Boeing: What does the science say?
Safety science suggests that the long-term degradation of safety culture and 'defences in depth' is a complex problem, requiring sustained long-term medicine.
737 door ‘blow-out’
On January 5, 2024 at 1714, Boeing 737-9, N704AL, hurtled down the runway of Portland international airport, lifted itself from the ground and began its climb into the sky. When it had reached just 16,000 feet a loud bang sounded. The passengers’ ears popped and the captain and flight officers’ headsets were dragged from their heads as the air was violently sucked from the plane. The flight crew donned their oxygen masks and, struggling to hear themselves, declared an emergency to Air Traffic Control. One of the door plug units was gone, leaving a gaping hole in the middle, left hand side of the plane. Jolted into a well-practised drill, the pilot and flight officer methodically applied the ‘rapid decompression checklist,’ and thankfully the plane descended and juddered to a halt on the runway without further incident, albeit with a very shaken set of passengers and crew.
Missing bolts
The aluminium exit door ‘plug’ - that ultimately landed on the land of a Portland resident below - had been manufactured by Boeing sub-contractor Spirit AeroSystems. It was constructed in Malaysia and then taken to its site in Wichita, Kansas where it was installed and rigged to the 737 fuselage. This fuselage then arrived at Boeing’s Renton, Washington facility in August of last year, to be assembled into plane N704AL.
Once the door plug unit is in place it’s secured by four bolts, which are only ever intended to be removed for maintenance and inspection. Soon after the plane arrived in Renton, inspection found five damaged rivets on the edge frame of the door plug. Photographic evidence presented in the initial investigation report for the incident showed that after engineers from the supplier had fixed the rivets, the bolts were not put back, leaving the door plug unsecured.
More bad news
This accident, occurring to an industrial megalith like Boeing, would always be front page news. However it occurred while Boeing is still seeking to salvage its business, its reputation and the future of the 737 MAX plane following the catastrophic loss of two planes and 357 lives in accidents in Indonesia and Ethiopia in 2018 and 2019. Although the immediate cause of those accidents was the failure of a sensor in the plane’s new collision avoidance system (MCAS) that led to the plane pitching down into the ground, the broader diagnosis was of long-term drift in Boeing’s safety culture. Investigators and journalists have stated with conviction that over decades the company had degraded from being a safety pioneer that supported engineering excellence above all else, to an organisation whose values and behaviours had been hollowed out through corporate pressure, and the termites of financial penny pinching.
Airlines around the world had been gradually reassured by the actions taken by Boeing, the FAA and the US Government after the two crashes, including large fines, and the replacement of the CEO, Dennis Muilenburg. Orders for the 737 MAX had been returning. But this incident gives major pause for thought once again. As the head of Emirates Airlines recently said Boeing is now in the: ‘last chance salon.”
What’s the link?
The accidents happened to the same manufacturer, and to the same class of plane. But they were due to different causes. One related to the fundamental redesign of the plane and errors in its recertification. The root cause of the other was a maintenance error by a sub-contractor. But one obvious common theme is the need in both cases for robust independent checking. Of course its often said that ‘culture is how people behave when no one is looking,’ and this certainly rings true in Boeing’s current malaise.
The DOJ investigation that led to a $2.5 billion fine was scathing about the culture of secrecy and dishonestly that led to the two 737 MAX crashes. Acting Assistant Attorney General David P. Burns of the Justice Department’s Criminal Division said:
Boeing’s employees chose the path of profit over candor by concealing material information from the [Federal Aviation Administration (FAA)] concerning the operation of its 737 MAX airplane and engaging in an effort to cover up their deception.
But the FAA itself was not spared blame. Its policy of relying on self assessments of safety by Boeing employees - called ‘organization designation authorization’ - came under intense scrutiny as it emerged that it was largely unaware of the MCAS automated flight-control system that played a key role in the crashes.
Following this latest incident, the FAA has been forced to take action on door plug inspections, after safety concerns were raised by carriers who have now taken things into their own hands, by beefing up their own quality inspections for the new planes coming off the production line.
