The Political Economy of Volcanic Ash

28 04 2010

The Economist has of course a Briefing on the Effects of the Ash Cloud from Eyjafjallajökull on the political economy of flight, which informs its lead commentary in the April 24th 2010 edition, about this incident, entitled Earthly Powers.

Both articles recount that the “safe level” of ash, as determined by the CAA (in Britain; in fact the measure was coordinated across the continent), started out at zero when the flight restrictions were first imposed on Thursday April 15th, and was then changed on Wednesday April 21st to 2,000 micrograms per cubic meter. The Economist regards it as “suspicious” that the level was changed “in the face of an affluent cadre of displaced people, airlines feeling the pinch, a looming threat to some supply chains, and (in Britain) an election.” I don’t regard it as “suspicious” – I think, given the evolution of knowledge and experience, the sequence of administrative events was both coherent and justified, with the following caveat. The newspaper suggests, correctly, that how the new level was determined “is not clear”. The CAA apparently says it was set on the basis of data from equipment manufacturers, but no public data has been made available, and I agree with The Economist here that “Regulations without a clear and open argument behind them are worrisome”.

The state of knowledge about the safety of commercial airline operations as the situation evolved is well summarised by David Learmount in his blog entry of Monday, April 19th. I agree with much of what David says, and I think it serves to allay “suspicions” of administrative mismanagement of the event, such as hinted at by The Economist. The amount of uncertainty at that point on Monday of the risks involved, both likelihood and severity, was enormous. [Added 29.04.2010: I find David's article in Flight International, 27 April - 3 May 2010, pp8-9, largely identical with his 24 April article in Flightglobal on the subject, a careful recounting of the safety aspects of the event.]

By Tuesday, 20th April, the ash had confined itself to lower flight levels; upper airspace was freed for flight, and by Wednesday 21st April new guidance had been issued and implemented. I still think that shows an exemplary reaction to the situation.

Now let’s look in a little more detail at the political economy involved. I had suggested in a note to the York Safety-Critical Mailing List, probably somewhat arrogantly, that people didn’t seem to be “conversant with probability or decision theory”. A respondent, Chris Hills, eminently confirmed my suggestion with his line of argument.

The Finnish Air Force went on a training sortie on Thursday 15 April and suffered apparent damage to some engines. FlightGlobal doesn’t say how long they were up for, but one might guess it was on the order of an hour. Recall from Learmount’s blog note that, on Monday 19th, it was not yet known what the severity of damage was to the Finnish engines – Learmount suggested they “may never power an aeroplane again”.

Suppose you are the CEO of an airline that wants to fly in closed airspace. Air Berlin, for example, takes in about €90 per passenger per flight from Paderborn to London Stansted if you book shortly before flying, a flight time of about an hour, and they use standard workhorses, which for trips inside Europe are the twin-engine Airbus A320 series and Boeing 737 series, with seats for between 150 and 200 passengers. The engines put out, I think, about three times as much thrust each as the military engines, but they are higher by-pass (meaning cold air which is propelled around and not through the core of the jet engine). Simple arithmetic shows us that the airline is taking in less than €20,000 for the Paderborn-Stansted flight. The cost of an engine rebuild or new engine (and, when one, then both!) lies well in the seven-figure range (I don’t know quite how much it might cost). That is, two orders of magnitude higher than the five-figure sum you are taking in. And until Monday 19th, after the research flights, no one really knew at what flight levels the ash was to be found. So, at a first guess, just to break even in monetary outlays only one flight in a hundred can have such problems. Or, to put it another way, if just one plane on that route has problems, then you have to have another 24 days of problem-free flying that route (two flights a day in each direction) to break even.

And, of course, this doesn’t take into account that, if one airplane has problems, you may well have to mandate the minute inspection of the engines of any other of your planes that flew part of that route around that time frame. And since airlines use a hub system, that means any planes which flew into or out of the hub that the problem aircraft flew into or out of.

That doesn’t look hugely promising for deciding to fly, does it?

Here is a further way you might then think. Somebody else, associated with government, is telling you you can’t fly. So, whatever your actual evaluation of the risk, you can play grumpy, and argue that the decision-maker is proxy for the government, so the government should be sharing with you the enormous cost of your – forcibly, you say – not being able to do business. Even if you might not have wanted to have tried doing business in those conditions anyway.

So expect discussions about bail-outs.

And, if you are a CEO who read my last post on this topic, you will realise that the uncertainty inevitably led to even a good a priori decision about the risk being more cautious than it is likely that the actual situation warranted. So you could wait for the actual data to accumulate, knowing that you will, in all likelihood, be able to argue “see, it was less dangerous than you said; we told you so”. And you would be right, albeit disingenuously.

So expect to see that argument as the basis of discussions about bail-outs.

Now, about that 2,000 micrograms per cubic meter – we would really like to know where that came from, wouldn’t we?

BTW, it turns out the Finns’ engine problems were not terminal. Flight Global reports that the Finnish engines were healthier than they looked at first – on Friday 23rd April, a week after the ash encounter occurred and after Europe had returned to commercial flying.



Flying in Volcanic Ash, Part 2

22 04 2010

The ash cloud over Europe seems to have abated somewhat, and commercial air traffic is returning to the air. The German DLR organisation (equivalent to the US NASA) sent up test flights of a Falcon 20E on Monday and Tuesday 19-20 April, to measure what was up there. The report, in English, makes interesting reading (Here is a local copy, for those having trouble accessing the original URL). There are pictures in which you can see the ash layers below the aircraft.

It has rained, very briefly, say spottily for 5 minutes, on Tuesday and Wednesday here. My windows are now covered with a fine yellowish film of what I take to be ash (I have some skylight-type windows as well as vertical ones). The temperatures in Bielefeld, Germany, where I am (about 100km west of Hannover) have also been unusually low for this time of year, say 10° during the day in the sunshine (though with significant wind chill) and getting near zero at night. Indeed, it even snowed briefly in some places near here yesterday (Wednesday). The light is unusually white in the sunshine, an effect particularly pronounced in the evening. People used to smoggy atmospheres (Los Angeles, San Francisco Bay Area) will be familiar with this phenomenon.

The debates now seem to be concentrating on whether governments (rather, their regulatory agencies) were too cautious, not cautious enough, or just right. The consensus appears to be that the reaction, essentially to close the airspace where the highest concentrations were known to be until Wednesday, may have been more cautious than the facts warranted, as the UK Minister for Transport, Andrew Adonis, said in this report on Wednesday. The political fallout has started, as in this report from The Times.

For the record, I think the reaction to this environmental phenomenon has been exemplary. First, the dangers of flying gas turbines through volcanic ash can be catastrophic, as I noted (with reference) in my first post on this topic. (David Crocker pointed out to me an article in Boeing Aero magazine from before the current phenomenon, which gives the necessary background information for those still searching for it.) Second, this phenomenon, that a major part of the world for commercial air traffic at all altitudes was affected, was unprecedented. Third, over the course of a few days, test flights taking measurements were organised and flown by the only organisations capable of producing believable results. Fourth, everyone was involved: manufacturers, regulators, and government. Fifth, the outcome so far has been as good as it could be for safety: no commercial air passengers have been killed or severely injured; there have been no train accidents injuring people who would have flown but were forced to take the train; ditto for ships.

And, sixth, the main point of this note: if everything is done “right” (whatever “right” may mean), and safety is prioritised, it follows with high likelihood that, in hindsight, when more is known, it will be seen that we have erred noticeably on the side of caution. This note is a qualitative argument using probability theory (but no math!) that this is so.

When the facts come in, hindsight is a wonderful thing. Safety is paramount to the regulators, by their charter, and also to the manufacturers of the equipment because of liability. The national governments chose to prioritise safety. The result could not have been better for safety. There was, last week, virtually perfect uncertainty as to the potential effects of this particular cloud. Standard industry practice, for many years if not decades, is to avoid all volcanic ash. So, at the beginning, this practice, evolved over decades of experience, was followed, in the face of considerable uncertainty. Within a very few days, various organisations had determined that it was likely safe to fly, say, research aircraft. Data were gathered, uncertainty was reduced, we are back to flying.

What could have been done differently? Safety was prioritised in the face of uncertainty. Should we not have prioritised safety? My answer is that prioritising safety was exactly the right move.

So what does prioritising safety involve? Risk is generally construed as a combination of likelihood and severity of untoward events. What was the risk involved in flying? Likelihood of a volcanic ash encounter over most airspace in Western Europe was certain (the various meteorological offices knew it was there), so there is no uncertainty there. The uncertainty with this risk resides, then, exclusively with the severity of the phenomenon (the effects of the ash cloud). Previous experience shows that the “worst case” is catastrophic, both for the people involved and (as it would be) for the government and agencies that would be said to have “allowed” an accident to happen. (Although severe accidents have not happened directly, losing all of one’s engines is defined to be “catastrophic” in aircraft-certification terms, because after a loss of all engines only environmental circumstances can affect whether one lands on-airport or off-airport, and the least favorable plausible environmental circumstances, here an off-airport forced landing and its likely deadly consequences, are taken to define the severity.) Since experience had shown that severity (defined as worst-case) over the sample (all volcanic-ash-encounter incidents) is catastrophic, one can attempt to define the sample more narrowly, to reduce the uncertainty if you like. What is the range of possible effects? Let us say, from mildly increased maintenance costs on gas turbine engines, to heavily increased maintenance costs, to flame-outs and the ensuing necessary tear-down of all engines of that type on all aircraft, up to the consequences of any accident resulting from near-simultaneous flame-outs of all engines on an airframe. We could presume on general physical principles that these effects are some function of the type of ash (known, and variable, in the current eruption), its density, and the length of exposure. But we don’t know what function. Furthermore, for all flights, there is going to be a range of densities encountered as well as a variety of lengths of exposure.

Now comes a little qualitative reasoning about likelihoods. This is the bit that people who haven’t studied the basics of probability and statistics don’t necessarily grasp, despite the best efforts of us professional educators over the decades. I am going to talk about a “bell curve”, and having just searched the WWW for “bell curve” it seems to me that we professional educators are somewhat to blame for this state of affairs, because the typical WWW explanations are technical enough to alienate anyone who doesn’t have a degree in higher mathematics, as we shall see in the reference immediately below! I will be avoiding any math here, but I do want to talk about “bump curves”.

A “bell curve” associates a range of possible values for a parameter (along the horizontal axis) with the frequency with which those values occur (on the vertical axis). The term itself is taken by technical people to refer specifically to the so-called Gaussian or Normal Distribution, in tech-speak. But actually I want to be more general than this. Take a look at the first graphic in that Wiki article, of “probability density function”, and you see four examples, in green, blue, red and yellow, of graphs I want to talk about. They are small at the ends and have a bump somewhere in the middle. Most uncertain phenomena look like this when you show values (horizontal) against frequency (vertical). When I say “like this”, I want now to allow that the “bump” can be pushed to one side, kinked, in all sorts of ways. Imagine that you had a Plasticine “bump” sitting on the floor, and you let your one-year-old stick his or her thumbs into it, push it around and so on, then you cut it in the middle with a knife and trace the outline of the cut on a piece of paper. It is going to be thicker nearer the middle and thinner near the edges. Let me call all these things “bump curves” for the sake of this note.

The particular “bump curve” I want to talk about is the “distribution” of severities of ash-cloud encounters. So on the “right hand side” we have all-engine flameouts (“catastrophic”); going to the left of that we have one-engine flameouts and consequent flight bans and tear-downs of all engines of that type; going further to the left we have highly increased maintenance (involving large costs and effort); moving further left we have mildly-increased maintenance; moving further we have insignificantly increased maintenance. Remember, we don’t know quite what this “bump curve” looks like, even whether it has “one bump or two”, and where the “bump” or “bumps” are. But let me assume it has, for all intents, one “bump”, to make it easier to follow my reasoning.

First, I want to make the “bump curve” more like a bell curve. I can do this as follows. Imagine I have drawn the bump curve on a rubber sheet. I have a metal frame, consisting of a horizontal track into which are inserted a succession of vertical rods. I can’t bend the rods or take them out of the track, but I can fix them anywhere I want on the track, as well as slide them left and right and then fix them in their new position. I glue my rubber sheet with the bump curve onto this frame of rods. Now, I slide the rods left and right, to stretch the sheet sideways more or less, to make it look more like the bell curve. So, for example, if the “bump” is to the right of center, then I stretch the sheet on the right of center until the curve on the right looks more like the curve on the left of the bump.

Now I have something that looks like the bell curve, but the scale on the horizontal is all distorted, because I have moved the rods around.

And now I draw a vertical line on the rubber sheet, at the point which divides the consequences which are not deleterious to safety (on the left) from those consequences which are deleterious (people killed or injured).

Suppose you are blindfolded, and some supernatural agent performs this manoeuvre I just described. You are blindfolded; you can’t see the curve, but you know it is more or less a “bell curve” because that is what the agent made it look like. You can feel the edges of the white board, so you know where the left side and right side of the curve lie (left edge: “insignificant”; right edge: “catastrophic”), and you can find the middle. But you don’t know how the rubber has been stretched, so you don’t actually know where the vertical “safety boundary” line is; whether it is to the left or to the right of middle.

Now you are given the following task. Put a mark on the board, as far to the right as possible, but to the left of the safety boundary line. Remember you don’t know where this line lies, because the agent has pulled the rubber in a way you didn’t and can’t observe. So you give it your best guess.

And behind you in line are another ninety-nine people who will try to perform the same task. All of you are perfect “rational agents”. In other words, you all think straight, think deep, are perfect at statistical and probabilistic reasoning, and do as well as you can at the given task. You are all trying to put your point as close to, but left of, the safety boundary line as you can guess. In other words, you are basically trying to guess where the line is.

I predict the outcome: almost all of you are going to place your point well left of center. If you don’t believe me, try it out with your “perfectly rational” group of friends!

Let us see what this means. Remember, we don’t actually know how the agent has stretched the curve, because we don’t know how the curve looked to start with. Suppose we now ask for the likelihood distribution of the position of the vertical “safety boundary” line. What is it going to look like? On general principles, it is going to look like some sort of “bell curve”. The bell curve is symmetric about its middle. But you and all your pals put your best guess as to where this line is on the left. That means that most of the area under the curve (which represents likelihood) is going to lie to the right of where you all put your points. That means that, when you don’t know where it is, it is most likely that the safety boundary line lies to the right of where you all put your points.

That means that your conjoint best guess as to where the safety boundary lies most likely errs noticeably towards the cautious (left) side. When somebody removes your blindfolds and you can see the curve (translated into our problem terms: somebody does the research so we know more about concentrations of ash in the atmosphere as well as what such concentrations might do to engines) you would expect to see that your choices are well to the left of the safety boundary line.

The moral of this story: if everybody were perfectly rational and used an appropriate risk-based approach with safety paramount, Lord Adonis’s statement is to be expected: the authorities should expect that they have guessed well left of the safety boundary line.

I hope to have shown you the following. Erring definitively on the side of caution is an expected outcome of a rational approach, in a situation of great uncertainty, to a risk of which the value ranges from insignificant to catastrophic.
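The blindfolded-agents thought experiment above can be run as a small simulation. The following Python script is an added example, not part of the original post: the belief about where the safety boundary lies (a normal curve centred on the board, with a constructed spread), the slight variation in spread between the hundred agents, and the confidence with which each agent insists on staying left of the line are all assumptions of the example. Each agent places a mark at the low quantile of their belief; the blindfold is then removed across many hypothetical worlds in which the boundary really is a draw from that same belief, and the script reports how often the consensus mark was safe and by how much it fell short of the line.

```python
"""Simulation of the 'blindfolded rational agents' argument (added example).

Board runs from 0.0 (left edge, 'insignificant') to 1.0 (right edge,
'catastrophic'). The position of the safety boundary is unknown; every agent
holds a bell-shaped belief about it and must place a mark as far right as
possible while staying left of the boundary.
"""
from statistics import NormalDist, mean, median
import random

BOARD_LEFT, BOARD_RIGHT = 0.0, 1.0
CENTER = (BOARD_LEFT + BOARD_RIGHT) / 2


def cautious_mark(belief: NormalDist, confidence: float) -> float:
    """Rightmost point that stays left of the boundary with probability
    `confidence`, given the agent's belief: the (1 - confidence) quantile.
    Clipped to the board, since the agent can feel its edges."""
    mark = belief.inv_cdf(1.0 - confidence)
    return min(max(mark, BOARD_LEFT), BOARD_RIGHT)


def run_experiment(n_agents=100, n_worlds=20_000, confidence=0.95, seed=2010):
    """Place marks for n_agents rational agents, then 'remove the blindfold'
    in n_worlds hypothetical worlds and measure how the consensus mark fared."""
    rng = random.Random(seed)
    mu, sigma = 0.5, 0.15  # constructed belief: boundary 'somewhere near the middle'

    # Agents are all rational but differ slightly in how sure they are
    # (constructed spread of +/- 20 % around sigma).
    agents = [NormalDist(mu, sigma * rng.uniform(0.8, 1.2)) for _ in range(n_agents)]
    marks = [cautious_mark(a, confidence) for a in agents]
    consensus = median(marks)

    # Hindsight: in each world the boundary really is a draw from the
    # calibrated belief. Was the consensus mark left of it, and by how much?
    lines = NormalDist(mu, sigma).samples(n_worlds, seed=seed)
    margins = [line - consensus for line in lines]

    return {
        "consensus_mark": consensus,
        "share_left_of_center": sum(m < CENTER for m in marks) / n_agents,
        "mass_right_of_mark": 1.0 - NormalDist(mu, sigma).cdf(consensus),
        "fraction_safe": sum(m > 0 for m in margins) / n_worlds,
        "mean_margin": mean(margins),
    }


if __name__ == "__main__":
    for conf in (0.90, 0.95, 0.99):
        r = run_experiment(confidence=conf)
        print(f"confidence {conf:.2f}: "
              + ", ".join(f"{k}={v:.3f}" for k, v in r.items()))
```

Every agent's mark lands left of centre, the bulk of the belief's area lies to the right of the consensus mark, and once the boundary is revealed the mark turns out to be safe in about the demanded fraction of worlds, with a sizeable margin to spare; insisting on a higher confidence (0.99 rather than 0.95) pushes the consensus further left still. That is the hindsight effect the post describes: the cautious choice is the rational one before the data come in, and looks over-cautious afterwards.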



Flying in Volcanic Ash

20 04 2010

The biggest political problem of the week seems to be that airlines have stopped flying in Europe, because of the ash cloud from the volcano Eyjafjallajökull. I must say that in Bielefeld it is wonderful to see the sky without the usual 15 or so condensation trails and the ensuing cirrus, but my wine/tea/coffee merchant and his son are stuck in Namibia at the end of a hunting holiday and desperately need to get back to work, so I understand well the economic side of this also.

Those who don’t understand what volcanic ash can do to gas turbine engines might want to check out this 2003 NASA report concerning damage to the engines of an aircraft which flew through an ash cloud on its way to Europe some years ago. The cloud was not visible to the pilots, and visual inspection of the engines on landing revealed no damage. But the engines were severely damaged. Many thanks to Robert Dorsett for finding this reference.

I have been reading a lot of half-thought-out commentary, but little that enumerates the issues. So here goes.

1. Volcanic ash contains a high proportion of silica. This particular eruption sequence has shown concentrations from just under one-half to about two-thirds, depending on the type of eruption (an eruption sequence is not necessarily uniform in type or composition), if some unnamed geologist cited by an anonymous poster on a forum is to be believed. (For those who wish to trawl through the 90 pages of chatter on this on PPRuNe, I recommend in particular the contributions of the gentleman or lady by the name of “Sunfish”, who appears to be an Australian engineer, for example this one.)

2. The ash is very fine stuff.

3. The silica melts in some parts of the turbine, and gives other parts a nice glass coating as a consequence.

4. There are almost no data points for the behavior of engines under exposure to volcanic ash. There are just the occasional damage reports, as above. It is known that higher concentrations will cause flame out and seizing, but I doubt that the effect on engines of lower concentrations has been determined by anything much in the way of testing. For example, behavior on exposure to volcanic ash is not part of the certification requirements for engines. It looks like if you fly through it for a couple of hours then everything is OK on a visual inspection (thank you BA), but I doubt anyone knows what might happen if you fly through it for a week (an order-of-magnitude increase in exposure).

5. Suppose some engine, somewhere, has a problem. Then standard safety regulatory action would be to take the engine type out of service until it has been determined what the problem is. In this case, until one can rule out flying numbers of hours through an ash cloud as a causal factor. If it was a causal factor, then the fleet is grounded until all the engines can be rebuilt. That could take rather a long time – months, not weeks. And if the engine happens to be an intercontinental one, flying under ETOPS, then what do you do about ETOPS approval for that type, for those engines exposed to ash? ETOPS is predicated on independent failures, not on common-cause failures such as flying through ash.

6. Airlines dependent on transatlantic traffic to generate revenue, such as BA, are going to be hurting. But it would hurt a lot more to have ETOPS rescinded on the airline’s entire 777 fleet pending rebuild/overhaul of the engines.

7. The likelihood that one engine, somewhere on one wing, in Europe, will have a problem in the next couple of weeks, is, just on general experience, not small. For the consequences of that, see point 5 above.

It is a hard problem. The problem arises from (a) the environment – the fact that the ash cloud is there; (b) long established procedures for regulating aviation safety, which requires that a fleet be grounded upon evidence of a problem; (c) the unknown but tangible likelihood that some problem will occur; (d) the severe consequences of such a problem, given the established procedures for regulating aviation safety; (e) the severe economic consequences of closing down airline travel in such a busy part of the world.

I have no solutions. And I very much doubt that anyone else has any, either. As a safety person, I favor keeping aircraft out of this stuff until it goes away.

Postscript.

1. Thomas Netter pointed out to me a broadcast on France Culture today by Olivier Duhamel (available today, Tuesday 20 April, from the France Culture daily programming site, see time 07:55, and I take it later from the archives), who, Thomas said, pointed out that risks were evaluated with respect to aircraft, rather than taking a systems approach to aircraft travel and evaluating the general social cost of grounding. So let’s do it, superficially. Let the general cost of grounding for everyone be X per week. We have so far suffered X. If one engine shows up with ash damage, that will cost 2-4X, right there, since regs will require the fleets be torn down and inspected, and I doubt that can be done in less than, say, a month. If we then ignore the regs, and have an aircraft lose both engines mid-Atlantic, that’s €300m – €1 billion out of insurers’ pockets (for which all air travellers have to pay, even though they might think it is only one airline). Not to speak of the political consequences for those who decide to let aircraft fly, when one is then lost. So those are the severities (some of them). Unless you can evaluate the likelihood of (a) discovering damage to one engine somewhere, and (b) having an ETOPS aircraft lose two, sometime in the future, due to ash damage, you cannot evaluate the social risk (usually taken as the multiplication of likelihood with severity for all hazards). I don’t hold much truck with saying that something isn’t being done, when no one can do it.

2. John Rushby just pointed out a thread in PPRuNe TechLog, which contains this interesting comment on what happens to gas turbines in ash clouds, by MFgeo.

3. The International Herald Tribune aka New York Times has this story today dealing inter alia with the politics. Apparently, [begin quote]The region is grappling with a new blow to its ability to act decisively during an emergency. ……… Most noisily, the head of the International Air Transport Association said before the announcement to partially lift the aviation ban that “the decision Europe has made is with no risk assessment, no consultation, no coordination, no leadership.” The industry group’s director general and chief executive, Giovanni Bisignani, went farther, saying that the crisis is a “European embarrassment” and “a European mess.”[end quote]

I think, in contrast to these suggestions, that the individual countries in the EU, which have legal responsibility for their airspace, have acted decisively, with “risk assessment” and “leadership” and what have you: the airspace is more or less closed; some flights with minimal possible exposure are taking place. You can’t get much more decisive than that. People who disagree with these measures could make their divergent risk assessments public. How about it, IATA?



Engineering Discussions of Discussions: The York List after 15 Years

7 04 2010

The archives of the University of York Safety-Critical Systems Mailing List start on 19 May, 1995, 15 years ago.

I took a look at some of the older archives, up until December 2001, and remembered many names of former avid contributors. Two notable regulars, Peter Mellor and Peter Amey, no longer contribute because they are no longer. I miss them and their contributions, public and private. I followed Peter A’s cancer blog assiduously, and sadly, and hope it will remain a record of a singular life and an inspiration and comfort to others in that predicament.

Numbers in what follows are approximate. I hope I haven’t forgotten people.

In 1995 there were 77 messages. Those still contributing in 2009, fifteen years later: Martyn Thomas, myself, Nancy Leveson, Brian Wichmann, John McDermid (twice) and Chris Johnson (thrice).

In 1996, 144 messages. Tim Kelly, Tom Anderson and Peter Bishop are 2009 contributors who started then.

In 1997, 213 messages. Add Tony Foord, Mike Holloway, Jon Hind.

In 1998, 396 messages. Add Mark Bowell, Stuart Palin, Felix Redmill, Jens Braband, Andy Ashworth and Barrie Reynolds.

In 1999, 250 messages. Add Gerard Le Lann, Bill Black, Dewi Daniels.

In 2000, 655 messages. Add John Spriggs, David Tombs, Bev Littlewood, Rolf Spiker, Bertrand Ricque, Rod Chapman, Mike Ellims. This year is also when the late Peter Amey joined in.

Up to this point, the list was moderated by Jonathan Moffett. In 2001, Tim Kelly took over. With the exception of a blip in December 2001 (see below), moderation policy has been «hands-off», and the charter never invoked, on a list with hundreds of contributors and many more non-contributing readers.

In 2001, there were 755 messages. Add Olof (Olle) Bridal, Eric Scharpf, Des Nutt, Dock Allen, Robin Cook, Francois Taiani, Andy Farnsworth, David Crocker.

Some more numbers: 2002, 689 messages; 2003, 651 messages; 2004, 853 messages; 2005, 418 messages; 2006, 639 messages; 2007, 723 messages; 2008, 483 messages.

In 2009, there were 1,131 messages, from 177 contributors. 36 of those contributors had first contributed to the list between 1995 and 2001. Amongst 2009 contributors, Martyn, Nancy and myself were still prominent, joined by mid-timers Bertrand Ricque and Thierry Coq, and later-comers Paul Cleary, Nicholas Lusty, Jeff Payne and Chris Hills.

From December 1st-15th, 2009, there were 31 people contributing 231 messages! Then came a topic on «Civility in Discourse», introduced by a young researcher on the York faculty, Andrew Rae. His thread enticed 34 people (21 of them only for this thread) for 80 comments over three days, 15-17th December, by any measure a success. And then stopped. From 17th – 31st December there were only 64 messages, a quarter of the total in the first half of the month.

In January 2010, there were 32 messages from 19 people, 10 of whom had not contributed in December.

In February 2010, there were 36 messages from 22 people, 13 of whom had not contributed in December 2009 or January 2010.

In March 2010, there were 33 messages from 17 people, 6 of whom had not contributed in December, January or February.

So what happened here in 2009, to generate so much interest, followed by a comparative drought?

Here follows a personal account.

From about the middle of the year, Martyn Thomas and I made a concerted attempt to engage committee members and opinionators on the international E/E/PE Functional Safety standard IEC 61508 in, as we see them, the significant (according to Martyn, dangerous) failings of the standard concerning software development and assessment. International Committee members Bill Black, Rolf Spiker, and Bertrand Ricque engaged, as did others who consult on and work with the standard. The debate was intense and, as Martyn would say, robust. Some of it was off-line – Rolf asked me for an opinion on a proposed Appendix to the new version of the standard, and I referred him to Bev Littlewood, who is the leading authority on the techniques therein, for a three-way discussion. Bertrand Ricque circulated a polemical note of mine to members of the International Committee on the SW part of IEC 61508, and a discussion started amongst various of us in private. I was invited by the Chairman of the German national committee responsible for involvement in IEC 61508, DKE Committee GK 914, to air my concerns and make constructive proposals for development of the SW standard (IEC 61508 Part 3), which work is ongoing. I met Bertrand Ricque in Paris in December to talk about the issues, and I imagine we shall meet again soon.

So robust discussion on the York list initiated various consequential actions amongst people and groups responsible for a major international standard (indeed, I understand it is the IEC’s best-selling standard). That must be a Good Thing, indeed what many mailing-list maintainers dream about. And indeed it is one reason that I valued the York list highly. Martyn does also, I believe. (Nancy opines that the things which are most important do not admit of effective discussion on email lists. Of the other two founding members who still contributed in 2009, Chris Johnson indicates it to his students «for amusement», and John McDermid has mostly moved on to what he regards as more consequential activities.)

But that doesn’t suit everyone. Andrew Rae was disturbed by what he regarded as incivility, hence his thread. He opined that one should not use words such as «nonsense» and «silly» in «professional» discussion. Nonsense, some of us said, how silly! Sometimes people say silly things, such as a suggestion one should not say «silly» – now that does sound a bit nonsensical, doesn’t it? Andrew singled me out as a – the – malfeasant, and conducted an on-line «poll» on verbal comportment, in whose informal results I was singled out for anonymous collective disapproval.

Andrew’s thread was a hit! 34 contributors in three days and three times that many subscribing to the anonymous poll. I wonder that opinions about writing style are seen as more worthy of technical support such as on-line polls than are substantial matters and disagreements in system safety, which is what the list is supposedly about. For these are literally matters of life and death, whereas opining that a view is «silly» or «nonsense» is not. Think of a poll, say, on what people think of the SW Part 3 of IEC 61508, particularly in view of the strenuous, and to my mind inappropriate, constraints on commentary on the standard imposed by the IEC.

Whatever. It seems, at least in the short term, that the days of robust discussion are over. Because it tolerated robust discussion, the list was a public source of information on topics which do not otherwise occur in the open literature, such as the appropriate application of IEC 61508.

The issue raised by Andrew’s thread is whether one can regulate language so that no words with socially pejorative or negative connotations are used – I take it there is nothing “wrong” with positive connotations – but substantial debate is still possible. I don’t think so, many of the colleagues whom I rate most highly don’t think so, and as far as I can tell most of my linguist and philosophical colleagues don’t think so either. It disturbs me that a number of engineers, who cannot as a class be regarded in any way as expert on the subject, somehow think it is, without consulting linguistic or argument-theoretic expertise on the matter.

And such expertise is to my mind sorely needed. There is a standard saying amongst computer scientists – for all I know, engineers in general – that, when one writes a paper, one says first what one is going to say, then one says it, then one says what one has said. One of the results of that is that I frequently get papers to review, say of about 14 pages, which have two to three pages of real content. Believe me, it is not only the trees that suffer! I much prefer the style of, say, John Searle or David Lewis, philosophers known for their succinct style, who say things just once, and in the right order – during their lifetime, as far as they can manage it. Writing styles differ, sometimes considerably. A style is a writing tool. It is somehow odd to see engineers thereby arguing for fewer tools by restricting writing style.

It is true that there is in many engineering-society codes of conduct a clause requiring that members not criticise other members of their profession in public. I guess it may be reasonable to require members not to insult other members in public, for insults serve largely political or social purposes. But suppressing criticism, an activity in which one subjects engineering behavior to scrutiny and pronounces judgement on it, thereby suppresses necessary debate on contentious technical matters, of which in computer-related safety there are very many. And the behavior can hardly be separated from the actor, the individual engineer or engineers who engaged in that behavior. The recent Haddon-Cave report on the Nimrod was praised for «naming names», by which was meant saying who was responsible for, inter alia, the regrettable history of safety cases which accompanied the structural modifications for air-to-air refuelling. Now, it was other engineers who showed Haddon-Cave what was wrong with those safety cases. Does it become OK if you, as an engineer, rather than going public with your misgivings in violation of your code of conduct, tell your story to a third person, a lawyer, who then goes public with it? When engineers are accused in a French court, as they are at the moment in the Concorde trial, of inappropriately fitting a titanium strip to a Continental Airlines engine cowling, when an aluminum strip is specified, then the debate, which is open, is about whether they may have or should not have, and is conducted, we would hope, under the direction of the judge primarily by engineers and not lawyers. And some of those engineers would thereby be theoretically violating professional codes of conduct. What happens, practically, is that «we» agree not to apply that code in such cases. But that means that someone judges when it is appropriate to apply a code and when not, and when such selective application takes place it raises the question of who selects and for what purposes, and the question then becomes not one of professional ethics but one of politics. Indeed, the basis of most criticism of such clauses in professional codes of conduct is that historically they have served primarily political ends.

Oh, I almost forgot about December 2001. That was when I got thrown off the list for my conduct of a discussion on rhetoric and its uses for safety argumentation, which started with a note of mine on 24th October, which elicited all sorts of interesting opinions and discussion, which one can read in the archive (best go to «thread view» and look at threads with the occurrence of the word «Rhetoric» in the label). Some correspondents had little patience for that style of discussion, and complained to the York department chairman, Alan Burns, who removed me from the list, indeed removed the list for some days. He repented, after being approached on one side by friends of his who suggested my contributions were valuable, and on the other by me with the argument that the list had a charter, which I had not broken, and if certain styles of discussion were to be proscribed then it should be explicitly in the charter, that being what charters are for. Alan agreed, the charter was modified, and I was reinstated.

Both these incidents have to do with argumentation and its forms. There is an academic discipline – maybe even set of disciplines – entirely concerned with argumentation (actual argumentation, and its actual as well as wished-for properties). It is often called Argumentation Theory and may be traced back to Stephen Toulmin’s 1958 book The Uses of Argument. I don’t have a lot of interest in much of the work in the field, but I have recently found the work on Argumentation Schemes by Walton, Reed and Macagno both useful and very readable. A related discipline, even the same one, is called Informal Logic, and there is a readable and helpful entry on Informal Logic by Leo Groarke in the on-line Stanford Encyclopedia of Philosophy, which by the way is an astonishing and wonderful resource for all matters philosophical.

My own technical favorite in the field is an article by the UCLA philosopher Terence Parsons, What Is An Argument?.

In the engineering of safety-critical systems, a lot rests – indeed must rest, according to various civil and military standards – on arguments for the truth of certain assertions: that a particular component or subsystem will not fail catastrophically more than once in one billion operational hours, for example. These arguments are not decisive, by any of the criteria known to logic, but they are rated as better or worse, as adequate or inadequate, by regulators and clients. For example, «proven in use»: you have a component which has been installed on aircraft and run operationally for, say, one million flight hours, and has never failed. What is the worth of the argument to the conclusion that it will not fail catastrophically in one billion flight hours? Not very good, you might think. What if it has run for 60 million flight hours? Is it better? But then you learn that the software which governs the behavior of the component has changed versions every six months: that is, the SW has been modified and reinstalled. So is that the same kit, or a variety of different kit, that has operated for 60 million hours? If you think that history allows it to count as the same kit, do you say that because you think that the latest version of the software is in some sense «more reliable» than previous versions? Many SW engineers would think: «new version; expect new bugs». Then, what counts as a «bug», and what a «feature» to be addressed by operator behavior? Despite such issues, which are far from being resolved, the moniker «proven in use» for an argument type is officially sanctioned by, for example, the international standard on E/E/PE Functional Safety, IEC 61508.
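The «proven in use» reasoning above can be made quantitative. The following is an added example, not from this post nor from IEC 61508: it models failures as a constant-rate process and computes the largest failure rate still consistent, at a chosen confidence, with a run of failure-free hours; the even split of hours across software versions is a constructed simplification.

```python
import math

# Constructed illustration of the "proven in use" argument: a component is
# modelled as failing at an unknown constant rate lam per operational hour,
# so the probability of T failure-free hours is exp(-lam * T). This is the
# standard one-sided confidence bound for zero observed failures, not the
# page's own calculation nor anything prescribed by IEC 61508.


def failure_rate_upper_bound(hours: float, confidence: float) -> float:
    """Largest rate lam (per hour) still consistent, at `confidence`, with
    zero failures in `hours` operational hours.

    Solves exp(-lam * hours) = 1 - confidence for lam."""
    if hours <= 0 or not 0 < confidence < 1:
        raise ValueError("hours must be > 0 and 0 < confidence < 1")
    return -math.log(1.0 - confidence) / hours


def hours_needed(target_rate: float, confidence: float) -> float:
    """Failure-free hours needed before `target_rate` becomes the upper
    bound at `confidence` (inverse of failure_rate_upper_bound)."""
    if target_rate <= 0 or not 0 < confidence < 1:
        raise ValueError("target_rate must be > 0 and 0 < confidence < 1")
    return -math.log(1.0 - confidence) / target_rate


def per_version_bound(total_hours: float, versions: int, confidence: float) -> float:
    """If the software changed `versions` times and only the current version's
    own service is admitted as evidence, the usable history shrinks to
    total_hours / versions (constructed assumption: hours split evenly)."""
    if versions < 1:
        raise ValueError("versions must be >= 1")
    return failure_rate_upper_bound(total_hours / versions, confidence)


if __name__ == "__main__":
    c = 0.95
    for t in (1e6, 6e7):
        print(f"{t:.0e} failure-free hours -> rate <= "
              f"{failure_rate_upper_bound(t, c):.2e}/h at 95% confidence")
    print(f"bounding the rate at 1e-9/h needs "
          f"{hours_needed(1e-9, c):.2e} failure-free hours")
    # 60 million hours with a new software version every six months over
    # five years: ten versions, so only a tenth of the history counts
    print(f"6e7 h over 10 versions -> rate <= {per_version_bound(6e7, 10, c):.2e}/h")
```

One million failure-free hours bounds the rate at roughly 3e-6 per hour, sixty million at roughly 5e-8, and a bound of 1e-9 would require about three billion failure-free hours; admitting only the current software version's history makes each bound correspondingly weaker.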

And of course when things go wrong, compensation claims come to court, and in that venue come yet more styles of argument into play.

Despite the central role played by argument in the development of safety-critical software-based systems, in the education of most engineers working in the field there is not one course on argument (only philosophy students must generally take compulsory courses in logic, either formal or informal or both). Many of the arguments used in safety-critical systems engineering are statistical or probabilistic, and there is often a compulsory course on the basics of probability and statistics in most engineering curricula. However, the probabilistic and statistical arguments used in safety cases are not necessarily routine, formulaic arguments such as those which social scientists might use, but are often special (even specious) – let us call them «bespoke». Generating bespoke arguments requires an understanding of fundamentals, but there is no compulsory course on the foundations of probabilistic or inductive argumentation (based, say, on Ian Hacking’s wonderful book An Introduction to Probability and Inductive Logic) in any engineering curriculum of which I am aware; nor courses on discursive argument – or indeed on writing. Engineers, not necessarily the people picked out by their high-school teachers for their talents in argumentation and writing (those would likely be students who later went on to study philosophy, law and literature), are apparently supposed to pick all this up by osmosis.

What is picked up by osmosis is very variable amongst cultures. Not only that, but in my experience argument forms regarded as persuasive vary considerably between cultures. I spent about the first twenty years of my life in the UK, the next almost-twenty in California, and have been fifteen years in Bielefeld, Germany, with some time in between working in German, Swiss, Scottish and French universities and research institutions. So I do have some experience of the differences in what is regarded as persuasive in discussion, and of the consequences of those differences for social and political organisation. They are sometimes enormous.

In 2001, Martyn suggested to me that a small change in writing style would be beneficial. The issue revolves around how one refers in writing to a view which one does not support, as well as the person who proposed it. I used to write things such as «X said M, and this just can’t be right». Now, I explicitly separate person and view: «X expressed the view M. Let’s look at M. I don’t think M can be defended». To me, the change in content of these two styles is minimal or zero, and I regard the second as lengthier than the first. To some others, the first represents something more like a personal insult, and so the second is the most succinct acceptable form. So I have done that now for almost a decade, in various fora, and reaped the social benefits of so doing, as Martyn correctly surmised. (However, you can’t please everyone. Here is Chris Hills reacting to a summary essay I wrote of an argument sequence occurring in the list during 4-10 September 2009, with a claim that it – he means my behavior in compiling it – is “unethical”.)

Almost exactly nine years later it’s déjà vu all over again. This time around I’m happy to be the bogeyman, or Sündenbock as we say here, for, as my neighbors here in Germany know, every social organisation needs one. So let it be my fault, whatever it is. The consequent eightfold reduction in list traffic and reduction in contribution of some eminent commentators will be welcomed by some list members.

Postscript.

Some may see in the previous line the use of an argument form known as «post hoc ergo propter hoc» that is often regarded in informal logic as a «fallacy»: see the entry «post hoc fallacy» in the index of Walton et al., op. cit., for example. Now, some think informally of a «fallacy» as an argument that does not establish its conclusion (see, for example, this on-line dictionary entry). But this cannot be right, because «circular reasoning» (Assume A: conclude A) is also often regarded as a fallacy (e.g., Walton et al., op. cit. call it the «fallacy of begging the question») but it is in fact a logically valid argument, the very epitome of an argument which does establish its conclusion! Parsons, op. cit., has some insight into the difference between fallacy (said of argument forms) and invalidity (said of inferences).

Whatever one may say of fallacies, my last line is not one – in order to classify it so, one must read the word “consequent” as meaning “causally following”. But of course “consequent” can also mean “following in time”. So read, my statement is a simple empirical truth.

Postpostscript

It was pointed out by John Spriggs that Sündenböcke and Bogeymen are quite different. Indeed they appear to have different ranges, so he must be right. The Sündenbock is circumpolar, whereas the Wikipedia entry for Butzemann or Bogeyman puts the range as Southern Germany or Switzerland, although the subject of the ethnographical study by Raymond Briggs is undoubtedly an English variant.