An international panel of air-safety regulators convened by the Federal Aviation Administration (FAA) released a damning report Friday that criticizes both Boeing and the FAA for how they assessed and approved the design of the 737 MAX automated flight-control system implicated in two fatal airliner crashes.
More broadly, the panel also questioned how systems on the MAX were certified as derivative of a now-50-year-old aircraft design.
And it further recommended that airplane-safety systems address the new reality of increased cockpit automation by reducing the reliance on pilots to respond to emergencies, and instead designing protections as part of the systems.
The report from officials representing 10 different regulatory bodies carries the weight of the world’s aviation experts. Its findings point to glaring shortcomings in how Boeing’s 737 MAX was certified as safe, with the company effectively auditing its own design and the FAA unable to fulfill its oversight role.
That’s a blow to Boeing’s reputation but also to the long-established primacy of the FAA among global aviation bodies. And the report raises serious questions as to how the regulatory system can be fixed to prevent similar accidents in the future.
The Joint Authorities Technical Review (JATR) panel found that the MAX’s new flight-control system, which played a central role in the accidents in Indonesia and Ethiopia that killed 346 people, was not properly evaluated in the certification documents that Boeing submitted to the FAA.
Echoing a Seattle Times report on March 17, less than a week after the second crash, the panel found that Boeing submitted to the FAA an inadequate technical description of the airplane’s new Maneuvering Characteristics Augmentation System (MCAS), lacking full details of when the system activated and the extent of its power to push an airplane nose down.
Boeing’s documentation of MCAS was fragmented and incomplete, the report said. When Boeing changed the design to make it more powerful and to reduce the trigger mechanism to a single sensor, that wasn’t fully communicated to the FAA.
The report also found that the FAA had “limited involvement” in the evaluation of MCAS and left most of the work of assessing the system to Boeing itself.
“MCAS should have been considered a novelty (and therefore clearly highlighted to the FAA technical staff) owing to the important differences in function and implementation it has on the B737 MAX,” the report declares.
In practice, FAA personnel had “inadequate awareness” of how MCAS worked, which “resulted in an inability of the FAA to provide an independent assessment.”
The report, confirming a Seattle Times report on May 5, also cites indications that Boeing employees working on the certification of the airplane on behalf of the FAA faced “undue pressure” from managers who prioritized cost and schedule.
The report recommends revision of the system whereby the FAA delegates much of the oversight of airplane certification to Boeing, a system known as Organization Designation Authorization. Under ODA, Boeing engineers who do the certification analysis and testing report to managers within the Boeing organization who relay the results to the FAA.
The JATR recommends adjusting this structure so that authorized engineers at Boeing have direct, “open lines of communication to FAA certification engineers without fear of punitive action or process violation” to ensure they “are working without any undue pressure when they are making decisions on behalf of the FAA.”
This recommendation mirrors the advice of experts cited in the May 5 Seattle Times story who advised the FAA to revert to elements of an earlier oversight structure — called Designated Engineering Representatives or DERs — in which the Boeing engineers who act on behalf of the FAA report to their technical counterparts at the FAA.
Pilots unable to cope
The panel also questions the assumption in FAA regulations that pilots will recognize something wrong within 1 second when flying the plane manually and will take corrective action within 3 seconds. The report indicates that the 737’s crew-alerting systems that tell pilots when something goes wrong may not be adequate for such an assumption.
The JATR noted that a system fault can result in cascading failures, and asked the FAA to assess the adequacy of both the certification process and of pilot training to address “the impact of multiple alarms, along with possible startle effect, on the ability of pilots to respond appropriately.”
Regulators need to ensure there’s adequate training so pilots can “respond effectively to failures that they may never have encountered before,” the report states.
Last week, the Seattle Times reported that Boeing pushed the FAA to relax certification requirements for crew alerts on the 737 MAX.
As a result, the JATR team determined, the certification process did not adequately address this issue of multiple clamoring alarms and the expected pilot response.
JATR therefore recommends a top-down reassessment of how airplanes like the MAX that are derivatives of earlier models are certified, to determine when an aging aircraft design is “incapable of supporting the safety advancements introduced by the latest regulations.”
The report states that the FAA raised concerns to Boeing about the cumulative effect of cockpit system changes from the previous 737 model to the MAX and suggested that might create a need for simulator-level pilot training.
