Boeing 737 and Lessons Learned for Medical Device Industry

Recent tragic crashes of two Boeing 737 Max airplanes have sparked ongoing investigations into what went wrong and how this can be prevented in the future.  Earlier this year on separate occasions, two Boeing 737 Max aircrafts were sent into irrecoverable nose dives, killing a combined total of 346 people by software that was originally designed to stabilize the aircraft under very rare, high-speed maneuver situations.  This blog will review some initial findings as reported by the New York Times (1) and draw an analogy to very similar processes relied on by the Medical Device industry for patient safety.

First, let’s get an understanding of the original design of the system that is thought to have caused both planes to nose dive, the Maneuvering Characteristics Augmentation System, or MCAS.  MCAS was originally designed to stabilize the 737 Max during high-speed maneuvers, but under very rare circumstances.  The original design collected three measurements (wind, angle and speed) from two different sensors and would assume control of the aircraft if very specific criteria were met.  After an early test flight of the 737 Max was bumpier than expected, engineers began looking for design enhancements to improve handling of the aircraft.

The MCAS was ultimately repurposed and reconceived well beyond the original intended purpose to address this newly-identified stability issue.  MCAS’ role was expanded to prepare for many more scenarios than originally planned, such as aggressively nudging the nose of the aircraft down,with notably less information from sensors. However, because the new MCAS design changes were not made readily apparent to engineers, pilots, analysts or regulators responsible for reviewing the change, the full impact and risk of the changes were not considered, and therefore could not be mitigated.

How does this relate to medical device safety?  

Best practices often cross industries but may vary in terminology, level of documentation and other slight process adjustments, but overall the intent remains the same.   Whether the purpose is patient safety or passenger safety, having effective quality processes such as change management, risk management, configuration management and design review are essential.  During development and post-market changes, medical devices may undergo significant changes that could impact patient safety if not properly defined, assessed and mitigated as needed.  It is vital that Subject Matter Experts (SMEs) actively participate in the development, evaluation and mitigation of comprehensive risk scenarios that could impact patient safety.

Thorough assessment of risks in any industry relies heavily on accurate and complete definition of a new device or change (i.e. change management and configuration management) and communication to the team responsible for the safety of a device, aircraft, etc.  The fact that “Changes weren’t fully understood” by the 737 Max team and the assumption that “MCAS relied on more than one sensor”[CD1] [DS2] led to an incomplete assessment of risk scenarios, safety precautions and ultimately significant loss of life. Similarly, in the case of devices, having a complete understanding of changes and the corresponding impact to the overall system (device) is essential to assuring change and configure patient safety.  Processes such as change, configuration and risk management, when designed properly and embraced by the organization, can reduce the likelihood of patient injury or death.

While preparing for scenarios with a high and low probability of occurring, it is critical to consider the lifecycle of the system or device. Just as there is a high probability of bird strikes and maintenance worker damage, there are risks/threats related to cybersecurity and data integrity that should always be considered during risk assessment.  Cybersecurity risks have garnered significant attention recently due to the increased number of networked devices[CD3] [DS4] [DS5] and the magnitude and severity of threats. Having standard considerations of risk scenarios for consideration not only facilitate the process but can also generate questions among assessors that can lead to important, documented modifications to the scope of a change.

In addition to having a robust risk assessment methodology, assembling a team of Subject Matter Experts that represent the various necessary perspectives and can effectively define and assess the scenarios are critical to completing  holistic, meaningful and comprehensive mitigations.  Identification of vulnerabilities during a cybersecurity-focused risk assessment will yield controls that protect against exploitation such as cybersecurity-related design controls, user manual updates, access controls, encryption, etc.  Additionally, other controls designed to ‘detect, respond and recover’ should be implemented as required and documented during the verification and validation phase.

It is important to learn from mistakes that have been experienced across industries, such as with the MCAS, and apply principles broadly, where possible, to promote and adjust best practices across other industries. Understanding the process failures related to the 737 Max crashes holds great importance for  process reminders for the medical device industry.  The below list highlights some of the best practices that failed in the Boeing 737 Max MCAS example and should be considerations for the medical device industry:

• Changes should be assessed both from a module AND a system-wide perspective
• When the intended use of a module changes, full definition of the change should be documented, assessed, tested, mitigated, communicated, etc.
• Testing should include real-world scenarios that may occur
• Risk assessment must correctly assess likelihood of occurrence
• Training materials should inform users of circumstances where human intervention may be required

21CFR Part 820 coupled with FDA’s draft guidance on cybersecurity include the above considerations and provide a robust framework to effectively assess risk for medical devices.   An organization, however, must embrace this process, integrate risk management into company operations, assign strong process leadership/ownership and assure independent oversight to fully achieve the desired outcome of safer medical devices.

1. New York Times June 1, 2019, Nicas, Gelles, Glanz