), it was determined that the probable cause was that the aircraft's rudder malfunctioned and went hard over in a direction opposite to that commanded by the pilots, causing the plane to enter an aerodynamic stall from which the pilots were unable to recover. All 132 people on board were killed, making the crash the deadliest air disaster in Pennsylvania's history.  

Several employees of the U.S. Department of Energy had tickets to take later flights, but used them to fly on Flight 427. 

 The NTSB remarked that no airline had ever trained a pilot to properly recover from the situation experienced by the Flight 427 pilots and that the pilots had just 10 seconds from the onset of the roll to troubleshoot before recovery of the aircraft was impossible.[11]: 153

Investigators later discovered that the recovered accident rudder power control unit was much more sensitive to bench tests than other new such units. The exact mechanism of the failure involved the servo valve, which remains dormant and cold for much of the flight at high altitude, seizing after being injected with hot hydraulic fluid that has been in continuous action throughout the plane. This specific condition occurred in fewer than 1% of the lab tests but explained the rudder malfunction that caused Flight 427 to crash. The jam left no trace of evidence after it occurred, and a Boeing engineer later found that a jam under this controlled condition could also lead to the slide moving in the opposite direction than that commanded. Boeing felt that the test results were unrealistic and inapplicable given the extremes under which the valve was tested.[13][11] 

The NTSB concluded that similar rudder problems had caused the previously mysterious March 3, 1991 crash of United Airlines Flight 585 and the June 9, 1996 incident involving Eastwind Airlines Flight 517, both Boeing 737s.[1]: 292–295  The final report also included detailed responses to Boeing's arguments about the causes of the three accidents.

However, the FAA changed its attitude after a special task force, the Engineering Test and Evaluation Board,[14] reported in July 2000 that it had detected 46 potential failures and jams in the 737 rudder system that could have catastrophic effects. In September 2000, the FAA announced that it wanted Boeing to redesign the rudder for all iterations of the 737, affecting more than 3,400 aircraft in the U.S. alone.[14]

Boeing agreed to redesign the rudder control system with a redundant backup and paid to retrofit the entire worldwide 737 fleet.[20] Following one of the NTSB's main recommendations, airlines were required to add four additional channels of information into flight data recorders in order to capture pilot rudder pedal commands, and the FAA set a deadline of August 2001 for airlines to comply.[21]
 ____________________________________

Peter Robinson, flying blind : the 737 max tragedy and the fall of boeing, 2021

p.39
two crashes
737-200 in Colorado Springs in 1991
737-300 near Pittsburgh in 1994
faulty rudder design
a single-paneled rudder
The crashes had been the result of a faulty rudder design.
[a single-paneled rudder design] lacked a device called a limiter, which made the plane more vulnerable to what's known as a hardover, an uncommanded deflection that appeared to happen only in extremely rare circumstances, such as when microscopic bits of grit got stuck in a valve. 

p.181
In the wrangling over the Boeing rudder design blamed for two crashes back in the 1990s, litigation had eventually turned up a memo titled “We have a problem”, in which engineers acknowledged ── even before a second crash ── that a rudder valve had the potential to jam.   Some pilots had seen the anguish it caused colleagues who were asked to explain themselves years later, and they became more careful about what they put in writing. 

   (Flying blind : the 737 max tragedy and the fall of boeing / peter robinson.
new york : doubleday, 2021, bibliographical references and index., (ebook), (hardcover), (trade paperback), (ebook), boeing company──management.|boeing 737 (jet transport)──accidents.|aircraft industry──united states──management.|aircraft industry──united states──employees.|corporate culture., HD9711.U63 (ebook), 338.7/6291300973──dc23, 2021, )
   ____________________________________
ignition source for the surge tank fire that destroyed a 747 near Madrid in 1976.[1]: 293–294

Imperial Iranian Air Force Flight ULF48, a 747 freighter, crashed near Madrid on May 9, 1976, due to the structural failure of its left wing in flight, killing the 17 people on board. The accident investigation determined that a lightning strike caused an explosion in a fuel tank in the wing, leading to flutter and the separation of the wing.[8][9] ([ in 1976, no technical fix to bleed off a lightning strike on a 747 aircraft? ])

https://en.wikipedia.org/wiki/Imperial_Iranian_Air_Force_Flight_ULF48

https://en.wikipedia.org/wiki/List_of_accidents_and_incidents_involving_commercial_aircraft#1976
the surge tank fire that destroyed a 747 near Madrid in 1976.
   ____________________________________

https://en.wikipedia.org/wiki/List_of_accidents_and_incidents_involving_commercial_aircraft#1996

https://en.wikipedia.org/wiki/TWA_Flight_800
July 17, 1996
In-flight breakup due to fuel tank explosion caused by short circuit

July 17 – TWA Flight 800, a Boeing 747, explodes in mid-air above the ocean off East Moriches, New York, killing all 230 people on board; 70% of passengers are sucked out during the explosion.

All 230 people on board died in the crash; it is the third-deadliest aviation accident in U.S. history. Accident investigators from the National Transportation Safety Board (NTSB) traveled to the scene, arriving the following morning[1]: 313  amid speculation that a terrorist attack was the cause of the crash.[2][3][4]

The four-year NTSB investigation concluded with the approval of the Aircraft Accident Report on August 23, 2000, ending the most extensive, complex and costly air disaster investigation in U.S. history at that time.[7][8] The report's conclusion was that the probable cause of the accident was explosion of flammable fuel vapors in the center fuel tank. Although it could not be determined with certainty, the likely ignition source was a short circuit.[1]: xvi  Problems with the aircraft's wiring were found, including evidence of arcing in the fuel quantity indication system (FQIS) wiring that enters the tank. The FQIS on Flight 800 is known to have been malfunctioning; the captain remarked on "crazy" readings from the system about 2 minutes and 30 seconds before the aircraft exploded. As a result of the investigation, new requirements were developed for aircraft to prevent future fuel tank explosions.[9]

During refueling of the aircraft, the volumetric shutoff (VSO) control was believed to have been triggered before the tanks were full. To continue the pressure fueling, a TWA mechanic overrode the automatic VSO by pulling the volumetric fuse and an overflow circuit breaker. Maintenance records indicate that the aircraft had numerous VSO-related maintenance writeups in the weeks before the accident.[1]: 31 

Examination of the cockpit voice recorder (CVR) and flight data recorder data showed a normal takeoff and climb,[15]: 4  with the aircraft in normal flight[45]: 2  before both abruptly stopped at 8:31:12 pm.[1]: 3  At 8:29:15 pm, Captain Kevorkian was heard to say, "Look at that crazy fuel flow indicator there on number four... see that?"[1]: 2  A loud noise recorded on the last few tenths of a second of the CVR was similar to the last noises recorded from other airplanes that had experienced in-flight breakups.[1]: 256  This, together with the distribution of wreckage and witness reports, all indicated a sudden catastrophic in-flight breakup of TWA 800.[1]: 256 

the lack of any other corroborating evidence associated with a high-energy explosion led the NTSB to conclude, "the in-flight breakup of TWA flight 800 was not initiated by a bomb or missile strike."[1]: 259 

the center wing fuel tank (CW fuel T).[48]: 29
 A major reason for the flammability of the fuel-air vapor in the CWT of the 747 was the large amount of heat generated and transferred to the CWT by air conditioning packs located directly below the tank;[1]: 298  with the CWT temperature raised to a sufficient level, a single ignition source could cause an explosion.[1]: 298 

previous fuel explosions in the CWTs of commercial airliners such as Avianca Flight 203 and Philippine Airlines Flight 143 confirmed that a CWT explosion could break apart the fuel tank and lead to the destruction of an airplane.[1]: 261 

the NTSB concluded that "the TWA flight 800 in-flight breakup was initiated by a fuel/air explosion in the CWT."[1]: 63 

fuel quantity indication system (FQIS)

 For the FQIS to have been Flight 800's ignition source, a transfer of higher-than-normal voltage to the FQIS would have needed to occur, as well as some mechanism whereby the excess energy was released by the FQIS wiring into the CWT. The NTSB concluded, "the ignition energy for the CWT explosion most likely entered the CWT through the FQIS wiring."[1]: 294 [52]
center wing fuel tank (CW fuel T)

Though the FQIS itself was designed to prevent danger by minimizing voltages and currents, the innermost tube of Flight 800's FQIS compensator showed damage similar to that of the compensator tube identified as the ignition source for the surge tank fire that destroyed a 747 near Madrid in 1976.[1]: 293–294  This was not considered proof of a source of ignition. Evidence of arcing was found in a wire bundle that included FQIS wiring connecting to the center wing tank.[1]: 288  Arcing signs were also seen on two wires sharing a cable raceway with FQIS wiring at station 955.[1]: 288 

NTSB and the FBI clashed (During the investigation)

In 2005, the NTSB and the FBI entered into a memorandum of understanding (MOU) that states that, "[i]n the immediate aftermath of a transportation accident, the NTSB is the presumptive lead investigative agency and will assume control of the accident scene." The FBI may still conduct a criminal investigation, but the NTSB investigation has priority. When investigative priority remains with the NTSB, the FBI must coordinate its investigative activities with the NTSB investigator-in-charge. This authority includes interviewing witnesses. The MOU states that: “[t]his procedure is intended…to ensure that neither NTSB nor FBI investigative activity unnecessarily complicates or compromises the other agency’s investigation.” The new statutory language and the MOU have improved coordination between the NTSB and FBI since the TWA flight 800 accident. As of 2005, NTSB and FBI personnel conduct joint exercises. Each agency can call upon the other's laboratories and other assets. The NTSB and the FBI have designated liaisons to ensure that information flows between agencies, and to coordinate on-scene operations.[67]

Destruction of wreckage

For almost 25 years, the wreckage of Flight 800 was kept by the NTSB and used as an accident-investigation teaching aid. By 2021, the methods taught using the wreckage were determined to no longer be relevant to modern accident investigation, which by then relied heavily on new technology, including three-dimensional laser-scanning techniques.[70] The NTSB did not wish to renew the lease on the hangar it was using to store the reassembled accident debris, and decided it should be disposed of. Accordingly, the NTSB decommissioned the wreckage in July 2021.[71] As the NTSB had agreements with the victims' families that the wreckage cannot be used in any kind of public memorial or be scuttled in the ocean, it plans to scan each piece of debris with a three-dimensional laser scanner, with the data being permanently archived, after which the wreckage will be destroyed and the metal recycled. Any parts of the plane that cannot be recycled will be disposed of in landfills.[72][73] Destruction of the wreckage was scheduled for completion before the end of 2021.[71]
   ____________________________________

