Aviation Safety
Taking the 737 to the Max
Summarized using AI

Taking the 737 to the Max

by Nickolas Means

The video titled "Taking the 737 to the Max" delivered by Nickolas Means at RubyConf 2021 delves into the contentious history and design decisions surrounding Boeing's 737 MAX aircraft, particularly in light of the two tragic crashes that occurred.

The primary focus of the presentation is to explore the critical choices made within Boeing during the development of the 737 MAX and how those decisions contributed to its failures, along with broader lessons on decision-making in engineering and management contexts. The talk weaves in detailed accounts of the Lion Air Flight 610 crash and the Ethiopian Airlines Flight 302 incident to illustrate the consequences of those choices.

Key points discussed include:

- Background on Boeing and the 737: The 737 is the best-selling commercial aircraft, and its design limitations necessitated adaptations for new, more efficient engines.

- Industry Competition: The 737 MAX's inception responded to Airbus's A320neo, which was gaining market share due to its fuel efficiencies, leading Boeing to hurriedly update the 737.

- MCAS (Maneuvering Characteristics Augmentation System): A critical software addition meant to mimic handling characteristics of previous 737 models, was a central factor in the crashes.

- Technical Failures and User Training: Analysis of telemetry data from the crashes revealed severe discrepancies in angle-of-attack readings, leading to misconceptions by the pilots, tied to inadequate training programs that resulted from rapid growth within air travel sectors.

- Organizational Culture Impact: The shift in Boeing’s culture post-merger with McDonnell Douglas, emphasizing profit over engineering safety, led to decisions that inadequately prioritized safety in design and certification processes.

- Post-Crash Reforms: The video concludes with a discussion on how these tragedies have resulted in changes to federal regulation and internal procedures at Boeing, ultimately leading to improvements in pilot training and system safety.

The overall message emphasizes the importance of understanding systemic impacts from individual actions and making well-informed decisions as engineers and leaders, showcasing how small decisions can lead to significant, tragic outcomes. The lesson is not just how to avoid a failure like the 737 MAX's but understanding the effects of various pressures in organizational contexts.

