Schneier on Security

A blog covering security and security technology.

« Can Safes | Main | Hypersonic Cruise Missiles »

April 29, 2010

Frank Furedi on Worst-Case Thinking

Nice essay by sociologist Frank Furedi on worse-case thinking, exemplified by our reaction to the Icelandic volcano:

I am not a natural scientist, and I claim no authority to say anything of value about the risks posed by volcanic ash clouds to flying aircraft. However, as a sociologist interested in the process of decision-making, it is evident to me that the reluctance to lift the ban on air traffic in Europe is motivated by worst-case thinking rather than rigorous risk assessment. Risk assessment is based on an attempt to calculate the probability of different outcomes. Worst-case thinking these days known as precautionary thinking' -- is based on an act of imagination. It imagines the worst-case scenario and then takes action on that basis. In the case of the Icelandic volcano, fears that particles in the ash cloud could cause aeroplane engines to shut down automatically mutated into a conclusion that this would happen. So it seems to me to be the fantasy of the worst-case scenario rather than risk assessment that underpins the current official ban on air traffic.
[...]

Worst-case thinking encourages society to adopt fear as of one of the key principles around which the public, the government and various institutions should organise their lives. It institutionalises insecurity and fosters a mood of confusion and powerlessness. Through popularising the belief that worst cases are normal, it also encourages people to feel defenceless and vulnerable to a wide range of future threats. In all but name, it is an invitation to social paralysis. The eruption of a volcano in Iceland poses technical problems, for which responsible decision-makers should swiftly come up with sensible solutions. But instead, Europe has decided to turn a problem into a drama. In 50 years' time, historians will be writing about our society’s reluctance to act when practical problems arose. It is no doubt difficult to face up to a natural disaster -- but in this case it is the all-too-apparent manmade disaster brought on by indecision and a reluctance to engage with uncertainty that represents the real threat to our future.

Posted on April 29, 2010 at 6:40 AM • 69 Comments

To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.

Comments

VagabondJim • April 29, 2010 7:10 AM

"It imagines the worst-case scenario and then takes action on that basis. In the case of the Icelandic volcano, fears that particles in the ash cloud could cause aeroplane engines to shut down automatically mutated into a conclusion that this would happen."

But there have been real world examples of this actually happening.

http://en.wikipedia.org/wiki/...

http://en.wikipedia.org/wiki/KLM_Flight_867

So while the point of worst case thinking => social paralysis is likely true, the author needs to find better examples. A la Mr.Scneier's inference that this applies to the thinking of our beloved TSA.

Alex Stapleton • April 29, 2010 7:14 AM

I don't think this is a very good example of "worst case thinking."

The facts known at the time were that high quantities of volcanic ash can cause engine failure. And also that the amount of ash in the atmosphere over Europe was high, but less than previous situations in which ash had caused engine failure. And that some simulations had shown engine damage could occur at these ash levels. Closing air space based on that information doesn't seem unreasonable.

If you look at the time line of events there was not a single high altitude test flight of a commercial plane until the 19th. The CAA in the UK re-opened air space the next day.

Yes, there had been many other flights in restricted air space, but all at low altitudes following rules specifically designed to avoid the ash cloud and mitigate any damage that could occur.

Really the problem in this whole situation was a lack of immediate test flights using commonly used commercial planes (not fighter jets) to collect data. It's not worst case thinking that prevented that from happening. Simply lack of any organisation to collect evidence. No one has obvious responsibility for doing that and so everyone spent several days faffing around.

Suzanne • April 29, 2010 7:16 AM

I don't know how much this affects the exact level of risk in this particular situation, but it is known that the silica in volcanic ash *does* melt and re-solidify as glass in jet engines.

Clive Robinson • April 29, 2010 7:19 AM

Hmm,

I think the worst case is thinking is fully laden/fueled 747 dropping on central London.

The simple fact is we actually know next to 50D ALL about the effects of the various multitudes of volcanic ash types (think sulpher dioxide converting to sulfuric acid that appears to have been missing on this eruption).

So for lack of (unwanted) impirical evidence a cautionary aproach was taken...

Suzanne • April 29, 2010 7:23 AM

I agree that worst case scenario thinking gets us into trouble and can be ridiculous. But seriously, how much of a "disaster" was it that some people couldn't fly for a while? I don't think it was really much more than an inconvenience.

H. Wilker • April 29, 2010 7:24 AM

"Sadly, critics of traditional probabilistic risk-assessments have more faith in speculative computer models than they do in science’s capacity to use knowledge to transform uncertainties into calculable risks."

Both methods have advantages as well as disadvantages. None is inherently better. One characteristic shared by both methods is that the quality of the results depends strongly on the quality of the available data.

I am under the impression that society's capacity for accepting risk is decreasing. It is not that the methods are wrong; rather, the author makes a judgment about the conclusions people draw from them. He thinks people are wrong - that is different from using wrong or erroneous methods.

Alex Stapleton • April 29, 2010 7:25 AM

I just noticed this article was written on the 19th making it especially weird and presumptuous.

Clive Robinson • April 29, 2010 7:25 AM

Oh I forgot to mention,

According to some news reports the reason the UK Met Office had not flown test flights with it's prop driven aircraft was that it was undergoing maintanence.

