By Bjorn Fehrm
November 18, 2020, ©. Leeham News: The FAA has declared the Boeing 737 MAX 8 and 9 safe to fly after a 20-month grounding. On March 10, 2019, Ethiopian Air ET302 crashed after Boeing’s pitch augmentation software MCAS triggered erroneously. This accident followed a similar accident of Lion Air JT610 on October 29, 2018.
Ethiopia grounded the MAX on the day, China the day after, and the FAA on March 13. The 737 MAX has been grounded worldwide since the FAA grounding.
It has been a gruesome 20 months for Boeing, where it’s gone from denial of guilt to a full acceptance of responsibility and a complete change of attitude. With changes to the MAX verified by FAA, EASA, Transport Canada, and Brazil’s ANAC, it’s now ready to fly again.
We will cover the return to flight of the 737 MAX in several articles, the first dealing with the question: Is the 737 MAX safe to fly?
Below we go through what went wrong and why this chain of events will not happen again on an updated 737 MAX.
Airliner safety has reached an unprecedented high standard over the last 20 years. The 737 has been part of this safety development. Before the 737 MAX crashes, the 737 had a good safety record spanning 50 years of service.
This comes from a sound base design with no particular vices or shortcomings. It’s an old design with the first version certified in 1967. Though its systems are old in their architecture, this is not necessarily bad for an aircraft.
The areas that needed updates have been updated, and the world’s mechanics and pilots know the aircraft inside out.
Its flight characteristics are consistent, with none of the quirkiness that beset several of its contemporaries.
So for an aircraft with this good track record, what went wrong in the evolution to the 737 MAX version?
In the MAX modernization, the LEAP engines’ larger nacelles meant the aircraft’s pitch stability in a clean configuration decreased just before stall (the state when the wings stop producing additional lift). The ease of pulling the nose up further for the last degrees of Angle of Attack, AoA (the angle of the wing to the wind stream) was not acceptable to the certification rules from the FAA.
The airplane is perfectly flyable in this region for a pilot who knows about the quirk, but this is not good enough for an airliner seeking certification. It needed a fix from Boeing.
Boeing implemented a flight control software fix by extending an automatic pitch trim system already active on the previous 737 generations, the Speed Trim System. Speed Trim trims the aircraft so that a pilot flying the plane manually gets a better feel for the aircraft’s state when speed changes.
Now the Speed Trim algorithms were used to trim the aircraft nose down when AoA passed the threshold of reduced stability just before stall. This helps keep the Pilot from sliding into a stall if he, for instance, flies brusquely when exiting a high altitude circling pattern.
The nose-down trim by Speed Trim based on AoA was called MCAS (Maneuver Characteristics Augmentation System). It triggers when an AoA threshold is exceeded by the active AoA sensor in the 737 MAX (it had two AoA sensors in an active + standby concept).
MCAS was analyzed as non “hazardous,” so it was OK to use a single AoA sensor as the trigger. It’s a principle that has been used on other Boeing aircraft for non-hazardous functions without adverse effects.
The key to having a function triggered by a single sensor (that can malfunction or give wrong values) is that the activated function in itself is non-dangerous. This is where MCAS failed, with dire consequences.
To achieve the same yoke feeling for the Pilot all the way to stall, MCAS needed to trim 2.4 units nose down when passing the AoA threshold at the low speeds flown in a climb after takeoff.
An erroneous nose-down trim of 2.4 units is fully controllable for the Pilot in this situation as long as it stays at one trim action. And for the MAX stability problem, one trim action was enough. This trim state shall remain as long as the AoA is over the threshold, neutralizing the trim again with 2.4 nose-up units when passing below the threshold.
This is also how the updated MCAS works. It only trims once when the aircraft AoA goes over the threshold and backs the trim out when the AoA passes below it again, to be ready should the AoA go up again.
Had the original MCAS behaved in this logical fashion, the accidents wouldn’t have happened, and 837 Boeing aircraft would not sit on the ground today.
The whole drama came from the omission of a few code lines in the MAX Flight Control Computers software.
Speed Trim, the host function for MCAS, has the pilot trimming as reset criteria. It’s logical as it augments the pilot’s feel around trimmed speed. When the Pilot trims, he changes the trimmed balance, and Speed Trim checks if it shall help the pilot at the new trim state.
For MCAS, this reset function is not OK. I asked my friend, Mentour Pilot, an experienced 737 training/examiner captain with a major airline, what he would do if MCAS triggered erroneously in manual flight.
He would hold against the MCAS nose-down trim action (which is no problem), then trim the 2.4 units nose-up to get back to a normal aircraft. No drama, no hazard, but a look at the panel if there was an indication why the aircraft suddenly trimmed nose-down.
The original MCAS listened to the Speed Trim reset, “the Pilot trims,” instead of the correct “AoA is below the threshold again.” The result was MCAS trims, the Pilot trims, MCAS trims, the Pilot trims…. After 24 rounds in the Lion Air jet, the Pilots lost the race with MCAS.
MCAS went from a Pilot assist to a highly hazardous function by this single mistake in the MCAS software code.
I describe the above in sufficient detail so we can understand how little in MCAS needed change to take it from a hazardous function to one that would have caused no trouble if wrongly triggered.
In addition to this change, Boeing has made additional changes to increase safety further.
A single sensor no longer triggers MCAS. Both AoA sensors on the 737 MAX have to agree on the aircraft AoA, or Speed Trim including MCAS is deactivated (neither is needed to fly the plane. They are augmentation functions, i.e., good to have but not necessary).
The checking of the AoA values for the aircraft is no longer at the sensor level, but after the Flight Control Computers, meaning any slip-up in the processing of these values is also caught and deactivates Speed Trim/MCAS.
On top of the dual-sensor activation of MCAS, its global authority, no matter what, is limited. The Pilot always has enough pitch control to fly the aircraft.
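The reset criteria, sensor cross-check and authority limit described above, as a toy model added here (it is not Boeing’s flight control code and not from the article). The AoA threshold, the disagreement tolerance, the authority cap, the latching of the inhibit, the step timing and all class and function names are assumptions made for illustration; only the 2.4-unit trim action comes from the text.

```python
"""Toy model of the MCAS trigger/reset logic as the article describes it."""
from dataclasses import dataclass

MCAS_TRIM_UNITS = 2.4        # from the article: size of one MCAS trim action
AOA_THRESHOLD_DEG = 12.0     # assumed value, for illustration only
AOA_DISAGREE_DEG = 5.5       # assumed sensor-disagreement tolerance
AUTHORITY_LIMIT_UNITS = 2.4  # assumed cap on total MCAS nose-down trim


@dataclass
class Sample:
    aoa_active: float     # AoA from the active sensor, degrees
    aoa_standby: float    # AoA from the other sensor, degrees
    pilot_trim_up: float  # nose-up trim commanded by the pilot, units


class OriginalLogic:
    """Single-sensor trigger that is re-armed by pilot trim (Speed Trim reset).
    Back-out on falling AoA is not modelled; the stuck-sensor case never gets there."""

    def __init__(self):
        self.armed = True
        self.activations = 0

    def step(self, s):
        cmd = 0.0
        if self.armed and s.aoa_active > AOA_THRESHOLD_DEG:
            cmd = -MCAS_TRIM_UNITS
            self.armed = False
            self.activations += 1
        if s.pilot_trim_up > 0:
            self.armed = True  # the flaw: "the Pilot trims" is the reset criterion
        return cmd


class UpdatedLogic:
    """Both sensors must agree; one trim per threshold crossing; reset on AoA only."""

    def __init__(self):
        self.applied = False    # nose-down trim currently held
        self.inhibited = False  # latched on sensor disagreement (assumption)
        self.net = 0.0          # net trim commanded so far (negative = nose down)
        self.activations = 0

    def step(self, s):
        if self.inhibited or abs(s.aoa_active - s.aoa_standby) > AOA_DISAGREE_DEG:
            self.inhibited = True  # augmentation off; the aircraft flies without it
            return 0.0
        aoa = (s.aoa_active + s.aoa_standby) / 2  # assumed voting rule: mean
        cmd = 0.0
        if aoa > AOA_THRESHOLD_DEG and not self.applied:
            # Never command more nose-down than the authority cap leaves available.
            cmd = max(-MCAS_TRIM_UNITS, -(AUTHORITY_LIMIT_UNITS + self.net))
            self.applied = True
            self.activations += 1
        elif aoa <= AOA_THRESHOLD_DEG and self.applied:
            cmd = -self.net        # back the trim out, ready for the next crossing
            self.applied = False
        self.net += cmd            # pilot trim is deliberately not a reset input
        return cmd


def run(logic, samples):
    """Return (activations, summed trim commanded by the logic alone)."""
    total = sum(logic.step(s) for s in samples)
    return logic.activations, round(total, 1)


def stuck_sensor_flight():
    # Constructed data: active vane stuck at 22 deg, standby reads a true 5 deg,
    # pilot counter-trims on every second step (24 times in total).
    return [Sample(22.0, 5.0, MCAS_TRIM_UNITS if i % 2 else 0.0) for i in range(48)]


def genuine_high_aoa_flight():
    # Constructed data: real high AoA with the pilot trimming, recovery, then
    # a second genuine exceedance.
    high = [Sample(14.0, 14.2, MCAS_TRIM_UNITS if i % 2 else 0.0) for i in range(6)]
    low = [Sample(8.0, 8.1, 0.0)] * 2
    return high + low + [Sample(14.0, 14.2, 0.0)] * 2


if __name__ == "__main__":
    print("original, stuck sensor:", run(OriginalLogic(), stuck_sensor_flight()))
    print("updated,  stuck sensor:", run(UpdatedLogic(), stuck_sensor_flight()))
    print("updated,  genuine AoA: ", run(UpdatedLogic(), genuine_high_aoa_flight()))
```

The summed value is what the logic itself commanded, not stabilizer position: with the pilot-trim reset the model re-fires after every counter-trim, while the updated rules hold the command at zero on sensor disagreement and at one trim action per genuine exceedance.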
To make MCAS safe, we only needed the correct reset criteria. But as the investigations dug deeper into how Boeing and FAA could miss how dangerous the original MCAS was, the requirements for changes grew. All eventualities, even remote ones, should be covered.
After two years of investigations and work on the MAX flight control system, and flight tests flown by hundreds of test, certification, and airline pilots over 3,000 flight hours, it’s the most scrutinized and honed flight control system of any 737 variant. One can comfortably say it’s now safe to fly.
In the course of the investigations, the matter snowballed into the most massive crisis in Boeing’s 100-year history. Contributing was the initial denial attitude of Boeing. It argued the Pilots should have handled the misfiring MCAS. As more and more airline pilots flew simulators with misfiring MCAS, this attitude changed.
A Boeing more focused on business gains than its products’ ultimate safety gave way to a company assuming full responsibility, making the necessary changes to the aircraft but also to its organization and processes.
The Boeing that emerges from this crisis is a $20bn poorer Boeing (the end bill is in this ballpark) with a changed, humbler attitude, its reputation seriously tarnished by what happened.
Boeing knows it can only regain its customers’ and the flying public’s trust by a perfect execution from now on. It has to avoid a repeat of the MCAS fiasco at all costs.
To me this all comes down to the culture of Boeing and not necessarily the two crashes, awful though they were. Boeing were arrogant and dismissive both openly or covertly blaming and making complicit the pilots, airlines and regulators. If the senior management had held up their hands and admitted an issue with MCAS, preferably prior to the second crash, this would have been a relatively minor issue quickly forgotten. There may have been some on-costs relating to broken guarantees re cross certification but beyond that it would have been quickly resolved.
As it stands the ramifications for Boeing have been profound and I truly hope that they lead to a renewed emphasis on engineering excellence instead of chasing quarterly profits. The losses of somewhere in the region of $20bn are crazy and reflect on the appalling decision making by senior managers who have effectively been insulated from the losses by walking into the sunset.
It will go down as a classic example of toxic culture at the top and the consequences of being too driven by short-term impacts on share price. I sincerely hope this is a new beginning for Boeing, still time will tell on that, a reputation can be lost overnight but is built over many years.
Thank you Bjorn, this is a great summary. I too have listened to Mentour Pilot on the handling of the MCAS malfunction. Although like many pilots, he has avoided criticizing the accident pilots, he has both explained and demonstrated the memory checklist that uses the stabilizer cutout switch to interrupt the flawed MCAS sequence. That is the procedure which will now be required training for returning MAX pilots.
That’s great news. One challenge will be to regain passengers’ confidence in the aircraft and to make sure, when returning to service, airlines and OEM have taken all appropriate actions to prevent any even minor flaw which may happen after several months of grounding. I believe any incident, even minor, will be covered by the media.
Apologies for the French English.
Bjorn:
While you are well supported on the technical end of the MAX and equally safe to return to service as an A320 is to stay in, I disagree on Boeing Management attitude.
Cost cutting at any price is still the MO and I have not seen anything that changes that.
When we have aircraft with FOD in the tanks and a complete failure of process on the tail of the 787, the evidence says Boeing Management is paying lip service and will pull the rug out from under safety when they think no one is watching.
I will continue to watch closely for any actual evidence that Boeing Management has actually changed.
Much like my favorite stat site (FiveThirtyEight) when it does sports or political analysis, I would put the odds of Boeing having changed at 5%. Not impossible but highly unlikely.
Indeed.
If a startup airframer in Bangladesh or Guinea Bissau had assembled hundreds of airframes with metal shavings in the fuel tanks, we’d all be scoffing in disbelief. But this is (or was) a premium manufacturer in a developed superpower. It absolutely beggars belief. I wonder if there’s any shame at all in the Boeing boardroom? Or is there just an attitude of “make this go away so we can generate some revenue a.s.a.p.”.
I could not agree more.
We can cite the Dream Capsule failure, 787 failures, 787 lightning system protection removal without approval (and stripping layers of lightning strike safety features), KC46 ongoing issues (including FOD) as known failures that are 99% indicators that the culture has not changed.
I have yet to hear Boeing is adding back safety experts or discontinuing their attempt to remove safety people.
To paraphrase the Captain of the Titanic, Icebergs be damned, full speed ahead.
Starliner software has been improved, just undergone extensive review and cleared for flight.
KC-46 FOD issues improved, recent reports say acceptance now up to par and has continued (small temporary exception for the rework line).
787 lightning protection issue dismissed
787 assembly issues improved for current aircraft coming off line, remediation underway for those earlier aircraft affected.
Boeing still has a long way to go on safety culture, but to say there is not improvement is not factual or valid.
This is also why SMS is so critically important, and outweighs any concerns about ODA. SMS directly impacts all the issues above.
TITANIC:
We have fixed all the issues, we have fired the captain, the ship is sunk so there is nothing to see here (well, ahem, literally) – see the sequel and pictures of what is on the bottom.
We are really sorry 1490 to 1635 people died (well you know how hard it is to keep track of the riff raff below decks)
Now, people keep asking about those pesky issues. We refer you to the captain.
Bulkheads: We wish you would quit talking about it, not an issue.
We refer to all of this as sunk costs.
This is a quote from Dominic Gates and the Seattle Times
“Even as the MAX is cleared to fly again, Boeing has not fully accepted the responsibility it has for the flawed flight-control system that caused the crashes.”
I believe it is by far the majority view.
Boeing has publicly admitted that they made mistakes, including related to MCAS, and those mistakes are confirmed by the changes that have been made to those systems.
Dominic is really looking for an admission of guilt, as are many Boeing critics, which Boeing will never provide while legal cases are pending. Dominic knows this and alluded to it in his further comments.
“Seemingly restrained by the caution of corporate lawyers, Boeing won’t publicly acknowledge that the aspects of the original MCAS design that it has fixed were actual flaws.”
That is the legal advice given for all forms of liability action. Mistakes and errors in judgement are all we are going to get from Boeing official statements on that. But actions speak louder than words, and the action has been to address and fix the flaws.
Bottom line, we all know there were flaws, but the legal consequence of that word still remains for Boeing. I’d be far more concerned if Boeing tried to avoid the corrections. I have not seen evidence of that happening.
Agreed Rob: If it does not support your view the evidence does not exist, well at least in your bubble of non facts.
Got it.
note: Others vehemently disagree.
The ultimate test of safety, will be if the 737-MAX has any MCAS events/incidents/accidents from now on. And if so, how serious they turn out to be.
If Chesley Sullenberger was flying a 737-MAX instead of an Airbus 320 during the bird strike with the flock of Canadian Geese, AND both AOA’s were struck and damaged (a somewhat remote possibility or not?), along with the engines, would the outcome be as good as it was? Chesley has made a point of the ‘startle factor’ and trying to decipher multiple cautions and warnings correctly in a timely manner. Both 737-MAX accidents happened at low altitude while in the takeoff phase, with very little altitude for any margin of error. This is when MCAS is armed (flying manually, flaps up, nose up), and STS is also working (flying manually, 10 seconds after takeoff, 5 seconds after release of yoke switches). How can a pilot tell if it’s MCAS or the STS moving the trim wheel? I assume the new MCAS software has a built in delay factor. If the AOA readings read over “X” degrees for “Y” seconds, then it activates, otherwise it might activate during turbulence. Boeing has mentioned that “MCAS will never override the pilot’s ability to control the airplane using the control column alone.”
Does this mean that MCAS will be overridden by the yoke trim switches? Or that only one shot of trim down by MCAS, will still allow the pilot to control the aircraft?
Or is there an absolute limit in degrees that MCAS can move the stabilizer, no matter how many additional MCAS activations?
Again, as long as there is some delay factor so that no choppy turbulence causes MCAS to activate once, then drop below the reset threshold and then activate again.
I’m assuming this sequence has been thought out and tested, for example a micro burst or getting into and out of another plane’s wake vortices. I agree with the EASA future requirement of a 3rd AOA sensor. There have been situations of two AOA sensors freezing up. A third synthetic AOA might be helpful. I’ll end by adding my main gripe about the MCAS system. There is a physical off switch available for the MCAS system to be wired into. There are currently Two Stabilizer Cutoff switches, but both currently have the same functionality. I say use one of those switches strictly for the yoke column manual switches, and the other switch for all autopilot/STS/MCAS signals. The way it was in all previous 737 models. Without a true OFF switch for MCAS, any FCC / MCAS software errors can only be solved by killing the electric motor to the stabilizer, leaving you stuck with the smaller, mechanical trim wheel in an emergency. Wouldn’t that be fun to try and operate in time, in another Flight 1547, bird strike type incident?
Richard, if you read the AD preamble issued today, it talks about all these issues. The FAA responded to every comment (nearly 300), including yours, over almost 90 pages. It’s very thorough and complete.
The dual simultaneous AoA sensor failure scenario was considered, was found not to create an unsafe condition with the required AD changes.
Richard
Do you mean that the flaps are up 10 seconds after takeoff in a normal MAX takeoff?
Steve
Richard:
I fully believe the MAX is now as safe as an A320. I anticipate travel next summer (vaccine allowing) and AK will be flying the MAX then. I will board with no more concerns than I have about aviation safety in general.
I continue to have deep concerns on the manual trim system and it being slathered over.
My take is it’s a political aspect as you would have to deal with any aircraft flying (including thousands of 737s) that use this system.
Rob: A mistake is soldering up a board and getting a bad solder joint even though you were very careful and followed all the process and procedures. Hand soldering is rife with error as it does not lend itself to quality control.
Deliberate actions to suppress, corrupt the FAA and rush an aircraft to service are not mistakes, those are deliberate actions.
My actions have always had consequences.
Clearly what I should have done was formed a corporation or become a government agency with letters, then I could avoid being held accountable.
Sadly, growing up, I believe my folks (based on their other actions ) would have ignored my Corporate papers or Government agency letters and paddled my butt like it deserved at the time.
As my father was a CAA/ FAA employee, he might have felt his letters beat my letters.
Steve, I was referring to STS being active 10 seconds after takeoff.
For STS to come alive…
=====
STS activates:
– Between 100 KIAS and Mach 0.60 (fading to zero after M 0.68)
– 10 secs after takeoff
– 5 secs after releasing trim switch(es)
– N1 >60%
– Autopilot disengaged
– Trim required
A short manual trim selection overrides the speed trim and will inhibit it for around 10 seconds, just in case that the speed trim inadvertently provides an incorrect input.
Only tangentially related to the present article (the airline has a fleet of Boeings, including MAXs), but important enough to mention here in a cut-in:
“Norwegian Air files for bankruptcy protection in Ireland”
https://www.theguardian.com/business/2020/nov/18/norwegian-air-files-for-bankruptcy-protection-in-ireland
Another victim of the endless waiting around for a magical solution to present itself on a silver tray.
Bryce:
I assume you mean Covid?
Are you advocating for some kind of implanted chip to certify you are Covid free and proud? Have you modeled how fast you can design a fail safe system vs a vaccine?
Please note the Chinese will have hacked your system.
Or is Norwegian a victim of its own corporate stupidity? My reading says they were in deep trouble before Covid.
No implanted chips required.
A triple testing strategy as suggested by AA/BA this week could have been put into place months ago.
As regards a vaccine: until a sufficient percentage of the population has actually been vaccinated, we’re going to be months, and probably more than a year, further. Waiting around for that length of time is going to see many other airlines go belly up.
As regards Norwegian being in deep trouble before CoViD: that same could be said of many corporations. That doesn’t mean that such corporations should just be left to face their lot as a result of inexcusable inaction.
Bryce:
My point is, by the time you have a viable cross check system, vaccination will (highly likely) be here and by about July (again if all goes well) we will be protected.
On the other hand, coming up with a viable system that proves you are not infectious when traveling ignores a couple of huge issues.
1. Testing delay. By the time you get results, you can be infectious. Quick tests are still in their infancy (see how effective that is per the Trump administration and its on going infections)
2. The only likely hack proof or computed (fake documents) process is a Government passport system. Getting that in place for Covid is going to take how long?
I had family travel in this crisis. They did get tested before flying, but they also had to get tested 5 days after arrival to confirm they had not come down with it or were infected when flying (or on getting to or from the airport )
If this looked like a protracted issue, I would agree on working on a system. It very much looks like it is not.
Until they unravel and review the data, I am not going to say its a slam dunk. But it looks promising.
Also keep in mind, something along the lines of 6 vaccines are in the queue, all of which have ramp up plans in parallel to the creation and testing of the vaccine.
The 20 million to be protected or so by end of Dec could well be 500 to a billion by February or March.
As for Norwegian, if the day Covid was realized to be the issue, could they have come up with a viable travel certificate system to save them?
I don’t think so. Would anyone trust a certificate out of China or Russia? Zimbabwe? Iran? Syria? Etc.
We can’t even trust the US FAA to do their job and the US is a relatively (or was) corruption free country.
On FG:
“Questions persist after 737 Max recertification”
https://www.flightglobal.com/airlines/questions-persist-after-737-max-recertification/141201.article
Bryce:
If you follow the 787 battery debacle, once the RTC stepped in, set standards, Boeing then complied and we have had (one?) incident since then and it was a venting not a fire.
While I disagree with Boeing Management as well as the FAA as it is currently set up, I believe the MAX has had almost all its issues correctly addressed.
I continue to be deeply concerned about the manual trim.
It’s not like the stab trim system suffers the kind of failure AOA do and Boeing fully was aware of, it’s the possibility of a failure there and can it be handled?
Mostly it seems to be the authorities’ attitude that the cow has bolted the barn and nothing we can do about it.
Sad but true but is an example of the Ostrich with its head in the sand approach.
Regarding the 737’s safety history, I sometimes wonder who is living in an alternate reality:
‘Boeing 737 rudder issues’:
“During the 1990s, a series of rudder issues on Boeing 737 aircraft resulted in multiple incidents. In two separate accidents, pilots lost control of their Boeing 737 aircraft due to a sudden and unexpected movement of the rudder, and the resulting crashes killed everyone aboard. A total of 157 people aboard the two aircraft were killed. Similar rudder issues led to a temporary loss of control on at least one other Boeing 737 flight before the problem was ultimately identified. The National Transportation Safety Board determined that the accidents and incidents were the result of a design flaw that could result in an uncommanded movement of the aircraft’s rudder. The issues were resolved after the NTSB identified the cause of the rudder malfunction and the Federal Aviation Administration ordered repairs for all Boeing 737 aircraft in service.”
https://en.wikipedia.org/wiki/Boeing_737_rudder_issues
Yes, whenever there is talk about the B737 models’ good safety record, which it indeed is totally, I can’t help thinking about those very nasty rudder hardovers accidents! I remember there was a lot of talk about that problem, with crew bulletins etc. All the aircraft went through modification work, and it apparently solved the problem. But it is a deep scratch in the B737’s reputation, regardless of an excellent safety record of the first three generations otherwise.
And those of us old enough, will of course never forget the Hawaiian cabriolet B737-200 that miraculously landed safely without breaking up (but with one casualty, a cabin crew member). 😱 Fortunately it was a once and only accident, but I remember all our B737’s had to be checked in the wake of it.
As I read this assessment, it implies that if MCAS software would have checked whether the angle-of-attack had returned to nominal values before triggering a second time that the airplane would have been safe. If this is the situation, it doesn’t fit the narrative that there is some type of culture problem at Boeing or that there was an over-emphasis on profits over safety. It seems more like a basic technical error in software requirements definition.
I’d like a pilot’s perspective on whether the ET302 pilots would have been able to address an MCAS movement of the stabilizer under the situation that unfolded.
Jeff, I agree that the emphasis placed by commenters here on Boeing management and profit seeking is excessive. There is no evidence for that, but it’s firmly established in their cult thinking. It’s not the result of an objective thought process.
When it comes to safety culture, there is evidence that Boeing needs to improve. But also evidence that they are improving, and trying to improve. Commenters here tend to emphasize the former and ignore the latter.
With regard to your main point, that MCAS was a basic technical error, you are correct. The tie to safety is the way in which it occurred (assumptions that didn’t need to be checked), and also the fact that it wasn’t caught, either by Boeing or the FAA.
I am not a pilot, but it’s clear that recovery from the MCAS malfunction on ET302 was possible, as it occurred on the JT043 flight. It required correct execution of the runaway trim checklist, which is a required memory item for all pilots.
The issue that occurs with commenters here, is an unwillingness to accept the role of the pilots in the accidents. That dovetails nicely with the anti-Boeing sentiment that borders on hatred.
The good news is that this bias does not exist in the regulators or investigative agencies. So they have correctly identified pilot training and reinforcement of the runaway trim checklist, as a mandatory requirement for piloting the MAX.
The need for this was somewhat known already and has been documented extensively as pilot reliance on automation, and deterioration of manual flying skills. That is a work in progress but it has the focus of most aviation safety agencies around the world now.
One result of these accidents is that Congress has mandated the FAA help develop worldwide pilot standards, and also work with other countries to more fulsomely vet the qualifications of their pilots.
Quote: “I am not a pilot, but it’s clear that recovery from the MCAS malfunction on ET302 was possible, as it occurred on the JT043 flight.”
I strongly disagree that this is clear at all. I have flown 3 generations of B737’s, up to the NG. One can theoretically say that it could have been saved if they had done this or done that – provided they understood what the hell was going on. Which I am not sure I would in this situation, with the continuous stick shaker adding to the confusion. But the runaway trim checklist, which they actually tried at one point, proved to be _completely useless_ in the situation. It is plain impossible to move that trim wheel manually when the other pilot is applying full back pressure on the yoke! And he couldn’t let go on that back pressure at the speed and altitude they had.
The MCAS as it was deployed, was disastrous. Not only that it relied on 1 sensor, and repeated the trim applications again and again, but that it was braindead enough to apply more than 2 units of trim at 400+ knots – assuring the disaster. I don’t think the aircraft would have been grounded for 20 months if it was only the pilot’s applications of the procedures that was the problem…
I do believe that the Max is safe now though, after all the time and effort they have put in.
My question: how can we know that Boeing’s “culture” has been confined to the MCAS system?
It’s not limited to just MCAS, I’m not aware that anyone has claimed that it is. The more relevant point is truthfully identifying issues in the Boeing safety culture, and addressing them. That’s the purpose of the Safety Management Systems (SMS) that Boeing is trying to institute, and that FAA is trying to enforce.
The SMS model has been very effective at airlines, which is the environment Steve Dickson came from, so he knows their value and has pushed Boeing in that direction. So hopefully Boeing will realize the same benefits as the airlines have, but it’s still a work in progress.
SMS was introduced by Airbus over the last 20 years ago, in all divisions. Embraer also has implemented it yrs ago.
Did you know, Rob?
Keesje, I’m very happy to hear that. It’s a wise decision and the right thing to do.
I assume as well that they have updated their systems over time, to the current standard employed by the airlines, which Dickson wants to push throughout the manufacturing sector.
If Airbus and Embraer already have those systems in place, they are well-positioned and will not have to make many changes to achieve compliance.
Rob contends the Fox can guard the hen house when the carnage in the hen house refutes that. I think the following site is more appropriate for Rob.
https://freewillastrology.com/horoscopes/pisces
Reality is all Rob has is Boeing said. That is not remotely factual as to meaning anything. Rob contends it is but the facts say its pure speculation on his part and is totally non factual.
Boeing history in fact contradicts what Boeing says. The weight of evidence says at minimum you don’t know and you can use benchmark to see how they are handing issues not in the public eye.
So far the Fox insists it can guard the hen house and the FAA has gone along with that.
SMS is only as good as the people doing it and the management.
As we have seen, Boeing has been on a long trajectory to corrupt the certification’s process and succeeded (787 battery is another prime example)
So in the case of the 787 battery, FAA allowed Boeing to self certify. What they came up with was you drive a nail into the battery to prove it’s good to go. We saw the results.
The RTC certification requirements are dozens of tests and confirmation, all based on science and engineering.
Reading what they do now vs the nothing Boeing did on the battery, literally Boeing did all they could to ensure failure.
The ODA was an example of how you could work with Boeing and still get the goal of building an aircraft done. But Boeing wants to cut costs regardless of costs.
In the gun world you have a proof test, you have a cartridge that is loaded up to 150% and see if it damages the gun.
Proof test for Boeing is voluntary asking congress to return the law to ODA. They can hire as many people as they want to ensure fast progress.
But they won’t do that and deny its an issue though Independent assessment says it is.
In fact, I don’t claim ODA would catch all issues either. But it is a separate layer of safety. Something grossly obvious as MCAS would be caught. The 737 rudder issue no.
I worked on boilers for 40 years. Every year an agency (either the State or Factory Mutual) inspected those boilers to ensure I was doing my job on the various safeties (over temperature and high pressure relief).
I not only encouraged it, I noted many times that Factory Mutual was not as good as the State. Why? Factory Mutual did not have you lift the safeties, the State did.
So, the FAA is much in that same position. FM is paid by the same people they insure.
FM's take was we don't want to cause problems.
A boiler has energy potential equivalent to hundreds of pounds of TNT (more or less depending on size; I have seen the pictures. I saw where a 55 gallon water heater blew out an entire classroom (40 x 40 roughly) in a school house and my boilers had far more than 55 gallons of fluid in them).
So, the very nature of FM being bought and paid for influenced their tests (or lack of testing).
The State did not care. They only inspected in the summer and if the safety leaks after the test, so what? You just replace it and that is the end of it. Safety is the goal, not the cost of a safety device.
So what Rob insists is no more than we don't need a SEC, or even the police. Just ask a criminal if they are guilty and when they say no, we can be sure they in fact did not rob (pun intended) the banks.
Another real situation. I was involved with a Hangar built up here as a company representative.
While the specifications said that the welds on the structural steel had to pass a seismic 4 area standard, there were no checks, the structural steel mfg just sent the stuff to the site.
The on site inspector found a section that when tested, was only 60% of the spec.
That turned out to be one of the best pieces, some were as bad as 20%.
When asked why, the structural supplier told them, sure we saw the spec, but you did not ask for X rays and you did not have a test system in place, so we ignored it.
In that case no one died, the Structure people were fired, they hauled an entire 747 hangar worth of steel away and replaced via a different firm a year later with a structure that was inspected with test proofs.
Two years ago we got hit with a 7.7 quake. The Hangar had a couple of cross bars that showed flex but no damage.
The inspectors said, that is as close as you come and not have a failure.
History is beyond rife that says you can't trust people to self inspect, so you have independent agencies and regulators to ensure it's done right.
Yes they fail from time to time but it's vastly harder to pull wool and most of the time they succeed. Either what they are given is done right because the mfg knows it has to be or they catch it and make them.
Good article, but I would just like to comment on one particular issue: Quote: “An erroneous nose-down trim of 2.4 units is fully controllable for the Pilot in this situation as long as it stays at one trim action”
At low speeds this is of course fully controllable. But 2,4 units trim at the speeds the Ethiopian flight had in the end (more than 400 knots if I remember correctly), is extreme – and lethal.
My question has therefore all the time been not only why the MCAS relied on a single sensor, but how they could design a system which is allowed to apply such extreme trim applications regardless of airspeed!
BTW I have flown B737's for about a hundred years (ok, 30…), all generations except the Max, and I'm not sure at all whether I would have managed to save those doomed flights. I won't be flying the Max, as I have just converted to A320 Neo (my airline decided to replace the B737 fleet with Airbus long before the accidents), but I agree with the conclusion in the article – With all the investigation, testing and modifications they have made to the Max, I believe it is now as safe as any other B737, which is generally a very safe aircraft type.
Thank you for those informed comments, Geir A.