Philosophy of Flight Safety
Some ruminations on the philosophy of safety, professionalism and how we understand accidents.
Most of us in the business of flying airplanes easily recognize the narrow-minded, myopic approach to safety that is captured here, and the historically aware might also recognize a Victorian tone that dates the original construction of this axiom back to World War I or slightly earlier. We could easily dismiss it as quaint. But I think that too quick a dismissal underestimates the impact that this axiom has had on the history of our own work in safety and the paradigms that go with that work. Rather, a careful unpacking of the axiom is worth taking some time to do.
There are probably some pretty deep cultural undercurrents at work in this axiom. It is hard to overlook that tone, which subtly flavors the accident as a fall from grace, suggesting that whether an airplane crashes or not is largely a matter of free will. Indeed, I suspect the axiom is rooted in the broader social and religious thinking of the era, which tended to emphasize the role of free will in overcoming inherent depravity. At the time, this thinking was being steadily challenged by accelerating technology, the science that lay behind that technology, and the increasingly irrefutable role of determinism in that science. The frequent failures of early technology presented powerful emotional trials to society...witness the crash of TWA 599 on March 31, 1931, which cost the life of Knute Rockne, among others... particularly since the deterministic aspect to causality made the control of that causality more and more complex.
Yet the accident reports of the same era do not consistently reflect the tenth axiom at all. In the Rockne crash, the investigation centered on poor glue application during the lamination process of a wooden wing spar, and steered away from questions regarding the pilot's decision to depart, although that decision was debatable. In other accident reports, there are as many references to poor judgement as there are to newly understood technical phenomena, such as icing, radio range failures, and weather conditions seriously different from those forecast. Indeed, there are even some rather fantastic technical explanations...one of my favorites was the DC-3 crash near Lovettsville, Virginia in 1940, in which one of the hypotheses suggested that the concussion resulting from a nearby lightning strike had "smashed in" the windshields.
As it happened, a few years before my edition of the Flight Instructor's Manual came out, Jimmy Doolittle managed to destroy a brand new Lockheed Vega after he had loaded it up with his family and all their worldlies and then attempted to take off, overweight, from the rutted frozen mud of Mitchel Field. Not too long afterward, he snapped the ailerons off of a highly modified Travel Air while tooling down the runway with more airspeed than altitude...the modifications were not as well thought out as they might have been...leading to yet another successful parachute deployment. Of course both of these events took place some time after his first parachute jump, made after he pulled the wings off of a Curtiss P-1 Hawk fighter when attempting an outside loop, a maneuver coincidentally prohibited by his commanding officer. Although he himself made no excuses about these events in his autobiography, at the time he was considered rather capable and competent, having, after all, just demonstrated flight solely by reference to instruments. He had to have been something like that when he released the brakes on the lead B-25 off the deck of the Hornet.
Within two years of its publication in my copy of the manual, the tenth axiom was severely tested in the cauldron of World War II. Thousands of pilots, some perhaps marginally capable or even minimally competent, lost their lives making a somewhat more profound moral argument than one advocating the role of free will in preventing airplanes from "cracking up". In the meantime, on the home front, extensive research was being done to investigate such topics as pilot skill, judgement, and emotional control. In 1939, the Civil Aeronautics Authority was examining the relationship between breathing patterns and personality, with a view toward identifying the more extroverted candidates, characterized by one researcher as possessing "such features in their daily lives as simultaneous interests in a number of business enterprises, frequent entertainment, lack of interest in abstract thought, hearty dispositions and carefree attitudes"...a remarkably prescient description of an airline pilot if ever there was one. By 1943, the University of Rochester was researching "The Ability to Take It", which has always seemed to me a bit of a Bogartian title for a research paper, but nonetheless consisted of evaluating several different techniques for measuring human resistance to pain and fatigue, among them a continuous electrical shock of increasing voltage or having a wedge slowly clamped down between one's knuckles. Eventually, the shock technique, along with a procedure for measuring how long a man could hold sixty percent of his maximum grip strength, was recommended for further study. The knuckle wedge idea was dropped.
