Safety Checks

Credit: Oleg V Belyakov

In the aftermath of the Ethiopian Airlines 737 MAX crash on March 10, but before the FAA issued its order grounding those planes, there was a media feeding frenzy because other governments had acted sooner, writes industry commentator Bob Poole.

Even respected Wall Street Journal aviation reporter Andy Pasztor penned a story headlined “Ethiopian Airlines Crash Highlights FAA’s Diminished Clout on World Stage.” I disagree.

Until March 13, when FAA Acting Administrator Dan Elwell issued the grounding order, there were no real data linking the Ethiopian crash to last year’s Lion Air crash caused by pilots’ unfamiliarity with the MCAS stall-prevention system. That new data was provided to FAA that day by Nav Canada, which retrieved it from the new space-based ADS-B tracking system, Aireon, of which Nav Canada is part-owner.

It revealed erratic up and down flight movements by the Ethiopian plane prior to its crash, very much like those of the Lion Air 737. Both China and the European Union Aviation Safety Agency (EASA) acted without any data, and in EASA’s case, without following its normal procedures. Sandy Murdock, a former FAA chief counsel, provided an excellent overview of this subject in the March 18 issue of JDA Journal, concluding that FAA had acted prudently. Republican Congressman Sam Graves, ranking member of the House Transportation & Infrastructure Committee, and a private pilot, attributed EASA’s premature decision to emotion and political pressure. As for China, its officials likely seized an opportunity to one-up the capitalist West.

A second media frenzy followed soon after. Various safety and consumer advocates asserted that the Trump administration’s regulatory relief efforts had led to FAA being too lax with aerospace companies such as Boeing. The real story was unearthed by Seattle Times reporter Dominic Gates: There was a safety regulatory change that directly affected Boeing’s 737 MAX development and the MCAS, but it took place four years ago (in 2015), during the Obama administration.

Citing information from Boeing and FAA engineers, Gates discovered pressure from FAA managers to delegate more than the normal safety assessment and oversight responsibilities to Boeing. (It has long been standard industry-wide practice for certain details of safety review to be delegated to aerospace company engineers, but the 2015 decision increased the extent to which this was done for the 737 MAX, which Boeing was intent on getting into production rapidly so it could compete with the growing sales volume of the Airbus A320neo.) Gates quotes an FAA engineer saying that halfway through the certification process, “we were asked by management to re-evaluate what would be delegated [to Boeing].” And he added, “There was constant pressure to re-evaluate our initial decisions.”

What I find particularly disturbing is what Gates reports about the MCAS System Safety Analysis. In my first job out of MIT, doing systems analysis at Sikorsky Aircraft, one of the first things I learned was called “failure modes and effects analysis”—a crucial aspect of engineering design. The MCAS for the 737 MAX depended on input from a single angle-of-attack (AOA) sensor. General commercial aircraft practice permits reliance on a single input only if the probability of a failure is less than 1 in 100,000 and the result of a failure would be only “major.” If the failure of the system is judged to be “hazardous,” then the failure probability must be less than 1 in 10 million—and then at least two sensor inputs are required. The System Safety Analysis allowed for just one AOA sensor input—a very serious mistake, given what we now know about “catastrophic” 737 MAX failures.

But there’s more. The horizontal stabilizer – which non-aviation people call a “tail wing” – moves up or down to change the plane’s angle of attack. The original System Safety Analysis showed the maximum stabilizer movement that MCAS could command was 0.6 degrees. After the Lion Air crash, Gates reports, Boeing’s bulletin to airlines said that the limit was actually 2.5 degrees – a huge difference. Both a former FAA safety engineer who had worked on the MAX certification and a former Boeing flight controls engineer who was delegated by FAA to work on it told Gates that the Safety Analysis was supposed to have been updated to reflect any changes resulting from flight testing prior to final certification – but neither knew whether this had been done. The 2.5 degrees would almost certainly have led to a re-definition of MCAS failure as “hazardous” or “catastrophic,” requiring at least two separate AOA sensor inputs and possibly other design changes.

These are serious problems, and Department of Transportation Secretary Elaine Chao made a wise decision in asking the DOT Office of Inspector General to audit FAA’s certification of the 737 MAX. What we don’t need, however, is congressional grandstanding on this critically important subject or calling people on the carpet prior to a careful, complete analysis of the facts. My guess is that some changes will be needed in the extent of delegation of certification responsibilities. But getting the right answers depends on a calm and serious assessment of what went wrong and what changes would ensure safe aircraft without imposing needless costs and delays.

1 Comment

  1. We should wait for the detailed reports on the two accidents to become available. Jumping to conclusions or commenting on uncertain factors and hearsay is not acceptable.