These concerns around rigour of inspection have, of course, arisen at a time when there is intense financial pressure on Boeing to catch up with the backlog of MAX orders created by the regulatory pause in accepting them.
Resident pathogens
So what’s going on? Any safety scientist can’t think about Boeing’s situation without organisational accident theory popping into their head. James Reason’s classic Swiss Cheese model describes the processes typically at work: When a major accident occurs in a complex organisation it’s because multiple controls have failed at different places to different people over time. Holes in the safety barriers line up - like holes in slices of Swiss cheese, allowing the accident to pass through all of them.
The model has often become a glib short-hand but actually it is much more than a picture. Reason wrote two books thoroughly exploring the model and its associated themes. And returning to my well thumbed copy of Reason’s ‘Human Error’ - with the pencil marks from my PhD study still evident - I was immediately reminded of how astonishingly useful it is in thinking deeply about the mechanisms at work here. All of the behavioural and cultural mechanisms that have been attributed to the demise of Boeing’s safety performance are carefully and clearly described. And so are their remedies.
Where you have many ‘defences in depth’ - as you do in the operation of a passenger airline - it may take a long time for their degradation to occur. But commercial pressures can create a prevailing trend towards their relaxation. If the criticisms levelled at Boeing are true, in the face of such a trend, the demise of its culture has been half a century in the making.
In ‘Human Error’ Reason likens a significantly degraded safety culture, and weakened organisational safety defences prior to the occurrence of a major accident, to resident pathogens in a body prior to a serious illness:
for the most part [latent errors] are tolerated, detected and corrected…But every now and again, a set of external circumstances…arises that combines with these resident pathogens in subtle and often unlikely ways to thwart the systems defences and to bring about its catastrophic breakdown.
An organisation with a degraded safety culture is therefore like the body of someone who has lived a very unhealthy life, ready to succumb to a major illness when the particular environmental triggers emerge. The fatal trauma that ultimately occurs may seem unlikely in itself - as unlikely as the failure of a collision avoidance system, or a door unit being jettisoned from a plane - but actually as the body is riddled with pathogens it is just a question of which environmental triggers happen first.
Long-term commitment
If this diagnosis is true then Boeing’s problems are indeed severe. As it took a long time for its safety culture to get here, it will very likely take a long time to correct it.
After the two crashes there was some fanfare about Boeing changing its governance to create a new safety oversight committee. It was supposed to restructure the company’s internal reporting lines, avoid conflicts of interest between departments and ensure the company’s executive worked more closely with its engineers on safety matters. And yet the door plug incident - an almost unthinkable failure for a passenger airline - still happened.
Lasting change will only come with sustained commitment at all levels of the organisation and its supply chain. Going back to Reason’s analogy, making short-term efforts to turn around a safety culture that has degraded over decades is a bit like eating junk food for years, and then going on a health kick by eating a few salads. What is actually needed is a complete and permanent lifestyle change. In response to the latest accident Boeing’s senior management has publicly acknowledged that it is accountable for what happened and that is, of course, the right place to start.
The latest proposal is for a not-for-profit technical oversight body. Such a body would need to ensure that it has both technical competence, and independence from Boeing’s delivery function to hold the line on safety in the face of intense commercial pressures, for the very long-term. This will be easier said than done. Even while recognising the need for improved quality assurance, customers have raised concerns that this will slow delivery of planes. RyanAir CEO Michael O’Leary recently said that:
there's no doubt that the increased supervision by the FAA (Federal Aviation Administration) in Seattle will slow things down.
I’m keen to build the network for Tech Safe Transport. If you know anyone who is interested in the safety of modern transport technology, and who likes a thought provoking read every few weeks, please do share a link with them.
Thanks for reading
All views here are my own. Please feel free to feed back any thoughts or comments and please do feel free to drop me an e-mail.
My particular area of professional interest is practical risk management and assurance of new technology. I’m always keen to engage on interesting projects or research in this area.