A serious question might have been asked, and apparently was asked at some point, about how many of the fellows who were actually "taking it" in the skies over Europe and the Pacific at the time of this research would have passed the shock test. I suppose the grip test might have been useful for trying to figure out whether a pilot candidate would be able to hold onto the cockpit window frame while reaching back into a disintegrating B-17 to grab the parachute that he had overlooked when climbing out, as was claimed in at least one instance. No doubt the breathing patterns of pilots who were being shot at could be of interest, particularly the "unconscious vocalizations" that CAA researchers had earlier associated with the more "extroverted" research subjects. I'd be willing to bet that some of the more introspective combat pilots, previously thought to be inclined toward a quieter form of "visual phantasy thinking", may have exhibited a few unconscious vocalizations as well. In any event, these kinds of studies characterize the type of shot-in-the-dark research done during the pre-war and war periods toward methods of identifying that select group of human beings who were more naturally inclined to never allow an airplane to crack up.
In his book "The Psychology of Flight", published in 1950, Alex Varney goes into exhaustive detail about the disastrous effects of unchecked emotion, describing a bevy of behaviors that, when read in a contemporary context, seem far more likely to appear in illegal street drag racing than aviation. I don't think he seriously believed that a pilot attempting to fly the Atlantic would actually start off in the opposite direction in order to buzz the blonde working in the cigar factory, and then descend halfway across the ocean to circle a couple of icebergs, consequently running out of gas short of the destination. Nonetheless, examples of character weakness such as these, and his emphasis on the proper use of free will to overcome such weakness, continue to resemble an echo of that Victorian-era notion of depravity, perhaps now lightly salted with some of the Freudian fascination with the subconscious popular during the first half of the twentieth century. Varney even revisits the ever-recurring notion of accident-proneness, a subset of ineptness containing those folks who, by virtue of clumsiness, absent-mindedness and a general inability to navigate the more Hobbesian aspects of the day, are predicted to have regular accidents. On the other hand he makes the case that a strong character is reflected by the disciplined control of emotional response and the "training" of "reflexes" so that the aerodynamically correct action is taken without thought when faced with debacle. From whence, Steve Canyon.
So the tenth axiom persevered, appearing as late as 1958 in the Pilot Instruction Manual, having been slightly enhanced to state that, "A capable and competent pilot will never allow an airplane to crack up out of control". By this time industrial process management, developing from roots in Frederick Taylor's planning rooms and time-motion studies, had begun to offer the certainty of mathematics to the management of human behavior within organizations. Herbert Simon, building ideas that would shortly introduce the notion of artificial intelligence, believed that human thought could be characterized by mathematically predictable patterns of information processing. Shortly after World War II, Simon had argued that,
"Two persons, given the same skills, the same objectives and values, the same knowledge and information, can rationally decide only upon the same course of action. Hence, administrative theory must be interested in the factors that will determine with what skills, values, and knowledge the organization member undertakes his work."
In other words, a flow chart could be drawn showing how a person would think in any particular situation, and human performance could be predicted and modified deterministically, in much the same way as the operation of a machine might be. With this in mind, the capable and competent aviator could, in theory, be modeled. By carefully managing the aviator's skills and particularly by managing his knowledge and information, his decisions could be predicted and controlled. If accidents could not be eliminated through the autonomous pilot's proper application of free will, perhaps they could be eliminated through management systems that more or less dismissed the notion of free will altogether.
Just a few years after the improved 1958 edition, Chuck Yeager managed to "crack up" the Lockheed NF-104 at Edwards Air Force Base, dropping out of 100,000 plus feet about as out of control as could possibly be achieved. Perhaps a little too much free will pointed in one direction and not enough pointed in the other, and definitely a case of pretty skinny flight safety assessment; nevertheless, it would be hard to describe Yeager as anything but capable and competent. On the other hand, it is probably safe to say that Herbert Simon could have spent the rest of his life trying to model Yeager's thought processes.
