Indulge an aging Sherm with a read of this little ramble please. I haven’t had time to edit, focus and re-write but I do think there’s some good points in this if you have the time to look closely. Hope so. Now read on………
One of the phrases often used in management circles these days is “pressure testing”. It, in many of those circles, is an amateurish phrase derived from the far more rigorous world of engineers, people like boilermakers, mining and submarine engineers etc. In that world it actually means something. I watched “Das Boot” a few nights back and saw the reality as the U-Boat had to get way below design depths to escape an attack. They had their “Red Line” on the depth gauge, then the design structural limit, then the limit of the gauge and then beyond that the structure itself started to scream that it was near its absolute limit, as with all the right creaks and groans from a tortured hull the leaks started. Even then though the boat just held together. So-the ultimate “pressure test” worked, as did the capabilities of the experienced crew who manned the boat.
D.P. Davies (of “Handling the Big Jets”) once wrote that in all his aircraft testing and approval he was aiming to be sure that an aircraft and its procedures were safe for the life of the aircraft when flown by below average crews on a below average day. The certainly would be what Sherm would expect to see when inspecting a CAR 217 Training organization or approving a new type certificate or AOC amendment. Even in “Handling the Big Jets” itself you read that Davies believes there is nothing inherently frightening about the tasks involved in flying because the aircraft are certified to robust standards with lots of redundant capability. Certainly in Sherm’s beloved 777 there is so much redundancy that few if any pilots would ever actually reach the end of the envelope. Even in the terrible BA fuel icing crash the structure worked and the passengers and crew got out. Similarly the Air France 340 crash at Toronto…….a well trained crew did get all the pax out of the exits in about the required 90 seconds.
So….where’s the lesson and the moral guidance in all of this? Hopefully there’s no need to go further for the professionals who are reading this. But for others who haven’t actually ever been strapped up in the front left hand seat of something where the price of error could be the blood hundreds of innocents let me go on….
There is a world where it is acceptable to design something, a system or program, build it or implement it, and wait until it “springs a leak” to see where the flaws are then fix it. That sort of reactive strategy might work for example when building a rabbit hutch (unless the rabbit was dear to some little heart), when figuring out how many sausages you need for the footy club BBQ or even something much bigger like a program to offer free Australian flags to every household in the country. In each case if you get it wrong, how bad could it be….just fix the problems as they show up. Get another rabbit, buy more beer, make more flags.
In World War 2 it was so important on all sides to keep the production lines going that even dodgy designs got into production and then were scrapped or relegated to training or target towing because there was not enough time to fix things before they happened. "Build first, fix afterwards" was OK and an acceptable risk and indeed produced some wonderful aircraft after initial disasters.
However, the above most certainly does not apply today to many, many areas of life especially things like designing an Intensive Care Unit, a dam wall, a subsidized roof insulation program!!, and most importantly for we in aviation, it
DOES NOT WORK AND NEVER WILL in the management of aviation safety.
Now, before the BCG analysts who might read this have a collective fit. This does not mean to build so much costly redundancy into a system that it can never fail. No. Those days are gone and we all understand the need for actuarial assessments and engineering calculations to assess what is in fact the design limit and beyond that, the actual absolute failure limit. Sensible, even aggressive, cost management is good stewardship and good management. No problems with that at all.
But there are limits: as all sensible professionals know.
An airline is an organism, not just an organization chart. It needs to be designed for robustness so that for example, the Operations Centre can manage two separate crises (e.g. the Icelandic volcano ash over Europe, and a cyclone threatening massive diversions to alternates on the other side of the world. All while running the rest of the operation well. That comes from the fundamental design philosophy, embedded in the inspections for the issue and renewal of an AOC. That cannot come from routinely operating at the edge of the envelope.
Reports from crews are not an “Early Warning System”. They are “after the fact” indicators of whether the system designers need to rebuild or strengthen. They are NOT a substitute for doing it right first time. In many cases the report will not be of any use at all to the airline, the damage will be already have been done.
On 11 May 1996 Valujet got an “early warning” that its procedures for supervising the carriage of oxygen generators was inadequate. The warning was in the form of the Purser screaming to the crew that “the galley floor is getting hot”. Minutes later they were all dead.
Here’s a transcript of the “early warning” that Alaska Airlines got over the adequacy of their changes to the MD-80 stabilizer lubrication program, an "early warning" to the inadequacies of Alaska and the FAA which involved the killing of 88 passengers and crew:
Ok, we are inverted... and now we gotta get it….
1619:59
CAM-1 push push push... push the blue side up.
1620:14
CAM-1 push.
1620:14
CAM-2 I'm pushing.
1620:16
CAM-1 ok now lets kick rudder... left rudder left rudder.
1620:18
CAM-2 I can't reach it.
1620:20
CAM-1 ok right rudder... right rudder.
1620:25
CAM-1 are we flyin?... we're flyin... we're flyin... tell 'em what we're doin
CAM-1 gotta get it over again... at least upside down we're flyin.
1620:40.6
CAM [sounds similar to compressor stalls begin and continue to end of recording]
1620:49
CAM [sound similar to engine spool down]
1620:54
CAM-1 speedbrakes.
1620:55.1
CAM-2 got it.
1620:56.2
CAM-1 ah here we go.
1620:57.1
[End of recording]
OK….here’s the point. To get and hold an AOC management are required to have a robust and functioning organism which meets at a minimum the black letter rules and also functions well no matter what stresses and strains come. Simply saying that
“We don’t get many reports complaining of fatigue” is not remotely connected to adequately fulfilling the responsibilities required of AOC Post Holders.
ICAO document 8335 “Manual of Procedures for Operations Inspection, Certification and Continued Surveillance” sets out the world standard:
“The operator has a responsibility for the safe conduct of operations and for compliance with any laws or regulations which the State of the Operator may promulgate. These laws and regulations, which are the means by which the State implements the provisions of the Annexes, are not in themselves sufficient to provide the operator with comprehensive and detailed instructions on which to base an operation. The responsibility for the development of operating instructions necessary for the safety, regularity and efficiency of an operation therefore rests upon the operator”
Note the two parts: must operate safely AND be compliant. The written limits are not enough. They are not operating norms. Never were meant to be. This is why 8335 says:
“A sound and effective management structure is essential. It is particularly important that the operational management should have proper status in the organization and be in suitably experienced and competent hands”
When that little yellow canary in the cage stops singing and starts to waver, its already time to leave the coal mine. It is not time to have a management meeting to see what to do next.
Monitoring symptoms is of course a necessary part of airline management.
BY ITSELF IT WILL NEVER BE ENOUGH.
Safe flying
Sherm