Avoiding the Next Boeing Door Plug Incident: Lessons from the YF-22

In January 2024, a door plug blew off a Boeing 737 passenger jet, leaving a gaping hole in the cabin. The frightening incident was national news and raised questions about how such a thing could happen.

A cabin view of the Boeing 737 where the door plug detached from Alaska Airlines Flight 1282 in January 2024. (Public domain image courtesy of the NTSB.)

Many designers and project managers have been spooked by this incident and considered a haunting question: Could something similar happen with a design on my project? And if so, how do I prevent it? There are lessons I learned from my experience in helping to design the YF-22, the prototype of the U.S. Air Force F-22 Raptor.

Designing the YF-22

As a young engineer, I had a passion to design new, exciting things. At the beginning of my career, I had the opportunity to work for General Dynamics (now Lockheed Martin) to help design a new supersonic air-superiority fighter jet. We were still in the Cold War, and there was pressure to design a high-performance aircraft while following an aggressive schedule. For example, when an executive distributed a memo directing engineers to work 54 hours per week, my chief engineer clarified that the memo applied to wimps in other groups and that we were expected to work more. It was an intense environment, and we were under a lot of pressure to stay on schedule while using emerging technologies to create a high-performance aircraft with unprecedented capabilities.

The YF-22 Advanced Tactical Fighter (the prototype of the U.S. Air Force F-22 Raptor) firing a missile launched from the weapons bay. (Public domain image courtesy of the U.S. Air Force.)

One of my early, relatively straightforward assignments was to design a “fuel floor” to separate the fuel tank from a weapons bay below. Like the Boeing door plug, the fuel-floor access door filled a space large enough for a person to go through and was bolted onto the aircraft structure. As we’ve seen with Boeing, a problem with the door plug could cause it to be ripped off, making a hole in the airplane that would change the cabin pressure and could cause things (or people) to be sucked out. In the case of the fuel-floor access door, a problem with the seal could result in a fuel leak. And in this case, it wouldn’t be just any leak—the door separated the fuel tank from the weapons bay where missiles were carried and launched. If fuel leaked into the bay and a missile was launched, it could ignite the fuel, causing the aircraft to explode.

A cross-section sketch showing an access door to a fuel tank above the YF-22 weapons bay. Pressure in the fuel tank could push the door away from the seals, letting fuel leak into the weapons bay and potentially causing catastrophic failure. (Not to scale.)

I performed the engineering analysis to ensure the door could withstand the expected pressures. My design was subjected to the usual brutal design review conducted by a group of more experienced engineers, and I modified the design according to their input. It then went through the gauntlet of required approvals by multiple specialized groups. I made suggested changes to secure the necessary approvals, and it was eventually sent off to be manufactured.

However, I still had reservations. It was bothering me that the door was below the fuel floor so that fuel pressure could push the door open, and if the bolts weren’t tight enough or the seal wasn’t good enough, then fuel could leak into the weapons bay. I’d talked to people about this concern during the approval process, and everyone assured me that it would function fine—after all, this wasn’t the first fuel floor ever designed. Nevertheless, the potential risks kept me up at night.

I came up with an alternative design with the door on top of the fuel floor so that fuel pressure would push the door closed, which would be more robust in the face of inconsistencies in installation quality. It would be safer because there were fewer things that would cause it to fail. Also, I would be able to sleep again.

The proposed design change for the access door design. Pressure causes the door to press more tightly against the seal, helping to avoid fuel leaking into the weapons bay. (Not to scale.)

An engineering change order would not be popular and would need the approval of my chief engineer, John Slaughter (name changed as a professional courtesy). Slaughter was a no-nonsense, old-school, intimidating manager on a mission to keep the aircraft design on schedule. I worked up the courage for the conversation with Slaughter, not knowing how it would go. The time came, and I explained my concerns and the change I wanted to make. He asked if I had designed the door to survive extreme loads and had my calculations double-checked by the stress group. I confirmed that I had. He said my proposed change would make it harder for mechanics to open the door. I agreed that they would have to use a handle to move the door once the bolts were undone but explained it wouldn’t take a lot more effort. He reminded me that we were under a tight schedule and that this part had already been approved and redoing it would be going backward on the schedule. I said that I would do the change on my own and would still do the work needed to keep my other assignments on task. He assured me that the chances of a leak and ignition were slim. I agreed, but unlike in other places, the consequences of a fuel leak in this location could be catastrophic. He gave me permission to do the engineering change order. I made the change and ran it through the approval process again, repeatedly defending the change with each group.

Lessons Learned

I have often shared this experience with engineering students to prepare them to have the courage to do what they feel is right, even when it is difficult or unpopular. While I still believe that is a valid point to make to budding engineers, as I’ve had experiences managing project teams, I’ve noted another important point: other than his gruff, intimidating manner that made it difficult to discuss issues, John Slaughter’s response is a model for handling an engineer’s safety concerns. Here are a few points to consider:

1. Listen to those working in the trenches. Slaughter was an exceptional engineer with impressive aircraft design experience. However, his experience also taught him that I was closest to the design and that no one had thought about it more than I had.

2. Probe to understand the issue and the associated risks. Slaughter asked questions to evaluate the situation. He recognized that although this was similar to structures in the past, and the chances of failure were small, the consequences of a problem in this location necessitated additional caution.

3. Take a long view of schedules and costs. We have all taken shortcuts that have cost more time in the end. The best thing would have been for me to have done the safer design in the first place, but the next best time was to do it as soon as possible. It is much easier to move a line on a drawing than to modify existing parts, and the tooling to make them, once they are already built. And of course, a catastrophic failure of the aircraft would have immeasurable consequences that could extend beyond this project alone. (The economic consequence for Boeing after the door plug incident is a case in point.)

4. Be willing to change your opinion when new information is available. He was seasoned and respected, but he wasn’t arrogant. He listened to my reasoning and altered his decision despite not fully agreeing with my concerns. He also knew that hubris can lead to disastrous consequences in technical projects. The laws of nature have no respect for titles, authority, or charisma, and force of will cannot change them.

5. Have the courage to make hard decisions. I knew it took courage for me to approach Slaughter with the problem, but it wasn’t until later that I appreciated the courage it took for him to authorize me to go forward with the change. He would have needed to defend the decision to his leadership in a schedule review, justify an unpopular engineering change order, and support a design that may have been more difficult to maintain. Despite those challenges, he did it.

Conclusion

One inconvenience about the work of preventing bad things from happening is that you seldom know if your preventive actions made a difference. It’s entirely possible that the YF-22 would have operated just fine with the original design, just like the majority of Boeing 737s don’t lose door plugs. But what I do know for certain is this: I was able to sleep better at night, and the YF-22 did not explode.