00:00:10 Oh my goodness, everybody! Thanks so much for being here. It is so, so good to be on a stage in person again. I have missed this so much, and I think we all have, judging by the amount of fun we've all been having so far at the conference. My name is Nick Means; I lead engineering at a company called Sim, where we create tools to empower engineering teams to build security and compliance workflows that fit the way they already work. We're also hiring, like everybody else here, so please come say hi if that sounds interesting. Thanks to everyone at Sim for holding down the fort so that I could be here this week.
00:00:41 I also co-host a podcast on engineering leadership called "Managing Up." If you're a leader, whether you have an official title or not, the show is for you. I learn something literally every time we record, and I've got stickers, so come say hi if you'd like one.
00:01:00 Now, I want to start off with a brief content warning. This talk contains stories of a couple of plane crashes, one of them pretty vivid. So, if you're a nervous flyer already, this might not be the talk for you.
00:01:14 If you follow me on Twitter, you may know that I'm occasionally into plane spotting, especially when traveling. I love seeing planes that I've never seen before, like this unusual little Avro RJ85 that I saw at London City Airport. It has four engines for reasons, even though it only carries about 100 people. I also enjoy spotting special planes like Concorde, which is just hanging out on the tarmac at London Heathrow for anyone to see, if you're lucky enough to taxi out the right way.
00:01:38 But I also really like identifying planes in the air. One of the first ones that I learned to spot reliably was the Boeing 737. It's the best-selling commercial aircraft of all time, so it's everywhere. Once you know the trick, identifying this plane in the air becomes incredibly easy. The trick is that the 737 has no doors over its rear landing gear. So, if you see two tires poking out from the bottom fuselage of a plane and it's too big to be a regional jet, it's a 737.
00:02:00 You can see here on this one coming in for landing how the gear swing out from the wheel-shaped cavities in the center of the fuselage. So, why am I talking about plane spotting? Well, there's an interesting reason the 737 doesn't have rear landing gear doors, and that reason has everything to do with the problems with the 737 MAX.
00:02:20 We got our first hint that there was a problem with this plane with the crash of Lion Air Flight 610 off the coast of Indonesia on October 29, 2018. This is the Boeing 737 MAX 8, registration number PK-LQP, which operated Lion Air Flight 610 on that fateful day. In the picture, the plane is at Boeing's Everett, Washington delivery facility. It was taken in August 2018, just before the plane left on its final delivery voyage to Indonesia. This means the plane was just over two months old on the day of the accident—basically still brand new.
00:02:50 The captain for Flight 610 was Bhavya Sunija, an experienced pilot with over 6,000 hours of flying experience, most of that in the cockpit of a 737. In the right-hand seat was Harvino, who went by just one name—a common practice in Indonesia. He was another experienced pilot with almost as many hours in the 737 as Sunija.
00:03:00 Flight 610 was scheduled for a domestic service from Jakarta to Pangkal Pinang in Indonesia, departing at 6:20 in the morning and scheduled to arrive 50 minutes later. The easiest way to tell the story of Lion Air 610 is through data. This is the transcription of telemetry data from the plane's flight data recorder from the Indonesian NTSC's accident report, and it tells a very clear story. Let me walk you through it.
00:03:26 First, to get you oriented, the time stamps here at the bottom indicate intervals of one minute and 19 seconds apart. The reason for this is that they divided this chart into ten equal parts instead of the twelve minutes that the flight roughly lasted. Let me give us some more legible labels so we can navigate this chart. Let's start with the moment the plane gets airborne.
00:04:01 There are a couple of things that immediately indicate that this plane has a problem. First, as soon as the plane is in the air, the pilot's stick shaker starts shaking. Now, this is exactly what it sounds like—it's a vibration motor that shakes the yoke that the pilot is holding. It serves as the most urgent warning indicator on the flight deck, meant to get the pilot's attention when the plane's about to stall.
00:04:40 In this context, the stall refers to the wings' ability to generate lift, not the engines. When a wing is moving too slowly or at too steep an angle, vortices form on top of the wing, disrupting the smooth airflow that generates lift. This is clearly a bad thing in an airplane. When the plane senses it's at risk of this happening, it activates the stick shaker.
00:05:04 But the plane has just lifted off the ground and is climbing smoothly. Why does the plane think it's about to stall? Even stranger, why is it only the pilot's stick shaker that is going off? In an actual stall, you would expect both of the yokes in the cockpit to be shaking. The answer to both questions lies a few lines further down the chart.
