Upgrade to Pro — share decks privately, control downloads, hide ads and more …

AA261: DevOps lessons in collaborative maintenance

Lindsay Holmwood
March 11, 2013
Technology
1
180

AA261: DevOps lessons in collaborative maintenance

On January 31, 2000, Alaska Airlines Flight 261 plunged into the Pacific ocean in an extreme "nose down" position, killing all 88 crew and passengers on board. The NTSB concluded AA261's horizontal stabiliser trim system's jackscrew was inadequately maintained, causing the pilots to lose all control of the plane.

There are striking parallels with the problems we face daily in IT operations & software development, and the 30 years of give and take between the aircraft manufacturer's engineers, airline maintenance staff, and federal regulators that preceded AA261's simple mechanical failure.

In this talk, Lindsay looks at the complex interplay between the parties in the AA261 crash through a DevOps lens, investigating the collaborative approach to maintenance and operation of the MD-83 aircraft, and relating the complexities back to the complex IT systems we build and maintain.

Lindsay Holmwood

March 11, 2013
Tweet

More Decks by Lindsay Holmwood

See All by Lindsay Holmwood
Your API ain't as secure as you think
auxesis
0
110
Footguns and factorisation: how to make users of your cryptographic library successful
auxesis
0
1.3k
Levelling up database security by thinking in APIs
auxesis
0
110
How to thwart your devops transformation with counterinsurgency doctrine
auxesis
1
67
Microservices are an antipattern
auxesis
0
170
Mirrors, networks, and boundaries
auxesis
0
81
Managing remotely, while remotely managing
auxesis
13
4k
Testing Conway’s Law in open source communities
auxesis
6
480
Building and scaling effective distributed teams
auxesis
4
190

Other Decks in Technology

See All in Technology
Microsoft Intune 勉強会 第 2 回目
tamaiyutaro
2
370
チームでロジカルシンキングに改めて向き合っている話 〜学習環境と実践⽅法〜
sansantech
PRO
3
3.2k
Babylon.js JAPAN活動紹介 (2024/4)
limes2018
1
110
アクセシビリティを考慮したUI/CSSフレームワーク・ライブラリ選定
yajihum
2
1.1k
ルーターでプレゼンする
puhitaku
1
3.2k
2024春 注目のWeb系 OSS & SaaS 3選
makies
0
170
よく聞くけど使ったことないソフトウェアNo.1 KafkaとSnowflake
foursue
4
490
MapLibreとAmazon Location Service
dayjournal
1
170
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
2.1k
How to do well in consulting–Balkan Ruby 2024
irinanazarova
0
120
AWSに詳しくない人でも始められるコスト最適化ガイド
yuhta28
2
280
One engineer company with Ruby on Rails
rstankov
2
410

Featured

See All Featured
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
5
3.4k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k
Rebuilding a faster, lazier Slack
samanthasiow
74
8.2k
Stop Working from a Prison Cell
hatefulcrawdad
267
19k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
13
8.3k
The Illustrated Children's Guide to Kubernetes
chrisshort
32
46k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3.1k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
11
1.5k
Happy Clients
brianwarren
92
6.4k
In The Pink: A Labor of Love
frogandcode
138
21k
Into the Great Unknown - MozCon
thekraken
14
1k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
21
6.4k

Transcript

  1. AA261 DevOps lessons in collaborative maintenance

  2. Lindsay Holmwood @auxesis

  3. Software Manager @ Bulletproof Networks

  4. None

  5. Trigger warning: death

  6. Puerto Vallarta January 31, 2000

  7. Seattle

  8. Departed PVR at 13.37 PST

  9. Ascended to 31,000ft

  10. 2 hours into flight: Jammed horizontal stabiliser

  11. No trim control

  12. Redirected to LAX

  13. None

  14. Pilots unjammed horizontal stabilisers

  15. None
  16. None

  17. 2 pilots 3 crew 83 passengers

  18. None
  19. None
  20. None
  21. None

  22. This is a maintenance accident. Alaska Airlines' maintenance and inspection

    of its horizontal stabilizer activation system was poorly conceived and woefully executed. The failure was compounded by poor oversight... had any of the managers, mechanics, inspectors, supervisors or FAA overseers whose job it was to protect this mechanism done their job conscientiously, this accident cannot happen. -- John J. Goglia, NTSB Board Member

  23. hindsight != foresight

  24. [hindsight] converts a once vague, unlikely future into an immediate,

    certain past -- Sidney Dekker

  25. This is a maintenance accident. Alaska Airlines' maintenance and inspection

    of its horizontal stabilizer activation system was poorly conceived and woefully executed. The failure was compounded by poor oversight... had any of the managers, mechanics, inspectors, supervisors or FAA overseers whose job it was to protect this mechanism done their job conscientiously, this accident cannot happen. -- John J. Goglia, NTSB Board Member

  26. This is a maintenance accident. Alaska Airlines' maintenance and inspection

    of its horizontal stabilizer activation system was poorly conceived and woefully executed. The failure was compounded by poor oversight... had any of the managers, mechanics, inspectors, supervisors or FAA overseers whose job it was to protect this mechanism done their job conscientiously, this accident cannot happen. -- John J. Goglia, NTSB Board Member
  27. None

  28. “poorly conceived and woefully executed”

