Dogged by Design Deficiencies

After the second fatal crash in less than five months — this time an Ethiopian Airlines B737-8 MAX with 157 aboard — the Boeing public affairs statements had the aura of triteness:

“Boeing is deeply saddened to learn of the passing of the passengers and crew on Ethiopian Airlines Flight 302 … We extend our heartfelt sympathies to the families and loved ones of the passengers and crew on board and stand ready to support the Ethiopian Airlines team.”

Note the avoidance of the word “deaths” in favor of the euphemism “the passing”. Boeing scrupulously avoided the reality: a crater dug out by the force of the plane’s impact and not one whole body to be found in the grisly depression.

Boeing’s sympathies are obligatory, one supposes, but one yearns for a statement like:

“We are very sorry for the loss of life surrounding the crash of Ethiopian Airlines Flight 302 and promise two things: adequate compensation to the victims’ families, and a rigorous, relentless campaign to smartly fix whatever investigators find deficient.”

The Lion Air Flight JT 610 crash in November 2018 brings to two the number of fatal crashes of the new Boeing B737-8 MAX series. The airplane has been marketed aggressively by Boeing’s sales team. About 350 of the new airplanes are in worldwide service; the company has a backlog of orders amounting to some 2,900 of the B737 MAX series.

But in the intensely competitive arena of sales, Airbus has a distinct edge in safety. The MAX family record is now 0.13 crashes per million flights, as compared to 0.11 for the competitor’s A320 family. An 18% greater fatal accident rate does not inspire a glib confidence.

Moreover, the B737 has a long and discouraging history of fatal crashes. These disasters have imposed untold millions of dollars on the airlines to apply mandated fixes.

On April 28, 1988, an Aloha Airlines B737-200, flying from Honolulu to Hilo, Hawaii, experienced an explosive failure in the top third of the fuselage. A flight attendant standing in the aisle was sucked through the opening and fell to her death in the Pacific Ocean, some 20,000 feet below. The pilots looked back and saw daylight beaming into the passenger cabin, with torn aluminum panels and severed electrical cables buffeted by the wind. Fearing the whole airplane would come apart, they gingerly made a successful emergency landing at Maui.

Investigators found widespread corrosion, notably in the “lap joints” holding major pieces of the aluminum skin panels together. Some passengers, upon boarding this flight, noticed aluminum corrosion in the structure. So the degradation had been there for some time, but the airline did nothing and the Federal Aviation Administration’s (FAA) principal maintenance inspector did not catch the delaminating lap joint, either.

After the accident investigation, the airplane was sold off for scrap (to become high quality pots and pans, no doubt).

The accident spurred the FAA into major scrutiny of the aluminum structure on so-called “geriatric jets”. Fleet wide inspections of high-time jets were ordered. Where necessary, repairs were imposed to strengthen degraded structure.

Yet this heightened attention was not sufficient. In April of 2011 a Southwest Airlines B737-300 experienced a rapid decompression, peeling off a strip of fuselage skin some 60 inches long and 8 inches wide. None of the 122 passengers and crew was badly injured (a broken nose being the worst). The airplane was 15 years old.

The National Transportation Safety Board (NTSB) observed drily that Boeing asserted the lap joint featured a different design with an improved life.

The testing and independent verification of greater durability, which should have been performed by the FAA, are unknown. Manufacturing records (documenting skin panel installation and any factory re-work of the lap joints) were not retained.

Later that April, the FAA issued an emergency airworthiness directive (AD) requiring the lap joints on all B737s be inspected. Also that month, the FAA issued its first regulatory requirement for the retention of quality control inspection records during manufacture. As the NTSB observed, “(T)here were no regulatory requirements for the retention of manufacturing records, just a policy agreed upon between the manufacturer and the FAA.”

Additional crashes of the B737 resulted from a faulty rudder control. The rudder is that part of the tailfin that moves the airplane left and right. The actuator in the fin was of a weight and space saving single actuator design. Malfunctions of the rudder were noted by some flight crews; others did not survive to file reports.

In September 2000 Boeing announced a redesign of the rudder actuator. Allen Bailey, Boeing’s chief engineer for safety and certification of the B737 fleet, declared, “We’re taking action to assure a higher level of safety for this airplane.”

“This is a very ambitious program,” enthused the FAA’s John Hickey.

The glowing announcement was concurrent with the public release of an Engineering Test & Evaluation Board report on the then-existing B737 rudder control system. This report identified 15 possible failures and jams of the rudder control system. In Boeing’s proposed redesign, two independent servo valves would replace one, as well as two input arms replacing one, among other changes.