00:05:51 The angle of attack indicated on the pilot's instruments is about 20 degrees greater than the angle of attack on the copilot's instruments. Now, what is angle of attack? The plane's angle of attack is the angle at which the plane is moving through the air that doesn’t always follow the nose.
00:06:05 When the plane approaches a stall, the nose might be pointing up in the air while the plane is actually moving more parallel to the ground. The plane senses the angle of attack using a vein on each side of the aircraft, with each vein feeding the instruments on that side of the flight deck.
00:06:30 On Flight 610, the pilot's vein was malfunctioning, reading about 20 degrees steeper than the copilot's. This disagreement starts when the plane is still on the ground and persists throughout the flight. When the plane finally does take off, it immediately believes it's stalling.
00:06:56 About two minutes into the flight, Harvino asks air traffic control for clearance to a holding point. The controller quickly vectors him and inquires for a reason, to which he responds, 'We've got a flight control problem.' For some reason, however, he doesn’t declare an emergency.
00:07:17 A minute later, having reached their hold point, Captain Sunija becomes concerned about the plane's flaps—the extensions of the wings used to generate lift at lower speeds. He had been ignoring them up to this point due to everything else happening, but now he notices that they’re flying too fast to have the flaps extended, so he retracts them.
00:07:50 Almost immediately, the plane plunges 700 feet uncommanded. If you're a roller coaster fan, this drop is about three times the main drop of a modern hyper coaster. Captain Sunija finds himself pulling back on a suddenly very heavy yoke and realizes that the plane is out of trim.
00:08:19 Sure enough, there's a significant nose-down change in the trim reflected in the data. So, what is trim? Let's take a look at the tail of the 737. At the back of the plane is a sort of mini wing called the horizontal stabilizer, and at the back of the horizontal stabilizer is the elevator.
00:08:43 The elevator is the control surface that responds when the pilot pulls or pushes on the yoke to make changes to altitude or pitch. However, it would be exhausting to continuously pull back on the yoke for the entire climb phase of the flight. This is where trim comes in. If you look at the front of the horizontal stabilizer, you'll notice a metal track that allows the entire horizontal stabilizer to angle up or down.
00:09:18 This mechanism is what trim adjusts. It serves as a kind of cruise control for climbs and descents. Now, for some reason, the plane's auto trim made a pretty dramatic adjustment, pushing the nose of the plane down.
00:09:40 Captain Sunija quickly provides a manual trim adjustment to pull the nose back up, but a few seconds later, auto trim kicks in again, pulling the nose back down. There’s an unwritten rule in aviation that when you make a change to the configuration of the plane and it behaves in a way you don’t understand, you should undo that change.
00:10:06 So, that's precisely what Captain Sunija does. He extends the flaps again, hoping that the auto trim will stop—and sure enough, it does. There are a few routine adjustments, but no more dramatic drops. However, Sunija is still worried about his flaps, knowing they can’t complete the flight with them extended.
00:10:31 He is still intent on completing this flight, so he retracts the flaps again. Almost immediately, he is fighting auto trim again. At that time, Harvino asks air traffic control for a return to Jakarta. The return is granted, but there are strange aspects to this.
00:10:55 First, Harvino still doesn't declare an emergency; he's proceeding as if this is a normal flight. Secondly, the controller doesn't ask Flight 610 if it wants to declare an emergency—typically, if you're requesting a return to an airport, it's a question a controller would ask to facilitate the process.
00:11:19 Instead of clearing other planes out of the way and allowing 610 to focus on flying, air traffic control keeps giving them turns around other traffic, complicating their attempts to keep the plane in the air. Captain Sunija would keep fighting the plane for the next six minutes while Harvino scoured the flight manual for anything, anything that might explain what was happening and how to fix it.
00:11:45 For every auto trim activation, Sunija would counter with an equal burst of manual trim. Despite the oscillations, the trim averaged out to mostly even over those six minutes, and he managed to maintain altitude. It would have been terrifying to be in the back of the plane as it went up and down in increments of 100 and 200 feet.
00:12:09 Finally, not sure what else to do with the beleaguered plane, Sunija hands over the controls to Harvino so that he can look through the flight manual himself in hopes of finding something helpful. But he’s so flustered at this point that he neglects to tell Harvino what he has been doing to keep the plane level.
