With the destabilizing effects on global aviation of huge fuel price inflation and unprecedented Russian military aggression in Europe, worsened by post-pandemic staffing shortages, it’s amazing that international commercial air transport works at all right now.
International cooperation has never been more crucial. Yet in the UK, an example of how NOT to do aviation – especially right now – has just been highlighted.
UK-based eVTOL developer Vertical Aerospace will be certificated by the UK CAA according to EU rules despite having separated from EASA
The reason international aviation is still working despite global instability is because the world wants it to, and has set up robust systems to enable it. Like commercial shipping, commercial aviation is naturally a global industry.
That’s why both those industries have specific United Nations agencies devoted to overseeing globally agreed standards and operating practices (SARPs). These agencies are the International Maritime Organization and the International Civil Aviation Organization. Total regulatory unity doesn’t prevail worldwide, but a high degree of harmonization does.
The world’s two most influential national/regional aviation authorities responsible for turning ICAO SARPS into national law are the European Union Aviation Safety Organisation (EASA) and the US Federal Aviation Administration (FAA). These two have worked together for decades to improve the harmonization of their regulations, making them identical where possible. They still meet regularly. Most of the world’s national aviation authorities (NAAs) more or less copy the regulations of one or the other into their own NAA rules.
All the EU states have always had their own NAAs – and still do. But since the 1980s they have worked together on harmonizing their aviation regulations to make Europe’s aviation industry work better.
In the early 2000s, EASA was born out of its predecessor the European Joint Aviation Authorities, to unify Europe’s interpretation of all those ICAO SARPs.
Back in the early 1980s, believe it or not, Boeing had to build almost as many variants of its 737 series as there were countries in Europe, because some nations insisted on safety systems than the FAA did not require, and some of these specifications were unique to each country. For example, one of the UK’s additional requirements – then – was for a 737 stick-pusher.
Today the UK Civil Aviation Authority (CAA) is faced with the consequences of returning to the bad old days because of the UK’s departure from the European Union. Although Theresa May, the UK prime minister preceding Boris Johnson’s election, had instructed the CAA to remain an associate member of EASA following “Brexit”, when Johnson came in his government insisted on ideological purity, thus no CAA association with Europe’s multinational agency.
Meanwhile, right now the CAA has to prepare its reaction to the imminent arrival on the world stage of a new form of commercial air transport: eVTOL (electric vertical take-off and landing), also known as Urban Air Mobility. Expected to take the air taxi world by storm and make it sustainable, the UK plans to be involved in all aspects of this new industry, including manufacturing.
At a time like this, when the world has agreed to harmonize rules associated with another massive new aviation development – drone operation – it does not make sense for any nation to declare unilateral independence from the world rule-making processes.
The CAA, fully aware of its dilemma, has released a statement pledging that it will follow exactly the EASA rules on certification for eVTOL. Of course, it has to duplicate the regulation in UK law, and any UK eVTOL products or services will be subject to scrutiny by EASA to ensure that it does just that. Hence the UK’s promising eVTOL manufacturer Vertical Aerospace is having to undergo identical parallel certification by two agencies: the CAA and EASA. You couldn’t make it up, could you?
Meanwhile the bureaucratic burden placed on the UK agency is evident from this script heading pages on the CAA’s website: “UK-EU Transition, and UK Civil Aviation Regulations:To access current UK civil aviation regulations, including AMC and GM, CAA regulatory documents, please use this link to UK regulation. Please note, if you use information and guidance under the Headings below, the references to EU regulations or EU websites in our guidance will not be an accurate description of your obligations under UK law. These pages are undergoing reviews and updates.”
The Covid-19 pandemic’s dramatic effect on air travel has accelerated aircraft retirements, particularly older long-haul types. This, of course, includes the undisputed Queen of the Skies, the Boeing 747, the withdrawal of which has been the cause of many misty-eyed moments among aviation romantics.
British Airways’ last 747-400, in retro BOAC livery, on its way to retirement
The “other jumbo”, the Airbus A380 was already suffering a crisis of its own before Covid’s arrival, and the pandemic motivated the manufacturer to put the trickling production line out of its misery.
The A380 – technically an excellent, if over-engineered aircraft – was the victim of a miscalculation by Airbus way back in the late 1980s-early 1990s about the shape of future global air transport. The A380 was to replace the 747, but the belief that a replacement would be needed at all was based on an assumption that the industry would continue to develop much as it had in the previous three decades.
