Boeing is in trouble. The American aviation giant finds itself in the middle of a storm that has culminated in the worldwide grounding of its latest aircraft model, the 737 MAX. There is an emerging picture of a major manufacturer botching a new aircraft design, with more than 300 people dead as a result. This follows two fatal accidents in the space of five months that seem to have occurred under similar circumstances.
The tragic crash of Ethiopian Airlines Flight 302 bears an uncanny resemblance to last year’s crash of Lion Air 610, a flight that went down eight minutes after take-off from Jakarta airport. The accident in Indonesia in October last year also killed all passengers and crew, a total of 189 people.
This earlier accident is widely believed to have been caused by repeated nose-down trim responses driven by the MAX’s so-called ‘Manoeuvring Characteristics Augmentation System’ (MCAS), which in turn may have been influenced by inputs from a faulty angle-of-attack (AOA) sensor. In plain English, and from my own limited understanding as a non-Boeing pilot: the crash was caused by a single faulty sensor in the 737 MAX models that poorly written software translated into automatically pointing the nose of the aircraft down to avoid a (non-existent) stall – when the so-called ‘angle of attack’ becomes too high and the plane loses all lift, in effect falling out of the sky – but about which the pilots had not been informed and which they were unable to override.
If that sounds like a pretty obvious design flaw, this is because it is exactly that. Yet after the Ethiopian Airlines disaster, Boeing’s own announcements showed an astonishing ignorance to the gravity of the situation. An official Boeing press release touted a MAX software update that would “make a safe airplane even safer” – which is more than slightly uncomfortable when set alongside the fact that more than 150 people just died in an accident involving that same aircraft. Following the Lion Air accident, Boeing essentially blamed the pilots. The company’s PR approach is one of “move along, nothing to see here”.
One air crash investigator is James E. Hall, chairman of the National Transportation Safety Board from 1994 to 2001. His recent opinion piece in the New York Times sheds some very interesting light on the cosy relationship between the manufacturer (Boeing) and the regulator (the Federal Aviation Administration – FAA):
“The roots of this crisis can be found in a major change the agency instituted in its regulatory responsibility in 2005. Rather than naming and supervising its own ‘designated airworthiness representatives,’ the agency decided to allow Boeing and other manufacturers who qualified under the revised procedures to select their own employees to certify the safety of their aircraft. In justifying this change, the agency said at the time that it would save the aviation industry about $25 billion from 2006 to 2015. Therefore, the manufacturer is providing safety oversight of itself. This is a worrying move toward industry self-certification.” (March 13, 2019)
Since this new regulatory scheme took effect, Hall continues, the aviation industry has introduced two new aircraft types, both of which have encountered serious problems. In 2013, Boeing’s 787 Dreamliner was grounded because of fires caused by lithium batteries. In that case, the agency quickly recertified the safety of the aircraft, even before the exact cause of the Dreamliner problems had been determined.
The manufacturer thus in essence becomes both the manufacturer and the regulator, because of the inability of government to do the job, which has outsourced that task beyond the regulatory agency. This has allowed aircraft manufacturers like Boeing to choose their own employees to be the designees who could help certify their planes. This has also led to the absurd situation where the FAA maintains offices inside Boeing’s factories, including those in Renton, Wash., and in Charleston, S.C.
Indeed, Boeing is a major military contractor with close ties with the American government, and is an influential lobbying force in Washington. Last year the company employed more than a dozen lobbying firms to advocate for its interests and spent $15 million in lobbying. The current Secretary of Defense, Patrick Shanahan, is a former Boeing executive. But don’t take our word for it, just take a look on Boeing’s own website, which has a document listing a year’s worth of “political expenditures”. It goes on for 14 pages and lists campaign contributions to lawmakers, ranging from a city councilman in Texas to Representative Nancy Pelosi of California, who is now the House speaker. ‘You scratch my back, I’ll scratch yours.’
One hack too far?
The original 737 became the best-selling airliner of all time and has been a real cash-cow for Boeing. Over the years, Boeing has introduced four distinct generations of the 737. The latest is the 737 MAX, which entered service in 2017. Thus far, Boeing has received orders for more than 5,000 737 MAX jets, an enormous amount, worth billions of dollars. The recent grounding puts all of this at risk.