00:12:43 The auto trim continues to activate; Harvino counters with brief bursts of manual trim adjustment, but not nearly enough to counter the auto trim. Less than 30 seconds later, the plane reaches maximum nose-down trim. At this point in the flight, the cockpit voice recorder captures Harvino reciting a verse from the Quran, asking God for a miracle.
00:13:07 Sunija pulls back on the yoke as hard as he can, trying to pull this plane out of a dive, but it's too late. Flight 610 plunged 5,000 feet in 15 seconds, hitting the water at over 500 miles per hour and killing all 189 souls on board.
00:13:34 An absolute tragedy. The world understandably wanted to know what happened, but the other airlines flying the 737 MAX needed to know what had happened and if it could potentially happen to their brand-new 737 MAXes as well.
00:13:56 So, eight days later, Boeing sent its first message to the plane's operators, but it didn't convey much of importance. Basically, it indicated that the early information regarding Lion 610 pointed to an uncommanded nose-down trim as a result of a malfunctioning angle of attack sensor.
00:14:20 However, there was one problem: there was no documented system on the 737 MAX by which a malfunctioning angle of attack sensor could trigger nose-down trim—it simply didn’t exist. This bulletin didn't clarify that at all. Boeing received so many questions about this that four days later, they sent out another operator message.
00:14:49 This message contained the first public acknowledgment of the now-infamous Maneuvering Characteristics Augmentation System, or MCAS. This system was responsible for the uncommanded trim on Lion Air 610, and if you've followed the 737 MAX story at all, you've probably heard of it.
00:15:10 So, what is MCAS? To answer that question, we need to know a little bit about the history of the 737. The 737 was launched by Boeing in 1967—54 years ago now. Commercial aviation was still pretty young back then, and airlines wanted access to markets beyond the big cities with their large airports.
00:15:44 This meant they required a plane that could fly into smaller airfields that might not have jet bridges or baggage handling equipment. Consequently, the 737 was built low to the ground, enabling ground crews to load and unload bags directly from the ground without needing a conveyor or even a step ladder. This design is why the 737 doesn't have rear landing gear doors—there simply isn’t enough room; it’s too low to the ground.
00:16:05 Now, low clearance became a problem as engine technology evolved in the early 1980s when Boeing wanted to update the original low-bypass engines of the 737 with newer, more efficient high-bypass turbofans. They had to find a way to fit the new larger engines under the wings. This strange-looking, egg-shaped engine inlet was the solution they came up with.
00:16:32 They used the same solution again in the mid-90s to create the 737 Next Generation. In addition to upgrading from manual to electronic displays in the flight deck, the 737 Next Gen squeezed in a slightly more efficient engine under the wing using similar but not quite as dramatically shaped inlets. However, the low clearance went from an engineering challenge to a significant problem in 2011.
00:17:01 A year prior, in 2010, Airbus had introduced the A320neo. The A320 is the 737's closest competitor, carrying roughly the same 180 passengers along similar routes. The neo, short for new engine option, was the first major revision of the A320 since its launch, incorporating new CFM LEAP engines with a much higher bypass ratio, resulting in nearly 20% fuel savings over the older A320 and, crucially, the 737 Next Gen.
00:17:25 Boeing had long disregarded the competitive threat posed by Airbus, and that continued with the Neo. They were not too worried about it because they were planning to design a new plane from scratch for the 180-seat market, assuming current customers would continue buying the 737 Next Gen until the new plane was ready.
00:18:00 However, Boeing CEO James McNerney received a rude awakening with a phone call from American Airlines CEO Gerard Arpey. American was preparing to make its largest-ever aircraft order—400 planes in total—to replace its aging fleet of McDonnell Douglas MD-80s.
00:18:29 McNerney thought the deal was a sure win because American's modern fleet was largely Boeings, until Arpey informed him that American's first 200 planes would be a mix of A320s and A320 Neos from Airbus. This was a significant blow. However, there was good news: Boeing could still compete for the other half of the order.
00:18:54 But American wanted the same fuel economy as the A320neo and wanted it on the same five-year timeline that Airbus had promised. To fully grasp Boeing's response in this situation, we need to go back to 1997 when Boeing acquired McDonnell Douglas, another American aircraft manufacturer.
00:19:30 Boeing, led by CEO Phil Condit, had long been an engineering-driven company with airplane people at the top. In contrast, McDonnell Douglas was led by Harry Stonecipher, a graduate of Jack Welch's GE, who focused heavily on maximizing shareholder value.
00:19:58 Stonecipher quickly made his influence felt after joining Boeing as president. Boeing became more focused on profit margins and stock price. He also convinced Condit and the board to move Boeing's headquarters from Seattle to Chicago, which served to insulate executives making business decisions from the engineers who might push back.
