Sign in to follow this  
Maverick

Another 737 MAX down.

Recommended Posts

MORE DAMAGE CONTROL OR ?????

Boeing changes executive in charge of the 737 Max factory

The executive who manages the Boeing 737 Max program and the Seattle-area factory where the now-grounded plane is built is retiring. A Boeing spokesman said Thursday Lindblad's retirement was long planned and is unrelated to two Max accidents.

Eric Lindblad has been in the job less than a year

CBC News · Posted: Jul 11, 2019 5:40 PM ET | Last Updated: an hour ago

The executive who manages the Boeing 737 Max program and the Seattle-area factory where the now-grounded plane is built is retiring.

Eric Lindblad has been in the job less than a year, taking over as Boeing struggled with shortages of engines and fuselages from suppliers.

A Boeing spokesman said Thursday Lindblad's retirement was long planned and is unrelated to two Max accidents.

Lindblad will be replaced by Mark Jenks, a vice-president overseeing possible development of a new mid-size plane. Jenks previously managed the Boeing 787 program

Share this post


Link to post
Share on other sites

More schedule reality.  American Airlines and United cancel Boeing 737 Max flights through Nov. 2 as planes stay grounded

Published 30 min ago
Key Points
  • American removed the Boeing 737 Max from its schedule until Nov. 2.
  • The airline previously expected to reintroduce the plane to its schedule in September

United, which has 14 Max jets in its fleet, announced Friday it was removing the jets from its schedule and has canceled thousands of Max flights since the grounding through Nov. 3.

Share this post


Link to post
Share on other sites

Ryanair to cut flights after 737 Max delays

Ryanair has said it will be forced to cut the number of summer flights it operates next year blaming further expected delays before the Boeing 737 Max is allowed to fly again.

The airline said it could be as late as December before regulators clear the aircraft to return to the skies after two fatal crashes.

It was awaiting delivery of 58 planes before next summer but it now expects to receive just over half of those.

It could also close bases as a result.

The airline said it was in talks with airports about which of its hubs could suffer cuts.

 

"We are starting a series of discussions with our airports to determine which of Ryanair's underperforming or loss making bases should suffer these short term cuts and/or closures from November 2019," the airline's chief executive, Michael O'Leary, said in a statement.

Ryanair added that it would talk to its staff and unions about the planned closures, which it said were "directly caused" by the delays delivering the 737 Max.

The airline is now expecting to carry 157 million passengers in the year to March 2021, five million fewer than it had been planning for.

 

Airline analyst Chris Tarry told the BBC that the move to cut routes was "entirely predictable" after the 737 Max was grounded.

He said the plane was "unlikely, even with a following wind, to return to the skies before the end of the year".

There's a finite number of aircraft that Ryanair can use, he said, explaining that the airline would use those planes on the most profitable routes.

Another airline expert, John Strickland, said the grounding was likely to have an effect on the airline's growth plans. At present Ryanair has around 455 planes but it plans to expand its fleet to roughly 600 by 2025.

"A lot of it is about limiting growth rather than cutting back," he said.

"In the summer they would have expected to grow strongly, having additional bases and additional routes."


Analysis:

By Theo Leggett , BBC international business correspondent

Grounded Boeing 737 Max planesImage copyright Reuters

It's looking increasingly unlikely that the 737 Max will be flying again before late autumn - and quite possibly not before next year. So should we be surprised?

In a word, no. The stakes are too high, and this is one decision the regulators simply can't afford to get wrong.

The Federal Aviation Administration has already faced heavy criticism for allowing the aircraft into service in its original form, with flight control software that has been implicated in two separate accidents and the loss of 346 lives.

A repeat would be simply unthinkable - and for the sake of its own reputation the FAA not only needs to be thorough but to be seen to be thorough.

So its analysis appears to have gone well beyond the fresh software developed to solve the original problem - and is now addressing a range of other potential issues.

Boeing does desperately want to get the 737 Max flying again and resume deliveries to customers - it's running out of parking space at its Renton factory for a start. Airlines also need the new plane.

But the message from the FAA has been consistent: it will lift the ban on flying "when we deem it is safe to do so".

Share this post


Link to post
Share on other sites

·        Boeing 737 Max grounding hits Southwest’s pilot hiring

Published 44 min agoUpdated Moments Ago

Leslie Josephs@lesliejosephs

         

Key Points

    1. Southwest is putting off some pilot hiring as the Boeing 737 Max stays grounded.

    2. The planes have been grounded since mid-March after two fatal crashes.

    3. The airline says it made the decision because it is unclear when the planes will fly again.

    4.  

       

      Southwest Airlines Boeing 737 MAX aircraft are parked on the tarmac after being grounded, at the Southern California Logistics Airport in Victorville, California on March 28, 2019.Mark Ralston | AFP | Getty Images
    5. The Boeing 737 Max grounding is starting to affect pilot hiring as the planes remain out of the skies for a fifth month.Southwest Airlines said it delayed hiring for two classes of new pilots, which have about 25 apiece, and postponed captain upgrades for two other classes of current pilots because it isn’t clear when the Max planes will fly again.

    6. Dallas-based Southwest is the biggest U.S. operator of the Boeing 737 Max with 34 in its fleet of around 750 aircraft.Airlines have already delayed thousands of flights and have removed the planes from their schedules through the fall with no sense from regulators when the planes will be allowed to fly again. Aviation officials worldwide grounded the planes in mid-March after two fatal crashes claimed a total of 346 lives.

