Comments 1 - 11 of 11        Search these comments

2   anonymous   2019 Mar 17, 12:15pm  

Flawed analysis, failed oversight: How Boeing, FAA certified the suspect 737 MAX flight control system.

Federal Aviation Administration managers pushed its engineers to delegate wide responsibility for assessing the safety of the 737 MAX to Boeing itself. But safety engineers familiar with the documents shared details that show the analysis included crucial flaws.

As Boeing hustled in 2015 to catch up to Airbus and certify its new 737 MAX, Federal Aviation Administration (FAA) managers pushed the agency’s safety engineers to delegate safety assessments to Boeing itself, and to speedily approve the resulting analysis.

But the original safety analysis that Boeing delivered to the FAA for a new flight control system on the MAX — a report used to certify the plane as safe to fly — had several crucial flaws.

That flight control system, called MCAS (Maneuvering Characteristics Augmentation System), is now under scrutiny after two crashes of the jet in less than five months resulted in Wednesday’s FAA order to ground the plane.

Current and former engineers directly involved with the evaluations or familiar with the document shared details of Boeing’s “System Safety Analysis” of MCAS, which The Seattle Times confirmed.

The safety analysis:

•Understated the power of the new flight control system, which was designed to swivel the horizontal tail to push the nose of the plane down to avert a stall. When the planes later entered service, MCAS was capable of moving the tail more than four times farther than was stated in the initial safety analysis document.

•Failed to account for how the system could reset itself each time a pilot responded, thereby missing the potential impact of the system repeatedly pushing the airplane’s nose downward.

•Assessed a failure of the system as one level below “catastrophic.” But even that “hazardous” danger level should have precluded activation of the system based on input from a single sensor — and yet that’s how it was designed.

The people who spoke to The Seattle Times and shared details of the safety analysis all spoke on condition of anonymity to protect their jobs at the FAA and other aviation organizations.

Both Boeing and the FAA were informed of the specifics of this story and were asked for responses 11 days ago, before the second crash of a 737 MAX last Sunday.

Late Friday, the FAA said it followed its standard certification process on the MAX. Citing a busy week, a spokesman said the agency was “unable to delve into any detailed inquiries.”

Boeing responded Saturday with a statement that “the FAA considered the final configuration and operating parameters of MCAS during MAX certification, and concluded that it met all certification and regulatory requirements.”

Adding that it is “unable to comment … because of the ongoing investigation” into the crashes, Boeing did not respond directly to the detailed description of the flaws in MCAS certification, beyond saying that “there are some significant mischaracterizations.”

Several technical experts inside the FAA said October’s Lion Air crash, where the MCAS has been clearly implicated by investigators in Indonesia, is only the latest indicator that the agency’s delegation of airplane certification has gone too far, and that it’s inappropriate for Boeing employees to have so much authority over safety analyses of Boeing jets.

“We need to make sure the FAA is much more engaged in failure assessments and the assumptions that go into them,” said one FAA safety engineer.

Certifying a new flight control system

Going against a long Boeing tradition of giving the pilot complete control of the aircraft, the MAX’s new MCAS automatic flight control system was designed to act in the background, without pilot input.

It was needed because the MAX’s much larger engines had to be placed farther forward on the wing, changing the airframe’s aerodynamic lift.

Designed to activate automatically only in the extreme flight situation of a high-speed stall, this extra kick downward of the nose would make the plane feel the same to a pilot as the older-model 737s.



Boeing engineers authorized to work on behalf of the FAA developed the System Safety Analysis for MCAS, a document which in turn was shared with foreign air-safety regulators in Europe, Canada and elsewhere in the world.

The document, “developed to ensure the safe operation of the 737 MAX,” concluded that the system complied with all applicable FAA regulations.

Yet black box data retrieved after the Lion Air crash indicates that a single faulty sensor — a vane on the outside of the fuselage that measures the plane’s “angle of attack,” the angle between the airflow and the wing — triggered MCAS multiple times during the deadly flight, initiating a tug of war as the system repeatedly pushed the nose of the plane down and the pilots wrestled with the controls to pull it back up, before the final crash.