00:20:23 When Condit resigned as CEO in 2003, Stonecipher took over. He told the press, 'When people say I changed the culture of Boeing, that was the intent, to run it like a business rather than a great engineering firm.' This seems innocuous on the surface, but this cultural shift created a growing win-at-all-costs environment within Boeing.
00:20:44 Condit's resignation was actually a result of forced out after scandals involving competitor documents and violations of government procurement laws that occurred on his watch. McNerney took over from Stonecipher in 2005, just two years after Stonecipher's own ethical lapses.
00:21:05 The Boeing 787 Dreamliner project was suffering from manufacturing delays and battery problems, while the 737 was the only plane Boeing was actually delivering in the early 2010s. By this point, Boeing's stock price was already down due to the issues surrounding the 787.
00:21:33 American's threat of defection to Airbus would further drag it down and might inspire other airlines to buy from Airbus too. McNerney wasn’t going to let this happen, no matter the cost, and so, three months later, the 737 MAX was born.
00:21:52 Designing it was a frantic project within Boeing, with engineers working at double their normal pace. Boeing made some aerodynamic improvements and also incorporated the exact same CFM LEAP engines as the A320neo, matching it on fuel efficiency.
00:22:23 The proposal was successful; American ordered 737 MAXes to fill the rest of their order, but with one condition—the MAX had to be type-rated with the current 737 Next Gen planes, meaning pilots qualified to fly the Next Gen wouldn’t require costly simulator training to operate the MAX.
00:22:54 Southwest placed an order under the same condition, but they made it even stronger, insisting on a one-million-dollar rebate per plane if pilots required simulator training to operate.
00:23:23 The CFM LEAP engines achieve their efficiency through a higher bypass ratio, allowing more airflow around the core of the jet engine, which generates more thrust. However, the problem is that to accommodate these LEAP engines, they are much larger.
00:24:00 Common type rating wasn’t a challenge for Airbus, as it could simply swap in the new engine with a few other major changes. However, due to how low the 737 sits to the ground, it wasn't so straightforward for Boeing. Instead of fitting the engine under the wing, they adjusted its position forward, providing ample space for the larger engine.
00:24:28 While this was a great workaround, like most solutions, it came with drawbacks. They discovered the first issue during early wind tunnel testing: as the plane climbed in a steep banked turn—near stalling—the pressure felt on the yoke by the pilot did not match earlier 737 models.
00:24:50 Due to the extra lift generated by both the placement and increased power of the engines, when the MAX stalled, the experience was much less dramatic than previous models. Traditional low-speed stalls involve substantial buffeting and vibration, with a quick 30-degree nose-down drop once the stall occurs; however, with the MAX, the nose only descended gently by around 10 degrees.
00:25:24 This handling difference prevented the MAX from receiving a common type rating. Since this situation is one that passengers would almost never experience, Boeing once again reached for MCAS. Instead of a 0.6-degree activation, MCAS would add 2.5 degrees of nose-down trim as the plane stalled, mimicking the quick 30-degree drop of earlier 737 generations.
00:25:55 This solution worked effectively, making the MAX behave almost identically to its predecessors. Given that MCAS had already been classified as non-critical and this activation only expected to occur at low speeds when pilots had ample time to react, Boeing did not update the safety analysis documentation submitted to the FAA during the plane certification.
00:26:18 This lack of updating overseeing the certification documents proved critical; Boeing's chief technical pilot, Mark Forkner, was under immense pressure from company leadership surrounding type rating, so he suggested intentionally excluding MCAS from the 737 MAX flight manual.
00:26:43 The logic was that it operated in the background and pilots were not supposed to interact directly with it. The FAA agreed with this reasoning, allowing the omission, but did not fully consider the new low-speed stall activation scenario, as Boeing had not updated its safety analysis.
00:27:09 Furthermore, something that seemingly nobody accounted for was the possibility of MCAS activating repeatedly. The maximum adjustment for the 737's trim is 4.7 degrees, so it would only take two MCAS activations to reach maximum nose-down trim if the pilot didn’t counter it with manual adjustments.
00:27:31 Moreover, MCAS paused for only five seconds between each manual trim adjustment before it activated again. All of Boeing's analyses were based on single activation scenarios, assuming pilots could promptly spot and address any erroneous activation in about three seconds.