Which brings us to the last couple of decades, in which James Reason, among many others, has argued tirelessly that human error is a universal condition. He has distinguished between the "person" approach to safety, which "focuses on the errors of individuals, blaming them for forgetfulness, inattention, or moral weakness", and the "system" approach to safety, which "concentrates on the conditions under which individuals work and tries to build defenses to avert errors or mitigate their effects". In this latter approach he disrupts Simon's notion of consistent human behavior, departing from the attempt to create that predictable, repeatable working environment and instead striving to build a resilient environment which is capable of tolerating inadvertent deviation. In his 2000 essay for the British Medical Journal, "Human Error: Models and Management", Reason explained that in particular, high reliability organizations are "constantly preoccupied with the possibility of failure", which is the first of the five characteristics of a high reliability organization cited by Karl Weick and Kathleen Sutcliffe in their pathfinding work on the subject.
Yet today, we still borrow freely from the tenth axiom and some of the ideas Varney presented when we use terms such as "discipline" and "excellence" in opposition to words like "complacency" and "apathy". On the other hand, we borrow from Simon and administrative theory as we simultaneously create structures designed to manage error, manage risk, and manage culture. Like many disciplines, we have become engaged, perhaps even a bit enthralled, with "big data", and we struggle to understand the single catastrophic outlier that escapes statistical prediction. Events such as Asiana at San Francisco, or the Dreamlifter landing at the wrong airport in Wichita, get caught in the whirlpool between the notions of a capable and competent pilot as described by the Flight Instruction Manual and the contemporary systems management ideas that have evolved from Taylor, through Simon and into the world of big data.
The whirlpool persists in part because the cultural argument over the primacy of either free will or determinism just won't go away, no matter how progressive our analysis. The argument is nearly as old as dirt, and it remains hotly relevant today as neuroscience and other disciplines explain more and more of human behavior from a deterministic point of view, rendering the search for the source of free will even more problematic (though hardly pointless). The argument inevitably stalls on the issue of moral responsibility, and it is here that we debate the role of the system, complexity, and organizational behavior as explanatory in contrast to individual incompetence, willful violations, or the "bad apple" described by Sidney Dekker. To veer too far toward a fully deterministic interpretation is to risk doing away with personal and moral responsibility altogether, dispersing into the so-called "blunt end" on a Simonesque mission to preset the variables to fail-safe values, while inadvertently begging the question of where, along the continuum of systemic determinism, anyone will apply the free will required to effect the management of anything. Reason himself, in later work, has argued that the "pendulum may have swung too far", and that a re-examination of the role of those people at the "sharp end" may be in order.
It is indeed hard to remember, after so many years of administrative theory and systems management, that our capable and competent aviator actually remains a fully autonomous actor in the whole scheme of things. The regulatory obligation is and always has been that the pilot is the final authority as to the operation of the aircraft and command of the crew, no matter how much a whole cast of corporate characters would like to water him down. That authority presupposes a role for free will and transcends the conditions of employment, making the pilot-employee something of a greased pig for all styles of management.
But the whirlpool may also persist because of the structure of thought itself, particularly the ways in which we are constrained to think about accidents as distinguished from how they actually occur. Part of that constraint is obscured by the clarity of hindsight, which we regularly recognize but then just as regularly marginalize, on the notion that it is a previously stipulated, universally recognized condition..."hindsight is twenty-twenty"...or words to that effect. But the impact of hindsight on our interpretation can scarcely be overstated, for the simple reason that, in all cases, you cannot think of a thought until you think of it. This is a genuine conundrum, conditionally but nonetheless thoroughly overwritten by hindsight. We then tend to marginalize this idea as well, while routinely attempting to out-flank it, under the nearly unconscious assumption that the particular thought must actually exist somewhere and is simply not being acquired, usually through a lack of diligence, foresight or will. Sidney Dekker refers to this as a
"...naive Newtonian scientism: total knowledge of the world is achievable; the world is 'out there' as an object entirely separable from observers. People will know the truth if they are fully rational, once the correspondence between the picture in their mind and reality in the world is perfect."
The psychologist Jerome Bruner, in his book "Actual Minds, Possible Worlds", describes what he believes are the two principal modes of human thought: the narrative and the paradigmatic. The paradigmatic mode, Bruner says, "attempts to fulfill the ideal of a formal, mathematical system of description and explanation". It is the language of logical argument. The narrative mode, on the other hand, "deals in human or human-like intention and action and the vicissitudes and consequences that mark their course". A good narrative features a sudden reversal of circumstances, often referred to in literature as a peripeteia. In his paper, "Culture and Human Development: A New Look", Bruner argues that, "These narratives typically depict a canonical state of things and a deviation from that state. Stories are means for making these deviations comprehensible, if not acceptable."
