Notes from a pilot's kid

The Role of Corruption - Comparing China's Train Crash to Air France 447

Evan Osnos wrote a fantastic piece in the New Yorker, describing how the 2011 train crash in Wenzhou uncovered multiple layers of corruption in an enormous government project. You should read it for his investigation of corruption in development projects in China, but I take issue with the premise of treating the Wenzhou train collision as an outcome of the corruption he describes, and I argue that connecting corruption in railway development with the cause of the crash helped the Communist party publicly resolve the scandal.

What happened with the Wenzhou crash

Based on the final investigation reports, lightning struck on-track equipment that falsely reported train 1’s speed and location, causing train 2 to be unaware it was headed straight for the halted train 1. The tragedy happened because of a system design flaw revealed by a thunderstorm. This is easy to see in hindsight, but at the time, it was an unknown unknown. The designers of the switch and the railway operators did not know that they would not know train whereabouts after a railway switch malfunction, and worse, they didn’t know they would be fooled by their computers into thinking that they did know what was going on.

Here are the questions that we ask in hindsight: how could this have been prevented? Did the contractors who designed the switch cut corners, or did the railway staff not get enough emergency training? And who can we hold responsible for this? As societies, we ask similar questions after all low-probability, high-toll tragedies and black swan events because we genuinely want to prevent them from happening again.

We ask these questions and notice that the Minister of Railways, Liu Zhijun, was dismissed from his position on allegations of corruption a few months before the train collision. As Osnos describes, high-speed rail development in China was riddled with corrupt project development practices from its onset. It’s intuitive to draw a connection between these corrupt practices and a design flaw that led to tragedy, and this connection conveniently aligns with an ongoing narrative about the societal costs of corrupt, authoritarian development practices in China (that both Western journalists and Chinese netizens contribute to). However, this was a design flaw in computer-automated transportation infrastructure systems uncovered by unlikely environmental circumstances. It was a flaw that led Osnos to look deeper into corruption in the Ministry of Railways, but it should also lead to a deeper look at similar cases of design flaws in automated systems as a point of comparison.

The Wenzhou train collision should be compared to Air France Flight 447

AF447, a nearly full Airbus A330 bound for Paris from Rio de Janeiro, crashed over the Atlantic Ocean in 2009.(1) Like the Wenzhou train collision, it also involved storms interfering with navigation and control systems. Both had near-record-breaking death tolls for their respective industries. Both required extensive investigation to uncover the true causes of the incidents. Both cited system design flaws as primary explanations for the failure, and had authorities move quickly to repair equipment to ensure that the same failures didn’t happen again.

I spoke with my dad the morning after Air France flight 447 went down. For something that remained a mystery for weeks in the news, my dad had a somber, immediate answer:

“I bet it was an air speed indicator issue. The plane’s computer thought it was stalling (air speed indicator reporting 0 knots), so the pilot flew it into the ground. Probably tore the wings off.”(2)

Well, that’s what happened (minus the part about the wings). The Airbus A330 is designed to be flown primarily through a central computer that the pilots manage, with little tactile feedback. During a turbulent storm, the air speed indicator became blocked by ice, which made the computer deduce that the plane was flying at dangerously low speeds. The computer disengaged autopilot, and the pilot, looking at wonky air speed readings and a stall warning, pulled up until the plane stalled and fell out of the sky.(3) His attempts even exacerbated the problem, because he induced a stall that reduced the aircraft’s airspeed to the point that even a fully functional air speed indicator would not be able to provide accurate feedback. And in a computer-managed fly-by-wire cockpit, there was no tactile feedback to tell him or his co-pilot that the aircraft’s sustained high pitch was contributing to the problem.(4)

From a design perspective, this was another unknown unknown. An air speed reading of zero at high altitude and a stall warning can only mean that the plane is going to fall out of the sky, except for that case that’s never happened before when the air speed indicator fails. Engineers and pilots didn’t know that there’d be an emergency where human operators wouldn’t know if they should trust their flight computers. Just like railway staff during the Wenzhou train crash, these pilots trusted the computer system straight into a disaster.

(Both situations are great examples of what psychologist Laurette Bainbridge calls the automation paradox, described with examples in aviation and public transportation by Robert Charette: as computer automation becomes more sophisticated, human involvement becomes more difficult and more crucial.)

Why do we treat the circumstances of these tragedies so differently?

Two similar design-related failures occur within two years of each other. One failure came from top-notch French engineers, which we’d assume to be free from nefarious state influence. The other, as Evan Osnos points out, comes from designers who were pressured on a project riddled with corruption. Here we are, with similar failures, similar tragedies, but quite different coverage and examinations of the events. Osnos writes:

Within days, the state-owned company that produced the signal box apologized for mistakes in its design. But to many in China the focus on a single broken part overlooked the likely role of a deeper problem underlying China’s rise: a pervasive corruption and moral disregard that had already led to milk tainted by chemicals reaching the market, and shoddy bridges and highways built hastily in order to meet political targets.

Yes, corruption affected many aspects of the high-speed rail project, and bribe money that went into people’s pockets could have gone to better safety testing for low-probability events like these, but if the same design failures happen in corruption-free production processes at world-class firms like Airbus, the high speed rail’s design problems are not likely due to corruption.