Some commentators have suggested that the number of aircraft available was reduced to below critical by various UK Gov Treasury Office cutting back the financing required to maintain 365.25x24 coverage...

brazzy • April 29, 2010 7:28 AM

The problem with the volcanic ash cloud is that we *known* there is a risk of very bad outcomes if we ignore it - but because it's a rare phenomenon, we *don't know* the things on which proper risk assessment would have to be based on (how big the risk is or how to mitigate it).

Thus, erring on the side of caution is a perfectly sensible thing to do. What's *not* sensible is to be glad that it's over and forget about it. Unless they're willing to accept this kind of unpredictable disturbance for in the future, governments and airlines have to fund a programme to learn more about the effects of volcanic ash on airplane engines, whether engines could be designed to better withstand them, as well as what concentrations are dangerous
and how they can be measured.

Engineering Professor • April 29, 2010 7:30 AM

OK. I agree with the need for quantifying risks to reduce "worst-case thinking" and avoid paralysis.

What hangs in the balance is the value we place on a failed attempt. In a manufacturing scenario I might call this a "defect" and I will evaluate my risk on the basis of a number of (e.g. a million) opportunities. I can make a profit if I can offset the cost of failed attempts.

We place a high value on an individual human life and I think this becomes a quantity in a conversation no one will have. What risk can we tolerate? Should we write the risk in big letters on our cars? On our shoes? Our planes? Would that change our attitude towards a human life? If we lose one person out of a million can we, as a society, still profit?

If I require that I am safe 100% of the time, then worst-case thinking will ensure my safety in the domain of control that I enforce. Random events are still possible and loopholes that I have not forseen can still cause my demise, but, I can solve those problems by enforcing more security. This brings us to our present state of "reactionary security."

I don't think we can have a conversation about realistic risks until we decide that we are less important than the group. Is this a realistic goal in our society?

DayOwl • April 29, 2010 7:32 AM

I think in this case it wasn't an assessment of risk that led to the decisions to ground flights. It was based on the assumption of guaranteed safety that the public has come to expect. Also, it's pretty much guaranteed that if just one aircraft went down due to ash, heads would roll, lawsuits would bankrupt and a whole new set of onerous regulations would be imposed. Basically, the worst case scenario doesn't involve a simple loss of life on the aircraft. It would have repercussions felt for years, something politicians would rather avoid.

One could also point to the already heavy regulation in aviation (i.e. fixed flight paths), which doesn't allow for the kind of flexible solutions that could have been applied to reduce the risks even further.

Joe • April 29, 2010 7:33 AM

Another example of a near-tragedy caused by volcanic ash is British Airways Flight 9, where "the aircraft flew into a cloud of volcanic ash thrown up by the eruption of Mount Galunggung (approximately 180 kilometres (110 mi) south-east of Jakarta, Indonesia), resulting in the failure of all four engines. The reason for the failure was not immediately apparent to the crew or ground control. The aircraft was diverted to Jakarta in the hope that enough engines could be restarted to allow it to land there. The aircraft was able to glide far enough to exit the ash cloud, and all engines were restarted (although one failed again soon after), allowing the aircraft to land safely."
So it's not a case of "worst-case-scenario", it's just being prudent, and not wanting the deaths of 300 people on your hands.

Clive Robinson • April 29, 2010 7:50 AM

@ Bruce,

Keep your eyes open there are going to be a couple of papers published about global warming risk over this volcano and the lack of aircraft.

For instance the volcano only put out about 1/3 of the amount of carbon that the aircraft would have done, and there has been a marked change in the weather coincident with this flight ban (similar to that of 9/11)

Oh and there has been a paper published just a few days ago that indicates that there may well be an increase in volcanic activity due to man made global warming...

Before people say "not possible" the cause is being put down to the diminishing "ice weight" on places like Iceland, allowing an increase of venting (kind of like taking the weights of a pressure cooker).

I'll see if I can find an Online copy of the paper that's not behind a paywall.

Readyaimfire • April 29, 2010 7:53 AM

Volcanic ash can bring down an airplane, not all volcanic ash is equal in this, but it can also sand and acid eat the front windows that the pilots use to do their jobs, this has already happened, its not speculation.
The damage done to engines with deposits of glass on the turbine blades may not bring down the aircraft immediatly, but those turbine blades are carefully manufactured for balance and true shape, the glass interfers with that also, and could introduce a long term problem that would bring down an engine at a later time.
As Suzanne said, whats the big deal, a lot of priveleged people had to travel like its the 1940's, Well, get over it. Travel takes time, things happen, think of the people who went to crimea to photograph the eclipse in 1914, a war broke out and they were interned as german spies.
When you travel, things happen, deal with it get therapy, take a pill then get over it.

Daniel Wijk • April 29, 2010 8:04 AM

Clive Robinson: Have these studies accounted for the increased usage of other forms of transportations during the no-fly time?

Clive Robinson • April 29, 2010 8:08 AM

With regards Global warming causing volcanoes etc,

The press view (UK's Daily Telegraph),

http://www.telegraph.co.uk/earth/environment/...

An online outline of what it's about is at,

http://rsta.royalsocietypublishing.org/content/...