Emirates, by far the A380’s biggest user, will certainly be able to continue flying many of them
That didn’t look like a bad decision at the time, but Boeing’s predictions turned out to be far more accurate. The US manufacturer foresaw the diminution of the importance of hub-and-spoke networks feeding the world’s major airports where they sit astride the globe’s air travel arteries – the traditional trunk routes. The A380 was ideal for serving these.
But the American manufacturer’s crystal ball showed smaller widebody twins taking over from thirsty quads, and carrying passengers who wanted it straight past the massive hubs directly to the secondary cities. The 767 was already showing the way in the 1990s, with American carriers on transatlantic routes, but the 777 and 787 extended the possibilities. Darwin had smiled on Boeing.
Although Airbus was also ready for many of these long-haul twin opportunities with its flexible A330 twin series (and now the A350), in the mid-1990s the four-engine A340 had initially become much more popular than Airbus had predicted. Europe, culturally less of a risk-taker than the USA, was not yet ready to fly twins over extended oceanic routes, or over endless Arctic and Siberian wildernesses. In a quad, an engine failure raises the crew’s blood pressure a bit, but they can elect to continue to destination. In a twin, it means an instant diversion.
Meanwhile, across the Atlantic, in July 1995, Boeing and the Federal Aviation Administration were ready to gamble on bringing a brand-new big twin, the 777, into service with pre-cleared permission to fly over oceanic or wilderness regions where the nearest diversion airport could be up to three hours away at single-engine flying speed. That extension from the previous 2h meant there were hardly any routes a twin couldn’t fly. Boeing and its FAA partner went for it; and what’s more they got away with it. A single early-days disaster would have put paid to that policy, but it didn’t happen, and now everyone takes 180min ETOPS (extended twin engine operations) for granted. Darwin had smiled on Boeing once more.
Today, in the pandemic, the Airbus A340 is suffering a fate similar to the 747’s, but there will be fewer tears simply because it could not have achieved the iconic status the 747 had won through its status as the world’s first jumbo jet, its sheer longevity, and its unique shape.
Among today’s widebodies, Darwin will continue to smile on the newer big twins, and the few remaining tri-jets and the older big twins will be parked or converted to freighters before their time would normally be up. Meanwhile, the marketplace that the new big twins have had to themselves for some time is to be invaded by what may turn out to be a particularly timely product: Airbus’ single-aisle venture into long-haul, the A321XLR.
Another anomaly brought by the pandemic is that air cargo has been the saviour of many airlines during the pandemic, because unlike passenger traffic, cargo has hardly been affected. For example, Taiwan’s China Airlines has just announced an operating profit for 2020 on the back of cargo, and recently took delivery of a new 777F.
Short-haul – and thus the single-aisle fleet – has not been hit as hard as long-haul simply because domestic air travel is free of the border restrictions that nation states impose on travellers when they fear the spread of infection from abroad. But as in their long-haul fleets, airlines are still disposing of the earlier versions of their 737s, A320s and regional aircraft.
Exceptionally on a global scale, the US domestic carriers are forecasting break-even levels of passenger business by June, with strong demand from the leisure travel market, although there is slightly less confidence in a business travel rebound. Domestic carriers elsewhere, in less geographically large countries – particularly those with mature high speed rail networks – will take longer to recover than the likes of American, Delta, United and Southwest, and may not have had the government injection of survival cash the US airlines have had – plus the boost from the fact that the USA has successfully accelerated its Covid vaccination programme. Is that Darwin smiling on America again, or just on big, prosperous nations? He may well be smiling on China too.
No-one can be sure of the post-Covid shape of the world’s commercial air transport industry. Truisms, abound, like the contention that the strongest carriers will survive, and that the pandemic’s result will be further consolidation and fewer airlines. One of the unknowns is whether people’s travelling priorities will have changed, especially in the light of growing concern about climate change. Will long-haul, in particular, be a victim of such a concern?
But at present, whenever there is a hint that lockdown may be eased, people are rushing to book holiday travel. Air travel will indeed survive, the question is: what will it look like?
The European Union Aviation Safety Agency (EASA) has published a Proposed Airworthiness Directive (PAD) , signalling its intention to approve the Boeing 737 MAX’s return to Europe’s skies “within a matter of weeks” – probably about mid-January.
But Europe is specifying a few requirements that the US Federal Aviation Administration (FAA) has not demanded.
It was on 20 November that the FAA approved the aircraft’s return to America’s skies, but US carriers have many preparations to complete before resuming commercial services with the Max. American Airlines reckons it will be ready by the end of December.
