Would you feel safer in a plane or running a village Post Office?

By Tony Collins

Technology-related controversies involving Boeing and the Post Office raise similar questions  

Technology is cited as a factor in the crashes of two Boeing 737 Max aircraft in which a total of 346 people died.

Technology is also cited as a factor in suicides, bankruptcies, marriage break-ups and ruined lives of hundreds of former sub-postmasters and their families.

Journalist Nick Wallis reports this month on sub-postmaster Peter Murray  who had a stroke in December last year as the Post Office pursued him for alleged shortages of £35,000 shown on the Post Office’s Horizon branch accounts system.

Unknown to Murray when he took over a post office in Great Sutton, Cheshire, the previous sub-postmaster Martin Griffiths had taken his own life. An inquest heard that Griffiths was being pursued by the Post Office over alleged shortfalls shown on Horizon that ran into tens of thousands of pounds.

The scale of the tragedy in crashes of the two 737 Max aircraft cannot be compared to the Post Office’s Horizon controversy.

But anyone who has studied common factors in plane crashes, bridge collapses, Space Shuttle tragedies and other engineering, IT and human failures may see similarities in the complaints by pilots about the Boeing’s 737 Max technology and complaints by former sub-postmasters about the Post Office’s Horizon branch accounting system.

Excessive secrecy?

The Horizon and 737 Max controversies are marked by allegations of a cover-up of computer-related problems which Boeing and the Post Office deny.

The technology’s operators (pilots and sub-postmasters) complained that they were not being given the full facts after major incidents. Pilots expressed concerns direct to Boeing about the 737 Max’s MCAS anti-stall system. The pilots received assurances that any problems were not serious.

But the second fatal crash of a 737 Max happened after those assurances; and the MCAS system was implicated in both crashes. It transpired that pilots kept trying to raise the plane’s nose while MCAS anti-stall software kept pitching it towards the ground.

A known problem had not been fixed. It was known that MCAS could, in rare circumstances such as faulty sensor data, pitch down the nose even if the plane was not in danger of stalling.

In the two 737 Max crashes, some aviation specialists believe that MCAS  was being fed erroneous data from a faulty sensor. In one of the crashes, a sensor might have been damaged by a bird strike.

Usually with critical aircraft software, an alert is given to pilots when sensors are faulty; and pilots are trained in what to do. But if manufacturers do not judge new software to be safety-critical, they may not consider alerts and related training to be vital on all aircraft.

Sub-postmasters received repeated assurances from the Horizon helpline when they raised concerns about unexplained shortfalls shown the system. For them and their families, a series of life-changing events followed those assurances, culminating in some cases, in serious health-related events or worse.

Blame the operator?

After major incidents, Boeing and the Post Office have defended their technologies and pointed to the system operators: pilots and sub-postmasters.

Other common factors in complaints against technologies in the 737 Max and the Post Office’s Horizon system include:

• A questionable ability of the system operators – pilots and sub-postmasters – to be taken seriously when they raised concerns about the technology.
• Little or no statutory scrutiny of the technology in question although its performance could profoundly affect lives. Boeing self-certified the technology in use in the 737 Max. The Post Office’s Horizon system was not subject to any statutory or regulatory inspection. Horizon was scrutinised by forensic accountants Second Sight and the Post Office dismissed its partially unfavourable findings. It also ended Second Sight’s contract.
• Structural secrecy that prevented pilots and sub-postmasters understanding fully the technology they were required to use.
• Major incidents that were treated by Boeing and the Post Office as one-offs. Links between major incidents may not be immediately obvious because they are sometimes the result of a complicated combination of events that might not have congealed in exactly the same way before. But, even after two similar, fatal crashes of the 737 Max, the US Federal Aviation Authority said the aircraft was safe. When countries across the world including Britain grounded the 737 Max, the Federation Aviation Authority had no choice but to act. The aircraft remains grounded worldwide; and European and US regulators are at odds over the depth of the oversight changes required to avoid such software-related crashes again. It appears Boeing will end up having to change the way it operates. After hundreds of complaints about the Horizon system, the Post Office is facing a group litigation action. Former sub-postmasters are claiming damages for financial loss, personal injury, deceit, duress, unconscionable dealing, harassment and unjust enrichment. The Post Office disputes the whole basis of the claimants’ case and maintains that large numbers of sub-postmasters knowingly submitted false accounts. The Post Office maintains that Horizon worked perfectly adequately.