00:27:56 This assumption stemmed from the fact that MCAS activation closely resembles another control problem that pilots practice for, known as runaway trim.
00:28:23 In a runaway trim scenario, the automatic trim of the aircraft begins adjusting trim to one extreme and doesn’t stop. It continuously runs out until it reaches maximum activation. At this point, two manual trim wheels, located on the console between the pilot and co-pilot, begin to spin significantly.
00:28:45 These wheels turn about 40 times during a 2.5-degree MCAS activation and even more during a runaway trim event. In this situation, these wheels will just spin endlessly, and the recovery process should be straightforward.
00:29:06 First, the pilot would turn off the two stab trim cutout switches, disabling the electrical stabilizer trim of the plane and reverting to complete manual control. Next, the pilot would pull back on the yoke to keep the plane level and finally use the manual trim wheels to set the plane back into trim for level flight.
00:29:41 We know Captain Sunija recognized he had a trim problem on Lion Air 610 because he continuously countered MCAS's nose-down adjustments with manual nose-up trim. So why didn’t he or Harvino hit the stab trim cutout switches?
00:30:04 Aviation journalist William Langewiesche argues in his New York Times Magazine article that this boils down to pilot training. Due to the rapid growth of global aviation, there were more flight decks to fill than there were pilots to man them.
00:30:30 Airlines like Lion Air had to expedite training programs and develop pilots swiftly just to keep their planes in the sky. Langewiesche asserts that pilots trained quickly often learn by rote, instead of experiential learning, resulting in graduates who know how to operate planes but lack knowledge on addressing non-standard situations.
00:30:54 The astonishing 95% graduation rate of Lion Air's training academy seems to back up this lack of rigorous training, which is an extraordinarily high graduation rate for a pilot academy. Moreover, Indonesia was one of the fastest-growing aviation sectors worldwide, accounting for over 15 times more passenger fatalities per million flights than the global average.
00:31:16 The contention is that because the situation presented to Sunija and Harvino didn’t match anything in their training, they were incapable of responding effectively. Rather than having recognized the MCAS pulsing on and off as an emergency, they were unsure what to do.
00:31:40 This troubling pattern repeated itself less than five months later with Ethiopian Airlines Flight 302. This incident occurred after Boeing published bulletins on MCAS. The pilots were entirely aware of the issues that plagued the aircraft, as a malfunctioning angle of attack sensor resulted in the pilot's stick shaker operating for nearly the entirety of the flight.
00:32:00 MCAS activated shortly after the pilots retracted the flaps. Although the Ethiopian pilots hit the stab trim cutout switches, they had to turn it back on as the aerodynamic load on the horizontal stabilizer was so significant that they couldn't manually adjust the trim. They attempted to turn it back on to trim the plane again and subsequently switch it back off, but as they attempted to do this, MCAS activated again.
00:32:25 Tragically, they crashed shortly thereafter, killing everyone on board. This second crash led to a worldwide grounding of the 737 MAX, leading to scenes like this of undelivered 737 MAX planes parked at Boeing's plant in Renton, Washington.
00:32:51 At this juncture, one might question whether it was Boeing's fault for the added MCAS feature on the 737 MAX, or the FAA's fault for failing to certify it more rigorously. Was it the pilots’ fault for the initial failure, or does the blame trace back to the Boeing-Douglas merger and the resulting culture change at Boeing?
00:33:10 Danielle Meadows, in her remarkable book, "Thinking in Systems," provides us with tools to dissect the situation using systems thinking. Meadows introduces the concepts of stocks and flows: stocks are the fundamental units of a system that you can quantify and measure; they react slowly to changes. Flows are the elements that increase or decrease these stocks.
00:33:35 To visualize this, consider the water in a bathtub as a stock, while the spigot acts as a flow that can increase the presence of that stock, and the drain reduces it. The system is also subject to feedback loops that affect flow rates.
00:34:00 In this case, we'll consider the stock as safety. While it's challenging to quantify, the bathtub analogy holds: certain factors increase or decrease safety in this system and provide an overall measurement.
00:34:25 The clouds shape the boundaries of our system, and instead of pondering where safety originates or departs, we focus on what influences the rates of safety increase or decrease within the system. We cannot eliminate everything that reduces safety, so the goal is to ensure that the rate of safety increases sufficiently to compensate for the decrease.
00:34:50 Let’s start with pilot training. It’s clear that safety in the system rises with the quality of pilot training. High-quality pilot training feeds the flow of safety into the system in a beneficial feedback loop.