The truth is, the 737 is now more than 50 years old and is fundamentally an old aircraft with dated technology and ergonomics. Boeing itself realised this years ago and, as explained in this article on the Air Current website, the company actually wanted to replace the 737 with a completely new model designed from scratch.
Aviation is big business, however, and competition for worldwide markets is cut-throat. Airbus in particular, Boeing’s main competitor from Europe, has been chipping away at Boeing’s market share for decades. The Airbus 320 family in the 1980s pioneered the use of digital fly-by-wire flight control systems, as well as side-stick controls, in commercial aircraft, which was now becoming increasingly computerised.
Since then, Airbus has followed a more incremental strategy of evolving their existing designs and putting new, more efficient engines on their existing aircraft. Launched in December 2010, Airbus’s A320neo and subsequent A321neo have been a great commercial success and took Boeing by surprise. This forced Boeing’s hand and it had to put new engines on the 737 to stay even with its rival.
Unfortunately for Boeing, all signs are there that they didn’t implement the re-engining properly, or have gone “one hack of an outdated system too far”. The larger engines also generate more lift, causing the nose of the aircraft to pitch higher than usual, and change the aerodynamic characteristics of the aircraft. The risk Boeing found through analysis and later flight testing was that under certain high-speed conditions, that upward nudge created a greater risk of stalling. Boeing’s solution was the previously mentioned MCAS software that is meant to automatically trim the horizontal stabiliser to bring the nose down, activated with ‘Angle of Attack’ data. This is what is at the centre of the Lion Air investigation and the recent Ethiopian crash.
Profits before safety
It would appear the tweaks to the existing 737 Classic and NG have reached a qualitative leap where it in effect becomes a completely new aircraft type that should never have been certified by the authorities.
Boeing convinced airlines and the FAA that the planes were essentially interchangeable with earlier models of 737, and therefore pilots who were already trained in flying older 737s would not need comprehensive additional training on the new aircraft (a two-hour training session on an iPad was meant to be sufficient). Until the Lion Air crash, no 737 MAX pilot had ever heard of this completely new MCAS system, which was not documented anywhere, never mind trained for in the simulator. In fact, this was one of the main selling points that helped Boeing secure the 5,000 orders for the 737 MAX: no expensive separate type rating – on average a 5-6 week training involving full-motion simulators, which are very expensive to run – needed for your existing 737 pilots, who can keep making your company money.
Today’s 737 is a substantially different aircraft than the original developed in the 1960s. Boeing strengthened its wings, integrated various new technologies and put in modern avionics. Over the years, the FAA has implemented new and tougher design requirements, but a derivative or “variant” gets many of the designs grandfathered in. This is also the case for the 737 MAX and its predecessors, which held against today’s certification requirements, would not pass certain tests. This obviously doesn’t mean that the popular 737 Classics and NGs flying all over the world are unsafe (well maintained, they are very fine aircraft), but it indicates the dangers associated with this grandfathering system, which to a great extent relies on the self-certification of the manufacturer.
And this is where it seems to have gone wrong, as confirmed by an investigative article published yesterday in the Seattle Times. Current and former engineers directly involved with the evaluations or familiar with the original safety analysis that Boeing delivered to the FAA for the new MCAS flight control system on the MAX, shared details of Boeing’s “System Safety Analysis” of MCAS. The engineers, speaking anonymously to the Seattle Times, found several flaws in the design and disagreed with the safety analysis that was eventually approved. It is worth quoting a few technical notes:
“The safety analysis:
- “Understated the power of the new flight control system, which was designed to swivel the horizontal tail to push the nose of the plane down to avert a stall. When the planes later entered service, MCAS was capable of moving the tail more than four times farther than was stated in the initial safety analysis document.
- “Failed to account for how the system could reset itself each time a pilot responded, thereby missing the potential impact of the system repeatedly pushing the airplane’s nose downward.
- “Assessed a failure of the system as one level below ‘catastrophic.’ But even that ‘hazardous’ danger level should have precluded activation of the system based on input from a single sensor — and yet that’s how it was designed.”
This is quite a damning assessment by engineers directly involved with the system. The article reveals how several FAA technical experts said in interviews that as certification proceeded, managers prodded them to speed the process:
“Development of the MAX was lagging nine months behind the rival Airbus A320neo. Time was of the essence for Boeing.