Old technology?

There’s also the question of whether the controversies might have been avoided if ageing designs had been replaced entirely rather than modified to keep pace with business imperatives.

Boeing’s 737 design goes back to 1960s and the Horizon system to the 1990s. But fundamentally new designs would have required hugely costly retraining programmes for pilots and sub-postmasters. .

Normalising the questionable 

A further common consideration – as in the loss of the Challenger Space Shuttle – is whether questionable institutional practices and behaviour had become normalised. A fascinating 575-page book on this problem, “The Challenger launch Decision” shows in minute detail how NASA managers did not violate their procedures. Instead they set and followed bad precedents – what the author Diane Vaughan called the “normalization of deviance”. She said,

“It was not amorally calculating managers violating the rules that were responsible for the tragedy. It was conformity.”

Vaughan found that it is easier for large organisations to blame the technology operators for institutional failures rather than identify structural and cultural causes of disaster. She warned of the dangers of seeing organisational failures as the result of individual actions.

“… taken-for-granted aspects of organisational life created a way of seeing that was simultaneously a way of not seeing”. She added,

“Any remedy that targets only individuals misses the structural origins of the problem.”

The organisation’s culture is “supremely important” in allowing constructive criticism to be heard. But Vaughan concludes in her book that NASA’s economic pressures and cultures leading up to the Challenger disaster are still there.

Arguably, it is almost impossible for a large organisation to change its culture unless change is forced on it. When a subsequent Space Shuttle mission [Columbia] ended in disaster, an official report highlighted NASA’s underlying organisational and cultural issues that contributed to the accident.

Clearly, it is possible for everyone involved in the design and implementation of technology for large organisations to do everything right according to long-established procedures – and still have a succession of disasters.

Boeing

A comprehensive account of what went wrong with the design and development of Boeing’s 737 Max software has been published in The Verge. It is headlined, “The many human errors that brought down the 737 Max”.

It explains how Boeing needed to modernise the ageing 737 design – but not too much because major changes would have required a retraining of thousands of pilots, which would have added to costs for potential customers.

Instead of a new design of airframe, Boeing put larger and more efficient engines on an aircraft that remained essentially the same. The heavier engines needed repositioning, further forward, on the wings, which affected handling of the 737 in certain circumstances, but any aerodynamic changes were made largely invisible to pilots by new MCAS software.

The modified aircraft was an apparent winner. It required less than three hours of computer-based training. Boeing sold a record-breaking $200bn worth of the 737 Max before the first prototype took to the skies.

But pilots became concerned after the first fatal crash. Captain Laura Einsetler, who has flown for over 30 years, including on 737s, told The Verge she was not told the full facts on how the new technologies worked.

“I don’t have the schematics. I don’t have the cockpit panels. I don’t have an instructor that I can ask questions to,” she said, “You’re hoping that the first time you see the Max is on a nice clear day. But sometimes it’s not, and you’re showing up at night or in bad weather into an airplane that has all these changes.” Pilots were not told about the MCAS anti-stall system.

This secrecy meant that the aviation world was not generally aware that, at the time of the first fatal Max crash in October, if MCAS was being fed incorrect data from a faulty sensor, 737 pilots could end up fighting against the plane’s software for control of the aircraft.

A Boeing 737 Max, Lion Air Flight 610, with 189 passengers and crew, went into the Java Sea 12 minutes after taking off from Jakarta, Indonesia in October last year. Nobody survived.

