As Boeing hustled in 2015 to catch up to Airbus and certify its new 737 MAX, Federal Aviation Administration (FAA) managers pushed the agency’s safety engineers to delegate safety assessments to Boeing itself, and to speedily approve the resulting analysis.
But the original safety analysis that Boeing delivered to the FAA for a new flight control system on the MAX — a report used to certify the plane as safe to fly — had several crucial flaws.
That flight control system, called MCAS (Maneuvering Characteristics Augmentation System), is now under scrutiny after two crashes of the jet in less than five months resulted in last Wednesday’s FAA order to ground the plane.
Current and former engineers directly involved with the evaluations or familiar with the document shared details of Boeing’s “System Safety Analysis” of MCAS, which The Seattle Times confirmed.
The safety analysis:
— Understated the power of the new flight control system, which was designed to swivel the horizontal tail to push the nose of the plane down to avert a stall.
When the planes later entered service, MCAS was capable of moving the tail more than four times farther than was stated in the initial safety analysis document.
— Failed to account for how the system could reset itself each time a pilot responded, thereby missing the potential impact of the system repeatedly pushing the airplane’s nose downward.
— Assessed a failure of the system as one level below “catastrophic.”
But even that “hazardous” danger level should have precluded activation of the system based on input from a single sensor — and yet that’s how it was designed.
The people who spoke to The Seattle Times and shared details of the safety analysis all spoke on condition of anonymity to protect their jobs at the FAA and other aviation organisations.
Both Boeing and the FAA were informed of the specifics of this story and were asked for responses 11 days ago, before the second crash of a 737 MAX last Sunday.
Late Friday, the FAA said it followed its standard certification process on the MAX.
Citing a busy week, a spokesman said the agency was “unable to delve into any detailed inquiries.”
Boeing responded on Saturday with a statement that “the FAA considered the final configuration and operating parameters of MCAS during MAX certification, and concluded that it met all certification and regulatory requirements.”
Adding that it is “unable to comment because of the ongoing investigation” into the crashes, Boeing did not respond directly to the detailed description of the flaws in MCAS certification, beyond saying that “there are some significant mischaracterisations.”
Several technical experts inside the FAA said last October’s Lion Air crash, where the MCAS has been clearly implicated by investigators in Indonesia, is only the latest indicator that the agency’s delegation of airplane certification has gone too far, and that it’s inappropriate for Boeing employees to have so much authority over safety analyses of Boeing jets.
“We need to make sure the FAA is much more engaged in failure assessments and the assumptions that go into them,” said one FAA safety engineer.
Certifying a new flight control system

Going against a long Boeing tradition of giving the pilot complete control of the aircraft, the MAX’s new MCAS automatic flight control system was designed to act in the background, without pilot input.
It was needed because the MAX’s much larger engines had to be placed farther forward on the wing, changing the airframe’s aerodynamic lift.
Designed to activate automatically only in the extreme flight situation of a high-speed stall, this extra kick downward of the nose would make the plane feel the same to a pilot as the older-model 737s.
Boeing engineers authorised to work on behalf of the FAA developed the System Safety Analysis for MCAS, a document which in turn was shared with foreign air-safety regulators in Europe, Canada and elsewhere in the world.
The document, “developed to ensure the safe operation of the 737 MAX,” concluded that the system complied with all applicable FAA regulations.
Yet black box data retrieved after the Lion Air crash indicates that a single faulty sensor — a vane on the outside of the fuselage that measures the plane’s “angle of attack,” the angle between the airflow and the wing — triggered MCAS multiple times during the deadly flight, initiating a tug of war as the system repeatedly pushed the nose of the plane down and the pilots wrestled with the controls to pull it back up, before the final crash.
Last Wednesday, when announcing the grounding of the 737 MAX, the FAA cited similarities in the flight trajectory of the Lion Air flight and the crash of Ethiopian Airlines Flight 302 last Sunday.
Investigators also found the Ethiopian plane’s jackscrew, a part that moves the horizontal tail of the aircraft, and it indicated that the jet’s horizontal tail was in an unusual position — with MCAS as one possible reason for that.
Investigators are working to determine if MCAS could be the cause of both crashes.
The FAA, citing lack of funding and resources, has over the years delegated increasing authority to Boeing to take on more of the work of certifying the safety of its own airplanes.
Early on in certification of the 737 MAX, the FAA safety engineering team divided up the technical assessments that would be delegated to Boeing versus those they considered more critical and would be retained within the FAA.
But several FAA technical experts said in interviews that as certification proceeded, managers prodded them to speed the process.
Development of the MAX was lagging nine months behind the rival Airbus A320neo.
Time was of the essence for Boeing.
A former FAA safety engineer who was directly involved in certifying the MAX said that halfway through the certification process, “we were asked by management to re-evaluate what would be delegated. Management thought we had retained too much at the FAA.”
“There was constant pressure to re-evaluate our initial decisions,” the former engineer said. “And even after we had reassessed it there was continued discussion by management about delegating even more items down to the Boeing Company.”
Even the work that was retained, such as reviewing technical documents provided by Boeing, was sometimes curtailed.
“There wasn’t a complete and proper review of the documents,” the former engineer added. “Review was rushed to reach certain certification dates.”
When time was too short for FAA technical staff to complete a review, sometimes managers either signed off on the documents themselves or delegated their review back to Boeing.
“The FAA managers, not the agency technical experts, have final authority on delegation,” the engineer said.