Bruner makes the case that a story has a skeleton. It begins with the canonical state of things, experiences the peripeteia, and this is followed by an action, an attempt to undo the peripeteia. The action is followed by a resolution, either the restoration of the canonical state or its replacement by another canonical state. Finally, the story contains a coda, or a discourse on the lessons learned. Returning to "Culture and Human Development", Bruner says that "narrative seeks to render the ordinary as if it were not only majoritarian but also obligatory, whereas the ultra-ordinary is made to seem optional and subject to choice."
Herein lies the actual constraint on how we think about accidents. The management of risk, of error, and of culture, essentially the entire system approach to safety, is organized and executed within the paradigmatic mode of thought. In the accident investigation discipline, we make a dedicated effort to produce a paradigmatic description of the accident, in order to identify and control the variables that have conspired to align the holes in Reason's cheese. We commit a lot of ink to investigations into oversight, culture, training, and even more specific aspects such as operational control and the approval of supplemental type certificates. Nevertheless, one way or another, we always make time to stop and visit issues of character, as reflected by the flight crew's behavior. It is virtually impossible to separate the details of the accident paradigmatically from the "human or human-like intention and action and the vicissitudes and consequences that mark their course". There is a story there, waiting to be told. The accident is clearly differentiated from routine operations by a peripeteia, a deviation from a canonical state. Our capable and competent aviator is a protagonist, or perhaps an antagonist, depending on one's point of view, in a story that is inescapably interpreted through the narrative mode of thought. And there is always a coda, a moral of the story, usually embedded in the probable cause statement.
Both the paradigmatic and the narrative modes of thought work to create certainty where none exists, either a calculated, repeatable certainty or a certainty derived from comprehensibility, from knowing the whole story from beginning to end. We have a strong need to trust the day...the sun comes up, the sun goes down...and the overwhelming sense of deceit experienced through proximity to a serious accident or its immediate aftermath is demoralizing, heartbreaking and completely fractures any trust in the day that we might have had at breakfast. Such feelings create a powerful incentive to put as much emotional distance between ourselves and the breakdown of certainty as we possibly can. One way of doing that is to isolate the event, place it under a glass case and stare at it from the outside, while developing a narrative structured to remove the sense of deceit, the apparent unpredictability, as well as the irrevocable impossibility of a second chance, and replace them with a mechanical, structured comprehensibility that offers the hope of a sort of do-over, as in I'll never let that happen to me, thereby reinstating trust in the day.
But Bruner goes on to point out that authentic narrative also contains two different landscapes: "One is the landscape of action, where constituents are the arguments of action: agent, intention or goal, situation...The other landscape is the landscape of consciousness: what those involved in the action know, think, or feel, or do not know, think or feel." Consciousness does not lend itself easily to paradigmatic investigation; thus, an accident report is typically pretty long on the landscape of action and somewhat short on the landscape of consciousness. The initial story will usually be rather flat and may not do much to assuage our need for comprehensibility. What we can discern about the participant's state of consciousness may be incomplete, truncated, or worse still, offer absolutely no precursory perceptions that might serve to warn of what we already know about the rest of the accident.
Where was the flaw in the knowledge or thought processes that led to an undesirable aircraft state? Surely there must have been a flaw. What kinds of signposts in those thought processes should we be looking for that will forewarn of such a catastrophic outcome? We'll never know of course, since the crew have ended up, in the memorable words of the fictional Squadron Leader Colin Harvey, "spread from one end of this field to the other like strawberry jam"...and to make matters worse, they foolishly failed to vocalize their entire day's thinking for posterity on the cockpit voice recorder.
But since the tenth axiom, and similar tropes, can introduce an element of presupposition into the narrative, voids in the landscape of consciousness can easily be backfilled to make the narrative work, to make the "deviations comprehensible, if not acceptable". We backfill the landscape of consciousness with what we believe the consciousness must have been, what the participants must have known or felt, and these beliefs are constructed almost entirely from our knowledge of the outcome and from an instinctual suspicion that the crew, in one sense or another, must have fallen from grace.
