Black Box Thinking: What Aviation's Safety Culture Teaches Software Engineering
aviation software-engineering safety incident-analysis culture

Black Box Thinking: What Aviation's Safety Culture Teaches Software Engineering

10 min read
IQLAS

When a commercial aircraft accident occurs anywhere in the world, investigators will spend months or years reconstructing exactly what happened and why. They will recover the flight data recorder and cockpit voice recorder. They will interview crew, ground staff, maintenance personnel, and air traffic controllers. They will run simulations. They will publish their findings in meticulous public reports that are read by manufacturers, regulators, and airlines worldwide. And then — in every serious aviation authority — they will ask: what changes to procedure, training, regulation, or design will ensure this never happens to any aircraft, anywhere, again?

This is not how most software organizations treat failures. And that gap — cultural, structural, epistemic — costs us more than we typically measure.

The Flight Data Recorder Mentality

The flight data recorder (FDR) does not exist to assign blame. It exists to establish fact. Modern FDRs capture over a thousand parameters — control positions, surface deflections, engine performance, hydraulic pressures, electrical state — at resolutions high enough to reconstruct the flight second by second. The cockpit voice recorder captures the crew’s words, tone, and ambient sounds for the last two hours of flight.

When something goes wrong, investigators have the full story. Not a story filtered through memory and self-interest. Not a story shaped by who was on-call or who had most to lose. The full story.

Most software systems have nothing like this. Application logs are frequently incomplete, rotated too aggressively, or simply not designed to support incident reconstruction. The equivalent of a cockpit voice recorder — a record of what the humans were doing, saying, deciding, and assuming in the minutes before the outage — almost never exists.

What Good Observability Actually Means

The analogy cuts deeper than it first appears. Aviation’s data richness is not accidental. It was designed, mandated, and continuously expanded as new failure modes were identified. Every new category of incident produced new recording requirements. The system’s capacity to learn was deliberately built and deliberately protected.

Software observability — structured logging, distributed tracing, metrics, user session recording — has the same potential. The difference is intent. Aviation records data because the culture demands accountability to truth. Software teams build observability when their manager asks for an SLA dashboard. The former produces systems that get safer. The latter produces systems that get expedited.

Just Culture: The Prerequisite for Learning

The most important concept aviation has contributed to safety science is not technical. It is the idea of a just culture — an organizational environment where people are encouraged and even rewarded for providing safety-related information, but where a clear line is drawn between acceptable human error and blameworthy conduct.

In a just culture, a pilot who makes a genuine mistake under pressure and reports it is protected. A pilot who takes a deliberate unacceptable risk is not. This distinction sounds obvious until you consider how rarely it is actually operational in software organizations.

The post-mortem meeting where engineers are visibly afraid to speak. The on-call rotation where admitting confusion is career-limiting. The sprint retro where blame travels quietly to whoever was on shift. These are not pathological edge cases in our industry. They are the modal experience.

Why Blame Feels Good and Is Useless

When a system fails, identifying a person to blame provides immediate psychological relief. It closes the question (“a tired engineer pushed bad code”), it restores our sense that the system is fundamentally sound, and it requires no systemic change. This is its appeal and its catastrophic failure mode.

Aviation learned this lesson through tragedies that are now in the historical record. For decades, aircraft accidents were attributed to “pilot error” — a category that is technically accurate and analytically worthless. Yes, the pilot was the proximate cause. But the pilot was also inadequately trained on the failure mode they encountered, flying an aircraft whose automation behavior violated their mental model, under commercial pressure that encouraged accepting a degraded maintenance state, in an organization that had no mechanism to escalate concerns. Every one of these contributing factors is actionable. “Pilot error” is none of them.

Software’s equivalent is “human error” — the load-bearing abstraction that holds up an enormous structure of uninvestigated system failures.