Peter Robinson, flying blind : the 737 max tragedy and the fall of boeing, 2021

p.119, p.118
TWA flight 800 exploded and crashed into the Atlantic ocean off Long Island in July 1996
737
   After TWA flight 800 exploded and crashed into the Atlantic ocean off Long Island in July 1996, Collins participated in the NTSB-led investigation as it zeroed in on the possibility of a spark igniting vapors in the 747's center fuel tank.  The only wires entering the tank were extremely low voltage; they were supposed to be spark-proof.  Two years later, with Boeing still suggesting in court documents that a bomb or missile might have brought down the plane, Collins watched in a lab at the Everett plant as engineers snaked more than a hundred feet of wires like the 747's.  The room was like a bank vault, shielded from any outside electrical signals.  They turned out the lights and switched on a relay to simulate a tiny short-circuit in a chafed wire.  A spark jumped, the culprit in Flight 800's detonation exposed.  It led to mandates Collins helped write to inspect the wires, shield or separate them, and add sensors or surge protectors in thousands of commercial aircraft. 
inspect the wires, shield or separate them, add sensors or surge protectors

p.149
fuel-tank safety rules after the TWA flight 800 crash, an FAA manager told Boeing it didn't need to put a fast-acting circuit breaker on Max fuel pump wires carrying high voltage.  Inexplicably, the agency did require the safety feature on its European competitor, Airbus. 

   (Flying blind : the 737 max tragedy and the fall of boeing / peter robinson.
new york : doubleday, 2021, bibliographical references and index., (ebook), (hardcover), (trade paperback), (ebook), boeing company──management.|boeing 737 (jet transport)──accidents.|aircraft industry──united states──management.|aircraft industry──united states──employees.|corporate culture., HD9711.U63 (ebook), 338.7/6291300973──dc23, 2021, )
   ____________________________________

https://en.wikipedia.org/wiki/South_African_Airways_Flight_295
 • On November 28, 1987, South African Airways Flight 295, a 747-200BSCD "Combi" en route from Taipei to Johannesburg, crashed into the ocean off Mauritius after a fire broke out in the rear cargo hold, damaging vital control systems. All 159 people on board died.[21]

https://en.wikipedia.org/wiki/United_Airlines_Flight_811
 • On February 24, 1989, United Airlines Flight 811, a 747-100, suffered an explosive decompression in mid-flight, killing 9 of 355.

https://en.wikipedia.org/wiki/Air_India
Air India Flight 132
 • On May 7, 1990, Air India Flight 132 touched down at Delhi-Indira Gandhi International Airport after a flight from London-Heathrow. On application of reverse thrust, a failure of the number-one engine pylon-to-wing attachment caused this engine to tilt nose down. Hot exhaust gasses caused a fire on the left wing. The aircraft, VT-EBO, was damaged beyond repair.[24]
 ── failure of the number-one engine pylon-to-wing attachment

https://en.wikipedia.org/wiki/China_Airlines_Flight_358
 • On December 29, 1991, China Airlines Flight 358, a 747-200, crashed shortly after takeoff from Chiang Kai-shek International Airport in Taipei, Taiwan, killing all five crewmembers, when the number-three and number-four engines (the ones on the right wing) detached from the aircraft.[26]
 ── number-three and number-four engines (the ones on the right wing) detached from the aircraft. 

https://en.wikipedia.org/wiki/El_Al_Flight_1862
 • On October 4, 1992, El Al Flight 1862, a 747-200F, crashed shortly after takeoff from Amsterdam Schiphol Airport after the right-side engines both fell off, due to metal fatigue, and damaged the right wing, killing all three crew members and the single passenger on board, as well as 39 people on the ground.[27]   
 ── the right-side engines both fell off, due to metal fatigue

https://en.wikipedia.org/wiki/TWA_Flight_800
 • On July 17, 1996, TWA Flight 800, a 747-100 bound for Charles de Gaulle Airport in Paris, exploded during its climb from JFK in New York, killing all 230 people aboard. A spark from a wire in the center fuel tank is believed to have caused the explosion. Changes in fuel tank management were adopted after the crash.[32]
 ── spark from a wire in the center fuel tank

https://en.wikipedia.org/wiki/China_Airlines_Flight_611
 • On May 25, 2002, China Airlines Flight 611, a 747-200B en route to Hong Kong International Airport from Chiang Kai-shek International Airport, broke up in midair 20 minutes after take-off and crashed into the Taiwan Strait, killing all 225 occupants on board. Subsequent investigation determined the cause to be metal fatigue cracking due to an improperly performed repair after a tail strike.[40]
 ── metal fatigue cracking due to an improperly performed repair after a tail strike.

 Air India Flight 829
 • On September 4, 2009, Air India Flight 829, a 747-400, suffered an engine fire at Chhatrapati Shivaji Maharaj International Airport, Mumbai, shortly before take-off. None of the 213 passengers and 16 crew was injured or killed, but the aircraft was written off.[47]
 ── engine fire 

https://en.wikipedia.org/wiki/UPS_Airlines_Flight_6
 • On September 3, 2010, UPS Airlines Flight 6, a 747-400F, crashed near Dubai International Airport, killing two crew members. The crash was blamed on lithium-ion batteries in the cargo hold that caught fire.[48]
 ── lithium-ion batteries in the cargo hold that caught fire.

https://en.wikipedia.org/wiki/Asiana_Airlines_Flight_991
 • On July 28, 2011, Asiana Airlines Flight 991, a 747-400F, caught fire and crashed in the sea near Jeju island, killing both crew members.
 ── caught fire and crashed

source: 
wikipedia 
Boeing 747 hull losses
https://en.wikipedia.org/wiki/Boeing_747_hull_losses
    ____________________________________

https://en.wikipedia.org/wiki/List_of_accidents_and_incidents_involving_commercial_aircraft#1989

July 19 – United Airlines Flight 232, a McDonnell Douglas DC-10, suffers a complete hydraulic system failure over Iowa, United States, after the tail-mounted engine disintegrates. The crew maintains partial control of the aircraft using differential throttle, bringing it to a crash landing on the runway of the Sioux City, Iowa, airport. Of the 296 people on board, 112 die.

https://en.wikipedia.org/wiki/United_Airlines_Flight_232

At 15:16, while the plane was in a shallow right turn at its cruising altitude of 37,000 feet (11,000 m), the fan disk of its tail-mounted General Electric CF6-6 engine explosively disintegrated. The uncontained failure resulted in the engine's fan disk departing the aircraft, tearing out components including parts of the No. 2 hydraulic system and supply hoses in the process; these were later found near Alta, Iowa.[1]: 25, 75  Engine debris penetrated the aircraft's tail section in numerous places, including the horizontal stabilizer, severing the No. 1 and No. 3 hydraulic system lines where they passed through the horizontal stabilizer.[1]: 75 [8]

The rear engine's fan disk and blade assembly – about 8 ft (2.4 m) across – could not be located at the accident scene[1][page needed] despite an extensive search. The engine's manufacturer, General Electric, offered rewards of $50,000 for the disk and $1,000 for each fan blade.[22] Three months after the crash, a farmer discovered most of the fan disk, with several blades still attached, in her cornfield, thereby qualifying her for a reward, as a General Electric lawyer confirmed.[22] The rest of the fan disk and most of the additional blades were later found nearby.

The NTSB determined that the probable cause of this accident was the inadequate consideration given to human factors, and limitations in the inspection and quality control procedures used by United Airlines' engine overhaul facility. These resulted in the failure to detect a fatigue crack originating from a previously undetected metallurgical defect located in a critical area of the titanium-alloy stage-1 fan disk that was manufactured by General Electric Aircraft Engines. The uncontained manner in which the engine failed resulted in high-speed metal fragments being hurled from the engine; these fragments penetrated the hydraulic lines of all three independent hydraulic systems on board the aircraft, which rapidly lost their hydraulic fluid. The subsequent catastrophic disintegration of the disk resulted in the liberation of debris in a pattern of distribution and with energy levels that exceeded the level of protection provided by design features of the hydraulic systems that operate the DC-10's flight controls; the flight crew lost its ability to operate nearly all of them.

([ a fatigue crack originating from a previously undetected metallurgical defect located in a critical area of the titanium-alloy stage-1 fan disk ])
([ metallurgical defect ==> a fatigue crack ==> fan disk disintegration during flight operation ==> ... ==> loss of flight controls ==> ... ])

Post-crash analysis of the crack surfaces showed the presence of a penetrating fluorescent dye used to detect cracks during maintenance. The presence of the dye indicated that the crack was present and should have been detected at a prior inspection. 
   ____________________________________

Peter Robinson, flying blind : the 737 max tragedy and the fall of boeing, 2021

p.121, p.122
1989, DC-10 crashed
regulators might let a safety problem linger because of a cold cost-benefit analysis
Turkish air DC-10
   “I'm here because my only child died in Sioux City, Iowa, in 1989, when a DC-10 crashed”, he said. “111 died, and 189 lived. Heather was 24 years old. She was a graduate of Tulane law school, a member of the New Jersey bar, and a captain in the U.S. army JAG corps, serving at Fort Collins, Colorado, at the time of her death. She was found on the tarmac.”
newspaper's headline referring to “the Achilles heel” of the DC-10.
ever since that first crash of a Turkish Air DC-10 at Orly, when the cargo door popped open and hydraulic lines under the floor snapped, regulators had known how vulnerable those lines were.
In the accident that killed his daughter, a blown engine spewed fragments that severed all three lines and left United Airlines captain Al Haynes without controls to steer the jet.
p.122
if a safety valve for the hydraulic lines had been mandated 15 years earlier ... “a $10,000 item back then” ... the flight controls would not have been lost. 
p.122
“it's dominated by industry representatives whose goals may sometimes be at odds with the public interest.”

p.148
Boeing was in the midst of assembling the first MAX in mid-2015 when the agency's senior management overruled 13 of its own engineers, one of its pilots, and at least 4 other managers on what the specialists felt was yet another flaw:  the lack of shielding around the rudder cables.  
They wanted design changes that would prevent shrapnel from an engine blowout shredding the cables ── a situation like the one that brought down the DC-10 in Sioux City in 1989.
Boeing executives argued the changes were impractical.  But Airbus had had a similar issue on the A320neo, and it did make modifications.