EASA, however, wants to see the application of some operational measures that the FAA does not require. It insists, nevertheless, that the Max airframes in America and in Europe will be the same. The agency explains: “The [PAD] requires the same changes to the aircraft as the FAA, meaning that there will be no software or technical differences between the aircraft operated by the United States operators and by the EASA member states operators.”
The EASA PAD is a consultation document, and all responses have to be received by 22 December. EASA executive director Patrick Ky is at pains to point out that the agency, while cooperating with the FAA on correcting the anomalies in the Max’s manoeuvring characteristics augmentation system (MCAS) (see immediately preceding blog entry), insisted on looking independently at the whole issue.
Ky explained: “EASA’s review of the 737 MAX began with the MCAS but went far beyond. We took a decision early on to review the entire flight control system and gradually broadened our assessment to include all aspects of design which could influence how the flight controls operated. This led, for example, to a deeper study of the wiring installation, which resulted in a change that is now also mandated in the [PAD].” That, basically, is a requirement to bring the venerable 737’s design up to date, and is a signal that the days of “grandfather rights” – a dispensation to build the 737 Max as earlier versions of the 737 were constructed rather than as new aircraft have to be designed – are numbered.
The Max airframe design came through all the handling tests satisfactorily, as Ky explained: “We also pushed the aircraft to its limits during flight tests, assessed the behaviour of the aircraft in failure scenarios, and could confirm that the aircraft is stable and has no tendency to pitch-up even without the MCAS.”
Two principle differences between the FAA and EASA requirements are explained as follows: “EASA explicitly allows flight crews to intervene to stop a stick-shaker from continuing to vibrate once it has been erroneously activated by the system, to prevent this distracting the crew. EASA also, for the time being, mandates that the aircraft’s autopilot should not be used for certain types of high-precision landings [and approaches such as RNP-AR]. The latter is expected to be a short-term restriction.”
The crew intervention mentioned would allow the pilots to pull the stick-shaker circuit breaker. The stick-shaker – a system designed to alert pilots to an approaching stall – was one of the distractions that faced the Lion Air and Ethiopian Airlines crews before they lost control of their aircraft, despite the fact that the shaker was triggered by a false warning.
The FAA doesn’t see the need for this intervention, because the modifications have ensured that a single sensor failure will not trigger the stick-shaker any more.
Boeing and EASA say they have agreed to continue tests to see if they can further strengthen the aircraft’s systems’ resilience to angle of attack (AoA) sensor failures – the causal trigger for the two fatal Max accidents, and Boeing has also made this promise: “Boeing will also conduct a complementary Human Factor assessment of its crew alerting systems within the next 12 months, with the aim of potentially upgrading these to a more modern design approach.”
After nearly two years of grounding, Boeing’s 737 Max series has been cleared by the US Federal Aviation Administration to carry fare-paying passengers once again.
This is the first step in a redemption process for one of the world’s truly great engineering companies. Like a boxer who dropped his guard for just a second, Boeing has taken a punch that has knocked it to the canvas, and the referee had started counting.
Now, air traveller reaction is nervously awaited. Will the public believe claims by the FAA and Boeing that, together, they have confined to history the flaws that caused the 737 Max fatal crashes in 2018 and 2019?
The FAA – blamed along with the manufacturer for the lapses in design oversight that led to the two accidents – has declared the aircraft safe to operate in America. One by one, other national aviation authorities (NAA) are expected to follow suit.
Oversight of the type’s rehabilitation continues to be the FAA’s responsibility, but decisions on the systems and software changes applied to the Max have been made by multinational teams. Bodies formed to decide what changes were needed – and then to see them implemented – included the Joint Authorities Technical Review (JATR) representing nine nations plus the European Union Aviation Safety Agency (EASA) – and the Joint Operations Evaluation Board.
The relationship between the FAA and Boeing was much criticised in the accident investigations and the JATR review process . For that reason, the reaction of EASA to the Max’s clearance to fly is seen as critical.
Not only is EASA the agency that oversees safety in the region containing the largest group of aerospace industries outside America, but its contribution to the JATR recommendations made clear EASA was not happy with the FAA’s former piecemeal approach to certifying critical changes applied to the 737 Max.
Its opprobrium was directed particularly at the FAA’s approval of the flawed Manoeuvring Characteristics Augmentation System (MCAS), unique to the Max, and not used in earlier marques of 737. It recommended “a comprehensive integrated system-level analysis” of the MCAS, and of its integration into the total system-of-systems that constitutes a modern aircraft (for more detail, see “The Failures and the Fixes”section following this article).