Clive Robinson • April 29, 2010 8:13 AM

@ Daniel Wijk,

"Clive Robinson: Have these studies accounted for the increased usage of other forms of transportations during the no-fly time?"

It's a good question and I look forward to reading the published papers to find out.

I know at least one is taking into account CO2 from cars at the airports (that is they recognise that the Aircraft alone does not generate the amount of carbon involved).

Justin • April 29, 2010 8:22 AM

There are other considerations besides the engines in terms of volcanic ash.

Primarily, the ash is abrasive and @ 450kts it has the effect of 'sandblasting' the windshield making a non instrument landing nearly impossible.

On smaller aircraft, the air intake is located right behind the propeller so this would almost certainly clog the air filter.

Clive Robinson • April 29, 2010 8:29 AM

As a counter point to the article Bruce has linked to is one from a person involved with volcano research also posted on the 19th.

http://www.ucl.ac.uk/news/news-articles/1004/...

kangaroo • April 29, 2010 8:40 AM

You can't do risk analysis if you don't have a large enough sample to confidently predict the pdf, and/or a sound theoretical reason to predict the pdf.

LET ME REPEAT THAT. You can't do risk analysis by pulling out probabilities from your ass.

In "most" situations -- situations outside of a repetitive series with a clear defined context -- YOU CAN'T DO RISK ANALYSIS.

Mind-boggling. Statistics is a form of math -- not a magic box that can do your thinking for you, plug & chug. If you treat it that way, your doing worse than nothing -- you're gaining confidence ("con") in random noise.

The lack of rigor is amazing -- but not surprising coming from a sociologist. Almost as bad as economists.

David Thornley • April 29, 2010 8:40 AM

There's also the matter of time involved. This was a case of a sudden risk coming up that could not be quantified, since so little was known about it. What we knew is that it could be very bad for the aircraft. In this case, with worst case known to be very bad, and no way of telling how likely, it makes sense to be cautious.

If Iceland blasts off some more ash clouds, we'll see how Europe handles it, and then we'll be in a better shape to see if they're handling risk rationally.

kashmarek • April 29, 2010 8:43 AM

This scenario is a win-win for the blame mongers.

If they hadn't shut down the flights, and there was a crash and/or significant engine damage, the blame mongers would have said that those who didn't shut down flights would be responsible for deaths and engine failures.

As it was, the blame mongers now say that those who shut down the flights are responsible for the inconvenience and economic impact (soon, they will be asking for money).

Let those who might be flying make the decision. For pilots/crew, a penalty free option to not go. For passengers, they already have that option. For the next time, ignore the complaints or change the rules.

alreadyonthelist • April 29, 2010 8:45 AM

Erring on the side of caution with known effects on planes is one thing. Fear and security theater are another.

The worst part about worst case scenario thinking is how fear affects the way we treat other people. Sticking terror/watch labels on folks you don't agree with about torture or politics without regard for truth, without judicial review, opens up a very dark side of human relationships. Terror watch lists are fear based, and bring out the worst in our citizens.

Louis • April 29, 2010 8:54 AM

Something strikes me wrong in the excerpt and no I did not read the article...

Risk analysis must also takes into consideration the impact. In this case, even with low probability, the impact would be the death of all passengers on an aircraft, which would yield high costs, with the likes of clean-up, insurance and not the least, lawsuits.

How much "worst-case" is that, compared to regular risk analysis where your chart includes the red zone of high impact and "low" probability, as opposed to rare...

Ian • April 29, 2010 8:54 AM

@DayOwl

Totally agree. It's all about the public's perception of the risk. How many otherwise intelligent, brave people out there are terrified of flying even knowing that it's statistically safer than driving by a huge margin? Add in a real increase in risk based on a very visible event and you'll have a huge number of panicked people asking why nothing is being done - and if a plane does go down, it could have a huge impact on the confidence people place in air travel regulators and carriers.

Rob • April 29, 2010 8:55 AM

2 points:

1. Right at the start of the flight ban, there was a guy (sorry, forget the name) who said that the problem is that there is just too little reliable knowledge abut the effects of ash on engines to be able to put safe lower limits on ash concentration. "We do not have enough data on which to make probability-based decisions". On the other hand, the consequences of a fully laden 747 coming down in any major city would be appalling. "The eruption of a volcano in Iceland poses technical problems, for which responsible decision-makers should swiftly come up with sensible solutions." In my book, that's exactly what they did.

2. As far as I know the Met Office computer models were not the problem; they predicted the spread of the ash with as much accuracy as could be expected for such a complex system. It was what to do with that prediction that was the problem. It seems to have become a fashion amongst journalists with no training or understanding of science that 'computer models' are 'speculative' or 'theoretical' (meant disparagingly). A 'computer model' is a computer program that solves mathematical equations. The mathematical equations are a formal representation of the best scientific knowledge (comprising observational evidence, scientific laws and common sense understanding) available. They are, in short, the best scientific theory (in this case about atmospheric behaviour) expressed in the most appropriate language: applied maths. A problem is that most commentators, in this case a sociologist, are not fluent in that language and therefore neither understand nor trust statements expressed in it. To them there becomes little distinction between between 'computer game' and 'computer model'. This is serious because such commentators have a wide readership and considerable influence and their views add to the general distrust in science.