    7. “All of these classes were scheduled to take place in either September, October, or December of this year to support our previously anticipated delivery of 37 MAX 8 and 7 MAX 7 aircraft in 2019,” said Southwest in a statement. “Once we have more clarity on the return-to-service date of the MAX, and future MAX delivery timelines, we will look towards reinstating classes, as needed, to support the expected growth of our fleet.

    8. ”Southwest operates an all-Boeing 737 fleet and had about 9,100 pilots as of the end of last year, according to a company filing.

    9. Other airlines are also grappling with the affects of the grounding, which has coincided with the summer travel season, U.S. airlines’ busiest time of year. United, which reports second-quarter results after the market closes on Tuesday, and American in the past week removed the planes from their schedules until early November, several months later than previously expected. Southwest removed the planes from its schedules until October.Boeing has developed a software fix for a system that investigators implicated in the two crashes — one in Indonesia in October and another in Ethiopia in March. But regulators have not indicated when they expect to approve the fix along with a package of pilot training updates and materials.American and Southwest will update investors on the impact of the Max grounding when they report second-quarter results on July 25. American last week said it expects the Max grounding cost it $185 million in pretax income in the three months ended June 30, but that fuller planes likely drove up revenue for each seat it flies a mile, a key industry metric.European budget airline Ryanair on Tuesday cut its passenger growth forecast for next summer, saying it expects to have fewer Max planes flying by then than it expected.

    10. Rival Delta Air Lines doesn’t have any Boeing 737 Max planes and told investors last week that it has benefited slightly from its competitors’ constrained fleets due to the grounding. Delta’s stock hit an all-time high of $62.90 on Tuesday.

       

Share this post


Link to post
Share on other sites

https://www.nytimes.com/2019/07/27/business/boeing-737-max-faa.html?smid=nytcore-ios-share&fbclid=IwAR1a5lqw655WIwpFKv3sNbTn-sx6kUzEk2I2TSnFKv-YxCNgoPBy6zqHm6U

The Roots of Boeing’s 737 Max Crisis: A Regulator Relaxes Its Oversight

ImageAfter the first fatal crash of the 737 Max, in October 2018, federal regulators realized they didn’t fully understand the software system that sent the plane into a nosedive.

After the first fatal crash of the 737 Max, in October 2018, federal regulators realized they didn’t fully understand the software system that sent the plane into a nosedive. 

CreditCreditRuth Fremson/The New York Times

  • July 27, 2019

SEATTLE — In the days after the first crash of Boeing’s 737 Max, engineers at the Federal Aviation Administration came to a troubling realization: They didn’t fully understand the automated system that helped send the plane into a nose-dive, killing everyone on board.

Engineers at the agency scoured their files for information about the system designed to help avoid stalls. They didn’t find much. Regulators had never independently assessed the risks of the dangerous software known as MCAS when they approved the plane in 2017.

More than a dozen current and former employees at the F.A.A. and Boeing who spoke with The New York Times described a broken regulatory process that effectively neutered the oversight authority of the agency.

The regulator had been passing off routine tasks to manufacturers for years, with the goal of freeing up specialists to focus on the most important safety concerns. But on the Max, the regulator handed nearly complete control to Boeing, leaving some key agency officials in the dark about important systems like MCAS, according to the current and former employees.

Catch up and prep for the week ahead with this newsletter of the most important business insights, delivered Sundays.

While the agency’s flawed oversight of the Boeing 737 Max has attracted much scrutiny since the first crash in October and a second one in March, a Times investigation revealed previously unreported details about weaknesses in the regulatory process that compromised the safety of the plane.

The company performed its own assessments of the system, which were not stress-tested by the regulator. Turnover at the agency left two relatively inexperienced engineers overseeing Boeing’s early work on the system.

The F.A.A. eventually handed over responsibility for approval of MCAS to the manufacturer. After that, Boeing didn’t have to share the details of the system with the two agency engineers. They weren’t aware of its intricacies, according to two people with knowledge of the matter.

Late in the development of the Max, Boeing decided to expand the use of MCAS, to ensure the plane flew smoothly. The new, riskier version relied on a single sensor and could push down the nose of the plane by a much larger amount.

Boeing did not submit a formal review of MCAS after the overhaul. It wasn’t required by F.A.A. rules. An engineering test pilot at the regulator knew about the changes, according to an agency official. But his job was to evaluate the way the plane flew, not to determine the safety of the system.

The agency ultimately certified the jet as safe, required little training for pilots and allowed the plane to keep flying until a second deadly Max crash, less than five months after the first.

The plane remains grounded as regulators await a fix from Boeing. If the ban persists much longer, Boeing said this past week that it could be forced to halt production.

The F.A.A. and Boeing have defended the plane’s certification, saying they followed proper procedures and adhered to the highest standards.

“The agency’s certification processes are well-established and have consistently produced safe aircraft designs,” the regulator said in a statement Friday. “The 737 Max certification program involved 110,000 hours of work on the part of F.A.A. personnel, including flying or supporting 297 test flights.”

Boeing said “the F.A.A.’s rigor and regulatory leadership has driven ever-increasing levels of safety over the decades,” adding that “the 737 Max met the F.A.A.’s stringent standards and requirements as it was certified through the F.A.A.’s processes.”

[If you have worked at Boeing or the F.A.A. and want to discuss your experience, contact The Times confidentially here.]merlin_152643222_fdb4e1c8-150f-4d36-863b

 
While Ali Bahrami was the Federal Aviation Administration’s top official in Seattle, some engineers believed that he had installed managers who would be deferential to Boeing.CreditJonathan Ernst/Bloomberg

Federal prosecutors and lawmakers are now investigating whether the regulatory process is fundamentally flawed. As planes become more technologically advanced, the rules, even when they are followed, may not be enough to ensure safety. The new software played a role in both disasters, involving Lion Air and Ethiopian Airlines, which together killed 346 people.