On Wednesday, when announcing the grounding of the 737 MAX, the FAA cited similarities in the flight trajectory of the Lion Air flight and the crash of Ethiopian Airlines Flight 302 last Sunday.

Investigators also found the Ethiopian plane’s jackscrew, a part that moves the horizontal tail of the aircraft, and it indicated that the jet’s horizontal tail was in an unusual position — with MCAS as one possible reason for that.

Investigators are working to determine if MCAS could be the cause of both crashes.

System failed on a single sensor

The bottom line of Boeing’s System Safety Analysis with regard to MCAS was that, in normal flight, an activation of MCAS to the maximum assumed authority of 0.6 degrees was classified as only a “major failure,” meaning that it could cause physical distress to people on the plane, but not death.

In the case of an extreme maneuver, specifically when the plane is in a banked descending spiral, an activation of MCAS was classified as a “hazardous failure,” meaning that it could cause serious or fatal injuries to a small number of passengers. That’s still one level below a “catastrophic failure,” which represents the loss of the plane with multiple fatalities.

The former Boeing flight controls engineer who worked on the MAX’s certification on behalf of the FAA said that whether a system on a jet can rely on one sensor input, or must have two, is driven by the failure classification in the system safety analysis.

He said virtually all equipment on any commercial airplane, including the various sensors, is reliable enough to meet the “major failure” requirement, which is that the probability of a failure must be less than one in 100,000. Such systems are therefore typically allowed to rely on a single input sensor.

But when the consequences are assessed to be more severe, with a “hazardous failure” requirement demanding a more stringent probability of one in 10 million, then a system typically must have at least two separate input channels in case one goes wrong.

Boeing’s System Safety Analysis assessment that the MCAS failure would be “hazardous” troubles former flight controls engineer Lemme because the system is triggered by the reading from a single angle-of-attack sensor.

“A hazardous failure mode depending on a single sensor, I don’t think passes muster,” said Lemme.

Like all 737s, the MAX actually has two of the sensors, one on each side of the fuselage near the cockpit. But the MCAS was designed to take a reading from only one of them.

Lemme said Boeing could have designed the system to compare the readings from the two vanes, which would have indicated if one of them was way off.

Alternatively, the system could have been designed to check that the angle-of-attack reading was accurate while the plane was taxiing on the ground before takeoff, when the angle of attack should read zero.

“They could have designed a two-channel system. Or they could have tested the value of angle of attack on the ground,” said Lemme. “I don’t know why they didn’t.”

The black box data provided in the preliminary investigation report shows that readings from the two sensors differed by some 20 degrees not only throughout the flight but also while the airplane taxied on the ground before takeoff.

No training, no information

After the Lion Air crash, 737 MAX pilots around the world were notified about the existence of MCAS and what to do if the system is triggered inappropriately.

Boeing insists that the pilots on the Lion Air flight should have recognized that the horizontal stabilizer was moving uncommanded, and should have responded with a standard pilot checklist procedure to handle what’s called “stabilizer runaway.”

If they’d done so, the pilots would have hit cutoff switches and deactivated the automatic stabilizer movement.

Boeing has pointed out that the pilots flying the same plane on the day before the crash experienced similar behavior to Flight 610 and did exactly that: They threw the stabilizer cutoff switches, regained control and continued with the rest of the flight.

However, pilots and aviation experts say that what happened on the Lion Air flight doesn’t look like a standard stabilizer runaway, because that is defined as continuous uncommanded movement of the tail.

On the accident flight, the tail movement wasn’t continuous; the pilots were able to counter the nose-down movement multiple times.

In addition, the MCAS altered the control column response to the stabilizer movement. Pulling back on the column normally interrupts any stabilizer nose-down movement, but with MCAS operating that control column function was disabled.

These differences certainly could have confused the Lion Air pilots as to what was going on.