00:35:17 However, we also see that the rising safety of air travel has dramatically increased the amount of travel—meaning more people fly each year. This increases the demand for pilots, which adversely affects training quality and consequently decreases system safety.
00:35:40 Moreover, this increased travel drives up the number of planes required by airlines annually. This has multiple impacts: first, it incentivizes technological advancement as more planes sold facilitate investment recovery, generally promoting safety improvements.
00:36:00 However, the escalating demand for planes also creates an economic landscape conducive to consolidation, yielding cost-saving opportunities while diluting Boeing's commitment to engineering and safety excellence. This trend contributes to a decline in perceived safety, as engineers may opt to relax standards for profit.
00:36:30 Furthermore, the increasing number of planes in demand intensifies competitive pressure, forcing Boeing to catch up with Airbus. This necessitated speedier design processes, often perceived as being safe due to the prevailing safety standards. However, this ultimately compromised design quality.
00:37:00 Lastly, the prevailing level of safety in the system allowed Congress to instruct the FAA to increase certification delegation. This included changes to MCAS that ended up compromising safety.
00:37:25 Every feedback loop identified in this system is rooted in the existing safety. So what are the implications? Ultimately, safety caused the problems with the 737 MAX.
00:37:50 In the introduction to "Thinking in Systems," Meadows posits that individuals and entities within a system can operate according to their best intentions and rationality, yet these well-meaning actions can collectively produce disastrous outcomes. That precisely describes the situation here: each participant in the system—empowered by modern aviation safety—borrowed a little safety to optimize some other facet.
00:38:20 It’s a delicate balance since the only way to ensure perfect safety in aviation is not to fly at all. Many of the actions undertaken were logical given their incentives and motivations, yet cumulatively, they led to tragedy. This serves as a lesson for us.
00:38:55 If we attend only to isolated events and the actions of individual players rather than viewing the system as a whole, we will struggle to make sense of the results we are generating. In practical terms for teams, if your team is having difficulty shipping and you respond by pushing individuals to work harder without understanding the systemic issues hindering their efforts, you will just exhaust everyone.
00:39:30 Or if an incident occurs and you focus solely on individual accountability rather than exploring underlying causes, it’s likely you’ll fail to learn anything and merely repeat the error. You don’t have to be in a leadership role to adopt this perspective; anyone can bring it to the discussion table.
00:40:00 All of life operates in systems, and enhancing your capacity to perceive and think within these systems will yield substantial benefits in achieving your objectives. Let me conclude on a positive note regarding the 737 MAX.
00:40:26 Systems typically adapt and seek self-preservation, and this situation is no exception. Following the two crashes, several developments have taken place: first, the drop in safety within the system compelled Congress and the FAA to reconsider their approach to delegation.
00:40:54 Manufacturers can no longer self-certify novel or unusual design features, and the FAA must approve the individuals whom manufacturers delegate certification authority to. This should enhance safety within the system.
00:41:22 The crashes also impacted both design speed and quality at Boeing—both directly and indirectly in relation to changes in FAA delegation and certification practices. The 737 MAX was grounded for one year and eight months while Boeing took the necessary time to revise the aircraft to ensure it was correct, effectively implementing improvements they should have made during the initial design phase.
00:41:50 Other software and wiring issues were likewise identified and resolved during the recertification efforts, clearly enhancing safety. The version of MCAS now active on the MAX can only activate once in a stall event and will only do so if the pilot and copilot's angle of attack sensors are in agreement.
00:42:14 Finally, the crashes highlighted the necessity for pilots to undergo simulator training to operate the 737 MAX, which benefits training quality and further improves safety in the system.
00:42:37 The system has effectively balanced itself and has adjusted in response to these tragedies. It’s likely that at least one person in this audience will be flying home on a 737 MAX, and I don’t want to leave you anxious about that.
00:43:04 So if that’s you, rest assured—the MAX has undergone extensive scrutiny at this point, and it might actually be the safest plane in the air. As you go forth, good luck in learning how to see and influence the systems surrounding you. This knowledge is your path to achieving meaningful change.
00:43:27 Thanks so much for coming!
Explore all talks recorded at RubyConf 2021
+92