   (Flying blind : the 737 max tragedy and the fall of boeing / peter robinson.
new york : doubleday, 2021, bibliographical references and index., (ebook), (hardcover), (trade paperback), (ebook), boeing company──management.|boeing 737 (jet transport)──accidents.|aircraft industry──united states──management.|aircraft industry──united states──employees.|corporate culture., HD9711.U63 (ebook), 338.7/6291300973──dc23, 2021, )
   ____________________________________
https://en.wikipedia.org/wiki/List_of_accidents_and_incidents_involving_commercial_aircraft#2018

October 29 – Lion Air Flight 610, a Boeing 737 MAX 8, crashes into the Java Sea shortly after takeoff from Soekarno–Hatta International Airport in Jakarta en route to Depati Amir Airport in Pangkal Pinang, Indonesia. All 181 passengers and eight crew are killed.

Lion Air Flight 610
https://en.wikipedia.org/wiki/Lion_Air_Flight_610
On October 29, 2018, Lion Air Flight 610, a 737 MAX 8, plunged into the Java Sea 13 minutes after takeoff from Soekarno–Hatta International Airport, Jakarta, Indonesia. The flight was a scheduled domestic flight to Depati Amir Airport, Pangkal Pinang, Indonesia. All 189 people on board died. This was the first fatal aviation crash and first hull loss of a 737 MAX. The aircraft had been delivered to Lion Air two months earlier.[214][215]  People familiar with the investigation reported that during a flight piloted by a different crew on the day before the crash, the same aircraft experienced a similar malfunction but an extra pilot sitting in the cockpit jumpseat correctly diagnosed the problem and told the crew how to disable the malfunctioning MCAS flight-control system.[216] 

Ethiopian Airlines Flight 302
https://en.wikipedia.org/wiki/Ethiopian_Airlines_Flight_302
On March 10, 2019, Ethiopian Airlines Flight 302, a 737 MAX 8, crashed approximately six minutes after takeoff from Addis Ababa, Ethiopia,[219] on a scheduled flight to Nairobi, Kenya,[220] killing all 149 passengers and 8 crew members on board. The aircraft was four months old at the time.[221]

https://en.wikipedia.org/wiki/Boeing_737_MAX_groundings

December 3, 2018: the FAA Seattle Certification Office reviewed an unpublished quantitative risk assessment analysis of the MAX, prepared using the "Transport Aircraft Risk Assessment Methodology" (TARAM). The U.S. House Committee on Transportation and Infrastructure made the report public just over a year later, on December 11, 2019. In the committee's words, the report concluded that "if left uncorrected, the MCAS design flaw in the 737 MAX could result in as many as 15 future fatal crashes over the life of the fleet", predicting 2900 deaths over 30 years.[66] 

the airplane entered service in 2017

https://en.wikipedia.org/wiki/Maneuvering_Characteristics_Augmentation_System
   ____________________________________
Peter Robinson, flying blind : the 737 max tragedy and the fall of boeing, 2021

pp.177-178
This was not the deadly flight but another, luckier Lion Air flight.  
Minutes after the 737 Max departed Bali for Jakarta, just after 9 p.m. on Sunday, October 28, 2018, the software that Boeing had pressed regulators to delete from the manual had kicked in. 
As the plane seesawed up and down over the next 10 minutes, Surpriano Sudarto, seated in the second row, saw flight attendants and pilots going in and out of the cockpit carrying what looked like dictionaries.  “Is that the instruction book or what?” he thought to himself.  At least one person vomited.
p.178
  Unknown to pilots, at the base in Bali mechanics had replaced a faulty angle-of-attack vane on the almost brand-new jet with a used one from a repair shop in Florida.  The vanes, sitting like nostrils on either side of the plane's nose, are designed to detect how steeply the craft is flying into oncoming winds.  A protruding part of the vane rotates in response to the airflow.  It's attached to what looks like a system of gears inside ── actually small electrical transformers called resolvers that read the angle in comparison to a static reference and then feed that information into the plane's computer.  A test is supposed to be performed before installation to make sure the resolvers are properly calibrated.  No one at the shop or the maintenance base noticed that the resolvers on this particular vane were misaligned ... 
p.178
one of the links in the “chain of errors” often said to accumulate in aviation accidents, the heartbreaking clarity coming only in hindsight. 
p.178
the sloppiness had started at Boeing, in the early compromises of the plane's design, and then in the loose ends left dangling in the final days of development.
The MCAS software was designed to only take input from a single sensor, alternating from one side to the other after each flight.
The bad sensor happened to be the one feeding into the captain's controls, so when the Lion Air jet took off, it set off a thumping “stick shaker” that made the control wheel vibrate in his hands, triggered altitude and airspeed warnings, and, most perilously, commanded the plane's nose down.
pp.178-179
  By chance, this crew had an advantage that pilots Suneja and Harvino would not when they stepped into the very same plane, only hours later.
p.179
A third, off-duty pilot was sitting in the jump seat between the two at the controls, hitching a ride.  In the commotion he noticed the trim wheel between them moving.  That suggested to him the proper checklist, among the dozens in the handbook ── the one for a runaway stabilizer.  The captain flipped a switch to turn off the stabilizer motor, just as Boeing engineers had reasoned a pilot would.  For the rest of the flight, he had to turn the wheel himself, a remarkably rustic thing to ask of a pilot of a large commercial aircraft in the 21st century.  The control column also kept vibrating in his hand; there was no mechanism in the Max to shut off the stick shaker if the data were faulty.  But the crew managed to land safely in Jakarta 90 minutes later.
p.179
  Back on the ground, the captain documented what had happened in the log book, and Lion Air's mechanics got to work clearing the plane for the next flight.  
The captain's note included the alerts he'd seen ── ALT DISAGREE, IAS DISAGREE, and FEEL DIFF PRESS (indicating bad altitude, airspeed, and hydraulic pressure).  
He and the mechanics never saw the alert that would have pinpointed the problem ── AOA DISAGREE, suggesting a discrepancy between the left and right angle-of-attack vanes.  The reason:  Lion Air hadn't paid for it.  They had purchased a bare-bones MAX plane, with no such indicator.  Moreover, Boeing had never disclosed the potential issue to customers. 
  So the Lion Air maintenance team never knew to replace the bad vane.  They turned off the power, followed the procedures for the other alerts, and, without any other reason to hold it back, the plane was allowed to depart the next morning.  A quirk of the software, however, meant that after a power-down, the bad sensor would again feed into the captain's controls on the left side.  Suneja and Harvino would be unwitting guinea pigs, this time without a third pilot to guide them.  

p.202
The almost brand-new plane and the 157 people it carried burrowed into a field of dull yellow teff, a grain cultivated for centuries around Bishoftu.

p.202
This time the plane had killed its occupants in 6 minutes, half the time in which the MCAS software had brought down the Lion Air plane. 

   ____________________________________
Ben R. Rich and Leo Janos., Skunk works: a personal memoir of my years at Lockheed, 1994
pp.81-83
Alan Brown 

the air data measurement system, called pitot probes, 
took us the entire two and a half years.
these probes, which extended out the nose in stiletto shapes, recorded for the onboard computer static pressure, dynamic pressure, airspeed, angle of attack, and angle of sideslip so that the computer could make its microsecond flight adjustments.
how to heat these probes to keep them from icing without having them become conductive and act like antennas to radar or infrared devices was a problem 
developed a nonconductive heating wire the thickness of a human hair

   (Skunk works: a personal memoir of my years at Lockheed / Ben R. Rich and Leo Janos., 1. lockheed advanced development company ─ history., 2. rich, ben r. ─ career in aeronautics., 3. aeronautics ─ research ─ united states ─ history.,  
TL.565.R53  1994, 338.7'623746'0973, 338.7623  rich, 1994, )
   ____________________________________
Peter Robinson, flying blind : the 737 max tragedy and the fall of boeing, 2021

p.6
The deaths of 346 people on a brand-new aircraft within five months badly shook the widely shared assumption of safety in air travel.  There was the chilling fact that software had overridden humans. 

p.205
satellite transponders
  Satellite transponders on aircraft record the position, altitude, direction, and speed every 8 seconds.  The Boeing officials showed Bahrami and his team a graphic that superimposed these traces from the flight in Ethiopia over the Lion Air plane's last moments.  It was a match.  In addition, a piece of the plane had been recovered that showed the flaps were in an “up” position ── a precondition for MCAS to fire.  There was nothing more to say; Bahrami walked out of his office and told his boss they needed to ground the fleet. 

p.207
The MAX had hit the ground with such speed that it had disintegrated, interring the fragments dozens of feet deep.

   ____________________________________
“the never-ending challenge” by H. G. Rickover
metals engineering quarterly
february, 1963
pp.1-6

Progress ── like freedom ── is desired by nearly all men, but not all understand that both come at a cost.  Whenever society advanced ─ be it in culture and education or science and technology ─ there is a rise in the requirements man must meet to function successfully.  The price of progress is acceptance of these more exacting standards of performance and relinquishment of familiar habits and conventions rendered obsolete because they no longer meet the new standards. 
To move but one rung up the ladder of civilization man must surpass himself. 
The simple life comes “naturally”.  The civilized life compels effort.
  In any advancing society some elements will accept the advantages of life at a higher plateau yet ignore its obligations.  This is readily seen when backward people seek to modernize their society.  Sociologists call it a “culture lag”.  Something akin to culture lag exists even in highly developed countries such as the United States.  And, because all parts of a modern society are interdependent, failure to meet rising standards in any sector becomes a brake on general progress and harms society as a whole. 

... ... ...
... ... ...

   Besides this unsatisfactory situation in welding, casting and radiography, practical application of nuclear power is also hampered by unresolved problems of fatigue in materials. 
   Present knowledge of material fatigue under thermal cycling stress is meager.  In consequence, we in the reactor group have had to develop special test loops to conduct tests for determining the adequacy of conventional components.  Based on results of these tests we have had to change the design of many equipments ── valves, nozzles, thermal sleeves ── all of which have been in use by industry for many years.  Yet fatigue is not peculiar to nuclear propulsion: nor is it a new problem for industry.  The Civil Aeronautics Board reports that every year several commercial airplane accidents are caused by fatigue failure of propellers, landing gear, or hydraulic pressure lines.  Reporting on a recent helicopter accident caused by fatigue cracking of a main rotor blade, the CAB warned that there was urgent need for better understanding of safe fatigue life of materials and for more conservative design.