“A former FAA safety engineer who was directly involved in certifying the MAX said that halfway through the certification process, ‘we were asked by management to re-evaluate what would be delegated. Management thought we had retained too much at the FAA.'”
“’There was constant pressure to re-evaluate our initial decisions,’ the former engineer said. ‘And even after we had reassessed it … there was continued discussion by management about delegating even more items down to the Boeing Company.'”
“Even the work that was retained, such as reviewing technical documents provided by Boeing, was sometimes curtailed.
“’There wasn’t a complete and proper review of the documents,’ the former engineer added. ‘Review was rushed to reach certain certification dates.’”
The competition with Airbus was probably the decisive factor. It’s not an accident that the FAA was dragging its feet when the Europeans grounded their MAX fleet. The reputational and financial damage for Boeing is going to be severe, and it could have a noticeable impact on the US economy. Aircraft and parts represent 6 percent of US exports. The market for short-to medium-range aircraft is estimated to be $3.2tn over the next 20 years, which is 54 percent of the total market for aircraft, and Airbus was edging ahead. Boeing needed a success with their new MAX to keep up. Undoubtedly this led the US state to hasten the FAA approval of the model. The Chinese were the first to ground the MAX, probably as part of their tit-for-tat spat with the US over trade.
The decision by the FAA is now under investigation by the Ministry of Transport. They appear to be looking at two elements of the certification process: the engineering side, and the pilot training side. This shows the scale of the scandal. The US state needs to repair the damage it has caused to the authority of the FAA, which until this point was the authority on airplane safety, and their recommendations were followed by others worldwide. If the Europeans or the Chinese were able to seize that mantle, it would mean that Boeing would find it more difficult and costly to certify its new models. It is indicative that the Ethiopian government refused to let the FAA download the data from the cockpit voice recorder and the flight data recorder, in spite of US diplomatic pressure. Instead they let the French BEA carry out the task, and the FAA was only allowed to witness.
Short-sightedness and incompetence
A similar process of “soft corruption” and conflict of interest can be seen in the financial industry in various countries across the world, made worse by deregulation. The Airline Deregulation Act of 1978 started a process of removing government controls over the airlines and manufacturers in the USA. This was done to encourage competition and lower the ticket prices, but the end result has been the monopolisation of air travel to the point where four major carriers control 80 percent of US air traffic. Tickets did become cheaper but travelling by plane has generally become a miserable experience worldwide and the workforce – from pilots and cabin crew to dispatchers, baggage handlers and office workers – is more exploited, underpaid and demoralised than ever.
Combine this with the majority of establishment politicians sitting on the boards of private companies and you have a clear recipe for disaster. It is a cosy club where everybody looks after each other: regulators, manufacturers and politicians. Obviously, for any airline or manufacturer, any serious incident or accident is bad publicity and is to be avoided. The general level of safety in aviation since the 1980s has been relatively good, and numerically speaking, flying remains the safest method of transportation. Under capitalism, however, with profit as the primary goal, there will be a never-ending battle of short-term expense versus long-term safety, where the latter finishes a long way behind.
This short-term thinking ties in with the increasing short-sightedness and sheer incompetence of the political elite worldwide. In the UK we have the Brexit circus, in the USA we have Trump. The Twitter president was quick last week to send yet another bizarre tweet saying that “airplanes are becoming far too complex to fly” and that he doesn’t want “Albert Einstein to be his pilot”. This comes from a man who doesn’t know how to close an umbrella upon entering the presidential 747 and who last year nominated his own pilot, John Dunkin — the man who flew Trump planes, not Air Force One — to head the FAA. As the Financial Times put it:
“When the Senate laughed him off as unqualified to lead an $18bn agency, Mr Trump failed to come up with a new name. The FAA has been flying without a pilot, so to speak, for more than a year. Little surprise America’s partners have lost trust in its direction.” (March 13, 2019)
Yet, like a broken clock that is right twice a day, Trump in this instance has a point, even if we can’t suspect him of having any real level of comprehension of the matter at hand.