So it was with heartfelt relief that Boeing heard EASA’s executive director, Patrick Ky, report on Max progress to the European Parliament Transport Committee on 29 October. Ky told them: “We are fully confident that, given all the work that has been performed, and the assessments which have been done, the aircraft can be returned safely to service.” Ky’s statement suggests EASA will re-certificate the 737 Max in Europe soon after the FAA’s announcement.
Meanwhile, out in the real world, Covid-19’s near-immobilisation of commercial air transport worldwide has rendered the Max’s long grounding almost invisible to the media and the public. Because of the far lower level of air travel activity, the airlines have been able to live without the 387 Maxes already delivered to them, and also without the additional 450 that have rolled off Boeing’s Renton, Washington production line since then. The latter are all in storage, awaiting any updates not already incorporated, and ultimate delivery.
Although clearance to fly has now been delivered, even in the USA the airlines will not instantly be re-launching their already-owned 737 Max fleets. The status of all the proposed software and hardware modifications to the type will not have been confirmed until the moment the FAA signs it all off.
American Airlines has said it hopes to start getting its Max fleet airborne before the end of December.
REUTERS/Nick Oxford/File Photo
Once the FAA has done that, getting the Max fleet ready for the sky will be an aircraft-by-aircraft, crew-by-crew process. In many airframes, a knowledge of what changes were coming has enabled a great deal of the work to be done. But also, because of the hardware and software changes to the Max, the crews have to be trained to use the new systems.
Incidentally, while the Max series was grounded, the FAA decided to order some additional modifications – completely unrelated to the crashes – to bring the type fully in line with modern safety regulations. For example, one of these involves the re-routeing and separation of wiring looms that the 737 had previously been allowed to sidestep under “grandfather” rules.
The number of lessons for manufacturers and regulators to learn from this aerospace drama is legion.
The failures and the fixes
The failures
Just a reminder: the 737 Max series fleet was grounded in March last year as a result of findings from the investigations into to the Lion Air and Ethiopian Airlines fatal crashes, respectively in October 2018 and March 2019.
The primary causal factor of the Lion Air Max crash was erroneous triggering of its manoeuvring characteristics augmentation system (MCAS) by a faulty angle of attack (AoA) sensor, according to the Indonesian final accident report. It is at the MCAS that Boeing’s corrective efforts have mostly been directed.
In both the accidents, the aircraft’s AoA sensor that feeds data to the MCAS wrongly indicated a very high AoA soon after take-off. The system reacted by providing nose-down stabilizer rotation that took the pilots by surprise. They did not understand the reason it kicked in, and their efforts to reverse the strong nose-down pitch did not succeed. Both these events occurred soon after take-off, and because the MCAS kept repeating the nose-down stabilizer in response to the continued erroneous high AoA sensor signal, the loss of height quickly resulted in impact with the surface.
During the examination of all the issues arising from the accidents, the JOEB was aware there were solutions to the situation in which the crews found themselves. But the fact that two crews in different regions of the world were so confused by what the MCAS was doing that they lost control had totally eclipsed pilot failings as the main issue.
MCAS was designed to trigger only in a specific flight configuration that causes the Max’s centre of lift to move slightly further forward, delivering a slight nose-up moment that can be countered by flight controls. This configuration is a combination of relatively low airspeed, flaps up, with the aircraft being flown manually. In the case of the Lion Air and Ethiopian flights, the pilots decided to continue to fly the aircraft manually during the early climb, rather than engaging the autopilot, so this precise flight configuration was encountered as soon as the flaps were fully retracted.
With flaps up, and still at a fairly low airspeed, the aircraft would be at a high angle of attack, and not far above the stall. FAA regulations require that, in the proximity to the stall, one of the “feel” cues to the pilots is that there should be a linear increase in the required control column force versus elevator displacement response, but the Max’s aerodynamics in this configuration had negated this effect, and MCAS was designed to restore that pilot cue automatically.
The JATR decided that MCAS’ fatal design weakness, above all, was that it was triggered by a single AoA sensor with no backup in case the unit had a fault or suffered damage. It seems Boeing and the FAA had overlooked that possibility, and had not explored the potential effects of erroneous inputs. Their excuse at the time was that the system was not seen as a critical one, rather as a refinement.
The fixes
The 737 Max had always been fitted with two AoA vanes, but originally only one was wired up to MCAS, and there was no flight deck indication of a disparity between the two sensors if a difference developed, which could have warned the pilots of a potential vane fault.
