Slashdot Mirror


Flawed Analysis, Failed Oversight: How Boeing, FAA Certified the Suspect 737 MAX Flight Control System (seattletimes.com)

In one of the most detailed descriptions yet of the relationship between Boeing and the Federal Aviation Administration during the 737 Max's certification process, the Seattle Times reports that the U.S. regulator delegated much of the safety assessment to Boeing and that the analysis the planemaker in turn delivered to the authorities had crucial flaws. 0x2A shares the report: Both Boeing and the FAA were informed of the specifics of this story and were asked for responses 11 days ago, before the second crash of a 737 MAX. [...] Several technical experts inside the FAA said October's Lion Air crash, where the MCAS (Maneuvering Characteristics Augmentation System) has been clearly implicated by investigators in Indonesia, is only the latest indicator that the agency's delegation of airplane certification has gone too far, and that it's inappropriate for Boeing employees to have so much authority over safety analyses of Boeing jets. "We need to make sure the FAA is much more engaged in failure assessments and the assumptions that go into them," said one FAA safety engineer. Going against a long Boeing tradition of giving the pilot complete control of the aircraft, the MAX's new MCAS automatic flight control system was designed to act in the background, without pilot input. It was needed because the MAX's much larger engines had to be placed farther forward on the wing, changing the airframe's aerodynamic lift. Designed to activate automatically only in the extreme flight situation of a high-speed stall, this extra kick downward of the nose would make the plane feel the same to a pilot as the older-model 737s.

Boeing engineers authorized to work on behalf of the FAA developed the System Safety Analysis for MCAS, a document which in turn was shared with foreign air-safety regulators in Europe, Canada and elsewhere in the world. The document, "developed to ensure the safe operation of the 737 MAX," concluded that the system complied with all applicable FAA regulations. Yet black box data retrieved after the Lion Air crash indicates that a single faulty sensor -- a vane on the outside of the fuselage that measures the plane's "angle of attack," the angle between the airflow and the wing -- triggered MCAS multiple times during the deadly flight, initiating a tug of war as the system repeatedly pushed the nose of the plane down and the pilots wrestled with the controls to pull it back up, before the final crash.

[...] On the Lion Air flight, when the MCAS pushed the jet's nose down, the captain pulled it back up, using thumb switches on the control column. Still operating under the false angle-of-attack reading, MCAS kicked in each time to swivel the horizontal tail and push the nose down again. The black box data released in the preliminary investigation report shows that after this cycle repeated 21 times, the plane's captain ceded control to the first officer. As MCAS pushed the nose down two or three times more, the first officer responded with only two short flicks of the thumb switches. At a limit of 2.5 degrees, two cycles of MCAS without correction would have been enough to reach the maximum nose-down effect. In the final seconds, the black box data shows the captain resumed control and pulled back up with high force. But it was too late. The plane dived into the sea at more than 500 miles per hour. [...] The former Boeing flight controls engineer who worked on the MAX's certification on behalf of the FAA said that whether a system on a jet can rely on one sensor input, or must have two, is driven by the failure classification in the system safety analysis. He said virtually all equipment on any commercial airplane, including the various sensors, is reliable enough to meet the "major failure" requirement, which is that the probability of a failure must be less than one in 100,000. Such systems are therefore typically allowed to rely on a single input sensor.

14 of 471 comments

  1. Questions for the system designers here by Anonymous Coward · · Score: 4, Insightful

    [quote]only two short flicks of the thumb switches[/quote]

    In the systems you design, typically how many times is the user expected to press the Stop Trying To Kill Us button before the system leaves off trying to do so?

    1. Re:Questions for the system designers here by fahrbot-bot · · Score: 4, Insightful

      If an engineer designs a plane so it overrides pilot inputs and pushes the nose down based on input from a single sensor, that engineer deserves to go to prison and be barred from practicing engineering for the rest of his life.

      I'd argue that the Boeing and FAA managers that approved such a system should get locked up while the engineer should be sent back to engineering school and learn how to say "no" if asked to design such a system again.

      --
      It must have been something you assimilated. . . .
  2. Now I am even more worried... by mrlinux11 · · Score: 4, Insightful

    The statement of using only one sensor is scary, especially for something that automatically adjusts the flight path, but even having two is scary. With 2 sensors, how does the software know which is right when they disagree? For true fault tolerance you need a minimum of 3 sensors.

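    The redundancy point raised in this comment, and the single-input design the article summary describes, can be made concrete with a small voting model. The following is an added example written for this page; it is not code from the article, from Boeing or from any commenter, and the disagreement tolerance (5 degrees), the activation threshold (20 degrees) and the independence of sensor failures are assumptions of the demo, not figures from the page. Only the 1-in-100,000 "major failure" bound comes from the article.

```python
from typing import Optional, Sequence

# Constructed tolerance for this demo, not a certification figure: two
# angle-of-attack (AoA) readings further apart than this are treated as
# disagreeing.
DISAGREE_DEG = 5.0

# Constructed activation threshold for the demo automation; the article does
# not state the real MCAS threshold.
ACTIVATE_DEG = 20.0


def single_sensor(aoa: Sequence[float]) -> Optional[float]:
    """One input, the design the article attributes to MCAS: whatever the
    single vane reports is taken as truth, so a stuck-high vane is
    indistinguishable from a genuine high-AoA condition."""
    return aoa[0]


def dual_sensor(aoa: Sequence[float]) -> Optional[float]:
    """Two inputs: a disagreement is detectable, but with no third opinion
    the software cannot tell which vane is lying (the question asked in the
    comment above). The only safe answer is None, i.e. declare the value
    invalid and inhibit the automation rather than guess."""
    a, b = aoa
    if abs(a - b) > DISAGREE_DEG:
        return None
    return (a + b) / 2.0


def triple_sensor(aoa: Sequence[float]) -> Optional[float]:
    """Three inputs with majority voting: the median is accepted only when
    at least two vanes agree with each other, so a single faulty vane is
    voted out. If all three disagree the value is declared invalid."""
    lo, mid, hi = sorted(aoa)
    if mid - lo <= DISAGREE_DEG or hi - mid <= DISAGREE_DEG:
        return mid
    return None


def commands_nose_down(aoa_value: Optional[float]) -> bool:
    """Demo automation: act only on a valid AoA above the threshold.
    An invalid (None) value must never produce a control input."""
    return aoa_value is not None and aoa_value > ACTIVATE_DEG


def p_majority_fails(p: float) -> float:
    """Probability that two or more of three sensors fail, given that each
    fails independently with probability p. Independence is a modelling
    assumption; common-cause failures (icing, a shared data bus) are not
    captured. P(>=2 of 3) = 3p^2(1-p) + p^3 = 3p^2 - 2p^3."""
    return 3 * p ** 2 - 2 * p ** 3


if __name__ == "__main__":
    # Constructed readings: one vane stuck at 40 degrees, two healthy vanes
    # near 12 degrees. The faulty vane is deliberately listed first so the
    # single-sensor design picks it up.
    readings = [40.0, 12.0, 12.4]
    for name, value in [
        ("single", single_sensor(readings[:1])),
        ("dual", dual_sensor(readings[:2])),
        ("triple", triple_sensor(readings)),
    ]:
        print(f"{name:6s} AoA={value} nose-down={commands_nose_down(value)}")
    p = 1e-5  # the 'major failure' bound quoted in the article
    print(f"single-sensor failure probability:   {p:.1e}")
    print(f"triple-majority failure probability: {p_majority_fails(p):.1e}")
```

    Run stand-alone, the single-input path commands nose-down on the stuck vane, the dual-input path detects the mismatch and inhibits, and the triple-input path votes the bad vane out and carries on with the healthy value. The last function shows why the failure classification drives the sensor count: with per-sensor failure probability at the quoted 1e-5 bound, a single input fails at that rate, while two-of-three majority failure is roughly 3e-10 under the independence assumption.
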
  3. Collusion between Govt and Business by Anonymous Coward · · Score: 3, Insightful

    This smells like a collusion between Boeing and the US Government (FAA) in order to rush through certification to be anti-competitive to the Airbus product that was ready for this area.

    The resulting hundreds of dead is a testament to failed oversight and cost-cutting, lack of redundancy, and what appears to be basic lying to other air regulators.

    Almost certainly this will come back to bite Boeing badly - firstly the lawsuits from the families of the dead, second with sales on what many people would consider a flying death trap of a plane design. It will take a while for this taint to be forgotten, assuming that it is fixed, redundant systems are installed on all planes, and that they pass more robust certification processes around the world.

  4. Part of the problem ... by Anonymous Coward · · Score: 2, Insightful

    Going against a long Boeing tradition of giving the pilot complete control of the aircraft, the MAX's new MCAS automatic flight control system was designed to act in the background, without pilot input.

    Part of the problem is Boeing didn't want pilots to have to retrain and certify under a different type of aircraft.

    So they've jiggled things around to make it look like it's just like any other 737, but it now has different flight characteristics.

    So now Boeing has created a situation where they wanted this to appear seamless to the pilots, but that it apparently doesn't work and is anything but seamless to the pilots. They took something which wasn't fly by wire, and made it fly by wire.

    What we're seeing now is a case where the FAA let Boeing decide there was no material difference for pilots, when there actually was ... in which case their attempt to not have to force pilots to re-certify in type has now potentially led to two crashes.

    When the pilot is saying up, and the system is saying down ... bad things happen.

    And clearly, despite Boeing saying it would fly exactly the same, it doesn't.

  5. Stick pusher... by b0s0z0ku · · Score: 3, Insightful

    Why not just use a stick pusher, like any other non-FBW aircraft with stall issues? Design it so it can be overridden with appropriate back force on the control wheels. Using trim for this is stupid, since with full down trim, you might not have enough elevator authority to recover quickly from a dive (i.e. even if the system is turned off, trim may have to be cranked back manually before the plane can recover).

    This looks like criminal stupidity on the part of Boeing engineers.

  6. Re:Disabling the system is okay. I designed one by Anonymous Coward · · Score: 4, Insightful

    > This system is designed to detect when the pilot has seriously screwed up, pointing the nose way too high.

    Not even close! The plane NATURALLY wants to stand on its tail at high power output. That's what moving the engines CAUSED. To compound the matter, the engine nacelle shape itself at certain AoA adds to the lift, which can exacerbate the problem till it's no longer recoverable. Put your RC plane near vertical and watch what happens... (Well, RC planes generally have a massive imbalance of thrust to weight ratio unlike real planes, so it's doubtful you can actually demonstrate the problem.)

  7. I don't know if I'd call it self regulation by rsilvergun · · Score: 4, Insightful

    "regulation" implies a neutral third party. The Credit Card Industry has PCI. Video Games have ESRB. Movies the MPA. None of those things are as immediately lethal as a busted airplane though.

    But I wouldn't call it "regulatory capture" either, since Boeing were left to their own devices. They didn't have anything to capture.

    No, what we have here is plain, good 'ole deregulation. These days regulation > deregulation is automatic in most people's minds. Between this, Flint Mi, and the 2008 crash I hope folks are starting to change their minds in that regard.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re:I don't know if I'd call it self regulation by Solandri · · Score: 2, Insightful

      That's a rather convenient argument. When regulation succeeds, you laud it. When regulation fails, you blame it on deregulation. Therefore regulation can never fail and is thus always good. Brilliant. Successful regulation requires proper implementation of regulations. Failure to implement those regulations properly is a regulatory failure, not a failure due to deregulation.

      It should be noted that lots of other regulators offload the work (and thus the cost) of implementing those regulations onto the companies being regulated. The EPA doesn't test the mileage of every car model that's made to come up with the official EPA mileage ratings. They leave it up to the car companies to do that themselves. The EPA only double-checks the mileage of a few random car models to keep the car companies honest. You may recall the scandal a few years back when Kia and Hyundai were caught cheating on these MPG ratings.

      Likewise, Americans calculate their own tax returns. The IRS only does some basic cross-checking of your return (the W-2 from your employer), and does a few random in-depth audits to keep people honest. By your reasoning car fuel mileage and tax returns are deregulated, and thus the EPA mileage ratings and IRS tax returns are useless?

      In cases like this where implementation of the regulation is mostly left up to the entity being regulated, it's done as a cost-saving measure. You accept that occasionally someone will cheat while self-regulating, because over time the cost of that occasional cheating is less than the cost of regulating with an iron fist and having regulators duplicate all the testing/calculating work that the company/individual did to comply with the regulation. If you insist that regulation be so ironclad that there is zero incidence of cheating, the cost of implementing the regulation balloons far in excess of the gain from eliminating occasional cheating. That is, the marginal decrease in cheating for each additional dollar spent enforcing regulation becomes smaller as the incident rate of cheating approaches 0%. So the most cost-effective regulatory point is not at zero cheating.

      So while it's regrettable that lives were lost due to this cheating incident, overall, airliner travel remains the safest mode of transportation by far. So I'd say the FAA's approach of judiciously allowing self-regulation has on the balance been successful. Understand that if you opt for more stringent FAA regulation, that higher cost will show up both as higher taxes (to fund the FAA) and higher airfares (manufacturers, airlines, and airports having to do more work to comply with the more stringent enforcement). Sometimes this is worth it, sometimes it is not. In the case of air travel, IMHO the money would be much better spent on improving regulation of the most dangerous form of transportation - passenger cars and motorcycles.

  8. Re:They have been working for a while you know by thegarbz · · Score: 3, Insightful

    This issue seems like something the pilots can work around if they know what is going on, which the U.S. pilots seem to.

    Based on:

    That's a lot of flights they have done with the plane, so it's not like the plane is inherently unsafe

    You can't draw that conclusion from the data they presented you. This isn't like a plane that is hard to fly. What we are talking about here is pilots responding to a very specific instrumentation problem. The only relevant statistic for how well U.S. pilots can cope with this is how many times Southwest Cargo pilots have suddenly had MCAS fail on them and try to trim down the nose, and how many times in the face of this problem they successfully disabled the system and landed safely. The total number of hours in the air is entirely meaningless to what your pilots know or are capable of.

    so it's not like the plane is inherently unsafe

    Indeed the plane is not inherently unsafe, however it presents an incredible risk to crew and cargo when a very specific instrumented failure occurs.

  9. Re:wrestling with automatic systems by turbidostato · · Score: 4, Insightful

    "but I think knowing the root of the design decisions points up another failing -- the company's tendency (or perhaps industry's tendency) to reuse old airframes for new designs."

    Only this has nothing to do with the current situation. Of course incremental development is inherently cheaper and safer and, of course too, when the time comes a new development is due, which Boeing perfectly knows.

    This was just because of time and time only: they wanted to fight in the current wave of companies' renovation against Airbus, which, because of timing too, was on the market with a more modern system (it will probably be the other way around in, say, five years): they couldn't reach the market on time with a new airframe, but they could if they just scratched a bit more from the bottom of the old barrel.

    They tried, and it's just OK for them to do so.

    But then, all checks and balances were outplaced: instead of letting the FAA do their job, more and more parts were self-assessed by Boeing itself (what could possibly go wrong? duh!): "Good" for Boeing, which could reach their goal date, and "good" for the overwhelmed FAA, which was strongly pressured to do more with less.

    As with basically any other accident, a lot of circumstances need to get aligned for the fatality, but then, corporate greed and corporate greed alone put those planes much nearer the tragedy line than they should have been.

    * An old airframe design already squeezed.
    * Pressure for passing approval at speed.
    * Pressure for more and more processes to be pushed to Boeing's side so they can reach their dates
    * Business interest to offer the new MAX to be just like the old NG so there would be no re-training for pilots (not only cheaper, but also sooner and, you know, time is money)
    * Moving posts for the approval process (0.6 to 2.5 degrees)

    * ...and to top it all, the quite minor mistake, among all this rush and these changes, of forgetting that the final MCAS implementation would end up having full authority instead of just either 0.6 or even 2.5 degrees, which in "standard" circumstances wouldn't fly past the first or maybe second reviewer.

    So you ended up with a system categorized as non-critical (which it was, by first draft), with (indirectly) full authority, and that was not even mentioned at least in the first batch of training manuals (because we made the new MAX to feel-fly exactly like the older NG for your convenience).

    A magnificent example of the effects of modern capitalism in action.

  10. Re:This is going to be one of the biggest lawsuits by Humbubba · · Score: 5, Insightful

    The underlying problem is the FAA has a revolving door to the Aviation Industry where people, regulation and oversight pass through unobstructed by responsibility or moral conscience.

    On a side note, this story from the Seattle Times shows how important investigative reporting is to society. If the government ever gets serious about regulating private enterprise again, it will be due to stories like this, and the resulting public outrage. We are yet again in their debt.

  11. Re:This is going to be one of the biggest lawsuits by cayenne8 · · Score: 3, Insightful

    The underlying problem is the FAA has a revolving door to the Aviation Industry where people, regulation and oversight pass through unobstructed by responsibility or moral conscience.

    It isn't just the FAA, this is a problem with many if not MOST of the Federal Regulatory agencies....

    Look at the FDA rosters, and you can easily see why we won't ever get sensible food regulations/recommendations that would actually help address obesity, etc....in the US.

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  12. Re:This is going to be one of the biggest lawsuits by Tough+Love · · Score: 4, Insightful

    Boeing did all these dodgy hardware and software hacks just to avoid the time and cost of certifying a new type. This was a panicked rush to market, to compete with the Airbus 320neo. Which isn't crippled by stubby landing gear like the 737, so its engines can be placed in an inherently aerodynamically stable position.

    Because it wasn't a new type, FAA did not require that pilots be certified. And furthermore Boeing buried the details of how to fully return the plane to manual control, because that would conflict with the story they told the FAA about unchanged flight characteristics. Unfortunately for all involved, Max 8 really did have a new flight characteristic: falling out of the sky under computer control.

    So yes, Boeing is going to pay out the biggest settlement in aviation history. There is just no way to escape culpability. And we have a huge indictment of Trumpist deregulation too: industry didn't win by weakening FAA oversight, rather it lost big league.

    --
    When all you have is a hammer, every problem starts to look like a thumb.