Episode 5 – The Structure of Failure: MCAS is Conceived

Here, we examine the design of MCAS in detail. This gets technical, as it needs to be if you want to understand precisely how a dangerous system came to be. The details of the story reveal many questionable decisions made during six years of routine engineering work.

What were the needs that led to MCAS? What precisely did this system need to do, and how did it work? How did design, engineering, and testing unfold?

The story's details demonstrate that Boeing took the simplest route to solve a flight problem. However, they don’t demonstrate an overt intent to deploy an unsafe system, nor do they disclose any violation of regulations; rather, they show that engineers followed the rules narrowly without sufficiently questioning the outcomes.

The Structure of Failure has two episodes. This episode describes why and how MCAS was created based on a specific need identified in 2012. The next episode describes consequential changes made in MCAS due to a new need discovered in 2016.

I have broken this episode into three sections:

  • The aerodynamic problem leading to MCAS. This includes a technical overview of airplanes to explain the problem and the fix.

  • MCAS’s requirements and design. This explains what MCAS is and how it works.

  • Safety testing for MCAS. Here, we see how MCAS was designated as a relatively low risk, setting the stage for subsequent decisions that came back to haunt the MAX.

Please share your views, insights, and opinions through the MAX8 Podcast Comments form. Episode 12 will be dedicated to feedback from listeners such as you.

    EPISODE HIGHLIGHTS:

    • (0:49) – Introduction – what a detailed explanation of MCAS’s design offers you.

    • (2:28) – Moving from the Context of Failure to the Structure of Failure.

    • (4:29) – The problem faced by Boeing in early 2012 that led to MCAS.

    • (8:41) – A brief technical overview of key airplane components.

    • (12:32) – MCAS requirements and its design.

    • (22:35) – Other significant design changes affecting the pilot experience.

    • (29:13) – “Classifying” MCAS.

    • (33:48) – MCAS safety testing.

    KEY POINTS:

    What is the “Structure of Failure”?

    The Structure of Failure represents an arrangement of people and technology that creates the explicit cause-and-effect “apparatus” for an accident or disaster. It consists of two spheres – one inside the other. The inner sphere is the tangible socio-technical mechanism itself – a “mousetrap” of sorts – that generates a failure when triggered.

    The outer sphere represents the business and technical events that directly shape the “inner sphere” mechanism's creation, validation, and approval. These include the design and engineering processes and subsequent safety and risk evaluations, testing, and certification activities.

    What problem did Boeing face that led to MCAS?

    Because the MAX’s new engines had to be moved forward and up on the wing, a tendency emerged for the plane’s nose to pitch upward during an extreme, rare, high-altitude, high-speed maneuver called a “wind-up turn.” The stick suddenly lost its tension momentarily, causing a noticeable weakening of the “feel” of the column’s force in the pilot's hand.

    FAA regulations call for a consistent and manageable increase in the stick’s force, called the “gradient,” in the pilot’s hand as the maneuver intensifies. This issue relates to the pilot’s experience flying the airplane and highlights what are called “control handling differences” between the MAX and prior 737 NG. This issue had to be addressed to avoid a major certification problem.

    The design of MCAS.

    While the design was ultimately flawed, the events explain why the designers thought and acted as they did.

    The first design decision was to rely on only one AOA and one G-force sensor for data input into MCAS. This violates a widely used “good design principle” that requires validating sensor data.

    Regarding system backup, designers relied on an assumption that came to haunt this story: that pilots would perceive a failure in MCAS as something else – as a "runaway trim" malfunction and react within 4 seconds as per their training. However, the engineers decided that pilots didn’t need to know about MCAS.
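The design principle mentioned above, validating sensor data before acting on it, is easiest to see side by side with the single-sensor approach. The following is an added illustration written for this page; it is not Boeing's code and does not reproduce MCAS's actual logic. The trigger angle, the agreement tolerance, and the sample vane readings are all constructed values chosen only to show the behaviour, and the function names are hypothetical.

```python
from dataclasses import dataclass

# Constructed illustration values; these are NOT MCAS's real limits.
AOA_TRIGGER_DEG = 12.0      # hypothetical angle of attack above which the function acts
AOA_AGREE_TOL_DEG = 2.0     # hypothetical maximum disagreement tolerated between two vanes


@dataclass
class Decision:
    activate: bool
    reason: str


def single_sensor_decision(aoa_deg: float) -> Decision:
    """Design that trusts one AOA sensor: any reading above the trigger activates.

    A failed vane that reads absurdly high is indistinguishable from a genuine
    high-angle-of-attack condition, so the function acts on bad data.
    """
    if aoa_deg > AOA_TRIGGER_DEG:
        return Decision(True, "single sensor above trigger")
    return Decision(False, "single sensor below trigger")


def cross_checked_decision(aoa_left_deg: float, aoa_right_deg: float) -> Decision:
    """Design that validates input: two independent sensors must agree before acting.

    If the vanes disagree by more than the tolerance, the input is rejected and
    the function is inhibited rather than acting on an unverified reading.
    """
    if abs(aoa_left_deg - aoa_right_deg) > AOA_AGREE_TOL_DEG:
        return Decision(False, "sensors disagree; input rejected, function inhibited")
    mean_deg = (aoa_left_deg + aoa_right_deg) / 2.0
    if mean_deg > AOA_TRIGGER_DEG:
        return Decision(True, "both sensors agree above trigger")
    return Decision(False, "both sensors agree below trigger")


def run_scenarios() -> dict:
    """Run both designs over constructed (left vane, right vane) readings."""
    scenarios = {
        "normal flight": (3.0, 3.4),
        "genuine high AOA": (14.0, 13.6),
        "left vane failed high": (40.0, 3.2),   # one sensor stuck at a bogus value
    }
    results = {}
    for name, (left, right) in scenarios.items():
        results[name] = (single_sensor_decision(left), cross_checked_decision(left, right))
    return results


if __name__ == "__main__":
    for name, (single, checked) in run_scenarios().items():
        print(f"{name:24s} single={single.activate!s:5s} ({single.reason}); "
              f"cross-checked={checked.activate!s:5s} ({checked.reason})")
```

The "left vane failed high" scenario is the one that matters: the single-sensor design activates on a reading the other vane flatly contradicts, while the cross-checked design refuses to act and instead reports the disagreement, which is what gives a crew or a monitoring function something to notice.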

    I also address two related MAX design changes that affected pilot controls and discuss the decision to classify MCAS as a software modification to a related flight system rather than to declare it a distinct new system, which might have shone a bright light on MCAS.

    Safety testing for MCAS leading to FAA approval.

    Testing is a fundamental step in the design process. It demonstrates that the engineered solution meets its stated design requirements as well as regulatory and safety standards.

    Safety assessment methodologies are essential for determining whether products are safe to sell and use. They involve identifying potential failure hazards and determining the degree of impact or harm that would result from a failure.

    The goal of assessment is not to eliminate the possibility of failure but to prioritize where engineers work to reduce the impact and likelihood of failures and to make “reasonable” decisions about safety. Risks are mitigated, not eliminated. We often fail to appreciate the power of risk methodologies and tools to influence management attention and decisions about “how safe is safe enough?”

    Takeaways.

    I leave it to you to decide if Boeing developed new software and associated it with an existing, somewhat related handling system to avoid safety assessments and pilot training, perhaps justifying this approach because they viewed MCAS as a simple fix to a minor stick-handling compliance issue.

    It does not appear that Boeing violated regulations. However, it did reject a safety-first philosophy and instead focused on addressing the problem as simply as possible. It also found convenient ways to minimize MCAS’s visibility to outsiders.

    USEFUL EPISODE RESOURCES:

    THINGS YOU CAN DO:

    Let me know your thoughts.

    Please share your views, insights, and opinions. Episode 12 will be dedicated to feedback from listeners such as you.

    You can contact me through the MAX8 Podcast Comments form. While I may not be able to respond to all comments, I will read each one carefully. I’m very interested in your thoughts. 

    Download my Framework of Failure description.

    The Framework of Failure is summarized in a six-page PDF that can be downloaded. Access is at the bottom of the Home Page at BradIvie.com.

    Subscribe for updates and announcements.

    Please sign up to receive periodic email communications from me, primarily announcements of new podcast episodes and (in the future) blog posts. The signup form is at the bottom of all web pages on BradIvie.com.

    Share this episode with friends and colleagues.

    This podcast is created for many audiences: business professionals, management consultants, aeronautics industry professionals, aviation enthusiasts, policymakers, and the general public. Please share this episode with those who you feel would be interested in this story and benefit from the information provided and the analytic approach taken. Or perhaps share the video trailer for the series.