Since MCAS was supposed to activate only in extreme circumstances far outside the normal flight envelope, Boeing decided that 737 pilots needed no extra training on the system — and indeed that they didn’t even need to know about it. It was not mentioned in their flight manuals.

That stance allowed the new jet to earn a common “type rating” with existing 737 models, allowing airlines to minimize training of pilots moving to the MAX.

Dennis Tajer, a spokesman for the Allied Pilots Association at American Airlines, said his training on moving from the old 737 NG model cockpit to the new 737 MAX consisted of little more than a one-hour session on an iPad, with no simulator training.

Minimizing MAX pilot transition training was an important cost saving for Boeing’s airline customers, a key selling point for the jet, which has racked up more than 5,000 orders.

The company’s website pitched the jet to airlines with a promise that “as you build your 737 MAX fleet, millions of dollars will be saved because of its commonality with the Next-Generation 737.”

In the aftermath of the crash, officials at the unions for both American and Southwest Airlines pilots criticized Boeing for providing no information about MCAS, or its possible malfunction, in the 737 MAX pilot manuals.

An FAA safety engineer said the lack of prior information could have been crucial in the Lion Air crash.

Boeing’s safety analysis of the system assumed that “the pilots would recognize what was happening as a runaway and cut off the switches,” said the engineer. “The assumptions in here are incorrect. The human factors were not properly evaluated.”

More: https://www.seattletimes.com/business/boeing-aerospace/failed-certification-faa-missed-safety-issues-in-the-737-max-system-implicated-in-the-lion-air-crash/
3   anonymous   2019 Mar 17, 4:09pm  

Kakistocracy says
FAA certified the suspect 737 MAX flight control system.


Wonder who is/was in the White House when this certification took place ? Could it be the Golden Golem ?
4   rocketjoe79   2019 Mar 17, 11:03pm  

Ok that's a full ignore for KAk now. Bringing POTUS into a safety discussion. Really? bye!
5   anonymous   2019 Mar 18, 1:24am  

rocketjoe79 says
Ok that's a full ignore for KAk now. Bringing POTUS into a safety discussion. Really? bye!


Awww - The FAA is part of "safety" for aircraft and airlines - my bad - I took the name of thy lord god and saviour in vain by thinking he might be responsible for something

As for the ignore...

7   FortWayneAsNancyPelosiHaircut   2019 Mar 18, 9:40am  

Russian bots still use windows 95?

Damn dated tech.

Kakistocracy says
rocketjoe79 says
Ok that's a full ignore for KAk now. Bringing POTUS into a safety discussion. Really? bye!


Awww - The FAA is part of "safety" for aircraft and airlines - my bad - I took the name of thy lord god and saviour in vain by thinking he might be responsible for something

As for the ignore...

8   Tenpoundbass   2019 Mar 18, 9:43am  

tovarichpeter says
FAA said Boeing had “ too much sway” over approval of 737


I thought it was Odd last week Rush Limbaugh was defending the Airliner and Boeing in a broadcast. Stating that even though the plane shouldn't have so much computerized automation, keeps the nose up. He was cheerleader that Boeing would fix this and go on to sale the thousands of planes on order.
I think he was channeling John McCain.
10   MrMagic   2019 Mar 18, 3:18pm  

Kakistocracy says
Kakistocracy says
FAA certified the suspect 737 MAX flight control system.


Wonder who is/was in the White House when this certification took place ? Could it be the Golden Golem ?


I knew he'd get around to blaming Trump for building such a faulty airplane.

TDS... Folks, it real (and getting WORSE).
11   Bd6r   2019 Mar 18, 3:23pm  

Kakistocracy says
As Boeing hustled in 2015 to catch up to Airbus and certify its new 737 MAX, Federal Aviation Administration (FAA) managers pushed the agency’s safety engineers to delegate safety assessments to Boeing itself, and to speedily approve the resulting analysis.

Kakistocracy says
Wonder who is/was in the White House when this certification took place ? Could it be the Golden Golem ?

Please register to comment:

api   best comments   contact   latest images   memes   one year ago   random   suggestions