“Did MCAS get the attention it needed? That’s one of the things we’re looking at,” said Chris Hart, the former chairman of the National Transportation Safety Board, who is now leading a multiagency task force investigating how the Max was approved. “As it evolved from a less robust system to a more powerful system, were the certifiers aware of the changes?”

Boeing needed the approval process on the Max to go swiftly. Months behind its rival Airbus, the company was racing to finish the plane, a more fuel-efficient version of its best-selling 737.

The regulator’s hands-off approach was pivotal. At crucial moments in the Max’s development, the agency operated in the background, mainly monitoring Boeing’s progress and checking paperwork. The nation’s largest aerospace manufacturer, Boeing was treated as a client, with F.A.A. officials making decisions based on the company’s deadlines and budget.

It has long been a cozy relationship. Top agency officials have shuffled between the government and the industry.

During the Max certification, senior leaders at the F.A.A. sometimes overruled their own staff members’ recommendations after Boeing pushed back. For safety reasons, many agency engineers wanted Boeing to redesign a pair of cables, part of a major system unrelated to MCAS. The company resisted, and F.A.A. managers took Boeing’s side, according to internal agency documents.

After the crash of the Lion Air plane last October, F.A.A. engineers were shocked to discover they didn’t have a complete analysis of MCAS. The safety review in their files didn’t mention that the system could aggressively push down the nose of the plane and trigger repeatedly, making it difficult to regain control of the aircraft, as it did on the doomed Lion Air flight.

Despite their hazy understanding of the system, F.A.A. officials decided against grounding the 737 Max. Instead, they published a notice reminding pilots of existing emergency procedures.

The notice didn’t describe how MCAS worked. At the last minute, an F.A.A. manager told agency engineers to remove the only mention of the system, according to internal agency documents and two people with knowledge of the matter. Instead, airlines learned about it from Boeing.

‘He really wanted abdication.’

The F.A.A. department that oversaw the Max development had such a singular focus that it was named after the company: The Boeing Aviation Safety Oversight Office.

Many F.A.A. veterans came to see the department, created in 2009, as a symbol of the agency’s close relationship with the manufacturer. The top official in Seattle at the time, Ali Bahrami, had a tough time persuading employees to join, according to three current and former employees.

Some engineers believed that Mr. Bahrami had installed managers in the office who would defer to Boeing. “He didn’t put enough checks and balances in the system,” Mike McRae, a former F.A.A. engineer, said of Mr. Bahrami. “He really wanted abdication. He didn’t want delegation.”

Before the certification of the Max began, Mr. Bahrami called a group of F.A.A. engineers into his office, the current and former employees said, and asked some of them to join the group. Many didn’t want to change jobs, according to a complaint filed by the National Air Traffic Controllers Association, the union representing F.A.A. engineers.

“I got dragged kicking and screaming,” said Richard Reed, a former systems engineer at the F.A.A. Mr. Reed said he had just left surgery when agency officials called to ask whether he would work in the office. “I always claimed that I was on drugs when I said ‘yes.’”

The F.A.A. said in a statement that Mr. Bahrami “dedicated his career to the advancement of aviation safety in both the private and public sectors.”merlin_158309541_98d62025-20c8-45af-840d

F.A.A. offices in Des Moines, Wash. The way the agency dealt with Boeing left engineers at the agency demoralized, two employees said.CreditRuth Fremson/The New York Times

For decades, the F.A.A. relied on engineers inside Boeing to help certify aircraft. But after intense lobbying by industry, the agency adopted rules in 2005 that would give manufacturers like Boeing even more control. Previously, the agency selected the company engineers to work on its behalf; under the new regulations, Boeing could choose them.

Many of the agency’s top leaders embraced the approach. It would allow the F.A.A. to certify planes more efficiently and stretch its limited resources. The regulator had also been finding it harder to compete for talented engineers, their government salaries unable to keep up with the going rates in the industry.

For Boeing, the changes meant shedding a layer of bureaucracy. “The process was working well,” said Tom Heineman, a retired Boeing engineer who worked on the Max. “The F.A.A. was delegating more of the work and the review and the oversight to the manufacturers than it used to.”

But some F.A.A. engineers were concerned that they were no longer able to effectively monitor what was happening inside Boeing. In a PowerPoint presentation to agency managers in 2016, union representatives raised concerns about a “brain drain” and the “inability to hire and retain qualified personnel.”

By 2018, the F.A.A. was letting the company certify 96 percent of its own work, according to an agency official.

Nicole Potter, an F.A.A. propulsion and fuel systems engineer who worked on the Max, said supervisors repeatedly asked her to give up the right to approve safety documents. She often had to fight to keep the work.

“Leadership was targeting a high level of delegation,” Ms. Potter said. When F.A.A. employees didn’t have time to approve a critical document, she said, “managers could delegate it back to Boeing.”

It was a process Mr. Bahrami championed to lawmakers. After spending more than two decades at the F.A.A., he left the agency in 2013 and took a job at the Aerospace Industries Association, a trade group that represents Boeing and other manufacturers.

“We urge the F.A.A. to allow maximum use of delegation,” Mr. Bahrami told Congress in his new lobbying role, arguing it would help American manufacturers compete.

In 2017, Mr. Bahrami returned to the F.A.A. as the head of safety.

An internal battle at the F.A.A.

With Boeing taking more control, F.A.A. engineers found they had little power, even when they did raise concerns.