The hardware fix agreed by the JATR was that both AoA sensors would now feed into the MCAS, there would be an automatic comparison between them, and if there was more than a small disparity the MCAS would be locked out completely, because the aircraft can be flown without it.
The software fix also ensures that – now – the MCAS only operates once per high AoA event, so the repeated nose-down pitch demand by the stabilizers that led to the two accidents would not occur. In addition, the two flight control computers (FCC) now continuously cross-monitor each other.
After the hardware and software changes, the final improvements – overseen by the multinational JOEB – are to pilot training and cockpit drills for the Max series.
Now, even if the pilots are coming to the Max from the very similar 737NG series, pilots must undergo a one-off training session in a Max full flight simulator. This involves recovery from a full stall, dealing with a runaway stabilizer, practice manual trimming at high speeds (and therefore high trim loads), and crew cooperation on all these exercises.
Non-normal checklists have now been compeletely revised, and contain updated procedures that concentrate particularly on the operation of the horizontal stabilisers and trim controls, both in normal operation and in the case of all potential faults. The drills deal with runaway stabilizer, speed-trim failure, stabilizer out of trim, stabilizer trim inoperative, airspeed unreliable, altitude disagree, and AoA disagree.
Computer based training (CBT), containing video of crew exercises using the real controls, teaches drills for the following: airspeed unreliable, runaway stabilizer, the speed trim system, trim controls, and differences between the autopilot flight director system (AFDS) in the NG series and the Max series.
Testing the changes
Boeing and the FAA say they have put in 391,000 engineering and test hours developing the solutions, which have then been tried for 1,847 hours in simulators and for 3,000 airborne hours in the real aircraft.
Very soon – perhaps this week – the US Federal Aviation Administration is expected to declare Boeing’s 737 Max safe to fly again in America’s skies, lifting nearly two years of compulsory grounding.
Such an event would normally be a subject of press fanfare, but Covid-19’s near-immobilisation of commercial air transport activity worldwide has rendered the Max’s long grounding almost invisible to the non-specialist media and the public.
The airlines have been able to work not only without the 387 Maxes already delivered, but without the additional 450 that have rolled off Boeing’s Renton, Washington production line since then – only to be delivered straight into desert storage.
The changes being applied – at the FAA’s behest – to this latest version of the highly successful 737 series are partly to correct design flaws that allowed two notorious fatal crashes to occur, but some additional modifications will bring the type fully in line with modern safety regulations that this marque had previously been permitted to avoid under “grandfather rights”.
Once the Max fleet had been grounded, it made sense to incorporate not only the changes required to make it safe, but also improvements that would prolong the marque’s commercial desirability for as long as possible. That is essential because Boeing’s next product in this market sector will be entirely new, and will not be launched for some years.
The truth is that the 737 line has reached the end of its viable development life, but given the fact that it has been in continuous production since 1966 through four iterations, that should not be too surprising.
Basically, the Max marque was intended as a stop-gap while Boeing came up with a “new mid-market airplane”, but when the Max hit the marketplace it was astoundingly successful. Its price was right, its economics excellent, its delivery guaranteed, and it was a known and trusted quantity. And all this despite the fact that it is an old fashioned, mechanically controlled machine surrounded by digitally controlled competition.
This relaunch of the Max into an airline world decimated by Covid-19 is going to be watched with bated breath, not just by Boeing, but by the whole industry.
Public perception of the aircraft is key. Will they see it as safe? Will it be safe?
As soon as the FAA announces the detail of its decision, the answers will be here.
Boeing CEO Dennis Muilenburg says the successful return to service of the company’s 737 Max series depends on international consensus among the many national aviation authorities (NAA) that will see the aircraft operating in their countries.
Not just the US FAA.
As a reminder, the 737 Max series fleet was grounded in March as a result of findings from the investigations into to the Lion Air and Ethiopian Airlines fatal crashes, respectively in October 2018 and March this year.
Speaking this week at Boeing’s Seattle Delivery Centre, Muilenburg declined to predict a return-to-service date, explaining: “Dates are uncertain because we are going for a global recertification.” That means unanimity – near or absolute – has to be achieved.
Boeing aircraft being prepared for delivery at Boeing Field, Seattle
He emphasised the point: “If we do not coordinate this [return to service] we may see some disaggregation, and I don’t think that’s a future any of us wants to see.”
Muilenburg is confident the combined hardware and software changes Boeing has developed for the Max will satisfy the FAA and the multinational Joint Operations Evaluation Board (JOEB).