The post-collision cleanup was mishandled

After the collision, the Chinese government moved quickly to hide the event because it tainted the image of a rail system that was supposed to be the envy of the world. With US President Barack Obama praising China’s high-speed rail achievements in his 2011 State of the Union address, one mistake with a train might lead other nations to suspect that there are more dangerous cracks to be found in the country’s recent impressive achievements. Internally, a quarter of a billion migrant workers who rely on the railways as one way to travel home for holidays are supposed to see high-speed rail as an improvement to their lives, not an added danger. So the government engaged in rapid damage control.

Evan Osnos, Adam Minter, and CCTV anchor Qiu Qiming have highlighted the poor handling of the post-collision cleanup that followed. China’s embarrassing attempts to quickly bury the fallen train cars were exposed through social media by people at the scene. Simultaneously, the Central Propaganda Department’s release of strict instructions on how to downplay the tragedy was no secret to active Weibo users. Millions of Chinese saw a young girl, still alive, pulled out of a half-buried train car. They may also have noticed that the tragedy they heard about on Chinese social media didn’t show up on the front page of their local newspaper the next day. The illumination of the cover-up and propaganda notice revealed that the interests of the government were in conflict with the interests of those affected by the tragedy.

Two independent criticisms

Corruption surrounded the development of China’s high-speed rail, and Evan Osnos’s investigation and criticism was worthwhile. Additionally, the post-crash cover-up to protect the image of one of China’s biggest achievements is a more direct form of corruption also deserving of criticism. The former, as Osnos mentions, is a common byproduct of economies experiencing drastic growth through large government investments. The latter is a symptom of image-conscious insecurity in a one-party system that is worried about its future.

These independent cases of corruption come from different parts of the Communist party, but many people joined them together and attached them directly to the crash as one larger criticism of the government.(5) While combining the two should have delivered a more damaging blow to the image of the party, it actually made the scandals easier for the party to clear. The Chinese government saw in the crash an opportunity to protect the party’s sovereignty: they quickly moved to isolate and convict toxic members of the party (some of whom had already been dismissed from their positions). This is the party’s showcase of a semblance of the transparency and social justice that people demanded. Afterwards, they can claim that they’ve expunged the rails of danger and the party of corruption.

Footnotes:

  1. This isn’t the only case of a flight crash due to computer systems design issues. It’s disputed, but the Air France Flight 298 crash at an air show in 1988 was a tragically ironic demonstration of Airbus’s new fly-by-wire system. In the show, the pilot flew at very low altitude in front of a crowd to show off the aircraft. As the plane approached such low altitude, the computer automatically forced the plane to point down further to prevent the plane from stalling, and didn’t allow the pilot to increase thrust. The plane thought it should be in “landing mode,” which caused the subsequent crash.
  2. My father knew the cause of the crash so instinctively because this was not the first time an air speed indicator issue had been reported on Airbus aircraft (see page three of the summary of the report), and many Boeing pilots are notoriously suspicious of such issues on Airbus aircraft. Previously, the issues had been reported in good weather conditions during daytime, so pilots were able to overcome the lack of information.
  3. This is a simplification of a much more complicated event that took two years and US$25M to explain. Some other factors: (1) Airbus flight controls work in “normal law,” which ignores any human input that would stall a plane, so pulling back on the control stick indefinitely would not induce a stall, except that the airspeed indicator error disengaged “normal law” and made human-induced errors possible. By nature of the design of the flight control system, no pilot onboard any Airbus aircraft would have training with flying Airbus aircraft without normal law outside of a flight simulator. (2) The air speed indicator error caused the pilot flying to distrust any subsequent airspeed indicator reading, even after it started working again, because he didn’t know if it could be trusted. Instead, he relied on other instrument readings, such as his vertical speed, which told him he was falling from the sky, and reacted by indefinitely pulling up on his control stick (a major but believable error under pressure). All three pilots, to some extent, ignored the stall warnings and thought that pulling up was how to bring the plane back into control. (3) Pilots usually cross-check readings and controls, and this didn’t happen in the heat of the moment. Again, in most planes flight control stick movement is the same for both seats in the cockpit (by analog design or by simulation), but Airbus flight control systems do not mimic flight sticks, therefore making it more difficult for the second pilot to see how his partner was flying the plane. Comprehensive coverage in Popular Mechanics.
  4. The fundamental design of the Airbus A330 cockpit is a disadvantage in emergencies with sensor or instrument failure, because all flight controls are electronic. The throttle levers and control stick are simply input mechanisms to the computer, whereas in other aircraft, these mechanisms would provide analog feedback to the pilot (they could more easily feel how the plane is flying through the mechanism). This disadvantage is well-known in aviation and well-described here by risk management specialist Robert Charette.
  5. The issue was treated this way by many journalists, vocal Chinese on the social web, and news anchors like Qiu Qiming. Osnos quoted Qiu Qiming in his article, but he left out two statements that entangled the issues of corrupt government projects and corrupt attempts to save face (see the full quote here).