Early on, engineers at the F.A.A. discovered a problem with one of the most important new features of the Max: its engines. The Max, the latest version of the 50-year-old 737, featured more fuel-efficient engines, with a larger fan and a high-pressure turbine. But the bigger, more complex engines could do more damage if they broke apart midair.

The F.A.A. engineers were particularly concerned about pieces hitting the cables that control the rudder, according to five people with knowledge of the matter and internal agency documents. A cable severed during takeoff would make it difficult for pilots to regain control, potentially bringing down the jet.

The F.A.A. engineers suggested a couple solutions, three of the people said. The company could add a second set of cables or install a computerized system for controlling the rudder.

Boeing did not want to make a change, according to internal F.A.A. documents reviewed by The Times. A redesign could have caused delays. Company engineers argued that it was unlikely that an engine would break apart and shrapnel would hit the rudder cable.

Most of the F.A.A. engineers working on the issue insisted the change was necessary for safety reasons, according to internal agency emails and documents. But their supervisors balked. In a July 2015 meeting, Jeff Duven, who replaced Mr. Bahrami as the head of the F.A.A.’s Seattle operation, sided with Boeing, said two current employees at the agency.merlin_158309937_878b999c-d96e-441e-b55e

Boeing Max planes in Renton, Wash. The company downplayed the risks of the software, MCAS, to federal officials.CreditRuth Fremson/The New York Times

F.A.A. managers conceded that the Max “does not meet” agency guidelines “for protecting flight controls,” according to an agency document. But in another document, they added that they had to consider whether any requested changes would interfere with Boeing’s timeline. The managers wrote that it would be “impractical at this late point in the program,” for the company to resolve the issue. Mr. Duven at the F.A.A. also said the decision was based on the safety record of the plane.

Engineers at the agency were demoralized, the two agency employees said. One engineer submitted an anonymous complaint to an internal F.A.A. safety board, which was reviewed by The Times.

“During meetings regarding this issue the cost to Boeing to upgrade the design was discussed,” the engineer wrote. “The comment was made that there may be better places for Boeing to spend their safety dollars.”

An F.A.A. panel investigated the complaint. It found managers siding with Boeing had created “an environment of mistrust that hampers the ability of the agency to work effectively,” the panel said in a 2017 report, which was reviewed by The Times. The panel cautioned against allowing Boeing to handle this kind of approval, saying “the company has a vested interest in minimizing costs and schedule impact.”

By then, the panel’s findings were moot. Managers at the agency had already given Boeing the right to approve the cables, and they were installed on the Max.

Playing down risks

In the middle of the Max’s development, two of the most seasoned engineers in the F.A.A.’s Boeing office left.

The engineers, who had a combined 50 years of experience, had joined the office at its creation, taking on responsibility for flight control systems, including MCAS. But they both grew frustrated with the work, which they saw as mostly paper pushing, according to two people with knowledge of the staff changes.

In their place, the F.A.A. appointed an engineer who had little experience in flight controls, and a new hire who had gotten his master’s degree three years earlier. People who worked with the two engineers said they seemed ill-equipped to identify any problems in a complex system like MCAS.

And Boeing played down the importance of MCAS from the outset.

An early review by the company didn’t consider the system risky, and it didn’t prompt additional scrutiny from the F.A.A. engineers, according to two agency officials. The review described a system that would activate only in rare situations, when a plane was making a sharp turn at high speeds.

The F.A.A. engineers who had been overseeing MCAS never received another safety assessment. As Boeing raced to finish the Max in 2016, agency managers gave the company the power to approve a batch of safety assessments — some of the most important documents in any certification. They believed the issues were low risk.

One of the managers, Julie Alger, delegated the review of MCAS. Previously, the F.A.A. had the final say over the system.

The F.A.A. said that decision reflected the consensus of the team.

Boeing was in the middle of overhauling MCAS. To help pilots control the plane and avoid a stall, the company allowed MCAS to trigger at low speeds, rather than just at high speeds. The overhauled version would move the stabilizer by as much as 2.5 degrees each time it triggered, significantly pushing down the nose of the plane. The earlier version moved the stabilizer by 0.6 degrees.

When company engineers analyzed the change, they figured that the system had not become any riskier, according to two people familiar with Boeing’s discussions on the matter. They assumed that pilots would respond to a malfunction in three seconds, quickly bringing the nose of the plane back up. In their view, any problems would be less dangerous at low speeds.

So the company never submitted an updated safety assessment of those changes to the agency. In several briefings in 2016, an F.A.A. test pilot learned the details of the system from Boeing. But the two F.A.A. engineers didn’t understand that MCAS could move the tail as much as 2.5 degrees, according to two people familiar with their thinking.

Under the impression the system was insignificant, officials didn’t require Boeing to tell pilots about MCAS. When the company asked to remove mention of MCAS from the pilot’s manual, the agency agreed. The F.A.A. also did not mention the software in 30 pages of detailed descriptions noting differences between the Max and the previous iteration of the 737.

Days after the Lion Air crash, the agency invited Boeing executives to the F.A.A.’s Seattle headquarters, according to two people with knowledge of the matter. The officials sat incredulous as Boeing executives explained details about the system that they didn’t know.

In the middle of the conversation, an F.A.A. employee, one of the people said, interrupted to ask a question on the minds of several agency engineers: Why hadn’t Boeing updated the safety analysis of a system that had become so dangerous?

 

The reporters on this article can be reached at Natalie.Kitroeff@nytimes.com, David.Gelles@nytimes.com and Jack.Nicas@nytimes.com.