The primary causal factor of the Lion Air crash was erroneous triggering of its manoeuvring characteristics augmentation system (MCAS) by a faulty angle of attack (AoA) sensor, according to the Indonesian final accident report. It is at the MCAS that Boeing’s efforts have been directed.
More on MCAS later.
Boeing test pilot and VP Operations Craig Bomben, who flew the 737 Max first flight and has coordinated development activity on the type since the accidents, described the essential difference between the original MCAS and Boeing’s proposed replacement: “We’ve moved from a very simple system to an intelligent system.”
In both the accidents MCAS – triggered by a faulty or damaged AoA sensor which wrongly indicated a high AoA – reacted by providing nose-down stabiliser rotation that took the pilots by surprise. They did not understand the reason it kicked in. Their efforts to reverse the strong nose-down pitch did not succeed, and because both these events occurred just after take-off, the loss of height quickly resulted in impact with the surface.
Bomben said the new “intelligent” system has two AoA sensors instead of one, and if their readings differ by 5.5deg or more, MCAS is not triggered at all.
But if it is correctly triggered, the system now “operates only once per AoA event”, according to Bomben, and when it does trigger stabiliser movement, it memorises how much displacement has taken place, so if it were triggered again it would take account of existing stabiliser displacement and will not apply more than a safe cumulative limit.
But why is MCAS – which is unique to the Max – required at all? Boeing insists it was not fitted as an anti-stall system, because the aircraft already has stall warnings and stick-shakers.
The purpose of fitting MCAS, Bomben explained, was to compensate for a slight change in the low-airspeed aerodynamics of the 737 Max compared with the NG.
MCAS was only designed to trigger in an unlikely (but obviously possible) combination of circumstances that can cause the aircraft’s centre of lift to move slightly further forward, altering the weight-balance equation. It only happens when the Max is at low airspeed with the flaps up, and is being flown manually.
At low airspeed (200kt or thereabouts) – and flapless – the aircraft would be at a high angle of attack and close to the stall. FAA regulations require that one of the cues to the pilot of the approaching stall is that there should be a linear increase in the required column force versus displacement response.
In the Max, however, at a certain point in this sequence the centre of lift shifts forward a little, providing a slight nose-up pitch force, therefore the stick force does not continue to increase, so MCAS is designed to kick in with some nose-down trim to restore the linear increase.
If MCAS doesn’t kick in, the aircraft is still easily controlled without it, but the required progressive stick-force cueing is lost.
In technical and regulatory terms, MCAS seems to be a lot of fuss for very little purpose, but the painful fact is that the original MCAS played its part in bringing down two aeroplanes and killing 346 people.
Muilenburg’s confidence in the fix is, so far, based on more than 100,000 hours of development work on the new solution, plus 1,850 flight hours using the new software, 1,200 hours of refining the results in the simulator, and 240 hours of regulatory scrutiny in the simulator.
Meanwhile, if Muilenburg cannot predict when the world will approve the 737 Max’s return to the air, what is happening to its production at present? The aircraft had won more than 5,000 orders, and fewer than 400 have been delivered.
The Max series, despite the grounding, continues to roll off the production line at Boeing’s Renton plant near Seattle, at a rate of 42 per month. The factory is capable of turning out 57 a month, but Boeing is keeping the rate lower for now. Despite this, Renton has seen no staff layoffs, says Boeing.
The completed aircraft, however, go into storage at Moses Lake or San Antonio desert sites, because the manufacturer’s own sites at Renton, Everett and Boeing Field are full.
Muilenburg said every 737 Max grounded or in store awaiting modification will have an individual entry into service programme, and that in the meantime the engines, systems and cabin of all the aircraft are regularly being run and maintained.
But will they still have that “new plane smell” when the airlines take delivery?
A Max in production at the Renton plant, its unique split winglet close to the camera
Boeing, the FAA, and national aviation authorities (NAAs) from several other countries, met in Dallas on 23 May to consider the future of the 737 Max series of aircraft.
It is impossible to overstate how important this meeting is. The way civil aircraft manufacturing does business, not just in America, but all over the world, is under scrutiny.
Detail gradually emerging from Boeing and the FAA following the two 737 Max fatal crashes has upset such basic assumptions about the way modern aviation works that industry veterans – whose initial reaction was that this was just a case of finding a fix and getting the Max airborne again – are , only now, fully realising it’s not.