About five months later, Ethiopian Airlines Flight 302, with 157 passengers and crew, crashed six minutes after take off from Addis Ababa. Nobody survived. Minutes before each crash, pilots had been fighting against MCAS to lift the nose but MCAS kept pointing it towards the ground. It was the software that had the final, tragic say.

One of the lessons from the crashes is that the US Federal Aviation Authority may include software in its certification tests in future rather than leaving delegated authority with Boeing.

Post Office control

In the case of Horizon, the Post Office has remained in full control.

When some sub-postmasters faced with unexplained shortfalls ended up in prison, the Crown Prosecution Service and police were not always involved in their cases. It was the Post Office that was the investigating and the prosecuting authority. Nothing sub-postmasters could say to the Post Office about Horizon would shake its belief in the system.

However, the Post Office is facing criticism by High Court judges. In the litigation between sub-postmasters and the Post Office, the Horizon trial judge Mr Justice Peter Fraser has been strongly critical of the Post Office, its behaviour, actions and most of its witnesses. In his “common issues” judgement, he said that some of the Post Office’s submissions “seem to have their origins in a parallel world”. The Post Office has appealed the common issues judgement.

Has the Post Office’s control gone unchecked for too long? Would the Post Office, like Boeing, benefit from having its technology subject to close statutory scrutiny? Particularly when, like Boeing, it controls technology that has the power to change the course of people’s lives.

Comment

The safety culture in the aviation world has much to teach the designers and operators of business systems generally.

Aircraft design has evolved over decades on the basis of trying to anticipate the improbable and even the impossible. On rare occasions, all the main engines on Airbus and Boeing flights have failed and passengers have emerged from the incidents unscathed.  Examples include British Airways Flight 9 (a Boeing 747), US Airways Flight 1549 (an Airbus A320) and Taca Flight 110 (a Boeing 737)..

This aviation industry’s safety culture means that when things go tragically wrong, lessons are usually learned. There are currently congressional hearings in the US into the two fatal crashes of the 737 Max; and lengthy statutory investigations by the National Transportation Safety Board are underway.

Worldwide media coverage of new disclosures about Boeing’s 737 Max technology has been relentless. Boeing has been compelled to act. The regulators may also change their practices. There remains in Europe a deep distrust of the competence of the Federal Aviation Authority.

The Post Office is not accustomed to being told what to do. Its much earlier predecessor, the General Post Office, was an arm of government and had its own special investigations unit responsible for intercepting letters as part of British intelligence service operations. Some of the Post Office’s work today falls within the scope of the Official Secrets Act. It is not answerable to shareholders (except a single government representative on the board).

Even with a legal challenge from Justice for Subpostmasters Alliance and solicitors Freeths, who represent sub-postmasters, the Post Office has sought to exercise control.

In 2017, the Post Office opposed the sub-postmasters’ application for a Group Litigation Order. The judge granted it. In 2018, the Post Office sought to strike out between about one quarter to one third of all of the evidence served by the sub-postmasters. It said the evidence was irrelevant to the first trial. The trial judge disagreed and ruled that the evidence stay.

In 2019, the Post Office has sought to have Peter Fraser removed as the trial judge. It said he was biased. The Court of Appeal disagreed, which means the judge will stay for the remaining three trials. The Court of Appeal issued a 17-page judgement against the Post Office. The Law Society Gazette described the ruling as “scatching”.

The Post Office remains in control, however. Being 100% government-owned, it can spend money without fear of going bust. Taxpayers would have to bail it out in any financial crisis. It has the power to seek to appeal every major judgement, or appeal refusals to grant a right of appeal, all of which could extend the proceedings for years. Judge Fraser expressed a concern about escalating costs in his judgement in March 2019 when he said,

“The Post Office has appeared determined to make this litigation, and therefore resolution of this intractable dispute, as difficult and expensive as it can.” [Par 544).