When HAL says no
Amongst the general public there is a lot of confusion about automation in aviation. This is not the place to go into great detail about this, but suffice to say automation has undoubtedly improved the safety of air travel over the last decades. However, there is a reason why you still see two qualified pilots at the front of the plane when you board: for all the talk about replacing pilots with “computers that don’t make human errors” (the wet dream of accountants and certain professors in aeronautics), the relationship between human and machine remains a very complex one. Artificial intelligence is often not very intelligent at all (garbage in, garbage out) and having flown both smaller “hands-on” aircraft for several years without any auto-pilot at all, and highly computerised jetliners with very advanced “flight management systems”, we can say this for sure: we pilots are not going anywhere any time soon.
This is relevant to the Boeing 737 MAX tragedies as certainly the Lion Air crash is an example of how a simple computer can order a command on the basis of false inputs that dooms an aircraft and all persons on board. Incidentally, this almost happened on an Airbus as well. In 2014 a Lufthansa Airbus A321-200 was climbing through 31,000ft out of Bilbao about 15 minutes into the flight, when the aircraft on autopilot unexpectedly lowered the nose and entered a sudden descent. Luckily an alert crew knew the logic of the system and managed to disable the faulty systems causing this descent.
The problem with these recent tragedies is that Boeing didn’t bother to provide the flight crew with the necessary information to truly know their own aircraft. And this goes against one of the basic rules amongst aviation professionals: know your aircraft. Boeing thought they would get away with cutting corners, but as we can see, this has fatal consequences.
Reports have started to emerge of confidential reports submitted by Boeing 737 MAX pilots in an anonymous NASA database, with NASA serving as a neutral third party for reporting purposes. This database is a very useful tool that improves safety, and most reports are fairly mundane. Nevertheless, it contains some telling testimonies about Boeing’s latest aircraft, summed up in this article. It starts off with this incident:
“As I was returning to my PFD (Primary Flight Display) PM (Pilot Monitoring) called ‘DESCENDING’ followed by almost an immediate: ‘DONT SINK DONT SINK!’ I immediately disconnected AP (Autopilot) (it WAS engaged as we got full horn etc.) and resumed climb. Now, I would generally assume it was my automation error, i.e., aircraft was trying to acquire a miss-commanded speed/no autothrottles, crossing restriction etc., but frankly neither of us could find an inappropriate setup error (not to say there wasn’t one). With the concerns with the MAX 8 nose down stuff, we both thought it appropriate to bring it to your attention. We discussed issue at length over the course of the return to ZZZ. Best guess from me is airspeed fluctuation due to mechanical shear/frontal passage that overwhelmed automation temporarily or something incorrectly setup in MCP (Mode Control Panel). PM’s callout on ‘descending’ was particularly quick and welcome as I was just coming back to my display after looking away. System and procedures coupled with CRM (Resource Management) trapped and mitigated issue.”
Another report from a First Officer talks about how ‘the aircraft pitched nose down after engaging autopilot on departure’.
In a separate report, a Captain complains about Boeing’s lack of documentation:
“This description is not currently in the 737 Flight Manual Part 2, nor the Boeing FCOM, though it will be added to them soon. This communication highlights that an entire system is not described in our Flight Manual. This system is now the subject of an AD. I think it is unconscionable that a manufacturer, the FAA, and the airlines would have pilots flying an airplane without adequately training, or even providing available resources and sufficient documentation to understand the highly complex systems that differentiate this aircraft from prior models. The fact that this airplane requires such jury rigging to fly is a red flag. Now we know the systems employed are error prone–even if the pilots aren’t sure what those systems are, what redundancies are in place, and failure modes. I am left to wonder: what else don’t I know? The Flight Manual is inadequate and almost criminally insufficient. All airlines that operate the MAX must insist that Boeing incorporate ALL systems in their manuals [my emphasis].”
“Criminally insufficient” is an apt summary of Boeing’s weak attempt at damage control. We would go further and describe this as criminal negligence. How else to describe certifying an aircraft with a brand new critical system that (a) wasn’t documented to the pilots strapping themselves every day to these million-dollar machines, and (b) was not built with the necessary double or triple redundancy that is standard in the industry?
Boeing’s new aircraft should never have been released in the way that it was. It is clear that Boeing cut corners to get the model out as soon as possible, and with as little expense to the airlines as possible. They needed this to avoid falling behind Airbus. To this end, the US regulator, which works hand-in-glove with Boeing, certified the design when they should not have. This is what prepared the way for two completely avoidable accidents, and it shows what the profit motive does to the safety standards of aviation.