The subtle, quiet effect of backfilling the landscape of consciousness is that we never doubt our own grip on comprehensibility. We are not in the least bit inclined to consider possibilities that remain incomprehensible, at least to the extent of the available knowledge. It is as though we expect to be able to invert the narrative, casually walk around to the other end of the lens through which we view the past, and look forward into the future, fully anticipating that the lens works both ways. It doesn't; it never has. The morning of the day of the accident looks the same as any other morning; the evening looks like no other evening at all.
In 1978 I was working as a flight instructor in central New Hampshire. On a warm, cloudless, and quite calm summer evening, a friend of many years and I were flying a Grumman trainer a few hundred feet above the terrain to the north of Lake Winnipesaukee, having just flown a practice approach at Moultonboro. We were following a route that would take us to the east of the hills on the north shore of the lake and point us back toward Laconia.
At some point, something went terribly wrong. Despite the absence of any surface winds or forecast winds aloft, I had a strong sensation that we were starting to sink, and it did not appear that we would clear the next ridge. I took control of the airplane, applied full power, and established a climb attitude. This did not appear to help the situation, and I began a long turn to the right, upslope initially but away from the most proximate terrain, with the intention of turning approximately two hundred forty degrees to a downslope route.
I was not successful. The airplane clipped the trees and came to rest deep in the forest, hardly breaking a branch as it fell. The following evening the ELT was picked up by a passing SAS DC-8, and the next afternoon, after about forty-three hours, we were located by a USAF UH-1 Huey, which dropped in a couple of PJs to initiate a rescue. By that time, my friend had passed away. I was in rather serious condition, with shattered ankles and a crushed vertebra as well as serious lacerations, a broken collarbone and a collapsed lung...but, thanks to something like six or seven combined tours dropping out of similar helicopters into the Vietnamese jungle, I was successfully packaged up, lifted through the forest canopy into the old Huey and flown to the hospital to begin a lengthy recovery.
To this day, over thirty-five years later, I still do not know what actually happened. My perception was that we had encountered a downdraft, as I had experienced that before, but I have never understood how that energetic a downdraft would have occurred on such a calm summer afternoon. I suspect that, in the turn, I managed to induce an accelerated stall. The official investigation did not bother with any of those questions, or tear down the engine, or even visit the crash site. They were content with my hospital bed interview and the popular accident report refrain of "failed to maintain flying speed". No kidding.
The narrative mode of thought is dependent on the landscape of consciousness, but the landscape of consciousness will not actually respond to naive Newtonian scientism. Backfill after the fact as we may, the entire frame of thought is hostage to the hidden axiom, so to speak, the axiom that more or less plays the joker in the deck of axioms, trumping all the rest. That axiom says that you will never, ever, not even in a million years, see the one coming that gets you.
Of course you won't. If you saw it coming, you wouldn't let it get you.
This is a pretty unsettling proposition; it has unsettled me for decades. It is a corollary to the idea that you cannot think of a thought until you think of it. The accident cannot be experienced in the narrative mode of thought, because actual comprehensibility is not possible until the narrative is complete, at which point it is obviously too late. The only way we can interpret experience in real time is by correlating a developing sequence of events with one or more known narratives, in order to identify a likely comprehensibility, but to do this we must still make an educated guess as to the outcome. The probability of accurately guessing the outcome improves with experience and education, but it will always require us to make the correct correlation with known narratives, and it will always require us to assume a conclusion not yet in evidence. Acting on that conclusion before it has manifested requires an acceptance of persistent vulnerability, the opposite of certainty, and persistent vulnerability has no place in either the tenth axiom or administrative behavior...or, for that matter, in anyone's trust in the day.
Yet the term "will never" in the tenth axiom is an absolute term, addressing all which has not yet happened, leaving no room whatsoever for errors of perception, presumptively requiring that the aviator, by virtue of being capable and competent, will always see the accident coming, as if he could just eyeball a line of holes right through Reason's cheese. This is the net effect of a lifetime of trust in hindsight, of an entire body of experience built from comprehensibility. In fact, the aviator who actually has the accident, regardless of whether he is capable or competent, is never going to know what hit him.