Andy Dingley • April 29, 2010 8:59 AM

I disagree with both the ban, and the author's explanation of it as "worst case thinking".

Ash in engines is bad, m'kay? There's no wiggle room here. No truthiness, no sociological explanation for it (if there is, I suggest Sokal should write it up). Ash in engines is bad.

Where the ban went wrong wasn't in banning flights through ash, it was in basing the ban and its extent on a flawed predictive model for the ash plume. Most particularly, it was a badly framed ban with no end conditions. It made no allowance for errors in this prediction and revising the ban extent based on actual measured ash data. It banned flights but then had no adequate self-limitation for this ban.

Politically that then left us in the situation where we needed a politician with the cojones to call a halt to it, once it had become painfully obvious that this very real crisis was more localised than we'd feared. That took several days more than it should have lasted.

Rob • April 29, 2010 9:05 AM

I'm also cynical (from time to time) and I suspect that there is a fairly simple trade-off calculation to be done.

You run an airline with N aircraft, each with M engines, each costing D $ to replace including parts, labour and downtime. You are pretty damn sure that you will have to face this cost if you repeatedly fly through ash and accumulate damage even if the planes don't fall out of the sky. The replacement cost is C = N x M X D.

The costs of not flying is F $ per day; the ban lasts T days. While C > F x T you sit tight and hope it all blows over (sorry). When C

Yes, real-life is a bit more complicated than that, but nothing a spreadsheet and an hour or so of typing can't handle.

Now, does anyone know the figures to test the theory?

tanuki • April 29, 2010 9:14 AM

@Clive Robinson: the UK research aircraft that was flown to sample the ash-cloud was a turboprop Dornier 228:

http://www.nerc.ac.uk/press/releases/2010/...

The aircraft that did not fly was the BAe 146 which was stripped and undergoing a refit at the time:

http://www.faam.ac.uk/index.php/news/...

AppSec • April 29, 2010 9:17 AM

@Daniel Wijk:

The data that I had heard (it was on the radio, sorry that I can't post reference): was that the ash actually reversed the effects. It wasn't so much that the lack of traffic, it was that the ash itself insulated the earth.

I think it was in Super Freakanomics that it was referecned, but I can't remember.

phred14 • April 29, 2010 9:20 AM

I see the real risk being in maintenance policy. Regularly flying through the ash cloud, while it may not be near-catastrophic like the Mount Galunggung incident, WILL have maintenance implications. It may also cause major parts like engines and windshields to be scrapped and replaced well ahead of normal schedules. Deciding where to draw the line on "adjusted maintenance schedules" will be the hard part. "How well does that pilot really need to see when he's IFR-rated, anyway? So what's just a little scouring on the windshield?"

HD • April 29, 2010 9:27 AM

I think there is worst-case scenario decision making going on, but it's the worst case for one person. If I'm the person making the fly/no-fly decision, I lose my job or go to jail for letting the planes fly should one crash. If I ground the planes, no one crashes. Some people holler but I get to keep my job and I don't go to jail, and as an added benefit, no one dies.

Sven Türpe • April 29, 2010 9:40 AM

Let's try some appreciative thinking:

Isn't worst-case thinking what we expect from bureaucracies and why we put them in certain positions? Isn't worst-case thinking the basis for a proper immediate reaction to an imminent threat, buying us time to carefully assess the situation and make informed and good decisions? Wouldn't we design safety measures in just this way, overreacting towards the safe side but keeping their reactions correctible? Is it really so unacceptable to shut down air traffic for a few days?

NobodySpecial • April 29, 2010 9:48 AM

As people have said the problem is the lack of data. We have one data point, a dense ash cloud caused all the engines of a 747 to fail within 10minutes.

So does an ash cloud 1% as dense:
Cause them to fail in 10*100 minutes?
Cause 1% of the engines to fail?
Reduce the life of the engine by 1% ?
Or does it just mean you need to check the engines after a flight.

If you have to check the engines - is that a quick boroscope check, an ultrasound or a stripdown?

Just to complicate matters the airlines often don't own the engines, they are on a service+maintenance lease from RR. If you fly into an ash cloud what does that do to your bill?

rjh • April 29, 2010 9:55 AM

I'm more impressed by the lack of understanding by so many people. The North Pacific route has had major aircraft damage from ash. It has dangerous eruptions almost every year. The US, Japan, and Russia established set of procedures and standards for dealing with volcano ash. The AVO was put in place in 1989, and since then there has been a lot of experience with ash clouds and aircraft on a heavily traveled route.

But it appears that these lessons and routine operational methods did not make it over to Europe. Instead of a coordinated method of selective closure, pilot training, and flight re-routing to avoid the dangerous clouds, there was a blanket closure of airspace.

This is more an example of unpreparedness and insular thinking than it is an example of worst case thinking. The ash clouds are extremely dangerous. There are much smarter ways to avoid them.

In Medicine • April 29, 2010 9:58 AM

A similar reaction happens all the time with drugs - especially vaccines.
If a drug has a side effect the only response is to ban it, however useful it would be.