The modifications did not fully meet the NTSB’s call for a “reliably redundant” rudder control system. One way to achieve this would be through the retrofit of a multiple-panel rudder with separate actuators for each panel to replace the single panel rudder. If, say, the lower rudder panel experienced an uncommanded deflection, the pilots could use the upper panel of the rudder to counter the aerodynamic force.

The B737 MAX series also mounts a single panel rudder system; to this day, the B737 rudder does not meet the safety board’s criterion of a “reliably redundant” system. Nor does the MAX offer a rudder position instrument in the cockpit as standard equipment, as does Airbus for the A320. Rather, such a basic instrument is available as a purchaser’s option.

In fact, FAA regulations still permit the use of a single panel rudder in designing “transport category” aircraft. The regulations seem impervious to the passage of time, hard experience and the availability of more modern technology.

All of which is by way of preamble to the recent history of the B737-8/-9 MAX series.

On June 30, 2012, Boeing applied to the FAA for an amended, derivative type certificate for purposes of gaining federal approval to market the B737 MAX to airlines. Boeing represented to the FAA that the design changes were not so extensive as to require a new type certificate. Rather, the existing Type Certificate A16WE could apply. The FAA agreed.

The type certificate referred to applies to the original B737-100, which was certified for production and sales way back in 1967. The current model B737-8 MAX is essentially a new airplane, with larger, heavier engines, a greater take off gross weight (TOGW), new avionics, a new “glass cockpit” replacing the “steam gauges” of yore, plus winglets and other features not included in the original B737 because they did not exist 52 years ago.

A salient question for the FAA: at what point is an aircraft design so different from the original that a new type certificate — and the extra scrutiny it entails — would be both prudent and necessary? As a general statement, it would seem that a TOGW 10% greater than the original, a 10% or greater fuselage length or wingspan, a 10% increase in thrust, a 10% deviation in center of gravity at TOGW, and a 10% or greater increase in lines of computer code, or any combination thereof, should warrant review pursuant to a brand new FAA type certificate. For too long, aircraft manufacturers have been exploiting the “derivative” gambit to circumvent the costlier and more time-consuming original certification process. However, that original process brings maximum oversight and safety assurance before the aircraft is allowed in commercial service.

The tabulation below shows the differences between the first and the latest model:

 

The Original & The ‘Derivative’

Item                     B737-100        B737-8 MAX
Length                   93 feet         129 feet
Wingspan                 93 feet         118 feet
Engine power (each)      15,000 lbs.     27,300 lbs.
Empty weight             61,990 lbs.     99,360 lbs.
Take off gross weight    110,000 lbs.    172,500 lbs.
Range                    1,720 NM        3,550 NM
Passenger capacity       96-124          180-210

Other than some portions of the fuselage, the B737-8 MAX bore little relationship to the original B737-100. That the FAA blessed a supplemental type certificate does speed the approval process — Boeing was anxious to receive certification — but at the expense of detailed review of the many changes and their interaction on the final product.

An original type certification process would have assessed whether or not the MAX aircraft was capable of continued safe flight following a single point failure of the control system from an erroneous high angle of attack sensor input.

A single point failure is the cardinal no-no in aircraft design. As Captain Michael Michaelis, the senior safety official at American Airlines and a B737 pilot exclaimed, “A single point of failure on a significant system that points my nose towards the ground? Now that to me seems just a little over the line.”

Redundancy is the much-preferred choice, whereby a single point failure is compensated by alternative load paths, alternative software logic, and so forth. In this case, the airplane has three angle of attack sensors, but only one feeds the logic in the flight control computer. If that sensor is putting out erroneous information, the computer has no countervailing data that would let it ignore the bum sensor.

The horizontal stabilizers, the little “wings” on the aft end of the airplane, are the principal controls for climb and descent. There is evidence suggesting that so-called “breakout switches”, if installed, failed to stop uncommanded movement that fatally pitched the two accident aircraft downwards.

It is also evident that the MAX series did not feature a warning which was clearly distinguishable to the pilot, without requiring his attention, for any failure in the stability augmentation system which could result in an unsafe condition if the pilot was unaware of the failure.

Traditionally, when an airplane experienced an uncommanded nose down movement of the stabilizer trim, a pilot could pull back on the control yoke and raise the nose. In the normal flight mode, this action would activate breakout switches that stop any automatic movement of the horizontal stabilizer at the aft end of the airplane. However, there is evidence that on the B737-8 MAX airplane the breakout switches do not activate in this situation.

