27 Billion Reasons to Get Serious About Risk Management

One high-tech aircraft, two fatal crashes, 346 dead.

$27 billion of value lost in 2 days.  

This is how much the Boeing Company lost in market value over just two days this week following the fatal crash of one of its best-selling 737 MAX 8 aircraft. The plane, operated by Ethiopian Airlines, crashed shortly after take-off killing all passengers and crew aboard.

Almost immediately, regulators in many countries including the EU and China grounded all 737 MAX aircraft in their fleet. After dragging its feet for a couple of days, the Federal Aviation Administration (FAA) in the US also made the same decision. More than 50 countries have now grounded these planes and banned them from entering their airspace.

A single accident, however tragic it may be, usually does not lead to such a swift backlash. There is the typical news coverage, statements issued by the airline and the manufacturer, and a prolonged investigation. After a few days, things return to normal except for those who are directly affected by the tragedy. When the report comes out, steps are taken to fix the immediate problem and additional rules are created by the regulators. Soon the whole incident is forgotten until it happens all over again.

This case is different. Just around 5 months ago, another 737 MAX 8 crashed minutes after take-off in Indonesia under similar circumstances. Initial clues confirmed many similarities between the two incidents, which led to the worldwide loss of confidence in the aircraft itself. Even the FAA acknowledged in their statement that “new data from the crash site taken together with newly refined satellite-based tracking of the aircraft’s flight path” had led them to believe there was a possibility of a “shared cause” between the two incidents.

This is more than just chance. There is a rationale for the swift worldwide backlash, clearly reflected by the loss in market value.

There will be a lot of speculation and expert commentary in the coming days while we wait for the official investigation report. Already, the Boeing Company is in the cross-hairs of the media and regulators worldwide. Some of their largest customers are seeking reimbursement for the lost revenue and while others are reconsidering their orders. This is, without a doubt, a serious business situation for the company.

My interest in the story is more from the perspective of potential weaknesses in the risk management system. Boeing is a great company with an excellent history of innovation and market success. They have the best engineers on the planet working on the latest, most sophisticated designs. What could lead to such a vulnerability in this aircraft and its operation? There is no doubt in my mind that Boeing did a lot of testing and played by the book in meeting the stringent certification requirements. Yet we must take a pause and question their diligence, especially after the first crash in October 2018.

No one sets out to deliberately ignore critical control points from design, yet, to quote Don Rumsfeld, there known-unknowns and there are unknown-unknowns. Engineers design a contingency cushion based on certain assumptions about the known-unknowns. What do we do about the unknown-unknowns? That is the real purpose of post-market safety surveillance, which must shine a bright light on these unknown-unknowns so we can take timely action and continuously reduce the risk.

Based on initial reports, Boeing designers did consider the design risks in the 737 MAX, when they implemented the new Maneuvering Characteristics Augmentation System (MCAS). This software-based control system is supposed to help stabilize the plane by automatically lowering the nose when the angle of attack (AOA) is too high so it doesn’t go into a stall. This feature could work against the pilot when the AOA sensor readings are inaccurate and the MCAS continues to issue “nose-down” trim commands even though the pilot manually tries to get the plane to nose-up. The FAA issued an Emergency Airworthiness Directive (AD) after the October 2018 Lion Air crash in Indonesia about this condition requiring changes to the airplane flight manuals.

Clearly, a potential vulnerability in the system had been identified after the crash. Boeing issued its own bulletin calling “attention to an AOA failure condition that can occur during manual flight only”, and instructing pilots to manually disengage the system according to “existing procedures” on Runaway Stabilizer Non-Normal Checklist (NNC). In short, Boeing seems to have relied on the pilot’s ability to recognize the issue and handle the situation according to normal procedures. At the same time, Boeing announced work on updating the software to add redundancies and better manage the MCAS activation trigger points.

There is nothing wrong in expecting pilots to be able to recognize problems and handle emergency situations. It is their job. What is potentially troubling is that the design relied on a single point sensor, and no redundancy in the system to ensure proper action in the event of sensor failure. In the coming days, there will be a lot of focus on whether Boeing made the right call in selecting a single point sensor input for the MCAS activation.

In short, the focus will be on risk assessment.

Even if the initial risk assessment lacked the expected rigor, we can offer a benefit of the doubt to the company. But in light of the Lion Air crash, the expectation would be to do more than just issue an advisory notice and announce work on a software update. This is where the failure of the risk management system should be suspected.

Boeing is right now fighting a raging fire. Most recent estimate for the new software deployment is within weeks, not the months it had already taken them since the October crash. Surely, they have a lot many engineers working on this now that the company is actually losing cash and could potentially lose billions in sales if pending orders are withdrawn by customers all over the world. Loss in confidence is hard to recover from and the value of brand equity cannot be overestimated.

It does not have to be this way. A strong Risk Management, which constantly learns from the post-market safety data and requires timely action before things go out of control, is no longer a nice to have, it is a necessity. We live in a world of increasing complexity and technological sophistication. We have to do more to uncover, understand and manage risks to improve safety. We cannot rely on the safety standards of the past and must strive for better performance.

Boeing’s latest statement is far from comforting. The CEO statement on the website posted on March 17, 2019 does not show the sense of urgency required and does not go far enough:

“Boeing is finalizing its development of a previously-announced software update and pilot training revision that will address the MCAS flight control law's behavior in response to erroneous sensor inputs.”

The world is watching.

Related Article: Dangerous does not equal Unsafe

++++++++++++++++++

Resources:

FAA order on Boeing 737-8 and 737-9 model aircrafts – March 2019

FAA Emergency Airworthiness Directive after Lion Air Crash – Nov 2018

Flawed analysis, failed oversight: How Boeing, FAA certified the suspect 737 MAX flight control system

Can Boeing trust pilots?

Photo Credit:

Clemens Vasters on Flickr via Creative Commons

++++++++++++++++++

I love to learn, share ideas and enjoy interesting conversations. I am happy to share my experiences and lessons I have learned along the way. I hope to learn from your experiences as well. If my articles spark your interest and curiosity, I would love to engage with you. Leave a comment below, or send an email from my LinkedIn Profile.

Let us help each other through fresh thinking on interesting questions.

If you would like to receive regular updates, sign up for my newsletter.