For example we can't currently prescribe thalidomide to 60year old men - because it causes birth defects in pregnant women.
Fortunately a few useful drugs got established before this policy - penicillin wouldn't be approved today because of potential reactions.

Shane • April 29, 2010 10:01 AM

IMHO, if it prevented additional extreme-condition wear-and-tear on hundreds (if not thousands) of aircraft, put a dent in the constant onslaught of CO2 emissions in the atmosphere, and humbled the world's elite into realizing that mother nature still runs the show, I'm all for a ban on air-travel until conditions clear, hard consistent data or not.

So another couple hundred "Fabulous Fabs" didn't get to cut their shitty deals with their EU counterparts in person, no worries, they'll get 'em next month, surely, and probably profit off of manipulating the markets in light of the new ban anyhow.

As for vacationers, oh effing well.

Course, I don't really fly :P

FP • April 29, 2010 10:03 AM

There is a good article in the current edition of the german Spiegel magazine (print edition, I did not find it online).

From the two incidents referred to above, we know that volcanic ash is dangerous. But it's all a matter of concentration. Volcanic ash or other contamination (like smog) is pretty much everywhere, but usually not dense enough to pose any threat.

Up to this event, volcanic ash eruptions were rare and/or occured over less densely populated areas, and it was a simple enough matter to just close the affected airspace entirely. Flights could just be routed around.

That's one reason why there has never been a limitation on how much ash it is safe to fly in. There wasn't much data, and nobody wanted to spend the money to gather data. Engine manufacturers did not want to specify any safe limits that they could be held to. And there was no pressure on them.

With the lack of a safe limit, it was assumed to be zero, and consequently all airspace was closed where the concentration was larger than zero.

Now that this oversight has cost billions, and lots of data has been gathered by ferry and test flights into the ash cloud, everyone is suddenly agreeing on a safe limit of 100 micrograms of ash per cubic meter.

It's a separate issue that the extent of the ash cloud was not measured but only based on simulations.

JRR • April 29, 2010 10:05 AM

I saw some graphs about CO2 released by volcano versus by planes not flying. This is interesting but hopefully this simplistic analysis is not all that is considered.

- Those flights are mostly just delayed - those people are still stranded and will eventually fly home, though perhaps on fewer flights since the planes will certainly be totally full.

- volcanoes also release methane in large quantities in addition to CO2, and that's a far worse greenhouse gas than CO2, and is not released by planes and cars. It might be released in greater quantity by humans trapped where they don't want to be, under stress and eating cheap food though...

NobodySpecial • April 29, 2010 10:16 AM

I think the author has a point, but the main cause is media and the public's response.

Wind shear crashes planes, it's crazy to try and land in a thunderstorm. But thunderstorms are common and don't make for dramatic news - so we don't close Texas airspace for the summer.

It's the same every year's flu season - people don't get a shot because the news has a story with some photogenic kid that died. While we are happy to kill 50,000/year on the roads.

Anon • April 29, 2010 10:22 AM

The thing I found funniest about the whole thing is that all the comments I read from actual aviation engineers were variants of "You couldn't pay me enough to fly right now", whereas the comments from economists, sociologists, politicians, and others outside the field all assume it's a gigantic overreaction.

paul • April 29, 2010 10:29 AM

For pictures of the inside of a jet engine that flew through part of the dust cloud, see
http://www.flightglobal.com/articles/2010/04/16/...

That's going to need some refurbishment.

747 engines cost somewhere north of $20 million each, and a complete teardown and rebuild can be in the low millions per engine depending on how much needs to be replaced. So there's a pretty good argument that the $200 million a day that airlines lost from the flight ban is rather less than they would have spent on inspection and repair of all their engines. Note also that the world doesn't have enough maintenance hangers to do that much inspection (much less repair) on a timely basis.

Dave • April 29, 2010 10:47 AM

I think it's important to look at the author when considering this kind of article: Frank Furedi is notorious for this kind of contrariness. Doesn't mean his points are invalid, but he's got form.

BF Skinner • April 29, 2010 11:04 AM

I personally tend to assess unknown risks as high.

My prefered response to the "it's possible" crowd is to cite the real possibility that all the air in any given room will jump to one half at the same time leaving whoever is on the wrong half trying to breath hard vacume. I think we agree, professionally, that possible ain't likely. But do we act that way? The first thing that occured to me when the airlines started bucking to fly again was "Sure it's not your life your gambling with is it? And this unknown risk compared to the certain loss you're seeing by not flying daily makes your judgement suspect."

Although Furedi says we've changed our methodology perhaps what we're seeing is fewer people who know how to calculate risk at all.

But are there uncalculable risks? Risks neither quantifiable nor qualifiable? (like the LHC dropping a singularity into the center of the planet)

We've listed here risks that we don't know enough about to quantify/qualify. I guess that would count.

So in the face of the unknown when we've still got to act isn't the risk really, always, 50/50?

Brian • April 29, 2010 11:18 AM

@VagabondJim - Exactly what I was thinking.

"Mayday" did an episode on the BA Flight 9 incident.

Really, the reaction wasn't an overreaction if you know about the other incidents of volcanic ash. The writer should have done better research.

