May 11, 2019

The five points given below were taken from an excellent article written by Jacob Beningo that appeared in “Electronics & Test Aerospace”, May 2, 2019.  I have added my own comments relative to those five (5) points.  It appears, from what we know now, that there were no mechanical failures causing both aircraft to crash.  The real failures were lack of training and possibly embedded electronic systems affecting on-board systems.

Recently the news headlines have been dominated by two crashes involving Boeing’s new 737 MAX aircraft. Both of these tragedies occurred under similar circumstances and within six months of each other. The fallout from these disasters may only be starting as aircraft around the world have been grounded, production of the 737 MAX has been decreased and March sales of the aircraft dropped to zero. The damage to Boeing’s reputation as a safety leader has now also come into question as investigations have been opened into how the system at the center of the investigations, MCAS, was developed and certified.

The investigations into the sequence of events that led to the loss of these aircraft, and into their underlying causes, will take time to fully discover—maybe even years but certainly months. However, with the information that has currently been released, embedded systems companies and developers can look at the fiasco Boeing is currently going through and learn, or be reminded of, several general lessons that they can apply to their own industries and products.

Lesson #1 – Don’t compromise your product to save or make money short-term

There is normal pressure on businesses and developers today to increase revenue, reduce costs and ship products as fast as possible. The result is not always quality. It isn’t security. It isn’t user friendly. The objective becomes maximum short-term growth at any cost.  The company needed to remain in good standing with Wall Street and its investors.  That seems to be the bottom line.  Boeing appeared to be under significant pressure from customers and shareholders to deliver an aircraft that could compete with the Airbus A319neo.  They may have started to cave to this normative pressure.

Lesson #2 – Identify and mitigate single points of failure

Boeing and the FAA are looking at embedded systems as they try to discover the root cause of both failures and how corrections may be made to eliminate future tragedies.  In any embedded system that is being developed, it’s important to understand the potential failure modes, what effect those failures will have on the system and how they can be mitigated. There are many ways that teams go about doing this, including performing a Design Failure Mode and Effects Analysis (DFMEA), which analyzes design functions, failure modes and their effect on the customer or user. Once such an analysis is done, we can then determine how to mitigate the effect of each failure.  This is common practice for systems and subsystems of any complexity.

Lesson #3 – Don’t assume your user can handle it

An interesting lesson many engineers can take from the fiasco is that we can’t assume or rely on our users to properly operate our devices, especially if those devices are meant to operate autonomously. Complex systems require more time to analyze and troubleshoot. It seems that Boeing assumed that if an issue arose, the user had enough training and experience, and knew the existing procedures well enough to compensate. Right or wrong, as designers, we may need to use “lowered expectations” and do everything we can to protect the user from himself.

Lesson #4 – Highly tested and certified systems have defects

Edsger Dijkstra wrote that “Program testing can be used to show the presence of bugs, but never to show their absence.” We can’t show that a system doesn’t have bugs, which means we have to assume that even our highly-tested and certified systems have defects. This should change the way every developer thinks about how they write software. Instead of trying to expose defects on a case-by-case basis, we should be developing defect strategies that can detect that the system is not behaving properly or that something does not seem normal with its inputs. We still test as many defects out of our system as possible, but when a new one arises in the field, a generic defect mechanism will hopefully be able to detect that something is amiss and take a corrective action.

Lesson #5 – Sensors and systems fail

The fact that sensors and systems fail should seem like an obvious statement, but quite a few developers write software as if their microcontroller will never lock up, encounter a single event upset or have corrupted memory. Sensors will freeze, processors will lock up, and garbage in will produce garbage out. Developers need to assume that things will go wrong and write code to handle those cases, rather than assuming we will always have a system that works as well in the field as it does on our lab benches. If you design your system considering the fact that it will fail, you’ll end up with a robust system that has to do a lot of hard work before it finally finds a way to fail (if it ever does).
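As an added illustration of Lessons #2, #4 and #5 (this is example code written for this post, not from the article or from any Boeing system): a dual-channel sensor vote in C that rejects out-of-range or NaN values, treats a channel with no fresh sample as frozen, refuses to act when two healthy channels disagree, and returns a fault status the caller must handle instead of silently trusting a single input. The sensor limits, timing window and sample values are constructed assumptions.

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
typedef struct { double value; uint32_t timestamp_ms; } reading_t; /* one channel's sample */
typedef enum { VOTE_OK = 0, VOTE_DEGRADED = 1, VOTE_FAULT = 2 } vote_status_t;
/* Assumed plausibility limits for a hypothetical sensor; not taken from the article. */
#define VAL_MIN      -30.0
#define VAL_MAX       30.0
#define MAX_DISAGREE   5.0  /* two healthy channels this far apart cannot both be trusted */
#define STALE_MS       200  /* no fresh sample inside this window means a frozen channel */
static bool in_range(double v) { return !isnan(v) && v >= VAL_MIN && v <= VAL_MAX; }
static bool fresh(const reading_t *r, uint32_t now_ms) {
    return (uint32_t)(now_ms - r->timestamp_ms) <= STALE_MS; /* unsigned math survives rollover */
}
/* Vote across two channels. OK: both healthy and agreeing, *out is their mean.
 * DEGRADED: one channel failed a check, *out is the survivor. FAULT: nothing is
 * trustworthy, *out is untouched and the caller must fall back to a safe state. */
vote_status_t vote_dual(const reading_t *a, const reading_t *b, uint32_t now_ms, double *out) {
    bool a_ok = in_range(a->value) && fresh(a, now_ms);
    bool b_ok = in_range(b->value) && fresh(b, now_ms);
    if (a_ok && b_ok) {
        if (fabs(a->value - b->value) > MAX_DISAGREE) return VOTE_FAULT;
        *out = 0.5 * (a->value + b->value);
        return VOTE_OK;
    }
    if (a_ok) { *out = a->value; return VOTE_DEGRADED; }
    if (b_ok) { *out = b->value; return VOTE_DEGRADED; }
    return VOTE_FAULT;
}
/* Runs four constructed scenarios; returns how many produced the expected status. */
int run_scenarios(void) {
    const reading_t cases[4][2] = {
        { {2.0, 1000},  {2.5, 1005} },   /* both fresh and agreeing    -> OK       */
        { {2.0, 1000},  {12.0, 1005} },  /* both fresh but disagreeing -> FAULT    */
        { {2.0, 500},   {3.0, 1005} },   /* channel a frozen (stale)   -> DEGRADED */
        { {99.0, 1000}, {2.0, 700} },    /* a out of range, b stale    -> FAULT    */
    };
    const vote_status_t expect[4] = { VOTE_OK, VOTE_FAULT, VOTE_DEGRADED, VOTE_FAULT };
    int passed = 0;
    for (int i = 0; i < 4; i++) {
        double v = NAN;
        vote_status_t s = vote_dual(&cases[i][0], &cases[i][1], 1100, &v);
        printf("case %d: status=%d value=%.2f\n", i, (int)s, v);
        if (s == expect[i]) passed++;
    }
    return passed;
}
int main(void) { return run_scenarios() == 4 ? 0 : 1; }
```

The point is the FAULT path: when no channel can be trusted, the code reports that fact rather than picking one reading and acting on it, which is the single point of failure Lesson #2 warns about.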

I had an opportunity to hear the chief engineering program manager discuss the “Dreamliner” and the complexities of that system.  They were LEGION.  Extremely complex.  Very time-consuming to work out all of the “bugs” in the computer programming necessary for successful AND safe air travel.  Trying to make a system “simple” by making it complex is a daunting task and one that needs to be accomplished, but it is always a “push” to get this done in a timely fashion and satisfy management and Wall Street.


March 18, 2014

In 1986 I joined a Fortune 100 company as a product design engineer.  The company had an extensive safety program which included a three-day course with first aid and bio-hazard training.  The instructor made one introductory comment I will never forget.

“I don’t care if your time with us is five minutes or fifty years.  We want you safe while on your way to work, while you are here and then during your commute home”.

This statement, or some version of it, has probably been made thousands of times – with feeling.  No one wants injuries to occur in any environment, and certainly not a workplace injury.  It is absolutely imperative that employees perform their functions under safe conditions.  With that being said, the employee must realize that accomplishing this goal means he or she must meet the company halfway.  Provisions for a safe working environment are a team effort.  OSHA (Occupational Safety and Health Administration) has specific guidelines relative to safe working conditions that companies and individuals need to follow to avoid injury.  Each state has adopted guidelines to govern working conditions.  These may be more stringent than OSHA’s, but generally they follow the same guidelines and aim for the same results.

Employers that invest in workplace safety and health related activities can expect to reduce fatalities, injuries, and illnesses. This will result in cost savings in a variety of areas, such as lowering workers’ compensation costs and medical expenses, avoiding OSHA penalties, and reducing the costs of training replacement employees and conducting accident investigations. In addition, employers often find that changes made to improve workplace safety and health can result in significant improvements to their organization’s productivity and financial performance.  If an employee knows the company he or she works for is committed to providing a safe working environment on a day-to-day basis, that employee will work with less tension and have less fatigue at the end of the day.  With this in mind, let us take a look at several rules that may govern workplace safety.

The following safety rules are admittedly somewhat “generic” but definitely apply to commercial concerns working to ensure the safety of personnel in the physical facility and in areas such as parking lots and outbuildings.  It is imperative that companies examine and develop their safety methodology depending upon need.  This list might be a very good place to start.

  • Report all incidents or injuries immediately to your supervisor or lead coordinator.  Failure to report may result in additional medical problems that could have been prevented.  Never “work through” an injury.  Never “push on” thinking the condition will get better as time goes by.  Seek medical attention immediately to forestall additional difficulties.
  • Be alert at all times and never take shortcuts that conflict with safe procedures.  When in doubt, seek advice from supervisory personnel or lead coordinator.
  • Safety devices, such as interlocks and machine guards, are not to be removed or made inoperative unless safe maintenance practices and lockout/tagout procedures are being followed.
  • Report defective machinery, equipment or unsafe conditions immediately to your supervisor or lead coordinator.   It is recommended that a written, as well as verbal, communication be used when discussing the problem.
  • Safety procedures and personal protective equipment (PPE) must be utilized as specified by the safety committee or safety coordinator.  All necessary PPE, i.e., gloves, safety glasses, steel-toed boots, hard hats, hearing protection, respirators, wrist bands, protective sleeves, waist belts, etc., must be worn at all times and never removed while in the work cell.
  • Make sure you are dressed appropriately for the environment you are working in.  In most industrial facilities, wearing short pants, open-toed shoes, sandals, high heels, loose or baggy clothing, tank tops, halter tops, etc. is prohibited.
  • Long hair extending beyond shoulder level can be very hazardous when operating moving machinery.   It must be pulled back.  (Use common sense.)
  • Use proper lifting techniques.  Consider the load, keep your back straight and use your legs for lifting.  Seek help if the load is too heavy.  Don’t do the macho-man thing and assume you can lift a load over forty (40) pounds.    Anything over forty (40) pounds requires assistance.
  • Good housekeeping practices are a must in an industrial environment.  Keep your work area clean and free from clutter.  Keep all aisles clear and all items stored properly in specified locations.  Be aware of boxes and components protruding into work areas and remove as needed.
  • Walk—do NOT run in the facility or on facility grounds.
  • Horseplay is definitely never condoned and practical jokes may cause injury to you or your co-workers.  DON’T DO IT.
  • Always be aware of overhead work, such as cranes and conveyor equipment operating above you.  Make sure you are not directly under an elevated conveyor system carrying parts through the facility. (NOTE:  Industrial engineering departments and personnel must NEVER position a pedestrian walkway directly under an overhead conveyor.)
  • If you are operating an overhead crane, always use a fall-protection device such as a safety belt or guard rail.
  • Seatbelts MUST be worn while operating forklifts. Operators must drive at safe speeds and sound their horns when approaching ALL intersections.  All forklift rules must be followed without exception. NEVER DRIVE WITH FORKS ELEVATED.
  • Compressed air must never be used to clean dust from your clothing.  Hand-actuated air nozzles must not exceed the OSHA thirty (30) PSI maximum pressure rating.
  • Safety glasses or safety goggles combined with face shields MUST be worn while using pedestal bench grinders, portable grinders, reciprocating saws, Skil or circular saws and jig saws.  Appropriate gloves must also be worn.
  • Follow all plant security procedures while entering and exiting the facility.  Keep your personal belongings stored and secured in a way that does not invite theft.
  • Be committed to safety by creating a workplace free of recognized hazards.  Work as a team to improve safety and reduce “at risk” behavior.
  • NEVER “ride” a conveyor, static or moving.  Use the appropriate “step-overs” when moving from side to side.
  • In many facilities robotic systems are used for processes.  Always be aware of equipment movements and the path those movements may take.  If safety barriers around robotic systems become inoperable, report this to your supervisor and DO NOT OPERATE until the condition is fixed.
  • Do not allow extension cords to lie on floors where abrasion and tearing can occur.  Equipment should be hard-wired where insulated wiring runs through conduit.  Temporary wiring should be located above floor level and never placed on the floor.  Call your supervisor when problems of this nature arise.
  • Anytime ladders are needed, they must be in good repair, with non-skid feet firmly placed against the flooring.  Never use a ladder on a sloping surface.  Never use a ladder to reach excessive heights.  Scissor lifts or “cherry-pickers” are much preferred.


It is imperative that any vendor or contractor be advised of safety rules within your facility.  They must abide by the very same rules you adopt for safety.  THIS IS A MUST.

I certainly hope you benefit from this very brief write-up and would enjoy your comments.