... ... ...

   Similar cases of poor quality control are prevalent in areas other than nuclear propulsion; areas where safety is just as important.  About 10 per cent of commercial airplane accidents are traceable to poor quality control during maintenance.  Take the following CAB report on one particular accident:  a worn bolt was found in a control system during an overhaul and removed for replacement.  But no new bolt could be found in the shop so the worn bolt was put back “finger tight”, with no locking pin, apparently to stay there until a new bolt could be ordered.  No note was made of this, and during the next shift, the overhaul was completed and the airplane was checked out as satisfactory.  On a flight next day, vibration caused the loose nut to back off, the pilot lost control and the plane crashed.  In another case, a commercial airliner crashed during take-off after a major overhaul because the aileron control cables were reversed.

... ... ...

   To prevent poor workmanship, quality must be considered as embracing all factors which contribute to reliable and safe operation.  What is needed is an atmosphere, a subtle attitude, an uncompromising insistence on excellence, as well as a healthy pessimism in technical matters, a pessimism which offsets the normal human tendency to expect that everything will come out right and that no accident can be foreseen ── and forestalled ── before it happens. 

... ... ...

   I only wish I could tell you that the somber situation I have described no longer exists; that our efforts over the past 15 years have been successful in eliminating these problems.  But I can't.  As the naval reactor program grows in scope and more companies engage in manufacturing components for it, our difficulties with conventional components multiply; they get worse rather than better.  I have no sweeping solution for this never-ending problem, but several things can be done:
   1.  More effective management and engineering attention should be given to the routine and conventional aspects of our technology.  Nothing must ever be taken for granted.  Management must get into the details of problems, look at hardware first hand, analyze the cause of trouble by personal investigation, and take prompt action to prevent recurrence.  Management must also remember that things once corrected do not stay corrected.  A credo of management ought to be that every human endeavor has a “half-life”.
   2.  Management and engineers must not conclude that their job is over once drawings have been completed and the first component successfully built and tested to these drawings.  This is far from the whole story.  To be satisfactory a component not only must perform its function, it must do so reliably and consistently.  This requires that it be easy to manufacture, inspect and maintain in the field ── by personnel of average skills.  This invariably demands simplicity of design, and usually requires redesign of the first model.  I don't believe this concept of what makes a good design is well understood. 
   3.  Industry must take responsibility for developing better understanding of many basic processes in use today.  Technical societies such as yours can play an important part here.  One way of reaching better understanding is by methodically investigating every problem so as to determine its cause.  Customers must inform manufacturers of all deficiencies they discover in equipment.  This will help manufacturers improve production performance.  In the naval reactors program we make every defect or failure to meet specifications, no matter how small, the subject of a special report from the ship or shipyard.  This is followed in detail until corrective action has been taken and all concerned are advised of the problem and also of its remedy. 
   4.  Specifications and standards must be thoroughly understood, respected, and enforced by manufacturers as well as by customers.  It should be of concern to us that specifications are normally written by the manufacturers and therefore usually represent the lowest standard of engineering to which all manufacturers are willing to agree.  This should be changed.  Specifications and standards should be set by the customer with manufacturers acting only in a consulting capacity.  This is another area in which technical societies could play an important part.  They ought to see to it that industry develops comprehensive specification requirements are consistently and rigorously enforced.  Technical societies must carefully guard against becoming “kept” organizations.
   5.  Quality control must be recognized as an essential tool to enable management to meet today's technological imperatives.  Customers must reject deficient equipment and insist that manufacturers meet their commitments.  As long as manufacturers find that defective equipment is accepted it is difficult, if not impossible, to get them to improve ── to raise their plateau of engineering.  One of the best ways you can help raise the level of technical excellence of American industry is by insisting, as I have, on high standards of design, workmanship and quality control.

... ... ...
... ... ...

Rickover's speech at the National Metal Congress 
new york, 1962, “the never-ending challenge”

Theodore Rockwell., The rickover effect : how one man made a difference / 1992,  
   (The rickover effect : how one man made a difference / Theodore Rockwell.,  1. rickover, hyman george.,  2. nuclear submarines ── united states ── history.
3. admirals ── united states ── biography.,  4. united states.,  navy──biography, V63.R54R63  1992,  359.3'2574'092--dc20,  united states naval institute,  Annapolis, Maryland, 1992 )
   ____________________________________

Sidney Dekker, The field guide to human error investigations, 2002

p.91  (pdf page: 90/154)
It is hard for organizations, especially in highly regulated industries, to admit that these kinds of tricky goal trade-offs arise; even arise frequently. But denying the existence of goal conflicts does not make them disappear. For a human error investigation it is critical to get these goals, and the conflicts they produce, out in the open. If not, organizations easily produce something that looks like a solution to a particular incident, but that in fact makes certain goal conflicts worse.

p.123  (pdf page: 121/154)
High reliability organizations do not try to constantly close the gap between procedures and practice by exhorting people to stick to the rules. Instead, they continually invest in their understanding of the reasons beneath the gap.  This is where they try to learn──learn about ineffective guidance; learn about novel, adaptive strategies and where they do and do not work.

p.134  (pdf page: 131/154)
In this sense your recommendations are a prediction, a hypothesis. You propose to modify something, and you implicitly predict it will have a certain effect on human behavior.  The strength of your prediction, of course, hinges on the credibility of the connection you have shown earlier in your investigation: between the observed human errors and critical features of tasks, tools and environment.  With this prediction in hand, you challenge those responsible for implementing your recommendations to go along in your experiment──to see if, over time, the proposed changes indeed have the desired effect on human performance.

p.134  (pdf page: 131/154)
 •  the ease with which your recommendation can be implemented;
 •  the effectiveness of your recommended change.

The ease of implementation and the effectiveness of an implemented recommendation generally work in opposite directions. In other words: the easier the recommendation can be sold and implemented, the less effective it will be (see Figure 11.1).

p.135  (pdf page: 132/154)
     But after implementation, the potential for the same kinds of error is left in the organization or operation. The error is almost guaranteed to repeat itself in some shape or form, through someone else who finds him or herself in a similar situation.  Low-end recommendations really deal with symptoms, not with causes. After their implementation, the system as a whole has not become much wiser or better.

p.140  (pdf page: 137/154)
A really good investigation does not necessarily lead to the implementation of really good countermeasures.  In fact, the opposite may be true if you look at figure 11.1.  Really good investigations may reveal systemic shortcomings that necessitate fundamental interventions which are too expensive or sensitive to be accepted.

    source:  The field guide to human error investigations, by Sidney Dekker,  
             Cranfield university press
    filename:  DekkersFieldGuide.pdf

   (Sidney Dekker, The field guide to human error investigations, 2002, )
   ____________________________________

approach

p.202, p.203
Note that in choosing house A the manager knew why and on what grounds he was doing so.  He did not take the "cancel-out" approach used by some managers in decision making.  In this approach, ([in this approach]) the assumption is that an advantage cancels out a disadvantage so that things even up.  This is not so.

([pause])
If there is a disadvantage attached to an alternative, finding an advantage does not get rid of it.  Once the decision is made, the disadvantage will have to be lived with until it is removed by corrective action of some sort.

([pause])
The only safe way to deal with disadvantages in decision making is to recognize them and to keep them visible before one throughout the process.  A final decision or course of action can then be made in full knowledge of the disadvantage rather than by glossing over defects and hiding them.

([pause])
Having all the assessments that enter into a decision visibly set forth is a major advantage in itself.  For one may readily go back to reexamine the judgements made and consider corrective actions that can be taken to improve an already good alternative.

     © 1965 by Charles H. KEPNER and Benjamin B. TREGOE

     (The Rational Manager : A Systematic Approach to Problem Solving and Decision Making, Charles H. KEPNER, Benjamin B. TREGOE, © 1965, p.202, p.203)
   ____________________________________
 • every time an aircraft takes off and lands safely with no incident, no death, no injuries, no disturbance (the standard to be met and aspired to), that is a mark for safety; 
   ── when this happens, we can say, this is safe; 
   ── avoid sweeping the dirt and dust under the rug
      ─── the usual reaction is to hide the dead body  
      ─── in sensitive circumstances: very difficult not to hide the dead body
   ── a recurring trouble or problem could be a signal of a potential underlying incident waiting to happen; 
   ── retired personnel and retired people with field experience 
      ─── source of real world experience 
      ─── should periodically be contacted and kept in the loop
      ─── many should have insight into the troubles and problems  
 • every time there is a death, an injury, or a total loss of all lives on board the aircraft, that is a mark for not being safe; 
   ── when this happens, we can say, this is not safe (deadly dangerous); 
 • to take the non-"cancel-out" approach; 
 • the data for safety and the data for not being safe do not cancel out each other, nor do they balance out each other;   
 • it only takes one failure, one death, one injury for something not to be safe; 
   ── why?
   ── that's how language and human community work (common sense);  
   ── we can argue over this if you like; however, in general, most people would accept this as a common-sense, generally acceptable meaning for safety; 
   ── there seems to be a universal cross-cultural understanding on this;  
   ── death is a universal cross-cultural concept; 
   ── on death, ... 
 • Sunday, October 28, 2018: 737 Max departed Bali for Jakarta with “A third, off-duty pilot was sitting in the jump seat between the two at the controls, hitching a ride.  In the commotion he noticed the trim wheel between them moving.  That suggested to him the proper checklist, among the dozens in the handbook ── the one for a runaway stabilizer.  The captain flipped a switch to turn off the stabilizer motor, just as Boeing engineers had reasoned a pilot would.  For the rest of the flight, he had to turn the wheel himself, ...”; 
   ── this flight was able to land safely; so this is a safe flight; 
   ── a case can be made that this is a potentially not safe flight, because of the incident of having to turn off the stabilizer motor; 
   ── until the recurrence of the same event, causing the plane to crash, it was unclear at the time whether it was a one-time incident; 
 • the same plane with pilots Suneja and Harvino on the next flight: the 737 Max would crash, killing all of its passengers, pilots and crew; 
   ── this flight is not safe; 
 • same plane: the first safe flight does not "cancel-out" or balance-out the unsafe second flight, where all people died; 
   ____________________________________
Sidney Dekker, The field guide to human error investigations, 2002 

p.62  (pdf page: 63/154)

 •  Safety is never the only goal in the systems that people operate. 
    Multiple interacting pressures and goals are always at work. There
    are economic pressures; pressures that have to do with schedules, 
    competition, customer service, public image. 
 •  Trade-offs between safety and other goals often have to be made
    under uncertainty and ambiguity. Goals other than safety are easy 
    to measure (How much fuel will we save?  Will we get to our 
    destination?).  However, how much people borrow from safety to 
    achieve those goals is very difficult to measure. 
 •  Systems are not basically safe. People in them have to create safety
    by tying together the patchwork of technologies, adapting under 
    pressure and acting under uncertainty. 