Clive Robinson • April 29, 2010 11:29 AM

@ FP

"With the lack of a safe limit, it was assumed to be zero, and consequently all airspace was closed where the concentration was larger than zero.

Just one problem,

Volcanic ash certainly at that level does not show up on most RF Radars (you need laser based devices which are not in general use), which brings you back to flying test flights by one of the nine VAAC centres of which the UK Met Office is one.

And as has been noted one of the two Met aircraft needed was not available at the time.

@ rjh,

"But it appears that these lessons and routine operational methods did not make it over to Europe. Instead of a coordinated method of selective closure, pilot training, and flight re-routing to avoid the dangerous clouds, there was a blanket closure of airspace."

First off the UK was working to an internationally agreed protocol which has now been changed (see above). It is standardised throughout the world and is the tool that triggers the aviation and meteorological institutions to follow procedures set in place by the International Civil Aviation Organisation (ICAO). ICAO, along with the World Meteorological Organisation (WMO), established the International Airways Volcano Watch (IAVW), which is responsible for dealing with volcano ash warnings from scientists. They have divided the world's airspace into nine Volcanic Ash Advisory Centres (VAAC).

Secondly there is a significant issue of airspace, the UK is one of the busiest airspaces for it's size in the world, there is currently not "alternative routes" available to do the re-routing.

Thirdly not all of Europe was subject to a "blanket closure of airspace" there is another VAAC responsible for continental Europe, and planes upwind of the volcano where still flying in and out of Iceland.

Fourthly have a look at a globe and use a bit of cotton to show the 'curtain effect' the winds from Iceland to the south of the UK makes and consider that nearly all Western Continental European flights go through that part of the UK airspace.

I suspect that now the problem has happened there will be a reconsideration of airline routes to take this into account, provided the European Gov's will agree to it (think huge vested interests).

Oh and the system in the US does not work that well as I found out when flying into Seattle when Mt St. Helens in Washington State was having a rumble one Xmas not so long ago (which reminds me it's 30 years in 19 days since it did the big one).

EdT. • April 29, 2010 12:28 PM

I think part of the reason for "worst-case thinking" is "risk-avoidance" - which is actually a euphamism for "liability" avoidance. While it seems pretty silly to shut down all air travel due to a volcano (or even a terrorist incident), if nothing was done (or the most severe restrictions were not imposed) and something went wrong, the liability incurred would likely bankrupt any private company, and probably most national governments.

So, maybe a more rational approach to liability (e.g. a real tort reform) is in order.

~EdT.

yt • April 29, 2010 12:30 PM

@paul: thanks, I was trying to find those pictures without much success. At least in Finland's case, there was clearly something up there that would be better not to fly through.

bruce • April 29, 2010 1:09 PM

Here in the UK the ban was only lifted after a well-publicised test flight by a BA 747 with the Co. CE on board, and subsequent concerted joint action by the airlines. It may be significant that allegedly there were neither pilots nor vulcanologists on the government bodies making the decision.

In the southern UK we are well over a thousand sea-miles from Iceland. I seem to remember that 'Speedbird 9' was routed close to or right over the Indonesian volcano, which may have had ATC implications.

Mithrandir • April 29, 2010 2:41 PM

"Worst case thinking" is a very unwieldy term. I suggest we call the thing what it is: cowardice.

Cowardice is a vice, much like it's polar opposite, foolishness. We as a society have allowed this vice to take hold of our seats of power and paralyze us.

There is a middle ground between cowardice and foolishness. It is a virtue that has sadly fallen out of fashion in recent decades, but a virtue nonetheless.

They call it "courage".

Richard Schwartz • April 29, 2010 3:52 PM

Look at the consequences of not engaging in worst case thinking in this particular case.

Imagine that the authorities have knowledge of elevated risk, or at least potentially elevated risk. And let's assume that even with the elevated risk, the prevailing belief is that the risk is still pretty low -- but not zero.

So.... the aviation authorities can leave the airspace open, or they can close it.

If they leave it open, they can tell the public about the elevated risk, or not tell the public.

If they do tell the public, many people will choose not to fly and the airlines will be forced to cancel flights anyhow for economic reasons, so many people will still be inconvenienced and the airlines will still lose money.

If they don't tell the public and the improbable does happen, then people die, high-ranking people in the aviation authorities will be be sacked, and the next time there's even a slight volcanic ash cloud everyone would refuse to fly anyhow and the airlines will lose money then.

But if they close the airspace, the airlines do lose money and the public is inconvenienced, but nobody dies, nobody is sacked, and people will continue to trust their ability to fly if there's a lesser volcanic ash cloud that the aviation authorities don't consider risky.

So even if it is a case of worst-case thinking, it is still the rational decision.

Davi Ottenheimer • April 29, 2010 5:05 PM

@Andy Dingley

Spot on. Couldn't say it any better.

Harry Johnston • April 29, 2010 5:36 PM

What interests me most about the crisis is how little I've seen about measures taken to alleviate it ... as far as I can tell from the news reporting, no additional trains, buses or boats have been running. (Except for one article I saw about the UK Navy taking people across the channel.)

Surely there was some sort of semi-organised effort to provide alternative forms of transport where that was feasible? Presumably including using ground/sea transport to get people out of no-fly areas and rerouting overseas flights accordingly?