Edited by moeman
  • Like 1

Share this post


Link to post
Share on other sites
 

The Boeing 737 Max Crisis Is a Leadership Failure

Safety begins at the top, and the top officials at Boeing and the Federal Aviation Administration have let us down.

By Jim Hall and Peter Goelz

Mr. Hall was chairman of the National Transportation Safety Board from 1994 to 2001. Mr. Goelz was managing director of the board from 1996 to 2000.

  • July 17, 2019

We’ve seen this before: A Boeing airliner crashes, killing all aboard. Investigators believe a design flaw in the aircraft played a major role in the accident, but Boeing blames the pilots. Eventually, the design flaw is corrected, but not before another plane crashes, leaving more deaths in its wake.

In our time at the National Transportation Safety Board we saw this happen — long before the two Boeing crashes in the past year.

On March 3, 1991, a United Airlines Boeing 737 crashed on approach to Colorado Springs, killing all 25 people aboard. After an investigation of almost two years, the N.T.S.B. concluded that one of the two likely causes was a malfunctioning rudder power control unit, which moved the rudder in the opposite direction to that intended by the pilots. The agency recommended that the Federal Aviation Administration require airlines to install a modified part, to prevent future rudder reversals, as soon as Boeing made them available, but Boeing failed to do that.

On Sept. 8, 1994, a USAir 737 crashed as it neared Pittsburgh, killing all 132 people aboard. Despite the obvious similarities between the two crashes that were revealed during the investigation, Boeing insisted even to the final stages of the second inquiry that there was nothing wrong with the design of the aircraft, and the company again pointed to improper pilot rudder commands as the cause. In the end, the rudder was indeed determined to have malfunctioned and caused both crashes. Boeing redesigned the part, and it was retrofitted in all 737s. There has not been a crash caused by that issue since then.

But this disturbing culture of denial persists today at Boeing, as shown by the revelations following the crashes of two 737 Max 8 aircraft in Indonesia and Ethiopia, which killed 346 people. The company has an institutional reluctance to even examine potential design flaws in its product.

 
  •  
 
 

Boeing’s stubborn resistance to admit its mistakes — even as those mistakes have delayed the return to operation of 737 Max planesby several months, according to The Wall Street Journal — are turning into a disaster for the company and its customers. Some of the families of the victims testified before Congress on Wednesday.

Even worse, Boeing has found a willing partner in the F.A.A., which allowed the company to circumvent standard certification processes so it could sell aircraft more quickly. Boeing’s inadequate regard for safety and the F.A.A.’s complicity display an unconscionable lack of leadership at both organizations. Boeing’s first public statements after the Indonesia crash in October, supported by the F.A.A., questioned the abilities of the pilots, even though subsequent reporting has shown that pilots were not given the information they needed to properly react to the aircraft’s unexpected descents. Only after the crash of the second Max 8 in Ethiopia, in March, did Boeing acknowledge that software in the planes’ cockpits played a major role in the accidents.

 

The 737 Max of today — a 143-foot-long plane seating more than 230 people — is a very different aircraft from the humble 737 of the 1960s, which was only 94 feet long and seated no more than 118. But the current regulatory system allows for significant modifications of an aircraft design without requiring a new certification review. Even though the new plane had different flight characteristics, larger engines and a new flight management system, no simulator training was required for pilots familiar with older model 737s, a marketing move designed by Boeing to increase sales. And the F.A.A. allowed this.

Safety begins at the top, and the top at both Boeing and the F.A.A. has let us down. Boeing’s board must find out who has enabled and encouraged this corporate culture, and hold those leaders accountable, beginning with the chief executive, Dennis Muilenburg.

But this is bigger than the Max 8. We now have an airline safety agency that has become less and less forceful in exercising its regulatory authority over an aircraft manufacturer, even one that appears to be aggressively prioritizing profits over safety. It hasn’t helped that, like many government agencies, the F.A.A. has been without a permanent leader for 18 months.

Congress has permitted this to occur, but it can make the system much stronger. Two decades ago, lawmakers wisely sought to remove the F.A.A. from the political process by giving its administrator a five-year term so that the agency would have continuity of leadership. Congress can push for a permanent F.A.A. administrator, and use its oversight authority to make sure that the new leadership re-establishes the proper relationship between the regulator and the regulated.

The bottom line is that two nearly new, American-built airliners crashed within a few months of each other and nearly 350 people died. No one should be proud of the regulatory structure that put these planes in the air. We need major changes now.

Jim Hall was chairman of the National Transportation Safety Board from 1994 to 2001. Peter Goelz was managing director of the board from 1996 to 2000.

The Times is committed to publishing a diversity of letters to the editor. We’d like to hear what you think about this or any of our articles. Here are some tips. And here’s our email:letters@nytimes.com.

Follow The New York Times Opinion section on Facebook, Twitter (@NYTopinion) andInstagram.

 

https://www.nytimes.com/2019/07/17/opinion/boeing-737-max.html?action=click&module=RelatedCoverage&pgtype=Article&region=Footer

Share this post


Link to post
Share on other sites

The Roots of Boeing’s 737 Max Crisis: A Regulator Relaxes Its Oversight

 

After the first fatal crash of the 737 Max, in October 2018, federal regulators realized they didn’t fully understand the software system that sent the plane into a nosedive.CreditCreditRuth Fremson/The New York Times

By Natalie Kitroeff, David Gelles and Jack Nicas

  • July 27, 2019

SEATTLE — In the days after the first crash of Boeing’s 737 Max, engineers at the Federal Aviation Administration came to a troubling realization: They didn’t fully understand the automated system that helped send the plane into a nose-dive, killing everyone on board.