Trade-offs between safety and other goals enter, recognizably or not, into thousands of little and larger decisions and considerations that practitioners make every day.  Will we depart or won't we?  Will we push on or won't we?  Will we accept the directive or won't we?  Will we accept this display or alarm as indication of trouble or won't we?  These trade-offs need to be made under much uncertainty and often under time pressure. 

p.63  (pdf page: 64/154)

   ****************************************
   *                                      *
   *   HUMAN ERRORS ARE SYMPTOMS OF       *  
   *   DEEPER TROUBLE                     *
   *                                      *
   ****************************************

Human error is the starting point of an investigation. The investigation is interested in what the error points to. What are the sources of people's difficulties?  Investigations target what lies behind the error──the organizational trade-offs pushed down into the individual operating units; the effects of new technology; the complexity buried in the circumstances surrounding human performance; the nature of the mental work that went on in difficult situations; the way in which people coordinated or communicated to get their jobs done; the uncertainty of the evidence around them. 
    Why are investigations in the new view interested in these things?  Because this is where the action is. 

  <------------------------------------------------------------------------>  

Sidney Dekker, The field guide to human error investigations, 2002 

p.4  (pdf page: 8/154)
Investigators intend to find the systemic vulnerabilities behind individual errors. They want to address the error-producing conditions that, if left in place, will repeat the same basic pattern of failure. 

   (Sidney Dekker, The field guide to human error investigations, 2002, )
  <------------------------------------------------------------------------>     
https://en.wikipedia.org/wiki/1945_Empire_State_Building_B-25_crash


https://en.wikipedia.org/wiki/Exercise_Tiger
Exercise Tiger, or Operation Tiger, was one of a series of large-scale rehearsals for the D-Day invasion of Normandy, which took place in April 1944 on Slapton Sands in Devon. Coordination and communication problems resulted in friendly fire injuries during the exercise, and an Allied convoy positioning itself for the landing was attacked by E-boats of Nazi Germany's Kriegsmarine, resulting in the deaths of at least 749 American servicemen.[1][2]

Because of the impending invasion of Normandy, the incident was under the strictest secrecy at the time and was only minimally reported afterwards.
   ____________________________________
Lee Allyn Davis, Man-made catastrophes, 1993                                [ ]

From inside cover

 • The most tragic maritime disaster of all time occurred in the Baltic Sea in 1945 when an unidentified Soviet submarine torpedoed the Wilhelm Gustloff, loaded with refugees.  While the death toll from this incident is estimated to be nearly five times the number of fatalities of the Titanic tragedy, this disaster has gone virtually unrecorded.  

 • One of the most bizarre airplane accidents happened on July 28, 1945 when a U.S. Army Air Corps B-25 bomber flying in heavy fog collided with New York's Empire State Building.  

 • The worst train wreck in India's history was caused by an engineer's decision to brake for a cow on the tracks.  This 1981 incident near Mansi resulted in more than 560 deaths.

p.ix
    Stupidity.
    Neglect.
    Avariciousness.
    The three weird sisters, the archetypal three of man-made disasters, wend their way through practically every one of the several hundred entries in this volume, often in triplicate and duplicate.

p.ix
    But more often than not, other forces have made that human error easy to commit, and certain to cause a cataclysm.  Human sloth and corporate greed often figure in the faulty instrument provided the engineer in the doomed plant, in the failure to provide a proper evacuation plan for a nuclear facility, in the decision of a captain who goes to bed and leaves the bridge to a midshipman in treacherous waters, in the failure of the management of a building or a discotheque to provide the proper fire exits for its patrons, in the neglect of the owners of a shipping line to provide the proper number of lifeboats or the correct filling in the jackets for its passengers.

p.ix
    If, then, there is any constant thread that weaves through the fabric of man-made disasters, it is the presence of those three weird sisters, Stupidity, Neglect and Avariciousness, their pervasiveness before, during and after the disasters and the uncomfortable truth that without them, some of the worst of these disasters never would have occurred.

pp.ix—x
    But except for very few instances, these presences are secondary, and it is what occurs before or during these emergencies that matters in man-made disasters.  The judgement of the captain of a ship or an airplane, the decisions made by fire chiefs or rescue squads, the advice given by experts to engineers fighting to bring an industrial plant under control spell the difference between disasters and accidents.  And once those Shakespearian dominoes have been set in motion by that act of bad judgement, ignorance, badly placed cowardice or misplaced bravado, the dividing line between trouble and cataclysm is crossed.  And there is no going back.

p.x
    In his introduction to this play Death of a Salesman, Arthur Miller separates the merely pathetic from the truly tragic by using the image of a man being hit by a falling piano.
    The situation is this:
    A piano is being moved into a fifth-floor apartment via a block and tackle.  It hovers outside a window, five stories above a city sidewalk.
    An unsuspecting man turns the corner, whistling.  He strolls down the sidewalk, and then, just as he gets underneath the piano, a rope breaks.  The piano falls, crushing the man.
    The next day, an article, headed "Man Hit by Falling Piano," appears in the newspapers.  It reports the facts and nothing else.
    Is that, asked Miller, pathetic or tragic?
    It's pathetic, according to Miller, because you don't know where the man came from or where he was going.  If, on the other hand, you knew, for instance, that he had just paid the last installment on his mortgage and was on the way to the jewelry store to pick up the engagement ring to give to the love of his life, it would be tragic.  Summing it up, Miller concludes, "You are in the presence of tragedy when you are in the presence of a man who has missed his joy. But the awareness of the joy, and the awareness that it has been missed must be there."

pp.x—xi
    ...  And there are disasters that, for one reason or another, either have not found their way into record books or, because of lack of information or withheld information, remain incomplete stories.
    Take, for instance, the worst disaster at sea ever reported.  Supposedly, 6,000 Chinese Nationalist soldiers lost their lives in the sinking of a troopship near Manchuria in 1949.  But there are no official records, no eyewitness reports, no historians' loggings of this incident that this writer could find after exhaustive research.
    Or take the strange case of the Wilhelm Gustloff.  Its sinking brought about the worst loss of civilian life at sea in all of history.  And yet it has scarcely been mentioned in history books of its period, and finding even the few details available took considerable digging.  That the Wilhelm Gustloff was a German hospital and troopship and that she was sunk by an unidentified Soviet submarine at the very end of World War II undoubtedly accounts for the lack of information.  And yet here was a disaster with casualties that were nearly five times that of the Titanic, and the incident has remained buried for 45 years in some back room of history.
    Finally, take the silence of the Soviet Union after the enormous explosion that shook the Ural Mountains, at a nuclear dump site near the city of Kasli, in 1957.  Although the CIA and, presumably, the governments of other Western countries were aware of the explosion, no news of it leaked out until a Soviet scientist, Dr. Zhores Medvedev, emigrated to the West and published a reference to it in a scientific journal.  And even then, heads of atomic energy commissions worldwide scoffed at the news.  If it had not been for the determination of Medvedev to assert his newfound freedom of expression, this catastrophe might well have remained buried under an international mountain range of official denials.

p.xi
    ...  There is no necessity to cover up a natural disaster.  But because of the origin of man-made disasters, there has often, unfortunately, been ample——if persuasive——reason to alter or suppress the facts, figures, origins and particularly, in the case of nuclear disasters, the implications of these catastrophes.

p.xi
    And it is for this last reason, incidentally, that, except for four cases in which helpless civilians were the victims, disasters that took place during a war were omitted.  War is, in itself, humankind's very worst self-created disaster.  And the fact that humankind has not yet learned that war's endless horror and universal devastation are the most eloquent argument against its recommitment is yet another reason to exclude it from a survey of disasters created by human beings.  It is, using Arthur Miller's definition, the most pathetic and least tragic of human enterprises culminating in disasters, one that brings to mind John Wilkes Booth's last words, "Useless, useless, useless . . ."

p.94
United States
Washington, D.C.
May 20—July 28, 1932
• • • • • • • • • • • • • • • • • • • • • • • • • •
World War I veterans, out of work during the Great
Depression, marched on Washington, D.C. in May 1932 to
demand that a bonus due them in 1945 be paid immediately.
On July 28, an army unit led by General Douglas
MacArthur cleared the veterans out and set fire to their
encampment.  One (1?) veteran was killed; scores (20+?) were injured.

    (Davis, Lee Allyn., Man-made catastrophes : from the burning of Rome to the Lockerbie, 1. Disasters., D24.D38  1991, 904——dc20, copyright © 1993, )
   ____________________________________
Nathan Rosenberg, Inside the black box: technology and economics, 1982

p.130
jet aircraft were flying at much greater speeds 
The lengthening of the servicing and maintenance schedule, as in the case of the 707 ─ the early workhorse of the jet age ─ came only gradually as experience accumulated to strengthen confidence in the structural integrity of the aircraft.18 
  18  The lengthening of the time interval between maintenance checks required FAA approval. 
p.130
   Improved maintenance of the propulsion system is important in reducing the operating cost of aircraft systems.19  Overall maintenance typically comprises 30 per cent of all direct operating costs of labor and materials. 

p.130
In terms of direct operating costs, maintenance costs for current jet vehicles are roughly equal between airframe and propulsion systems, although the activities are somewhat differentiated because airframe maintenance is more labor-intensive than engine maintenance. 

p.131
Pratt and Whitney JT3D turbojet engine.21
  21  see NASA document CR-134645, section II, fig. II-1.
p.131
The rise of maintenance costs during the first year of introduction reflects the impact of early design problems that were not anticipated prior to the rigors of actual on-line operations. 
   In the case of the JT3D, the design difficulties remedied through maintenance involved inordinate wearing of parts due to high operating temperatures relative to the thermal stability of the lubricants used.  After this point, maintenance costs dropped sharply, typically to 30 per cent of their initial levels over a decade of operation.  It is the determinants of this cost reduction after the introduction of a new engine that we seek to understand. 
   Just as some design problems, such as the lubrication difficulties of the JT3D, are solved under the guise of maintenance, so are maintenance aspects of the future engines carefully examined and prepared for during the design phase.  This activity includes preparing of instruction manuals and tools for repair, ordering and inventorying spare parts, training personnel, and so on.  These are complementary, although simultaneous, technological advances in the introduction of the new engine.

