The other way to regulate the airline industry is not economic but operational—detailed governmental oversight of all the technical aspects of flight. This is an approach we have taken since the birth of the airlines, in the 1920s, and it is what we expect of the FAA today. Strictly applied standards are all the more important in a free market, in which unchecked competition would eventually require airlines to cut costs to the point of operating unsafely, until accidents forced them out of business one by one. A company should not overload its airplanes or fly them with worn-out parts, but it also cannot compete effectively against other companies that do. Day to day, airline executives may resent the intrusion of government, but in their more reflective moments they must also realize that they need this regulation in order to survive. The friendship that has grown up between the two sides—between the regulators and the regulated—is an expression of this fact, which no amount of self-reform at the FAA can change. When after the ValuJet crash David Hinson, of the FAA, reacted to accusations of cronyism by going to Congress and humbly requesting that his agency's "dual mandate" be eliminated, so that it would no longer be required by law to promote the airlines, he and Congress (which did as he requested) were engaged in a particularly hollow form of political theater.

The FAA's critics had real points to make. The agency had become too worried about the reactions of its allies in the airline industry, and it needed to try harder to enforce existing regulations. Perhaps it needed even to write some new regulations. Like NASA before the Challenger accident, the FAA needed to listen to the opinions and worries of its own lower-level employees. But there are limits to all this, too. When, at a post-crash press conference in Miami, a reporter asked Robert Francis, of the NTSB, "Shouldn't the government protect us against this kind of thing?" the best answer would have been "It cannot, and never will."

The truth helps, because in our frustration with such system accidents we may be tempted to invent solutions that, by adding to the obscurity and complexity of the system, may aggravate just those characteristics that led to the accidents in the first place. This argument for a theoretical point of diminishing safety is a central part of Perrow's thinking, and it seems to be borne out in practice. In his exploration of the North American early-warning system Sagan found that the failures of safety devices and backup systems gave the most dangerous false indications of missile attack—the kind that could have triggered a response. The radiation accidents at Chernobyl and Three Mile Island were both induced by failures in the safety systems. Remember also that the ValuJet oxygen generators were safety devices, that they were backup systems, and that they were removed from the MD-80s because of regulations limiting their useful lives. This is not an argument against such devices but a reminder that elaboration comes at a price.

Human reactions add to the problem. Administrators can think up impressive chains of command and control, and impose complex double checks and procedures on an operating system, and they can load the structure with redundancies, but on the receiving end there comes a point—in the privacy of a hangar or a cockpit—beyond which people rebel. These rebellions are now common throughout the airline business—and, indeed, throughout society. They result in unpredictable and arbitrary actions, all the more so because in the modern, insecure workplace they remain undeclared. The one thing that always gets done is the required paperwork.

Paperwork is a necessary and inevitable part of the system, but it, too, introduces dangers. The problem is not just the burden that it places on practical operations but also the deception that it breeds. The two unfortunate mechanics who signed off on the nonexistent safety caps just happened to be the slowest to slip away when the supervisors needed signatures. The other mechanics almost certainly would have signed too, as did the inspectors. Their good old-fashioned pencil-whipping is perhaps the most widespread form of Vaughan's "normalization of deviance." The falsification they committed was part of a larger deception—the creation of an entire pretend reality that includes unworkable chains of command, unlearnable training programs, unreadable manuals, and the fiction of regulations, checks, and controls. Such pretend realities extend even into the most self-consciously progressive large organizations, with their attempts to formalize informality, to deregulate the workplace, to share profits and responsibilities, to respect the integrity and initiative of the individual. The systems work in principle, and usually in practice as well, but the two may have little to do with each other. Paperwork floats free of the ground and obscures the murky workplaces where, in the confusion of real life, system accidents are born.

It would be wrong to conclude that we should join the alarmists in their prophecies of doom. Flying will remain safe, and for conventional reasons, including the admirable reaction we have seen to the ValuJet crash. But it should also be clear that there are structural limits to flight safety, and that any dream of a zero-accident future is probably about as realistic as the old ValuJet promise to put safety first. If that is true, we had better get used to it. Conventional accidents—those I call procedural or engineered—will submit to our solutions, but as air travel continues to expand, we can expect capricious system accidents to blossom. Understanding why might keep us from making the system even more complex, and therefore perhaps more dangerous, too.
