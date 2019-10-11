An international panel of air-safety regulator experts convened by the Federal Aviation Administration released a damning report Friday that criticizes both Boeing and the FAA for the way they assessed and approved the design of the 737 MAX automated flight control system implicated in two fatal airliner crashes.

The Joint Authorities Technical Review (JATR) panel found that the system, which played a central role in the accidents in Indonesia and Ethiopia that killed 346 people, “was not evaluated as a complete and integrated function in the certification documents that (Boeing) submitted to the FAA.”

As first reported by the Seattle Times on March 17, the panel found that Boeing submitted to the FAA for evaluation an inadequate technical description of the airplane’s new Maneuvering Characteristics Augmentation System (MCAS) that lacked full details of when the system activated and the extent of its power to push an airplane nose down.

The report states that technical details of MCAS were “not updated during the certification program to reflect the changes to this function within the flight control system.”

“In addition, the design assumptions were not adequately reviewed, updated, or validated; possible flight deck effects were not evaluated; the (System Safety Assessment) SSA and functional hazard assessment (FHA) were not consistently updated; and potential crew workload effects resulting from MCAS design changes were not identified.”

“The lack of a unified top-down development and evaluation of the system function and its safety analyses, combined with the extensive and fragmented documentation, made it difficult to assess whether compliance (with safety regulations) was fully demonstrated,” the report states.

The report also found that the FAA had “limited involvement” in the evaluation of MCAS and left most of the work of assessing the system to Boeing itself.

“In the B737 MAX program, the FAA had inadequate awareness of the MCAS function which, coupled with limited involvement, resulted in an inability of the FAA to provide an independent assessment of the adequacy of the Boeing-proposed certification activities associated with MCAS.”

The report, confirming a Seattle Times report on May 5, also cites indications that Boeing employees working on the certification of the airplane on behalf of the FAA faced “undue pressure” from managers who prioritized cost and schedule.

“Signs were reported of undue pressures on Boeing … engineering unit members performing certification

activities on the B737 MAX program,” the report states. It recommends that such authorized engineers at Boeing be provided “open lines of communication to FAA certification engineers without fear of punitive action or process violation” to ensure they “are working without any undue pressure when they are making decisions on behalf of the

FAA.”

The report attributed the undue pressure within Boeing to “conflicting priorities and an environment that does not support FAA requirements.”

The panel also addresses the assumption in the FAA regulations that pilots will recognize something wrong within a second during manual flight and will respond with corrective action within 3 seconds. The report indicates that the 737’s crew alerting systems that tell pilots when something goes wrong may not be adequate for such an assumption.

“The 3-second reaction time may not be appropriate, depending on the cockpit alerting philosophy and trim system architecture and controls,” the report states.

The JATR recommends that, when a system fault or inappropriate operation results in cascading failures and multiple alarms the FAA should address “how adequately the certification process considers the impact of multiple alarms, along with possible startle effect, on the ability of pilots to respond appropriately.”

“Inherent in this issue is the adequacy of training to help pilots be able to respond effectively to failures that they may never have encountered before, not even in training,” the report states.

Last week, the Seattle Times reported that Boeing pushed the FAA to relax certification requirements for crew alerts on the 737 MAX.

JATR was convened in April by the FAA to independently evaluate all aspects of the design and certification of MCAS.

Chaired by former National Transportation Safety Board (NTSB) Chairman Christopher Hart, the panel is made up of technical safety experts from the FAA and NASA along with the civil aviation authorities of Australia, Brazil, Canada, China, the European Union, Japan, Indonesia, Singapore and the United Arab Emirates.

Boeing did not directly address the report’s findings Friday but said in a statement that it “is committed to working with the FAA in reviewing the recommendations and helping to continuously improve the process and approach used to validate and certify airplanes.”

FAA Administrator Steve Dickson issued a statement thanking JATR for its “unvarnished and independent” report.

“I will review every recommendation and take appropriate action,” Dickson said. We welcome this scrutiny and are confident that our openness to these efforts will further bolster aviation safety worldwide.”

EASA, the European Union Aviation Safety Agency, called the report “thorough.”

“We will analyse all recommendations made to assess their relevance to the European system and take action wherever necessary,” EASA said in a statement.

MCAS consists of new flight control software added to the MAX. If a sensor that measures the jet’s angle of attack, the angle between the wing and the oncoming air flow, indicates that the nose of the aircraft is pitching up, MCAS is designed to swivel the jet’s horizontal tail — called the horizontal stabilizer — so as to push the nose of the aircraft back down.

Boeing has prepared a redesign of MCAS that addresses the inadequacies of the original design, which was activated by a single angle-of-attack sensor. On both crash flights, the accidents were initiated by a false signal from that one sensor.

The updated MCAS software will be activated only if both such sensors on the aircraft show the same high angle of attack. In addition, the system is now redesigned so that it can activate only once.

And Boeing has changed the overall software system architecture to compare readings from both flight control computers, instead of using only one, and to shut down in less than a second if the computer disagree.

But as regulators evaluate those improvements and the pilot training that will be required, the 737 MAX remains grounded worldwide seven months after the second crash.