p.132
   But there is also a broad spectrum of complementary changes, with significant cost consequences, that cannot be anticipated when the propulsion system is designed.  One striking aspect of this technological development is that, to a surprisingly large extent, it is not readily identified with new and innovative forms of hardware.  Rather, the maintenance history of particular engines, especially turbojet engines, strongly reflects learning by using, where prior knowledge based upon reciprocating propeller engines was largely inadequate to anticipate the durability and reliability of the gas turbine engines (indeed, that earlier experience turned out to be positively misleading).  This problem was further exacerbated by the fact that jet maintenance occurred first in the military, where costs were not of overriding significance.  These procedures had to be modified to conform to the commercial constraints of the civilian sector. 

p.132
Early jet engine maintenance programs were based upon specifications of allowable time between overhauls (TBOs), measured in hours of operating time.  These were strictly enforced and were extendable only in increments of 200 hours, and then only after extensive testing of several devices.  Although this practice was justified initially, due to safety considerations and ignorance of the capabilities of the new technology, these programs were extremely expensive because unnecessary maintenance work was done at excessively short intervals.  

p.132
  22  The disastrous DC-10 crash in Chicago in May 1979 raises some extremely troublesome questions about the effectiveness of the intertwining in the case of this particular aircraft.  If the crash was indeed caused by a faulty maintenance procedure ─ the failure to separate the pylon and the engine during removal and reinstallation ─ the aircraft designers hardly deserve complete exculpation.  At the very least, the design of the aircraft apparently made the maintenance procedure exacting and inherently dangerous.  Surely, a basic desideratum of good design is that aircraft components should be more “forgiving” to variations in handling procedures.  

p.133
time between overhauls (TBOs), measured in hours of operating time.
Although this practice was justified initially, due to safety considerations and ignorance of the capabilities of the new technology, these programs were extremely expensive because unnecessary maintenance work was done at excessively short intervals. 
   When this was realized, the next stage was a modified TBO program that removed the obligatory disassembly conditional upon various tests and inspections.  Today, there is no mandatory schedule; reconditioning now takes place as indicated by routine tests that are performed while the aircraft remains on-line.  Such examinations include the use of borescopes to check wear, analysis of used lubricants, and visual examination.  This trend can also be seen at other levels.  For example, inspections of the Boeing 707, which were initially required daily, have been stretched out to routine weekly surveillance.23 
  23  Boeing commercial aircraft company, document B-7210-1-418, p. 3

p.133
Thus, engine maintenance on a need-only basis quickly pinpoints the factors that limit durability.  Redesign efforts are then focused upon these elements.  Further, because it is no longer necessary to recondition an engine as a complete unit, the use of interchangeable modules has resulted in reduced costs.  In addition, significant technological advances have been made in the diagnostic hardware used to ascertain the advisability of maintenance.  For example, more sophisticated borescopes using television transmitters for monitoring, internal accelerometers to monitor vibrations, and isotope pellets to detect metal fatigue and stress have all been introduced in the diagnostic phase of maintenance.  

p.133
This is shown in Figure 3, where a decline is noted for each of the first ten years.  After this point, the engines reach the durability limits of major structural members, requiring increasingly frequent removal in later years.24 

  (Inside the black box./ Nathan Rosenberg, 1. technological innovations., 2. technology─social aspects., HC79.T4R673   1982, 338'.06, first published 1982, )
   ____________________________________
Nathan Rosenberg, Inside the black box: technology and economics, 1982

p.284
For some years, commercial aircraft manufacturers were able to limit development costs by adopting new technologies only after they had been produced and operated for some years by the military.  The Boeing 707 was a civilian version of the KC-135 military tanker, an aircraft that had been produced in large numbers for the military, and even the 747 benefited from the development experience Boeing derived from its unsuccessful bid in the C-5A competition.  
With the increased focus upon missiles, however, the military and commercial sectors have diverged.  Commercial firms now confront costs of the order of magnitude of $1 billion in developing a new generation of widebodied jets and have less direct financial support from earlier military technologies.  In 1981, McDonnell Douglas refused an offer by Delta Airlines to undertake the development of a new commercial aircraft, despite Delta's willingness to place an order of over $1.5 billion. 
pp.284-285
  Thus, in the commercial aircraft industry, participating firms confront extremely high development costs in addition to the costs of production. 

p.174
   The crucial aspect of federal policy throughout this 50-year period is the fact that it has exercised an impact upon both the supply of and demand for innovation.  Military support for new aircraft development provided important technical skills, knowledge, and innovations that could be utilized by manufacturers in commercial aircraft.  Substantial research support for both military and civilian applications was also channeled through the NACA.  Government demand for new designs, pushing at the outer limits of available technologies, was no less crucial in bringing about the rapid embodiment of new technical knowledge or isolated breakthroughs in some subsystem in a new aircraft design.  The assurance of a market for a successful military aircraft gave manufacturers a strong incentive to pursue and utilize rapidly the technical and scientific knowledge acquired at federal expense.  This assurance of the demand for innovative technologies is very important in understanding how technical breakthroughs were embodied so quickly in new aircraft.  
On the other hand, the modest success of such programs as the NASA technology utilization program or federally funded demonstration projects aimed at increasing  the supply and availability of commercially useful knowledge, reflects in part the uncertainties about demand faced by the potential utilizers of this knowledge.  The NASA program was also hampered by the often limited applicability of its technologies for civilian use.  In the military aircraft market, which generated considerable commercial spillovers, such demand uncertainty was minimal.
   On the demand side, the commercial aircraft market was also affected by government policies. 

  (Inside the black box./ Nathan Rosenberg, 1. technological innovations., 2. technology─social aspects., HC79.T4R673   1982, 338'.06, first published 1982, )
   ____________________________________
Charles Perrow, Normal accidents : living with high-risk technologies, 1999 [ ]

p.8
DEPOSE components (for design, equipment, procedures, operators, supplies and materials, and environment). 

p.168
Air Safety Reporting System

The Air Safety Reporting System, ASRS, was established in 1975, and receives over 4,000 reports a year on safety-related incidents and near accidents.  Similar systems had been established in Europe, tried in the United States, and used by at least one U.S. airline, United Airlines.  In fact, in 1974, a TWA flight crashed on a Virginia mountain top as a result of a confusing map and misinterpretation of ATC reports.  In the subsequent NTSB investigation it turned out that United pilots had been warned of the hazard by their program.  The FAA had sponsored a program but TWA had no such program.  The FAA had sponsored a program in the late 1960s, ostensibly nonpunitive in nature, but pilots and controllers did not support it.  After the Virginia crash, they sponsored another, but this time allowed the respected National Aeronautics and Space Administration to supervise it.  NASA selected the Battelle Memorial Institute as the contractor.  This insured considerable independence from the FAA, and with guarantees of immunity except in extreme cases, the program succeeded. 

p.169
As is true of all accident reporting systems, this is clearly a “political” data source in some respects, but neither I nor others involved find any reason to doubt its overall accuracy.  Indeed, the extent of mea culpa in the reports is striking, as is the objectivity of the analysis.  Once de-identified, a report is part of the public record.  I have used these reports to a limited extent myself to investigate incidents where airline management was somehow involved; the cooperation of the ASRS was exceptional. 
   It would be extremely beneficial if such a virtually anonymous system were in operation for the nuclear power industry and the marine transport industry. 

p.309
   The field acknowledges the difference between voluntary risks such as skiing and hang-gliding, and involuntary ones such as leaching of chemical wastes.10  But it does not acknowledge the difference between the  imposition  of risks by profit-making firms who could reduce the risk, and the  acceptance  of risk by the public where private pleasures are involved (skiing) or some control can be exercised (driving). 

p.382
The accident rate for Africa, for example, is twenty-six (26) times that of the U.S., yet air travel is growing very fast there. 
p.382
In 1996, 70 percent of the accidents occurred in only 16 percent of the world air carriers! (All figures are from the excellent Flight Safety Digest, published by the Flight Safety Foundation [Matthews 1997].) 

   ( Normal accidents : living with high-risk technologies / Charles Perrow, 1. industrial accidents., 2. technology--risk assessment., 3. accident., HD7262  P55  1999, 363.1--dc21, 1999,  )
   ____________________________________

Sidney Dekker, The field guide to human error investigations, 2002 

p.20  (pdf page: 23/154)
Focusing on people at the sharp end

Reactions to failure focus firstly and predominantly on those people who were closest to producing and to potentially avoiding the mishap. It is easy to see these people as the engine of action. If it were not for them, the trouble would not have occurred. 

p.20  (pdf page: 23/154)
Blunt end and sharp end

In order to understand error, you have to examine the larger system in which these people worked.  You can divide an operational system into a sharp end and a blunt end: 

 •  At the sharp end (for example the train cab, the cockpit, the surgical 
    operating table), people are in direct contact with the
    safety-critical process; 
 •  The blunt end is the organization or set of organizations that supports 
    and drives and shapes activities at the sharp end (for example the
    airline or hospital; equipment vendors and regulators). 

pp.20-21  (pdf page: 23-24/154)
The blunt end gives the sharp end resources (for example equipment, training, colleagues) to accomplish what it needs to accomplish. But at the same time it puts on constraints and pressures (“don't be late, don't cost us any unnecessary money, keep the customers happy”).  Thus the blunt end shapes, creates, and can even encourage opportunities for errors at the sharp end.  Figure 2.3 shows this flow of causes through a system.  From blunt to sharp end; from upstream to downstream; from distal to proximal.  It also shows where the focus of our reactions to failure is trained:  on the proximal 

p.21  (pdf page: 24/154)
Figure 2.3:  Failures can only be understood by looking at the whole system in which they took place.  But in our reactions to failure, we often focus on the sharp end, where people were closest to causing or potentially preventing the mishap. 

p.22  (pdf page: 25/154)
Why do people focus on the proximal?