Skorj • April 29, 2010 5:39 PM

@ BF Skinner "I personally tend to assess unknown risks as high."

Indeed. The chance of all the air rushing to one side of the room is exactly zero (it would violate a couple laws of physics). The chance of the LHC destroying the world is also zero - it will be creating events more energetic than man cas created before, but still quite small compared to events created by nature all the time.

There is a certainty of bad policy when unknown risks are assesed as "I dunno, so it's 50/50", especially when the actual risk is 0!

@Mithrandir

Wise words indeed. Courage is a very *unfashionable* virtue these days.

BF Skinner • April 29, 2010 6:31 PM

@skorj "the actual risk is 0"

But that's not really how we value risk is it?

I have to make a choice. But without fact I don't know what the odds of 'actual risk' is so brain says either it happens or it doesn't. so brain sees - 50/50.

peri • April 30, 2010 5:08 AM

Good news! Conditional probability just might be within reach of the masses. Steven Strogatz's most recent weekly NYT Opinionator column discussed the work of Gigerenzer:

http://opinionator.blogs.nytimes.com/2010/04/25/...

Clive Robinson • April 30, 2010 8:34 AM

@ BF Skinner, Skorj,

"I dunno, so it's 50/50"

Risk is based on the "probability" of an outcome not the number of potential outcome states...

When you buy a lottery ticket you are buying an unknown "chance to win".

Prior to the draw the ticket is in a unknown state (ie not won/ not lost).

But also as long as the tickets are on sale you do not know how many tickets are going to be sold thus you cannot assign any probabilities to the two outcome states (won / lost).

However after the ticket sales have closed and prior to the draw the probability of a ticket being in the "it won" state is 1/(number of tickets purchased).

When the lottery is actually drawn each ticket can only be in one of two states "it won" or "it lost", but there is no longer any probability involved (other than "Oh F*** where is my winning ticket" and "darling have you put my trousers in the wash?" ;)

It is important especially when designing fault tolerant systems to remember what you are talking about and importantly at what point in time.

For instance if a jet engine has two states working/failed a four engined 747 has 16 states for the engines to be in at any one point in time.

Each one of these states has a probability of occurring at any given time. But completely different probabilities when moving from one state to another...

That is an engine has a higher probability of failing if another engine has already failed.

So going from a "one failed" state to a "two failed" state has a higher probability of occurring than going from a "none failed" state to the same "two failed" state.

That is once started a cascade fail is more likely and thus harder to stop...

However the probability of some state changes are completely improbable, that is from "none failed" to "four failed" engines at the same time is very very small for truly independent faults (like expecting four links in a chain to break simultaneously in a single load fault test).

However due to the "bath tub" curve the probability of it happening is greater at certain times than others, hence we have preventative maintenance.

On of the joys of being a design engineer is pointing out to "mathematical types" that in "all probability, there is no probability" for some reason it appears to upset them ;)

Oh and as for the air jumping to one side of a room you need to employ a little demon ;)

BF Skinner • April 30, 2010 1:01 PM

@Clive "you need to employ a little demon"

Got one. I named him Clive.

DanT • April 30, 2010 2:19 PM

The Economist reports that the models used for ash cloud dispursion were originally developed for nuclear fallout.

The model reports to stay out of the ash cloud - completely appropriate for nuclear fallout.

The problem is in the repurposing of the model for non-radioactive ash clouds. The model still reports "stay out of this area".

Sean • April 30, 2010 11:21 PM

@NobodySpecial

Depends on how badly the hot section gets glass coated. Aside from abrasive action, ash melts, starts coating turbine fins and plugging cooling passages. And as has been said, we don't have statistics on civillian aircraft flying in ash, though military operations in sand probably can get you a ballpark.

Bill Durodie • May 2, 2010 2:49 AM

It seems to me that the key point the author is making is that the decision to act on the basis of worst-case scenario thinking is increasingly common nowadays, irrespective of the specifics of any particular situation.

And, contrary to what some assert here, such 'precautionary' measures are not risk-free.

For instance, air-ambulances across large parts of Europe were grounded, thereby leading to actual loss of life. Likewise, many doctors were left stranded overseas, unable to perform emergency operations or treat their patients.

Those who view such incidents as mere inconveniences reveal how superficial their understanding of our interconnected world is.

The 'better safe than sorry' maxim that now shapes the minds of policy-makers and so-called 'experts' everywhere is a liability that leaves us no safer but much sorrier.

moo • May 2, 2010 8:01 AM

@paul: I think you're right on the money here. Assuming they allowed planes to fly through "minor" amounts of the ash, those planes would probably incur more wear and tear on their engines. Inspections would need to be stepped up, and the added maintenance costs might make the flights economically unviable. Without a much better understanding of how much damage was likely to be incurred at various concentrations of ash, grounding all flights is not necessarily an overreaction. Imagine the boondoggle if none of them had crashed, but it was revealed a week or two later that hundreds of millions of dollars of damage had been done to the
engines of a thousand or more planes. Leaving tourists stranded for a few days does not seem that bad in comparison.