In rare but dangerous situations, MCAS may well override control inputs from the pilot unless it is switched off. During the minimal transition training Boeing recommended for B737 pilots upgrading to the MAX, the attenuated curriculum did not even mention the existence of MCAS. In a November 2018 submission to the NASA-maintained Aviation Safety Reporting System a pilot opined:

“I think it is unconscionable that a manufacturer, the FAA, and the airlines would have pilots flying an airplane without adequately training, or even providing available resources and sufficient documentation to understand the highly complex systems that differentiate this aircraft from earlier models.”

When an uncommanded nose-down movement occurs on earlier B737s, the pitch down automatically activates breakout switches that stop the movement.

The B737-8 software appears to be a step backward in this respect. What were the Boeing software experts thinking, given the automatic breakout feature on earlier models of the B737? Not to mention, whose signatures at Boeing and at the FAA approved this software? In all likelihood, such paperwork exists.

Design of warnings is critical to aiding in pilots’ rapid decision making. Boeing originally designed the same warning for a takeoff configuration problem and a failure of the cabin pressurization system for the B737. In 2005 the pilots of a Helios Airways B737 thought the warning was for improper takeoff configuration, when it was in fact for cabin pressurization. All aboard, save one flight attendant with a portable oxygen bottle, suffered from hypoxia; all 121 aboard were killed when the airplane plunged into the foothills around Athens after the flight on autopilot from Cyprus. The accident spurred a change to the warning system to distinguish the two conditions. As evidence of its snail’s pace oversight, not until 2011 did the FAA order all B737-100 through -500 to be fitted with two additional warning lights. One would indicate a take off configuration failure; the other light was for pressurization malfunctions.

Unambiguous and attention-getting warnings to the pilots clearly are necessary for all potentially fatal situations. A thorough review of the adequacy of warnings, across the board to encompass all aircraft, not just the B737-8 MAX, appears long overdue.

The B737-8 was marketed to the airlines as an airplane easily mastered by pilots transitioning from earlier B737 models, with only a minimal amount of conversion training. Thus, pilots undergoing transition training to the MAX were not briefed on the Maneuvering Characteristics Augmentation System, or MCAS.

The MCAS feature was added to minimize added training in handling the airplane when operated by foreign pilots, who would not necessarily come to the cockpit with the education or experience of U.S. or other “first world” airmen. Let the record show that the Lion Air B737-8 MAX was operated in Indonesia and the pilot-in-command was 31-year old Captain Bhavye Suneja; the Ethiopian pilot-in-command was 29-year old Captain Yared Getachew. Given their relative youth, these pilots were precisely the target airmen justifying the MCAS, which was not even mentioned in the attenuated upgrade training recommended by Boeing.

No less than President Trump, hardly an aviation expert, tweeted a sensible perspective:

“Split second decisions are needed, and the complexity creates danger … I don’t know about you, but I don’t want Albert Einstein to be my pilot. I want great flying professionals that are allowed to easily and quickly take control of a plane.”

There are now ominous rumblings in Congress for hearings into the B737-8 MAX certification process.

Leading this effort is Representative Peter DeFazio (D-OR), chairman of the House Transportation & Infrastructure Committee.

“This is essentially a different airplane, and how is it that it was certified without requiring pilot retraining?” he said he asked the FAA.

The FAA responded that it was decided by a “consensus decision”.

Dissatisfied with the FAA’s weak response, DeFazio and Rep. Rick Larsen (D-WA) issued this statement:

“Despite repeated assurances from the FAA in recent days, it has become abundantly clear to us that not only should the 737 MAX be grounded but also that there must be a rigorous investigation into why the aircraft, which has critical safety systems that did not exist on prior models, was certified without requiring additional pilot training. While a lot of data has yet to be recovered that will help explain why Ethiopian Airlines flight 302 went down, as Chairs of the Committee and Subcommittee with jurisdiction over the FAA … we plan to conduct rigorous oversight with every tool at our disposal to get to the bottom of the FAA’s decision-making process.”

Critical to this effort is the FAA’s decision to subcontract the certification process to Boeing. The legislators may be astonished to learn of the degree to which the FAA willingly has handed over the certification process to the very same entities requesting certification. Thoughts of granting the fox keys to the henhouse come to mind.

Every county in the country has separate officials, on the public payroll, to certify that the work of construction contractors satisfies building codes. Yet the FAA has encouraged aircraft manufacturers to self-certify compliance with Federal Aviation Regulations.

Independent checks and balances are utterly lost. Now the FAA and Boeing will have to answer to an independent Congressional committee. If the FAA and Boeing offer “consensus decisions” as the best guarantor of safety, expect fireworks at the hearing.