Looking for sources of failure far away from people at the sharp end is counter-intuitive.  And it can be difficult.  If you find that sources of failure lie really at the blunt end, this may call into question beliefs about the safety of the entire system.  It challenges previous views.  Perhaps things are not as well-organized or well-designed as people had hoped.  Perhaps this could have happened any time.  Or worse, perhaps it could happen again. 


    source:  The field guide to human error investigations, by Sidney Dekker,  
             Cranfield university press 
    filename:  DekkersFieldGuide.pdf 

   (Sidney Dekker, The field guide to human error investigations, 2002, )
   ____________________________________
Robert Trivers, The folly of fools, 2011                                    [ ]

p.183
Disasters are always studied in retrospect. 

p.184
Air Florida Flight 90-- ....
On the afternoon of January 13, 1982, Air Florida Flight 90 took off from Washington, D.C.'s National Airport in a blinding snowstorm on its way to Tampa, Florida. It never made it out of D.C., instead slamming into a bridge and landing in the Potomac River--74 people died, and 5 survivors were fished out of the back of the plane. Perhaps because one of those who died was an old friend of mine from Harvard (Robert Silberglied), I was listening with unusual interest when soon thereafter the evening news played the audiotape of the cockpit conversation during takeoff. 

p.186
Here is the critical moment in which the copilot timidly advanced his takeoff strategy, which presumably was to floor it--exactly the right strategy--but the pilot cut him off midsentence and said, ... 

p.186
   Note that the copilot began with a true statement--they had a false sense of security based on a de-icing that did not work. 

pp.186-187 
   A famous geologist once surveyed this story and commented: “You correctly blame the pilot for the crash, but maybe you do not bring out clearly enough that it was the complete insensitivity to the copilot's doubts, and to his veiled and timid pleas for help, that was the root of all this trouble. The pilot, with much more experience, just sat there completely unaware and without any realization that the copilot was desperately asking for friendly advice and professional help. Even if he (the pilot) had gruffly grunted, ‘If you can't handle it, turn it over to me,’ such a response would have probably shot enough adrenaline into the copilot so that he either would have flown the mission successfully or aborted it without incident.” It is this dreadful, veiled indecision that seems to seal the disaster: the copilot tentative, uncertain, questioning, as indeed he should be, yet trying to hide it, and ending up dead in the Potomac. 

p.187
Likewise, many more accidents occur when the pilot and copilot are flying for the first time together (45 percent of all accidents, while safe flights have this degree of unfamiliarity only 5 percent of the time). 

pp.187-188
The notion is that the copilot is even less likely to challenge mistakes of the pilot than vice versa, and especially if the two are unfamiliar with each other. 

p.188
   Consider now an interesting case from a different culture. Fatal accident rates for Korea Airlines between 1988 and 1998 were about 17 times higher than for a typical US carrier, so high that Delta and Air France suspended their flying partnership with Korea Air, the US Army forbade its troops from flying with the airline, and Canada considered denying it landing rights. 

p.188
An outside group of consultants was brought in to evaluate the problem and concluded, among other factors, that Korea, a society relatively high in hierarchy and power dominance, was not preparing its copilots to act assertively enough. 

p.188
In any case, since intervention, Korea Air has had a spotless safety record. The key point is that hierarchy may impede information flow--two are in the cockpit, but with sufficient dominance, it is actually only one. 

p.189
The solution was very simple. Empower nurses to halt an operation if the surgeon had not washed his hands properly (until then, 65 percent failed to do so). Rates of death from newly contracted infections have plummeted wherever this has been introduced. 
 
p.194 
(If accidents were not isolated incidents, we would not get on airplanes.) 

p.194 
The fiction is that the FAA represents the so-called flying public; the truth is that it represents the financial interests of the airlines and represents the general public only reluctantly and in response to repeated failures. 

p.194 
ice overpowers the pilots; airlines overpower the FAA

p.195
   This was an accident that did not need to happen. This kind of airplane (ATR 42 or 72 turboprops) had a long history of alarming behavior under icing conditions, including 20 near-fatal losses of control under icing conditions and one crash in the Alps in 1987 that killed 37 people. Yet the problem kept recurring because safety recommendations were met by strong resistance from the airlines--which would have to pay for the necessary design changes--and the FAA ended up acting like a biased referee, approving relatively inexpensive patches that probably reduced (at least slightly) the chance of another crash but did not deal with the problem directly. As one expert put it, “Until the blood gets deep enough, there is a tendency to ignore a problem or live with it.” To wait until after a crash to institute even modest safety improvement is known as tombstone technology. 

p.196
The deeper changes are the more threatening because they are more costly. They require more of our internal anatomy, behavior, and logic to be changed, which surely requires resources, may be experienced as painful, and comes at a cost. 

p.197
Rather, the passengers know they have a 0.99999 chance of being perfectly safe even if they do nothing. Let someone else pay. 

p.197
The point is that for trivial sums of money, the airlines routinely put passengers at risk. 

p.198
In pursuing a path of denial and minimization, the FAA traps itself in a world in which each successive recommendation concerns more and more pilot behavior than actual aircraft design changes. Thus does self-deception lay the foundations for disaster. 

p.199
matching passengers with bags (routine in Europe at the time)

p.199
The key fact is that there is an economic incentive to obscure the truth from others--and simultaneously from self. 

p.200
So his administration had a particular interest in focusing only on the enemy, not on any kind of missed signal or failure to exercise due caution. 

p.201 
Once the United States reached the moon, NASA was a $5 billion bureaucracy in need of employment. Its subsequent history, Feynman argued, was dictated by the need to create employment, and this generated an artificial system for justifying space travel--a system that inevitably compromised safety. Put more generally, when an organization practices deception toward the larger society, this may induce self-deception within the organization, just as deception between individuals induces individual self-deception. 
   The space program, Feynman argued, was dominated by a need to generate funds, and critical design features, such as manned flight versus unmanned flight, were chosen precisely because they were costly. 

   (Trivers, Robert., The folly of fools : the logic of deceit and self-deception in human life / Robert Trivers., 1. self-deception., 2. deception--psychological aspects., 3. deception--social aspects., 2011, 153.4, )
   ____________________________________
General Principles of Systems Design
Gerald M. Weinberg
Daniela Weinberg
formerly titled On the Design of Stable Systems
1979
pp.159-162
([
The Structure-Regulation Law says the following:

     Stability is made possible by the process of regulation; regulation is made possible by the existence of stability., pp. 157-158

     But system parts don't just remain stable without reason. It is incessant process of REGULATION that keeps them stable. But conversely, it is their stability--their structure--that makes regulation possible in the first place!, pp. 157-158
])
       For the purposes of mathematical modeling, we may PRETEND that these hidden "somethings" aren't there, just so long as we don't forget the Structure-Regulation Law. But from an engineering point of view, there's no particular reason to distinguish the numbers in the matrix from the numbers in the vector. ANYTHING that changes any part of the system is a potentially ([potentially, NOT actual]) damaging "input." The matrix part in a linear system seems PARTICULARLY vulnerable to such change.
       When engineers or social planners build their linear idealizations into physical realities--a communication network, a chemical processing plant, a traffic control system, or a health-care delivery system--they must plan that the components will never be quite so fixed as their linear model had to assume. Resistors change in the value or "drift" over time. Valves get sluggish or don't quite close. Timing relays([electrical systems, electronics systems, micro electronic systems, electro mechanical systems]) sometimes skip a step, or  "bounce" and introduce an extra step. Patients take all their pills at once, or use a suppository as a pill.
       Quite often, the difference between a successful and unsuccessful engineered system is precisely in the successful system's low sensitivity to real-world "accidents" or "decay." Usually, the designer has to sacrifice some "efficiency" to get such structural stability, and the system may not seem to do such a good job when working. But if it keeps working when alternative systems fail, it may be the only POSSIBLE system for us to consider applying in a critical situation.
       Probably the greatest single cause of computer system "disasters" lies in the failure of their designers to consider structural stability. Simple calculations are made to show the "feasibility" of the new system, then these calculations are refined to show how every last drop of "efficiency" will be squeezed out. Unfortunately, structural stability is never considered in these "refined" calculations, so it([structural stability]) may be squeezed out along with the efficiency drops. Things run so efficiently that the designers win awards. Then comes the first "structural" failure, usually blamed on the operators, rather than the designers.
       But it is the designers who--in for the glory--have forgotten to consider the Structure-Regulation Law. The prudent designer-- the true systems thinker--will interrupt thoughts of glorious "efficiency" long enough to ask, "What regulates the structure matrix?" Even more generally, the designer will put the Structure-Regulation Law into the form of a question paraphrasing the old Roman dictum:

       "Who regulates the regulator?"


...

In fact, potential systems thinkers might test themselves by asking a few "simple" questions, such as:

                             "Do plants move?"
                             "Do rocks move?"

Those who fail this part of the test might try spending some time in the woods with a copy of Walden--for quiet contemplation of the environment.
       The physical structures in our environment do move in response to forces acting on them, though the magnitude and time scale of their movement may be out of range of our casual observation. Even the pressure of a hand on a wall moves that wall, as can easily be detected with an interferometer. When the wall moves, its state changes, but within a range acceptable to us. When we remove our hand, the wall may move  back, either all or part of the way. Because the movement is so small, and because many leanings will not accumulate much distortion in the wall, we simply imagine that the wall is "solid" and stationary, that it does not regulate.
       Perhaps the most striking evidence of regulation by "solid" objects comes when that regulation fails. A wall falling is most spectacular, but a more impressive demonstration may be seen, for instance, on the steps of ancient temples. For the steps, the regulatory problems posed by a  single humble pair of human feet or knees is not great, and the builders of the temple probably thought that their granite was immortal. But, over thousands of years, and millions of feet each year, the steps begin to show that they cannot quite--on this time scale--perform the regulatory job for which they were built. Crumb by crumb, step by step, they turn to dust and are carried off by the wind.


General Principles of Systems Design
Gerald M. Weinberg
Daniela Weinberg
formerly titled On the Design of Stable Systems
May 1979
   ____________________________________

 • After visiting with Mother Teresa [Agnes Gonxha Bojaxhiu 1910─1997], 
Jampolsky asked if he could fly with her on her
way to Mexico City. With a gentle smile, she
replied, “...I would have no objection about your
joining me . . . . But you said you wanted to learn
about inner peace. I think you would learn more 
about inner peace if you would find out how 
much it costs to fly to Mexico City and back, and
give that money to the poor.” 

Compact Classics
Volume I

copyright © 1992
Compact Classics, Inc.