@DanT: The purpose of the model is to predict where the volcanic ash will spread to and in what concentrations. For this purpose, it is very similar to nuclear fallout: a cloud of lightweight particles being carried around by air currents. Also no one says that the model was re-used without change -- surely anything they know about differences between the spread of nuclear fallout and volcanic ash would be integrated into the model. Predicting the effects of volcanic ash is their full-time job, give them *some* credit.

RonK • May 3, 2010 8:22 AM

@ In Medicine

There are at least _some_ countries where thalidomide is routinely prescribed for treating multiple myeloma.

I think you're confusing effectiveness risk analysis, which the _science_ of medicine is relatively good at, with the economic risk analysis which causes, for example, obstetricians to do more Cesarean sections than a straight risk analysis would require, because it is less likely the pregnant woman might die (and that outcome can be very, very expensive economically --- in court).

Or, for example, why we can't have our Vioxx --- Merck f**ked up the trials, and now cannot afford to produce it, even if it is probably a useful drug for a relative large segment of the population. Oh, and no one else can produce it, since it's patented.

Mark • May 3, 2010 1:54 PM

@Clive Robinson
I think the worst case is thinking is fully laden/fueled 747 dropping on central London.

The only way a plane is going to "drop" is if the wings come off.
Even large airliners glide perfectly well. As did BA flight 9 and KLM Flight 867, which flew through volcanic ash.
Air Canada flight 143 and Air Transat flight 236 were able to land with no possibility of restarting any engines.
Finally there's BA flight 38 which crash landed just short of runway 27 Left at Heathrow and US Airways flight 1549 which crash landed on the Hudson River in New York City.

Mark • May 3, 2010 2:21 PM

@Joe
Another example of a near-tragedy caused by volcanic ash is British Airways Flight 9, where "the aircraft flew into a cloud of volcanic ash thrown up by the eruption of Mount Galunggung (approximately 180 kilometres (110 mi) south-east of Jakarta, Indonesia), resulting in the failure of all four engines. The reason for the failure was not immediately apparent to the crew or ground control.

This happened nearly 30 years ago. We now know what it looks like to fly through a volcanic ash cloud at night due to the crew (and passengers) describing what they saw.

@Joe
The aircraft was diverted to Jakarta in the hope that enough engines could be restarted to allow it to land there. The aircraft was able to glide far enough to exit the ash cloud, and all engines were restarted (although one failed again soon after), allowing the aircraft to land safely."

The aircraft was not "away" from the ash cloud it was below it. Uncontaminated air most likely playing a major part in restarting the engines. The reason for an engine failing again was that the initial ATC instructions involved climbing. (The most direct route required clearing some mountains.) Which took the plane back into the ash cloud. As soon as the crew realised this they descended and took a different route to the airport.

Mark • May 3, 2010 2:32 PM

@rjh
The North Pacific route has had major aircraft damage from ash. It has dangerous eruptions almost every year. The US, Japan, and Russia established set of procedures and standards for dealing with volcano ash. The AVO was put in place in 1989, and since then there has been a lot of experience with ash clouds and aircraft on a heavily traveled route.

Including to gliders, balloons, etc. Where it could not possibly have been an issue. As well as low altitude VFR flights in piston aircraft.

Greg • May 3, 2010 7:39 PM

Wait, isn't "Worst-case thinking" the ultimate strategy behind Madison Avenue's advertising model?

another anonymous poster • May 4, 2010 1:32 PM

What rubbish!

Problem into drama!

The guys is missing the point!

This isn't about some poxy computer system going into production and maybe failing - this is about life! The CAA/JAR/FAA etc will not risk life - which is absolutely right - it just needed them to let flights go and then one crash and then guess what......they get the blame.

Sometimes its so easy to sit from afar and make judgemental calls and broadcast to the world and miss the point completely

Thanks for sending me this and continue to, keeps me updated on views and opinions even if i believe they are completely wrong!

This statement for example again is completely wrong!

''Worst-case thinking encourages society to adopt fear as of one of the key principles around which the public, the government and various institutions should organise their lives. It institutionalises insecurity and fosters a mood of confusion and powerlessness. Through popularising the belief that worst cases are normal, it also encourages people to feel defenceless and vulnerable to a wide range of future threats.''

Not once has it been said this is normal circumstances!

Grrrr

Why spoil a good story with the truth eh!

Randall • May 4, 2010 2:07 PM

All I needed to hear was that "based on a computer simulation" to know that they did not have a clue-again. Just like the "global warming crisis"-let's not wait for facts or reality let's appear to be all knowing and looking out for you.
Yes ash can shut down jet engines, under the right conditions. How about check it out before shutting down Europe for a week based on a simulation.
Typical bureaucratic morons.

Post a comment

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.

Subscribe via Kindle

Blog Menu

Search

Powered by DuckDuckGo

Blog Home Page
100 Latest Comments

Archives by Date

2013 J F M A M
2012 J F M A M J J A S O N D
2011 J F M A M J J A S O N D
2010 J F M A M J J A S O N D
2009 J F M A M J J A S O N D
2008 J F M A M J J A S O N D
2007 J F M A M J J A S O N D
2006 J F M A M J J A S O N D
2005 J F M A M J J A S O N D
2004 J F M A M J J A S O N D