He also said that the Post Office appears, at least at times, to conduct itself as “though it is answerable only to itself”.

 If the Post Office has no fear of going bust in any financial crisis, could it control the outcome of the proceedings by appeals and extensions that may eventually drain the other side of its private financing?

Would you feel safer in a plane or running a village Post Office?

It is reassuring for airline passengers to know that plane makers can be held to account if things go wrong. At an ordinary domestic level, homeowners would want to be able to hold a roofer or a central heating company to account if things went wrong. It can be argued that any company is only as good as its reaction when things go wrong.

If anything goes seriously wrong when you are running a village post office, you are in the hands of the Post Office. If the computer says, inexplicably, that you have debts totalling £30,000, £50,000 or £80,000, your options may be limited: pay in full, go bankrupt, lose your home and your health or worse.

Culture

It appears the Post Office has shown little or no compassion to most of those who have complained about shortfalls shown on Horizon. Its corporate mindset is that Horizon cannot be the cause of discrepancies. Nobody can change an institutional mindset or force it to change.

After decades of IT-related failures in Whitehall, some costing billions of pounds, such as the £10bn National Programme for IT in the NHS (NPfIT) secretive institutional cultures and mindsets have remained unchanged. Indeed, health officials in recent months have sought to to re-introduce facets of the NPfIT that were discredited years ago, such as central control of locally-based IT.

Even if the Post Office eventually loses the Horizon case and ends up with costs and damages exceeding £100m – and possibly a much larger sum – it could not be compelled to change its culture. The Post Office’s board and senior officials may change. But not the culture.

Why flying is so safe

If Boeing and Airbus were able to treat every major incident as a rare one-off and hold the pilots responsible every time, it is doubtful flying would be as safe as it is. Statute, rules, government-imposed investigations, a safety culture and the risk of the flying public boycotting airlines perceived as unsafe forces manufacturers and airline engineers to learn lessons from accidents.

The result is that accidents and fatalities are a fraction of what they were in the 1990s. A person could fly once a day for four million years before succumbing to a fatal crash, according to Arnold Barnett, a professor of statistics at the Massachusetts Institute of Technology (MIT).

As for those running a village post office, there are no official statistics on how many sub-postmasters have been affected by unexplained deficits shown on Horizon. What is known is that about 550 former sub-postmasters are party to a legal action against the Post Office over the system and a further 500 or so former sub-postmasters are said to have had similar problems but are not in the group litigation. That is a total about one in eleven of all the 11,000 people who are running post offices in the UK.

The chances of being in an intractable dispute with the Post Office over unexpected shortfalls remain very low, however; and the chances of being in an intractable dispute that is a factor in suicide are infinitesimal. A recent unofficial survey indicated that the majority of sub-postmasters regard Horizon as reliable.

But some of the 1,000 or so former sub-postmasters who have been pursued for deficits have suffered life-changing experiences. In most major incidents on aircraft, passengers and crew walked off unscathed.

Statistics can mean little at the best of times and probably nothing when trying to answer whether you would feel safer in a plane or running a village post office. If perception rules your choice, the answer would be obvious: running a village post office is surely much safer than flying at 35,000 feet in a metal tube.

Once you realise, however, that when you have board an aircraft you are highly likely to emerge unscathed from any major technology-related incident, the answer is not so obvious.

Thank you to David Orr for your emailed link to an article on Boeing’s 737 Max that suggested senior management were not aware of the plane’s technology problems.

**

The Post Office claim I owe them £35,000, despite never showing or telling me what I have done wrong – Nick Wallis’s postofficetrial blog

Post Office applies to appeal damning judgment in first Horizon trial – Computer Weekly’s coverage of the Post Office trial

Post Office Limited and the money tree – campaigner Tim McCormack’s blog

Appeal Court throws out Post Office bid to remove judge

The many human errors that brought down the 737 Max – The Verge