Engineers at the agency scoured their files for information about the system designed to help avoid stalls. They didn’t find much. Regulators had never independently assessed the risks of the dangerous software known as MCAS when they approved the plane in 2017.

More than a dozen current and former employees at the F.A.A. and Boeing who spoke with The New York Times described a broken regulatory process that effectively neutered the oversight authority of the agency.

The regulator had been passing off routine tasks to manufacturers for years, with the goal of freeing up specialists to focus on the most important safety concerns. But on the Max, the regulator handed nearly complete control to Boeing, leaving some key agency officials in the dark about important systems like MCAS, according to the current and former employees.

While the agency’s flawed oversight of the Boeing 737 Max has attracted much scrutiny since the first crash in October and a second one in March, a Times investigation revealed previously unreported details about weaknesses in the regulatory process that compromised the safety of the plane.

The company performed its own assessments of the system, which were not stress-tested by the regulator. Turnover at the agency left two relatively inexperienced engineers overseeing Boeing’s early work on the system.

The F.A.A. eventually handed over responsibility for approval of MCAS to the manufacturer. After that, Boeing didn’t have to share the details of the system with the two agency engineers. They weren’t aware of its intricacies, according to two people with knowledge of the matter.

Late in the development of the Max, Boeing decided to expand the use of MCAS, to ensure the plane flew smoothly. The new, riskier version relied on a single sensor and could push down the nose of the plane by a much larger amount.

Boeing did not submit a formal review of MCAS after the overhaul. It wasn’t required by F.A.A. rules. An engineering test pilot at the regulator knew about the changes, according to an agency official. But his job was to evaluate the way the plane flew, not to determine the safety of the system.

The agency ultimately certified the jet as safe, required little training for pilots and allowed the plane to keep flying until a second deadly Max crash, less than five months after the first.

The plane remains grounded as regulators await a fix from Boeing. If the ban persists much longer, Boeing said this past week that it could be forced to halt production.

The F.A.A. and Boeing have defended the plane’s certification, saying they followed proper procedures and adhered to the highest standards.

“The agency’s certification processes are well-established and have consistently produced safe aircraft designs,” the regulator said in a statement Friday. “The 737 Max certification program involved 110,000 hours of work on the part of F.A.A. personnel, including flying or supporting 297 test flights.”

Boeing said “the F.A.A.’s rigor and regulatory leadership has driven ever-increasing levels of safety over the decades,” adding that “the 737 Max met the F.A.A.’s stringent standards and requirements as it was certified through the F.A.A.’s processes.”

While Ali Bahrami was the Federal Aviation Administration’s top official in Seattle, some engineers believed that he had installed managers who would be deferential to Boeing.CreditJonathan Ernst/Bloomberg

Federal prosecutors and lawmakers are now investigating whether the regulatory process is fundamentally flawed. As planes become more technologically advanced, the rules, even when they are followed, may not be enough to ensure safety. The new software played a role in both disasters, involving Lion Air and Ethiopian Airlines, which together killed 346 people.

 “Did MCAS get the attention it needed? That’s one of the things we’re looking at,” said Chris Hart, the former chairman of the National Transportation Safety Board, who is now leading a multiagency task force investigating how the Max was approved. “As it evolved from a less robust system to a more powerful system, were the certifiers aware of the changes?”

Boeing needed the approval process on the Max to go swiftly. Months behind its rival Airbus, the company was racing to finish the plane, a more fuel-efficient version of its best-selling 737.

The regulator’s hands-off approach was pivotal. At crucial moments in the Max’s development, the agency operated in the background, mainly monitoring Boeing’s progress and checking paperwork. The nation’s largest aerospace manufacturer, Boeing was treated as a client, with F.A.A. officials making decisions based on the company’s deadlines and budget.

It has long been a cozy relationship. Top agency officials have shuffled between the government and the industry.

During the Max certification, senior leaders at the F.A.A. sometimes overruled their own staff members’ recommendations after Boeing pushed back. For safety reasons, many agency engineers wanted Boeing to redesign a pair of cables, part of a major system unrelated to MCAS. The company resisted, and F.A.A. managers took Boeing’s side, according to internal agency documents.

After the crash of the Lion Air plane last October, F.A.A. engineers were shocked to discover they didn’t have a complete analysis of MCAS. The safety review in their files didn’t mention that the system could aggressively push down the nose of the plane and trigger repeatedly, making it difficult to regain control of the aircraft, as it did on the doomed Lion Air flight.

Despite their hazy understanding of the system, F.A.A. officials decided against grounding the 737 Max. Instead, they published a notice reminding pilots of existing emergency procedures.

The notice didn’t describe how MCAS worked. At the last minute, an F.A.A. manager told agency engineers to remove the only mention of the system, according to internal agency documents and two people with knowledge of the matter. Instead, airlines learned about it from Boeing.

‘He really wanted abdication.’

The F.A.A. department that oversaw the Max development had such a singular focus that it was named after the company: The Boeing Aviation Safety Oversight Office.

Many F.A.A. veterans came to see the department, created in 2009, as a symbol of the agency’s close relationship with the manufacturer. The top official in Seattle at the time, Ali Bahrami, had a tough time persuading employees to join, according to three current and former employees.

Some engineers believed that Mr. Bahrami had installed managers in the office who would defer to Boeing. “He didn’t put enough checks and balances in the system,” Mike McRae, a former F.A.A. engineer, said of Mr. Bahrami. “He really wanted abdication. He didn’t want delegation.”

Before the certification of the Max began, Mr. Bahrami called a group of F.A.A. engineers into his office, the current and former employees said, and asked some of them to join the group. Many didn’t want to change jobs, according to a complaint filed by the National Air Traffic Controllers Association, the union representing F.A.A. engineers.