Like the Looney Tunes cartoon characters who ran over a cliff they didn’t know was there, we didn’t begin to fall until we looked down.
Let’s examine the proposal that all airliners nowadays are massively computerized, so adding some digital controls to the good old 737 to make it a Max is just bringing the 737 marque up to date.
After all, digital controls work on other types like Airbuses and Boeing’s own 777 and 787, and they are safe, so why not on the 737?
Back to basics.
All modern commercial airliners are supposed to be designed, in the first place, so they fly easily and intuitively, and have a natural aerodynamic stability within their flight envelope. That should hold true with or without computer control.
Designing an aircraft to be fly-by-wire, rather than conventionally controlled, can provide additional safeguards, but the airframe itself should still fly naturally.
Applying a digital solution to an airframe-related flight characteristic that is undesirable is a different matter entirely; but that is what Boeing chose to do when it installed the Manoeuvring Characteristics Augmentation System (MCAS) in the new Max.
The fact – revealed by the fatal accidents – that the MCAS could be triggered when it was not needed, and what consequences might follow its triggering, appears not to have been examined in any depth by Boeing or the FAA.
The fundamental questions for the FAA – and the foreign NAAs- are these: is the Max, as a simple airframe without digital corrections, sufficiently stable within its flight envelope to satisfy the regulators it is worthy of certification?
If not, is a digital fix sufficient to cover the undesirable flight characteristics lurking in a corner of its flight envelope? How reliable does the fix have to be to win approval?…and how can its reliability be proven?
For three decades the aviation world has agreed to operate a regime whereby the NAAs in countries where aircraft are manufactured all use the same standards when they certificate a new aircraft. So when the FAA certificated the 737 Max, the rest of the world accepted the FAA’s judgement and did not insist – as in the bad old days of the 1970s and before – on re-certificating it country by country.
At the end of the Dallas meeting Boeing had this to say: “We appreciate the FAA’s leadership…in bringing global regulators together to share information and discuss the safe return to service of the 737 MAX….Once we have addressed the information requests from the FAA, we will be ready to schedule a certification test flight and submit final certification documentation.”
Industry speculation as to when the FAA will be ready to approve return to service varies massively, from a week to many months. These seers also seem to be preparing themselves for disagreement between the FAA and foreign NAAs.
This is the point at which you dare not look down.
Yesterday the US Federal Aviation Administration joined most of the rest of the aviation world in grounding the Boeing 737 Max series of aircraft, the very latest version of the established 737 series. What took it so long?
Having entered service in May 2017, by early March this year the Max had suffered two fatal crashes within five months. This is extraordinary for a new commercial airliner today.
Evidence from the preliminary report on the earlier of the two accidents suggests a technical failure precipitated it. The first event, in October 2018, involved a nearly-new 737 Max 8 belonging to Indonesian carrier Lion Air. It crashed into the sea near Jakarta within about 10min of take-off. The second accident, on 10 March this year, involved an Ethiopian Airlines aircraft of the same type, and it plunged into the ground within six minutes of take-off from Addis Ababa. Pilots of both aircraft radioed that they were having trouble controlling the aircraft’s height, and this was evident on flight tracking systems.
The FAA issued its grounding order on 13 March. This was three days after the Ethiopian crash, two days after China, Ethiopia and Singapore had banned Max operations, and a day later than the influential European Aviation Safety Agency – and many other states – had done the same.
Does this demonstrate that there are different safety standards – or safety philosophies – in different countries? Or does it suggest that the relationship – in this case – between the safety regulator and the manufacturer is too close?
On 12 March, resisting calls to ground the aircraft, the FAA said: “Thus far, our review shows no systemic performance issues and provides no basis to order grounding the aircraft.”
The next day it stated: “The FAA is ordering the temporary grounding of Boeing 737 MAX aircraft operated by U.S. airlines or in U.S. territory. The agency made this decision as a result of the data gathering process and new evidence collected at the site [of the Ethiopian crash] and analyzed today. This evidence, together with newly refined satellite data available to FAA this morning, led to this decision.”
The safety principle behind aircraft design, for more than half a century, has been that all systems should “fail safe”. This means that any one critical system or piece of equipment, if it fails, will not directly cause an accident. This is achieved either by multiplexing critical systems so there is backup if one of them fails, or by ensuring that the failure does not render the aircraft unflyable.