  29. None
  30. None
  31. None

  32. DC-9 -> MD-80 -> MD-83

  33. None

  34. Evolutionary product development

  35. Appropriated maintenance schedules

  36. Jackscrew lubrication interval

  37. None

  38. 1965 every 300-350 hours launch of DC-9 1985 every 700

    hours industry deregulation 1987 every 1000 hours industry standardisation 1991 every 1200 hours industry standardisation 1994 every 1600 hours industry standardisation 1996 every 8 months (2550 hours) Alaska Airlines policy change

  39. 1965 every 300-350 hours launch of DC-9 1985 every 700

    hours industry deregulation 1987 every 1000 hours industry standardisation 1991 every 1200 hours industry standardisation 1994 every 1600 hours industry standardisation 1996 every 8 months (2550 hours) Alaska Airlines policy change

  40. 1965 every 300-350 hours launch of DC-9 1985 every 700

    hours industry deregulation 1987 every 1000 hours industry standardisation 1991 every 1200 hours industry standardisation 1994 every 1600 hours industry standardisation 1996 every 8 months (2550 hours) Alaska Airlines policy change

  41. 1965 every 300-350 hours launch of DC-9 1985 every 700

    hours industry deregulation 1987 every 1000 hours industry standardisation 1991 every 1200 hours industry standardisation 1994 every 1600 hours industry standardisation 1996 every 8 months (2550 hours) Alaska Airlines policy change

  42. 1965 every 300-350 hours launch of DC-9 1985 every 700

    hours industry deregulation 1987 every 1000 hours industry standardisation 1991 every 1200 hours industry standardisation 1994 every 1600 hours industry standardisation 1996 every 8 months (2550 hours) Alaska Airlines policy change

  43. 1965 every 300-350 hours launch of DC-9 1985 every 700

    hours industry deregulation 1987 every 1000 hours industry standardisation 1991 every 1200 hours industry standardisation 1994 every 1600 hours industry standardisation 1996 every 8 months (2550 hours) Alaska Airlines policy change

  44. 1965 every 300-350 hours launch of DC-9 1985 every 700

    hours industry deregulation 1987 every 1000 hours industry standardisation 1991 every 1200 hours industry standardisation 1994 every 1600 hours industry standardisation 1996 every 8 months (2550 hours) Alaska Airlines policy change

  45. Decrementalism

  46. Complex system constraints Jens Rasmussen

  47. None

  48. workload

  49. workload economy

  50. workload economy safety

  51. None

  52. time

  53. time cost

  54. time cost quality

  55. workload economy safety

  56. workload economy safety

  57. workload economy safety

  58. workload economy safety

  59. workload economy safety

  60. workload economy safety

  61. workload economy safety

  62. workload economy safety

  63. economy safety workload

  64. economy failure of foresight safety outside: workload

  65. economy failure of foresight trade-offs in direction of greater efficiency

    safety outside: inside: workload

  66. trade-offs in direction of greater efficiency

  67. trade-offs in direction of greater efficiency

  68. Constraints on knowledge

  69. Why would they make bad decisions intentionally?

  70. Decisions seemed rational

  71. Local rationalisation

  72. “people make what they consider to be the best decision

    based on available knowledge at the time”

  73. This is a maintenance accident. Alaska Airlines' maintenance and inspection

    of its horizontal stabilizer activation system was poorly conceived and woefully executed. The failure was compounded by poor oversight... had any of the managers, mechanics, inspectors, supervisors or FAA overseers whose job it was to protect this mechanism done their job conscientiously, this accident cannot happen. -- John J. Goglia, NTSB Board Member

  74. economy safety workload

  75. time cost quality

  76. None

  77. Devops constraints

  78. “God, our ops team are arseholes. I just want to

    deploy this change and go home!”

  79. “God, our ops team are arseholes. I just want to

    deploy this change and go home!” workload economy safety

  80. “God, our ops team are arseholes. I just want to

    deploy this change and go home!” workload economy safety workload economy safety

  81. What are the circumstances?

  82. Where are the tensions?

  83. Have ops been burnt before?

  84. Is there deployment friction? Why?

  85. Is deployment high-risk?

  86. Is deployment time consuming?

  87. Is deployment important to the business?

  88. None

  89. “It’s 3am an the pager has gone off again. Why

    can’t these devs just write code that works?”

  90. workload economy safety “It’s 3am an the pager has gone

    off again. Why can’t these devs just write code that works?”

  91. workload economy safety “It’s 3am an the pager has gone

    off again. Why can’t these devs just write code that works?” workload economy safety

  92. [hindsight] converts a once vague, unlikely future into an immediate,

    certain past -- Sidney Dekker

  93. What are the circumstances?

  94. Where are the tensions?

  95. Why didn’t the dev know the code would fail like

    this?

  96. Why weren’t you involved when the code was written?

  97. How is code reviewed?

  98. Is the infrastructure anti-fragile?

  99. Is the code anti-fragile?

  100. None

  101. Hindsight bias

  102. [hindsight] converts a once vague, unlikely future into an immediate,

    certain past -- Sidney Dekker
  103. None

  104. What are the motivations?

  105. “amoral actors”

  106. workload economy safety

  107. workload economy safety

  108. “root cause” is simply the point you stop looking --

    Sidney Dekker

  109. What are the circumstances?

  110. Where are the tensions?

  111. Thank you!

  112. Thank you! Liked the talk? Let @auxesis know!

  113. Sidney Dekker [books] Field Guide to Understand Human Error Drift

    Into Failure Just Culture Dan Manges [blog] How incidents affect infrastructure priorities