Herein lies the fundamental flaw contained within the tenth axiom. By creating the impression that the capable and competent pilot will always see the crack-up coming, it also promotes the contrapositive idea. The contrapositive says that, if you reside within the set of capable and competent pilots, then the threats that you see, that you become aware of and can identify, are the only threats that exist. This is precisely what Dekker means by naive Newtonian scientism. Total knowledge of the world is achievable...people will know the truth if they are fully rational...ergo, if you are fully rational, thus capable and competent, then you will see all possible threats.
Yet if the hidden axiom is true...if you really won't ever see the one coming that gets you...then why would that particular shortcoming be limited to the single threat that manifests into an accident? Is that the only threat that you won't see? Is it possible for threats to remain unseen while never manifesting into anything at all? If you won't see the one coming that gets you, is it also possible that you may not see dozens, hundreds, of "ones" coming that go right by you? And if that is true, how can our capable and competent aviator ever hope to apply free will in any way to manage such unseen threats?
One way to do so is by initiating, constructing and maintaining resilience. Resilience is the anti-matter to persistent vulnerability, wild enough to trump the joker. In the cockpit, building a foundation for resilience begins with aggressively protecting the margins.
Margins are typically understood by pilots within the context of aircraft performance. From 1.3 Vso on final approach, to adjustments to Vref on gusty days, to planned reserve fuel arriving over the final approach fix at the alternate, to net vs. gross takeoff performance, through 1.3g cruise altitude capability all the way to 167% of the landing distance...margins are our daily bread.
Yet the concept of margins extends well beyond aircraft performance. Early in the post-war research done on human factors in aviation, Stanley Roscoe identified the concept of residual attention. He said that, "During routine flight operations a pilot's attention capacity exceeds the moment-to-moment demand by varying amounts..." He then explained that "a blunder occurs because the perceptual, judgmental, and motor demands of the moment exceed a pilot's momentary attention capacity." Protecting the margin of residual attention is critical, and is precisely what rules pertaining to such things as a sterile cockpit are aiming at.
Indeed, the concept of margins is much, much broader still. Rene Amalberti, the original head of human factors and flight safety at the European Joint Aviation Authorities, has pointed out that "workers operate within an envelope of possible actions which is influenced all the time by wider organizational and social forces". The capable and competent aviator of today is suspended somewhere between the Tayloristic, one-best-way prescribed procedures, a need for efficient, expeditious application of labor, and the struggle, in a proceduralized world, to retain an identity of craftsmanship, of artisanship really, through the application of free will. From a utilitarian perspective, it can be very easy to conflate economic efficiency and expeditious labor with craftsmanship, but this is misleading; the former is simply one of several outcomes resulting from the latter. Further, the "lack of interest in abstract thought, hearty dispositions and carefree attitudes" noted by the CAA in 1939 can promote an almost Yeager-esque, right stuff understatement of risk. The tension between these three ideas creates a drift, beginning at what Amalberti calls the "initial safe space of action", and migrating toward the "borderline tolerated conditions of use", the absolute edge, a position which appears to optimize efficiency and economic benefit while retaining an acceptable level of risk, but beyond which there is no further margin, no safe space of operation at all. Conveniently, these days the drift toward borderline tolerated conditions of use is monitored by flight operations quality assurance (FOQA) programs...but a FOQA flag comes to this point rather late in the game. It is the drift that must be constrained from the outset, indeed zeroed out to the extent possible, in order to protect the margin, because the margin is the foundation on which to build resilience.
Amalberti describes the initial space of safe operation as "designed to operate according to a set of rules and procedures with...many constraints and fail-safe procedures...introduced to act as defenses against error and violation and constrain the limits of human action". In other words, standard operating procedures define the centerline of the safe operating space. Standard operating procedures construct margins that can absorb variation in external influences, random deviations and normal imprecision. Well designed procedures are constructed with carefully crafted error traps built into them; these error traps are designed to capture the inadvertent excursions into the margins, first arresting and then ejecting human error harmlessly over the side. We track the centerline of the runway for a reason. While nothing particularly bad will happen simply by landing with the right main wheels to the left of the centerline, something rather different may occur when the left main tires and/or brakes fail, which of course, we will have no reason to see coming, or perhaps a wind gust combines with less-than-stellar tire friction and directional control. We track the centerline to remain centered within the safe space of action, and protect the seventy-five-foot margin between where we are and the rather pronounced "borderline tolerated condition of use"...the edge of the pavement. Resilience is constructed upon a foundation created by protecting the margins, tracking down the centerline, so to speak, of the safe operating space.