Lan C. England, Publisher
Stevens W. Anderson, Editor

Compact Classics, Inc.
P.O. Box 526145
Salt Lake City, Utah
84152-6145


Love is letting go of Fear
by Gerald G. Jampolsky, M.D., 
Celestial Arts, Berkeley, CA., 1979

     “There must be another way to go through life
besides being pulled through it kicking and screaming.”
says Hugh Prather. Gerald Jampolsky agrees. A
former heavy drinker who denied responsibility
for his own emotions and actions, Jampolsky overcame
his bouts of depression, guilt and anger by
finally recognizing the source of his feeling. He
found, however, that to follow life's “better path”
required of him a willingness to change his goal.
     Most of us want to rid ourselves of pain and
frustration and experience peace of mind, but, at
the same time, we want to control and predict
future events and maintain our old self-concept.
Consequently, we resist any real change or human
contact and continue to feel isolated and unloved.
     Jampolsky's book is a compilation of therapeutic
methods and practical applications for 
making a “personal transformation towards a life
of giving and Love, and away from getting and
fear.” We can dissolve fear, it says, through consciously
establishing peace as our goal and forgiveness
as its vehicle.

Preparation for Personal Transformation
     What is real? Too often we accept feedback
from our physical senses as the only “reality.”
However, ‘love’, though intangible, is real; and so is
the fear (ego, 'I'(Ich)) that frequently thwarts love.
     Our minds constantly replay all our memories,
like a videotape. Included are tons of distorted
and obsolete guilts and fears, which squeeze 
out the joy of the present. But “Love is letting go of
fear.”
     Even in the present, our priorities frequently
become scattered and filled with conflict, as we
try to juggle too much at once. But by choosing a
single life goal - that of inner peace - we become
better able to focus our energies. Peace of mind,
however, demands mind control. Judging people
comes naturally; it's more difficult to love them.
Yet, if we start by ‘forgiving’ them, it will become
more and more apparent that “other people do not
have to change for us to experience love and peace
of mind.”
     Jampolsky offers several “themes to live by,”
centered around peace of mind, forgiveness, inner
direction and active choice. He asks us to “retrain”
our minds; to make active choice and “self-examination”
a daily habit: ‘Do I choose to find love or find
fault? Do I choose to be a love giver or a love seeker?’

Ingredients of Personal Transformation
     ‘We are what we believe.’
     ‘We are always expressing either love or fear.
Fear is really a call for help ... a request for love.’
     ‘Fear and love can never be experienced at the
same time . . . . By choosing love more consistently
than fear, we can change the nature and quality of our
relationship.’
      Such “true concepts,” if we are mindful of 
them, allow us to shake negative thoughts and
feelings.

Lessons for Personal Transformation
     Below, in brief, are some of Jampolsky's
lessons and examples, designed to help us apply
true principles of inner peace.

Lesson: All that I Give is Given to Myself.
“I was mistaken in believing that I could give anyone
anything other than what I want for myself. Since
I want to experience peace, love and forgiveness,
these are the only gifts I would offer others...”
     After visiting with Mother Teresa, 
Jampolsky asked if he could fly with her on her
way to Mexico City. With a gentle smile, she
replied, “...I would have no objection about your
joining me . . . . But you said you wanted to learn
about inner peace. I think you would learn more 
about inner peace if you would find out how 
much it costs to fly to Mexico City and back, and
give that money to the poor.” Hers was a powerful
lesson in giving and receiving.

Lesson: Forgiveness is the Key to Happiness.
“I cannot forgive myself unless I am willing to forgive
others ...” Bitterness is a mixture of distorted
perceptions. And holding grievances or
speaking condemning words doesn't help anyone;
it only brings more bitterness. But forgiveness
opens new doors in both hearts. Neither “guilt”
nor “innocence” should play a part in our forgiveness.
     On one occasion, Jampolsky consciously
determined to bury his long-kept anger over a 
client's unpaid bill, informing him that no more
bills would be sent. Surprisingly, the man paid the
money, and Jampolsky was able to give it to someone
who was in real need. Thus, by the vehicle of
forgiveness, many hearts were healed.

Lesson: I Am Never Upset for the Reason I Think.
It's easy to presume that “the outside world is the
cause and we are the effect.” But this thinking is
backwards. The world doesn't “cause” feelings.
“Peace of mind begins with our own thoughts and
extends outward.”
     All negative feelings (jealousy, anger, 
resentment, etc.) in reality represent some form of
fear. And fear frequently triggers other problems.
Back pain is sometimes a manifestation of harbored
hatred or envy, for instance. So, “...whenever
you are tempted to be fearful, remind
yourself that you can experience Love instead.”

Lesson: I Am Determined to See Things Differently.
A “fearful past will extend into a fearful 
future,” making us feel vulnerable and out of 
control. This cycle of fear holds the assumption
“that anger occurs because we have been attacked.
It also assumes that counter attack is justified...”
But we are not robots; we are free to follow our
inner guidance and respond with understanding
and love.

     Jampolsky once was put in the position of
saving a tubercular woman's life by giving her
mouth-to-mouth resuscitation. Where before he
had felt “attacked” by his patients and lived in
continual fear of catching the dreaded disease,
now it suddenly dawned on him that he had just
learned a valuable lesson: “... When I was totally
absorbed in giving, I felt no fear.”

Lesson: I Am Not the Victim of the World I See.
“Attacks” originate in the mind. Replace thoughts
that others are hurting you with love thoughts.
“To be consistent in achieving inner peace, we
must perceive a world where everyone is innocent
... I can see the world differently by changing my
mind about what I see.”
     Often, as we go through our maturing processes,
we also tend to learn the art of distrust. We
become paranoid of life itself, not to mention 
distrustful of others (work associates, sales clerks,
car dealers, etc.).  But when we let go of this sense
of “victimization,” then our relationships become
based on genuine respect and love.
     Joe, a 15-year-old boy whose head was
run over twice by a tractor, was left blind and
paralyzed. How does he maintain his optimism? “Oh,
I just look at the positive things in everyone - and
pay no attention to the negative things, and refuse
to believe in the word, 'impossible'.” Joe refuses to
feel sorry for himself, and miracles have followed.
“He could feel that the world had dealt him a horrible
blow. However, he chooses peace instead of conflict.”

Lesson: Today I Will Judge Nothing that Occurs.
“Tunnel vision”: it makes us prone to “pigeonhole”
people upon first meeting them. “We just see 
a fragment of a person and our mind often interprets
what we see as a fault.” Faultfinding is a habit; 
but focusing on the strengths of others is 
also a habit. “See everyone you meet or think of as
either extending love, or as being fearful and
sending out a call for help, which is a request for
love.”
     For example, in a restaurant we might feel
inclined to correct (attack) a rude waitress. If,
instead, some voice whispered the truth in our ear
- that the waitress' husband had died two days
before, or that she's worried about finances, or
that her oldest child was recently arrested for
dealing drugs - then we could see the waitress,
not as rude, but as fearful and calling out for love.
With any person, we have the innate capacity for
unconditional love. The highest gift we might be
capable of offering is to overlook his or her 
weaknesses and demonstrate total acceptance.
 
Lesson: This Instant is the Only Time There Is.
As experienced adults, we may find ourselves continually
recycling old judgments, vulnerability and 
guilt. To break this distorted cycle, we must look
upon the past as “archeological garbage” with no
recycling value. “The past is over ...” Peace is 
found “only in this instant.” But in order to concentrate
on the present, we must release “others
and ourselves from all the errors of past pain and
suffering.”
     The exasperated parents of a chronic 
schizophrenic 35-year-old son once asked
Jampolsky how they could apply the principles of
love. “Spend as much time as you can before
tomorrow ridding yourself of all the past, painful,
guilty, fearful thoughts and experiences you have
had with your son,” he responded. “Release yourselves
from any guilt you have about your son's
condition.” He urged them to imagine themselves
stuffing their built-up pain into a trash can
attached to a yellow helium balloon, and letting it
float away. “Pay attention to how much lighter
you feel. ...Look past what your eyes and ears
report. Choose to see your son only through the
window of Love...” Soon after, the parents wrote 
to say that day they “experienced the most
peaceful visit with their son they had ever had.”

Lesson: I Could See Peace Instead of This.
Is your happiness or unhappiness based on events or
people or “luck”? It is a natural response to use 
blame as defense, absolving ourselves of responsibility.
But when we see the bits and pieces of a fragmented
world, it is only a reflection of the chaos we see
in ourselves. “Peace of mind is an internal ... matter.”
Accordingly, “whenever you feel that your
peace is threatened by anything or anyone,” repeat
in your mind, “I could see peace instead of this.”
     In sickness, for example, each of us has the
tendency to focus only on our own discomfort -
and we complain loudly to reinforce our hopelessness.
Jampolsky suggests, rather, that we direct
our minds away from our bodies and center all of
our attention on serving others. By doing this, we
cease to see our own suffering, finding meaning in
the maxim, “To give is to receive.”

Lesson: I Can Elect to Change All Thoughts that
Hurt. One technique to leaving worries and problems
behind is to retreat from them. Visualize
yourself in a favorite hideaway. Imagination,
selectively released, often brings about fresh
solutions to problems. Still, remember: “We are 
never presented with lessons until we are ready to learn
them.”
     Jampolsky perceived a club-wielding psychiatric
patient, “gone berserk” one day, as a personal
threat. The patient was scared; but when the
doctor openly admitted that he too was frightened,
a “common bond” was created between the 
two, and they were able to compose and help each
other.

     One final, brief Lesson - “I Am Responsible
for What I See” - capsulizes ‘Love is Letting Go of 
Fear’:

     ‘I Am Responsible for What I see’
     ‘I choose the feelings I experience, and I decide
             upon the goal I could achieve.’
     ‘And everything that seems to happen to me.’
     ‘I ask for, and receive as I have asked.’

     ‘Teach only Love for that is what you are.’




  <------------------------------------------------------------------------>   
No part of this publication may be reproduced, stored in, or introduced into a retrieval system, or transmitted, in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), without the prior permission of the publisher.  

NOTICE: In accordance with Title 17 U.S.C., section 107, some material is provided without permission from the copyright owner, only for purposes of criticism, comment, scholarship and research under the "fair use" provisions of federal copyright laws. These materials may not be distributed further, except for "fair use," without permission of the copyright owner. For more information go to: http://www.law.cornell.edu/uscode/17/107.shtml
   ____________________________________