“I got dragged kicking and screaming,” said Richard Reed, a former systems engineer at the F.A.A. Mr. Reed said he had just left surgery when agency officials called to ask whether he would work in the office. “I always claimed that I was on drugs when I said ‘yes.’”

The F.A.A. said in a statement that Mr. Bahrami “dedicated his career to the advancement of aviation safety in both the private and public sectors.”

F.A.A. offices in Des Moines, Wash. The way the agency dealt with Boeing left engineers at the agency demoralized, two employees said.CreditRuth Fremson/The New York Times

For decades, the F.A.A. relied on engineers inside Boeing to help certify aircraft. But after intense lobbying to Congress by industry, the agency adopted rules in 2005 that would give manufacturers like Boeing even more control. Previously, the agency selected the company engineers to work on its behalf; under the new regulations, Boeing could choose them, though the F.A.A. has veto power.

Many of the agency’s top leaders embraced the approach. It would allow the F.A.A. to certify planes more efficiently and stretch its limited resources. The regulator had also been finding it harder to compete for talented engineers, their government salaries unable to keep up with the going rates in the industry.

For Boeing, the changes meant shedding a layer of bureaucracy. “The process was working well,” said Tom Heineman, a retired Boeing engineer who worked on the Max. “The F.A.A. was delegating more of the work and the review and the oversight to the manufacturers than it used to.”

But some F.A.A. engineers were concerned that they were no longer able to effectively monitor what was happening inside Boeing. In a PowerPoint presentation to agency managers in 2016, union representatives raised concerns about a “brain drain” and the “inability to hire and retain qualified personnel.”

By 2018, the F.A.A. was letting the company certify 96 percent of its own work, according to an agency official.

Nicole Potter, an F.A.A. propulsion and fuel systems engineer who worked on the Max, said supervisors repeatedly asked her to give up the right to approve safety documents. She often had to fight to keep the work.

“Leadership was targeting a high level of delegation,” Ms. Potter said. When F.A.A. employees didn’t have time to approve a critical document, she said, “managers could delegate it back to Boeing.”

It was a process Mr. Bahrami championed to lawmakers. After spending more than two decades at the F.A.A., he left the agency in 2013 and took a job at the Aerospace Industries Association, a trade group that represents Boeing and other manufacturers.

“We urge the F.A.A. to allow maximum use of delegation,” Mr. Bahrami told Congress in his new lobbying role, arguing it would help American manufacturers compete.

In 2017, Mr. Bahrami returned to the F.A.A. as the head of safety.

An internal battle at the F.A.A.

With Boeing taking more control, F.A.A. engineers found they had little power, even when they did raise concerns.

Early on, engineers at the F.A.A. discovered a problem with one of the most important new features of the Max: its engines. The Max, the latest version of the 50-year-old 737, featured more fuel-efficient engines, with a larger fan and a high-pressure turbine. But the bigger, more complex engines could do more damage if they broke apart midair.

The F.A.A. engineers were particularly concerned about pieces hitting the cables that control the rudder, according to five people with knowledge of the matter and internal agency documents. A cable severed during takeoff would make it difficult for pilots to regain control, potentially bringing down the jet.

The F.A.A. engineers suggested a couple solutions, three of the people said. The company could add a second set of cables or install a computerized system for controlling the rudder.

Boeing did not want to make a change, according to internal F.A.A. documents reviewed by The Times. A redesign could have caused delays. Company engineers argued that it was unlikely that an engine would break apart and shrapnel would hit the rudder cable.

Most of the F.A.A. engineers working on the issue insisted the change was necessary for safety reasons, according to internal agency emails and documents. But their supervisors balked. In a July 2015 meeting, Jeff Duven, who replaced Mr. Bahrami as the head of the F.A.A.’s Seattle operation, sided with Boeing, said two current employees at the agency.

Boeing Max planes in Renton, Wash. The company downplayed the risks of the software, MCAS, to federal officials.CreditRuth Fremson/The New York Times

F.A.A. managers conceded that the Max “does not meet” agency guidelines “for protecting flight controls,” according to an agency document. But in another document, they added that they had to consider whether any requested changes would interfere with Boeing’s timeline. The managers wrote that it would be “impractical at this late point in the program,” for the company to resolve the issue. Mr. Duven at the F.A.A. also said the decision was based on the safety record of the plane.

Engineers at the agency were demoralized, the two agency employees said. One engineer submitted an anonymous complaint to an internal F.A.A. safety board, which was reviewed by The Times.

“During meetings regarding this issue the cost to Boeing to upgrade the design was discussed,” the engineer wrote. “The comment was made that there may be better places for Boeing to spend their safety dollars.”

An F.A.A. panel investigated the complaint. It found managers siding with Boeing had created “an environment of mistrust that hampers the ability of the agency to work effectively,” the panel said in a 2017 report, which was reviewed by The Times. The panel cautioned against allowing Boeing to handle this kind of approval, saying “the company has a vested interest in minimizing costs and schedule impact.”

By then, the panel’s findings were moot. Managers at the agency had already given Boeing the right to approve the cables, and they were installed on the Max.

Playing down risks

In the middle of the Max’s development, two of the most seasoned engineers in the F.A.A.’s Boeing office left.

The engineers, who had a combined 50 years of experience, had joined the office at its creation, taking on responsibility for flight control systems, including MCAS. But they both grew frustrated with the work, which they saw as mostly paper pushing, according to two people with knowledge of the staff changes.