Boeing’s response to this concern, which the FAA accepted, was that there was “no precedent” for a demand for enhanced training in previous certifications of derivative models.
In a teleconference call Friday, JATR chairman Christopher Hart, former chair of the National Transportation Safety Board (NTSB), said that the increasing prevalence of automation on aircraft means that the problems with the MAX are “not just an airplane problem, but an airplane/pilot problem,” which he said complicates decisions about grounding and ungrounding an aircraft and is likely to become a major issue in the future.
“As automation becomes more and more complex, pilots are less likely to fully understand it and more likely to have problems and more likely to encounter scenarios in real operations that they haven’t seen even in a simulator,” he said.
Hart called on the FAA and regulators worldwide to recognize and address “this new reality of super-complex automation and pilots not necessarily understanding how to operate it.”
The JATR report says that as systems become more complex, the certification process should ensure that aircraft incorporate “fail-safe” designs, meaning that any system failure triggers an automatic default into a safe mode.
The goal is to eliminate or mitigate hazards “through design, minimizing reliance on pilot action as primary means of risk mitigation,” the report goes on.
The panel separately recommends that “the FAA should review the natural (bare airframe) stalling characteristics of the B737 MAX to determine if unsafe characteristics exist.”
This implies JATR wants the FAA to assess the safety of the plane without MCAS in operation. Boeing has said that the purpose of MCAS is not to prevent a stall but simply to make sure the MAX handles exactly like the earlier model 737 when going through certain stall testing.
Some criticism of the company on social media has been skeptical of this, proclaiming the MAX “inherently unstable” because it needs software to fly safely.
To demonstrate otherwise, Boeing test pilots this summer repeatedly flew that required stall test on the MAX — an extreme maneuver called a “wind-up turn” — both with and without the revamped MCAS operating. Boeing says it is satisfied with the results.
The FAA and overseas regulators will conduct their own flight tests, likely next month.
JATR was convened in April by the FAA to independently evaluate all aspects of the design and certification of MCAS. The panel is made up of technical safety experts from the FAA and NASA along with the civil aviation authorities of Australia, Brazil, Canada, China, the European Union, Japan, Indonesia, Singapore and the United Arab Emirates.
Boeing did not directly address the report’s findings Friday but said in a statement that it “is committed to working with the FAA.”
FAA Administrator Steve Dickson issued a statement thanking JATR for its “unvarnished and independent” report.
“I will review every recommendation and take appropriate action,” Dickson said. “We welcome this scrutiny.”
MCAS consists of new flight-control software added to the MAX. If a sensor that measures the jet’s angle of attack, the angle between the wing and the oncoming air flow, indicates that the nose of the aircraft is pitching up, MCAS is designed to swivel the jet’s horizontal tail — called the horizontal stabilizer — so as to push the nose of the aircraft back down.
The JATR report notes the failure in communication between Boeing and the FAA during the certification process as MCAS evolved “from a relatively benign system to a much more aggressive system.”
The result was a failure to address the potential unintended consequences that resulted from “designing software for one scenario — in this case, high-speed windup turns — and then modifying the software for a different scenario — in this case reducing the pitch-up tendency at higher angles of attack at low speeds.”
Boeing has prepared a redesign of MCAS that addresses the inadequacies of the original design, which was activated by a single angle-of-attack sensor. On both crash flights, the accidents were initiated by a false signal from that one sensor.
The updated MCAS software will be activated only if both such sensors on the aircraft show the same high angle of attack. In addition, the system is now redesigned so that it can activate only once.
And Boeing has changed the overall software system architecture to compare readings from both flight control computers, instead of using only one, and to shut down MCAS in less than a second if the computers disagree.
But as regulators evaluate those improvements and the pilot training that will be required, the 737 MAX remains grounded worldwide seven months after the second crash.
On Friday’s teleconference, FAA spokesman Lynn Lunsford said that because the FAA is doing an entirely new safety analysis of all the changes to the MAX before giving the plane clearance to return to service, “the majority of the return to flight issues that have been raised by JATR are being addressed.”
“We are going through the recommendations one more time to make sure that any of them that aren’t being addressed will be as part of the current review,” Lunsford added.