The margins, when they are engaged, function more or less in the dark, which is not the same thing as saying they function in a vacuum. This is a real fly in the ointment for the bean-counting population, themselves stuck in a paradigmatic mode of thought, their own version of "naive Newtonian scientism", because they cannot measure the success of safety, or the value of the investment in safety, without being able to "see" at least a representative sampling of these unfulfilled catastrophes. Pilots, too, can easily misinterpret excursions into the margins, beginning with the premise that any landing you can walk away from is a good one.
Procedures are, of course, eminently malleable, and thus become irresistible to management as tools for the exertion of control over employees, obfuscating the true role procedures play in the work of constructing and protecting the margins. The almost reflexive response to a mishap in an audit-centered universe is to install one more line of code, still banking on Simon's premise of tweaking "the same knowledge and information" so that "Two persons...can rationally decide only upon the same course of action."
On the other hand, a willful imposition of drift toward the borderline conditions can be used as a means of usurping top-down control and preserving an identity of craftsmanship. In conventional human factors parlance this willful imposition of drift is made up of routine and optimizing violations. In fact, rather than demonstrating craftsmanship by artfully bending and folding procedures, the craftsmanship inherent in professional airmanship actually lies with the skill used to track squarely down the centerline of the safe operating space when organizational and social forces exert strong pressure to drift over somewhere near the edge, the borderline tolerated conditions of use.
When I'm having a particularly irreverent day, I've always thought that the real goal of a professional pilot is to arrive at the Pearly Gates, checking in for eternity, and find yourself standing in line just ahead of one of those bean-counters. The fellow at the desk checks off your name, and as you are about to step through the Gate, he says, "Hey, hang on a minute. We've got something for you...". He reaches into a cabinet behind his desk, pulls out a fat roll of newsprint, reaches across the desk to hand it to you, in so doing inadvertently clubbing the bean-counter in the back of the head. The roll of newsprint turns out to be about a hundred yards long, containing line after line of ten point font, each line a description of every disaster that did not happen because of your lifetime of meticulous airmanship.
Alas, in the earthly scheme of things, a more practical axiom, one that we could use to replace the classic tenth axiom, may be that offered by Karl Weick in his study of high reliability organizations, when he said that, "Reliability is a dynamic non-event".
So how does our meticulous pilot facilitate a dynamic non-event? Start by not misreading James Reason. We work in a complex, highly deterministic system, while remaining entrusted with an almost completely autonomous free will. A system approach does not obviate the pilot's singular responsibility as the final authority over the operation of the aircraft. As a first guideline, we can use that authority in a manner to establish and preserve resilience.
Resilience, at the organizational level, is defined by Weick as the organization's "capability to investigate, learn, and act without knowing in advance what they will be called to act upon." This definition is easily migrated to the individual and crew levels. Weick expands his definition to say that resilience is the "capacity to do quick study, to develop swift trust, to engage in just-in-time learning, to imagine detailed next steps, and to recombine fragments of potentially relevant past experience."
In Weick's model, a commitment to resilience is one of five basic tenets, and it is strongly supported by the preceding three: a preoccupation with failure, a reluctance to simplify, and a sensitivity to operations. It is augmented by a fifth tenet, a deference to expertise. These comprise the principles of a high reliability organization, but the ideas that lie within them are powerful tools for individual strategy toward facilitating a dynamic non-event, as well as a strategy applied to the cohesive behavior of the cockpit and cabin crew.
Beyond the establishment of resilience, we can use the authority vested in the pilot-in-command to effect four additional important principles. We can use our authority to consistently practice prudence, to replace the misinterpretation of experience with mindfulness, and to anticipate the threat posed by the normalization of deviance. Perhaps most importantly, in order to ensure that there is room for resilience to function, we must use our authority to protect the margins of the safe operating space.
And from the outset, we can anchor the execution of that authority by understanding when, and how, to say no.