The preliminary report from the Indonesian accident investigator NTSC suggests that a factor in the sequence of events leading to it was a faulty angle of attack (AoA) sensor. This device, says the report, sent false signals to a new stall protection system unique to the Max series of 737s, known as the manoeuvring control augmentation system (MCAS). According to the report, these signals wrongly indicated a very high AoA, and the MCAS triggered the horizontal stabiliser to trim the aircraft nose-down. Finally, the crew seems not to have known how to counteract this nose-down control demand.
The implication of the NTSC report – not the final verdict – is that the MCAS was not designed according to fail safe principles: a single unit failed, causing a software-controlled automatic system to motor the powerful horizontal stabiliser to pitch the aircraft nose-down, and it kept on doing this until the crew could not overcome the pitch-down force with elevator.
At that point disaster could still have been prevented if the crew had been familiar with the MCAS, or with the drill for a runaway stabiliser trim. But the MCAS would not have been expected to trigger at climb speeds during departure. The result was that in this case the crew failed to act as the final backup safety system.
In the months immediately following the Indonesian crash some pilot associations in the USA whose members operate the Max publicly claimed that there was a widespread ignorance among Max-qualified pilots of the very existence of the MCAS, and also many assumed that a runaway trim could be dealt with in exactly the same way as it was for all the earlier 737 marques. Actually the drill is quite different for the Max, as Boeing and the US Federal Aviation Administration (FAA) have pointed out. There is more detail on the MCAS in the preceding item in this blog – “This shouldn’t happen these days”.
Somehow, therefore, many 737 Max pilots in Boeing’s home territory had found themselves un-briefed on a system that was unique to the Max. They claimed lack of detail in the flight crew operations manual (FCOM), which described the system’s function but did not give it a name. US pilots who converted to the Max were all 737 type-rated and had flown the NG marque, but their conversion course to the Max consisted of computer-based learning, with no simulator time.
This ignorance among US pilots was soon corrected because the issue got plenty of intra-industry publicity, so if a US carrier pilot suffered an MCAS malfunction the crews would have known to apply the runaway trim checklist, and select the STAB TRIM switches to CUT OUT. Was this confidence about US crew knowledge the reason the FAA was able to maintain its sang-froid over grounding for longer than the rest?
On the other hand it is not a good principle to use a pilot as the back-up for a system that is not fail-safe.
In the 1990s there were several serious fatal accidents to 737s caused by what became known as “rudder hard-over”. This was a sudden, uncommanded move of the rudder to one extreme or the other, rendering the aircraft out of control, and unrecoverable if it happened at low altitude. The problem was ultimately solved by redesigning the rudder power control unit, for which there was no backup, thus no fail-safe.
If a Boeing product has a fault the responsibility is Boeing’s, but it is equally the FAA’s. The FAA is the safety overseer, and should satisfy itself that all critical systems are fail-safe and that the manufacturer has proven this through testing.
If America has an image it is that of the can-do, the entrepreneurial risk-taker. Why would Boeing or the FAA be different? One of the FAA’s stated values is this: “Innovation is our signature. We foster creativity and vision to provide solutions beyond today’s boundaries.”
The world has benefited from the USA’s risk-taking culture which has driven some aviation advances faster than they would have occurred in other more risk-averse cultures like that of Western Europe. An example of this is the massive extension of ETOPs (extended range twin engine operation) with the arrival on the market of the Boeing 777, which ultimately drove the four-engined Airbus A340 out of the market and influenced the early close-down of the A380 line. Boeing and the FAA took the risk together, and together they got away with it.
Is the 737 Max going to prove to be the one Boeing didn’t get away with? Time will tell.
But is certain Boeing will find a fix that will get the Max back in the sky. And although this episode, if it runs the course it seems likely to follow, will damage Boeing, the damage will be far from terminal. The company has an unbreakable brand name by virtue of being so good for so long, but trust will have suffered.
In the world at large, the art and science of safety oversight is changing dramatically. Technology is advancing so fast that the traditional system of close oversight by the regulator cannot work without stifling innovation, so “Performance-Based Regulation” (PBR) is the new watchword. Basically this means that the regulator prescribes what performance and reliability objectives a system or piece of equipment should meet, and the manufacturer has to prove to the regulator that it meets them. This is fine, providing that the regulator insists on the testing and the proof, and has the expertise and resources to carry out the oversight.
Although lack of oversight resources in the FAA seems unlikely, it would be a global disaster if it occurred. The same would be true of other national aviation agencies (NAA) in countries where aviation manufacturing takes place.
That risk of under-resourcing NAAs is a serious worry for the future, because all the signs are that most countries consider it a very low political priority, especially at a time of budget austerity.
Learmount.com 