[The following piece is transcribed verbatim from “A Demon of Our Own Design”, by Richard Bookstaber. It's one example of complexity with feedback loops which make systems chaotic. Systems like this that are “tightly coupled” and have no slack in them become unpredictably vulnerable to catastrophe. Think space shuttles, Three Mile Island and market crashes everywhere. This example is a very good one because it also illustrates a crucial point. When a system is so complex and so tightly coupled, then adding extra (safety) systems doesn't help, and may make it worse.
Right now it seems that most things are already complex enough that new safety systems hurt more than they help. And things are getting more complex. It's like our world - society, ecology, everything - is a machine running in the red zone. We keep thinking that if we just get the machine to do a little bit more this will somehow mean it is running at a safe level. Of course what really happens is that the chance of getting sideswiped by some black swan just tends towards 1. So far, this isn't a problem I have a solution to.]
In the early afternoon of May 11, 1996, a ramp agent at the Miami airport loaded cargo into the bins of ValuJet flight 592. Passenger bags were loaded in bin 2 first, and once it was filled, the remaining bags were put in bin 1, along with 60 pounds of US mail and some company-owned material that was headed back to ValuJet's parts and components department at its Atlanta headquarters. The material included three airplane tires - two inflated - and five boxes marked “Oxy Canisters - Empty”. The ramp agent loaded one of the two large tires first, laying it flat on the floor with the small tire wedged upright inside it. The boxes, each weighing about 50 pounds, were then positioned around the smaller tire to keep it upright. Then the third tire was put into the bin upright against the compartment wall and leaning over the other tires and the five boxes. As the agent was stacking one of the boxes he felt its contents move and heard a clinking sound.
Flight 592 to Atlanta pushed back from the gate at 1:40pm, and was cleared for takeoff at 2:03pm. Seven minutes into the flight, the captain heard a sound like a chirp along with a simultaneous beep on the public address system. The flight-data recorder later showed that this coincided with a sudden pulse of high pressure - it was likely one of the tires exploding in the hold. Almost immediately the instruments indicated an electrical failure. The captain radioed to the controller, “We got some electrical problem,” followed by a rapid succession of increasingly desperate transmissions: five seconds later she radioed that “We're losing everything,” two seconds later “We need, we need to go back to Miami”; then seconds later came background shouts of “Fire, fire, fire, fire,” followed by an unidentified male voice shouting, “We're on fire, we're on fire.” The jet turned around to head back to the Miami airport, but in just over a minute disappeared from radar. Two witnesses fishing in the Everglades described the twin-engine DC-9 descending in a steep right bank, the bank increasing until the nose dropped to near vertical before impact. They rushed to the accident site, but all that remained were the engine parts, scattered papers and other debris. The Everglades had swallowed the rest of the plane whole.
The five boxes contained oxygen generators that were all beyond their expiration dates. They had been removed from three used MD-80 jets ValuJet had recently purchased and was refurbishing. Each generator supplied emergency oxygen to two or three of the masks above each seat on the aircraft through a chemical reaction: sodium chlorate is converted into sodium chloride, releasing oxygen as a byproduct. The oxygen passes through a number of filters and then to the masks. The process is initiated when a retaining pin is pulled, allowing a spring-loaded hammer to strike a percussion cap that has a small explosive charge that ignites the reaction. Tugging firmly on the mask when it appears over the seat, the instruction familiar to all air passengers from the preflight safety review, pulls the retaining pin.
The chemical reaction that produces the oxygen is exothermic, meaning that it liberates heat. When the generators are properly shielded and ventilated to dissipate their heat, the temperature still rises beyond 500 degrees Fahrenheit. If they are placed in a confined space without this ventilation, the temperature can exceed 1000 degrees. Investigators determined that a pin fell out of at least one of the canisters, igniting a smouldering fire that was fed by the abundant flammable material - the cardboard boxes, mail, and, most importantly, the tires. The pure oxygen generated by the container then turned the fire into a blow torch.
The inherent danger of the oxygen canisters is well known, and a host of safeguards and checks protect against fire. The MD-80 maintenance manual provides a six-step procedure for removing expired canisters. The work card that requires sign-off when maintenance is performed on the canisters delineates a seven-step process. Step 2 in both procedures states, “If generator has not been expended, install safety cap over firing pin.” Both the manual and the work card also contain warnings about the hazards of the generators. And the newer canisters include a label stating in all upper-case letters, “Warning. This unit gets hot! When removing unit install safety cap over primer. Do not pull lanyard. If activated place on surface that won't burn.”
The work card for the generators was signed off by a mechanic who had just come onto his shift. He removed 10 generators; another 30 or so had been removed in a previous shift, so he signed for those as well. He then looked around for the safety caps, but was informed by his supervisor that there weren't any. Both the mechanic and the supervisor were focused on the airworthiness of the planes, not on the disposal of old equipment, so the mechanic placed the generators on their side in a cardboard box, piling one on top of the other, and got back to the other work at hand. The work card required three other signatures, ending with the maintenance supervisor, who signed the “Final Inspection” line and, aware that the generators needed safety caps, alerted the lead mechanic on the floor.
Before anyone applied the safety caps, the boxes made their way to Shipping and Receiving, where they sat unlabeled. On May 8, a stock clerk with some time on his hands asked the director of logistics, “How about if I close up these boxes and prepare them for shipment to Atlanta?” “Okay, that sounds good to me,” the supervisor replied. The stock clerk repacked the generators, laying them side to side with some bubble wrap on the top of each box, and taped the boxes shut. He then labeled the boxes “aircraft parts” and the next morning sent them to the receiving clerk. The stock clerk told him to write “Oxygen Canisters - Empty” on each box for parts identification and attach a label with the ValuJet Atlanta headquarters address. The receiving clerk put the word “empty” in quotes, probably because he suspected that a 50-pound box held something more than empty canisters. They sat in the shipping area two more days because the driver was busy, but on May 11 he loaded the items on his truck and drove them to the ValuJet ramp area, where he was told to put them on a baggage cart. With the shipping ticket signed by a ValuJet employee, the driver left.
Though potentially hazardous, the oxygen generators are a critical part of mandated airplane safety equipment, and the regulation also mandates their occasional replacement. The hazards were clearly identified in both the instruction manuals and the work cards. The work card was signed off in all four blocks. In the process of their removal and preparation for disposal, the oxygen canisters passed under the inspection of at least two floor mechanics, a senior mechanic, a supervisor, an inspector, a program manager, several technical representatives, and the director of logistics. With the possible exception of the last of these, all were aware of the risks posed by the oxygen generators, and all understood the need for the safety caps.
Flying an airplane is by nature fraught with tightly coupled processes. You can't pause the flight in midair to do some reengineering if something goes wrong. The tightly coupled process that caused the ValuJet accident was sparked by the physics of the oxygen generators and the fire that flashed through the airplane. The complexity of the process came from the human factor, layers of checks that became too burdensome to execute. This illustrates a critical aspect of “normal” accidents. Normal accidents are born of complexity, so adding safety checks to try to overcome these accidents can be counterproductive, because they add to the complexity.