The OODA Loop and Incident Management

Aviators are trained in the OODA loop — Observe, Orient, Decide, Act — as a framework for decision-making under time pressure. What makes this valuable is not its novelty but the discipline it imposes: you cannot act well without having first observed accurately and oriented correctly. Skipping steps produces confident wrong action, which is worse than confused hesitation.

During software incidents, teams frequently skip straight to Act. The alert fires, someone kubectl delete pods, the symptom disappears, the incident is closed. What was observed? What was the state of the system? What alternatives were considered? What was the causal chain? None of this is documented because the fire is out and everyone is tired.

The incident report is filed: “Database connection pool exhausted. Restarted pod. Resolved.” In six weeks the same thing happens. And six weeks after that.

Five Whys Done Right

Root cause analysis methodologies like “Five Whys” are borrowed in software from manufacturing and safety research. They are also frequently used wrong. The goal of Five Whys is not to identify a single root cause — complex systems rarely have one. It is to trace a causal pathway deeply enough that the contributing factors become visible.

Aviation’s equivalent — the accident investigation report — does not stop at five whys. It produces a causal web: technical factors, human factors, organizational factors, regulatory factors, design factors. This is more expensive to produce. It is also what actually produces improvement.

Checklists and the Myth of Expert Memory

Pilots use checklists not because they are novices who might forget the steps, but precisely because expertise does not protect against the failure modes checklists prevent. The checklist catches the thing you know perfectly well but did not do because you were interrupted, fatigued, under stress, or simply moving too fast.

This insight — codified by Atul Gawande’s work in medicine and the broader safety literature — is resisted in software for the same reason it was initially resisted in aviation: it feels like an admission of inadequacy. Senior engineers should not need a deployment checklist. Experienced DevOps practitioners should not need a rollback procedure document. The confidence itself is the hazard.

The software industry has made progress here. Runbooks exist. Deployment gates exist. Feature flags exist. But the cultural weight of “we don’t need checklists for this, we know what we’re doing” remains, and it keeps producing the same categories of entirely preventable incidents.

Building the Infrastructure for Learning

Aviation’s learning infrastructure is not accidental. It was assembled over decades:

Mandatory occurrence reporting. Incidents below the threshold of accident must be reported to national aviation authorities. The data is aggregated and analyzed for emerging patterns.

Confidential safety reporting systems. In the US, the Aviation Safety Action Program (ASAP) and NASA’s Aviation Safety Reporting System allow anyone to report safety concerns confidentially, with legal protection from enforcement action.

Independent investigation. Accident investigation is structurally separated from prosecution. The NTSB does not assign criminal liability. This is not a loophole — it is the mechanism that makes truth-seeking possible.

Global data sharing. Safety-critical information is shared between airlines, manufacturers, and regulators internationally. A failure mode discovered in Australia informs operators in Norway.

Software has nothing analogous at scale. Some companies publish post-mortems publicly. The SRE community has developed strong norms around blameless retrospectives. But there is no mandatory occurrence reporting. There is no confidential safety reporting system. There is no independent body that investigates significant software failures with the systematic rigor applied to aviation accidents.

The consequences land on users — interrupted service, lost transactions, leaked data, failed medical systems, collapsed financial calculations — without producing the institutional learning that might prevent the next occurrence.

The Case for Seriousness

Aviation is serious about safety because the alternative is visibly, immediately, irreversibly catastrophic. Software has the advantage that most failures are recoverable — but this has made us complacent about building the discipline that serious systems require.

As software becomes the substrate of more and more critical infrastructure — power grids, hospital systems, financial rails, transportation networks, election systems — the stakes are becoming aviation-level without the culture that aviation has spent seventy years developing.

The tools exist. The knowledge exists. What aviation offers, above all, is an existence proof: a high-stakes, complex, human-involved domain that chose to take its own failures seriously, built the institutions to investigate them, and became measurably, demonstrably safer over time.

That is a choice. It is not inevitable. We have not yet made it in software, at least not at scale.

We probably should.