On November 18, 2020, the U.S. Federal Aviation Administration cleared the Boeing 737 MAX for flight, but the history of how Boeing got to this point remains disturbing.[1] Back in September 2020, the U.S. House of Representatives released a 238-page report on the 737 MAX debacle, concluding an 18-month investigation.[5] The report blamed the two crashes in October 2018 (Lion Air, in Indonesia) and January 2019 (Ethiopian Airlines, in Ethiopia) on the computerized flight-control system called Maneuvering Characteristics Augmentation System (MCAS). The 737 MAX had been Boeing's fastest-selling plane in history before government authorities worldwide grounded the fleet of nearly 400 aircraft—but only after the second crash. A technical system failure was the proximate cause of the disasters, which cost billions of dollars in losses to Boeing and the airlines, and, much more tragically, the lives of 346 passengers and crew.
Founded in 1916, Boeing remains one of the world's most renowned engineering companies. Were the 737 MAX crashes truly a failure of technology, an advanced aircraft-control system? Or was it a failure of management? Of course, at many levels, technology and management are inseparable. Nonetheless, executives, managers, and engineers at Boeing were not stumped by the complexity or unpredictability of a new technology. In a series of decisions, they put profits before safety, did not think through the consequences of their actions, or did not speak out loudly enough when they knew something was wrong. Let's look at the evidence.
At the Safety Critical Systems Symposium in York in February 2020, Dewi Daniels made the point that, in part, the Boeing 737 Max 8 crashes were due to incorrectly classified requirements.
Because the MCAS system was initially only expected to be needed in cruise flight, its limit was set at 0.6 degrees and its DO-178C criticality was set at DAL-C (Major), rather than DAL-B (Hazardous) or DAL-A (Catastrophic).
When it was realised that the MCAS would also be needed in slow-speed flight and its limit was increased to 2.5 degrees, no change was made to the DAL. Engineers and assessors will spend more time examining DAL-A subsystems than DAL-C ones (or, for automotive systems, will spend more time on ASIL-D subsystems than on ASIL-A subsystems).
I think that there is an argument that incorrect classification of a requirement played a role in the crashes that occurred.
[The following comment/response was submitted by Michael A. Cusumano. --CACM Administrator]
Yes, I am sure there were lots of problems with how Boeing managed the MCAS requirements process and changes, especially as engineers and test pilots learned more about what the system needed to do in slow-speed flight after takeoff.