In their place, the F.A.A. appointed an engineer who had little experience in flight controls, and a new hire who had gotten his master’s degree three years earlier. People who worked with the two engineers said they seemed ill-equipped to identify any problems in a complex system like MCAS.

And Boeing played down the importance of MCAS from the outset.

An early review by the company didn’t consider the system risky, and it didn’t prompt additional scrutiny from the F.A.A. engineers, according to two agency officials. The review described a system that would activate only in rare situations, when a plane was making a sharp turn at high speeds.

The F.A.A. engineers who had been overseeing MCAS never received another safety assessment. As Boeing raced to finish the Max in 2016, agency managers gave the company the power to approve a batch of safety assessments — some of the most important documents in any certification. They believed the issues were low risk.

One of the managers, Julie Alger, delegated the review of MCAS. Previously, the F.A.A. had the final say over the system.

The F.A.A. said that decision reflected the consensus of the team.

Boeing was in the middle of overhauling MCAS. To help pilots control the plane and avoid a stall, the company allowed MCAS to trigger at low speeds, rather than just at high speeds. The overhauled version would move the stabilizer by as much as 2.5 degrees each time it triggered, significantly pushing down the nose of the plane. The earlier version moved the stabilizer by 0.6 degrees.

When company engineers analyzed the change, they figured that the system had not become any riskier, according to two people familiar with Boeing’s discussions on the matter. They assumed that pilots would respond to a malfunction in three seconds, quickly bringing the nose of the plane back up. In their view, any problems would be less dangerous at low speeds.

So the company never submitted an updated safety assessment of those changes to the agency. In several briefings in 2016, an F.A.A. test pilot learned the details of the system from Boeing. But the two F.A.A. engineers didn’t understand that MCAS could move the tail as much as 2.5 degrees, according to two people familiar with their thinking.

Under the impression the system was insignificant, officials didn’t require Boeing to tell pilots about MCAS. When the company asked to remove mention of MCAS from the pilot’s manual, the agency agreed. The F.A.A. also did not mention the software in 30 pages of detailed descriptions noting differences between the Max and the previous iteration of the 737.

Days after the Lion Air crash, the agency invited Boeing executives to the F.A.A.’s Seattle headquarters, according to two people with knowledge of the matter. The officials sat incredulous as Boeing executives explained details about the system that they didn’t know.

In the middle of the conversation, an F.A.A. employee, one of the people said, interrupted to ask a question on the minds of several agency engineers: Why hadn’t Boeing updated the safety analysis of a system that had become so dangerous?

The reporters on this article can be reached at Natalie.Kitroeff@nytimes.com, David.Gelles@nytimes.com and Jack.Nicas@nytimes.com.

Natalie Kitroeff and Jack Nicas reported from Seattle, and David Gelles from New York. James Glanz, Mike Baker and Kitty Bennett contributed reporting.

A version of this article appears in print on July 27, 2019, Section A, Page 1 of the New York edition with the headline: Relaxed F.A.A. Oversight At Root of Boeing’s Crisis. Order Reprints | Today’s Paper | Subscribe

 

 

 

  • Thanks 1

Share this post


Link to post
Share on other sites

Software Fix Will Address Most Recent MAX Issue

Aug 1, 2019 Sean Broderick | Aviation Week & Space Technology

Comments 17

The latest Boeing 737 MAX flight control computer system anomaly that the FAA has ordered fixed is addressable through software changes and presents less risk on older 737s, Aviation Week has confirmed.

The failure scenario involved forcing a flight control computer (FCC) processor command to the horizontal stabilizer nose-down after detecting specific flight profile conditions, a source with knowledge of the issue says. It also bypassed the control column inputs, meaning pulling back on the column, or yoke, does not interrupt the stabilizer movement. Finally, the fault was to happen while the autopilot was engaged during cruise. The anomaly has never occurred during flight operations, but the FAA wanted to see what would happen if different combinations of faulty data fooled the FCC.

Boeing is tackling the latest 737 flight control issue

Software will eliminate risk on the MAX

Column movement stops the issue on older 737s

FAA pilots tested the scenario in mid-June—one of about 30 scenarios trialed during the session—in Boeing’s 737 engineering simulator, or e-cab. They were able to recover using the runaway stabilizer emergency procedure, the source said. There was no hardware failure, and the aircraft’s systems reacted exactly as they are designed to do.

But at least one pilot determined that the time needed to identify the failure as a runaway stabilizer was too long, and the FAA ordered Boeing to address the issue. Boeing’s solution, the source says, is a software modification that monitors the FCC’s output. If the combination of erroneous data is detected, the second FCC and autopilot take over, eliminating the chance of stabilizer runaway. 

Details of the issue, many of which have not been previously reported, underscore the FAA’s heightened focus on eliminating risk as it scrutinizes the MAX’s design and evaluates when the aircraft will be safe to fly again. The FAA grounded the MAX on March 13, three days after the crash of Ethiopian Airlines Flight 302 (ET302), the second fatal MAX crash in five months. Other agencies, seeing similarities between the two accident flight profiles, began grounding the aircraft within a day of ET302, and the entire 380-aircraft fleet remains parked. 

New simulator scenarios are likely to be part of the revised Boeing 737 training requirements. Credit: Boeing

 

Investigators soon made a definitive link between ET302’s accident sequence and the October 2018 crash of Lion Air Flight 610 (JT610). In both cases, errant angle-of-attack (AOA) data being fed to the MAX’s Maneuvering Characteristics Augmentation System (MCAS) flight control law triggered nose-down stabilizer inputs as the aircraft were climbing shortly after takeoff. Both flight crews struggled to counter the system, which continued to operate, responding to the errant data. Both accident sequences ended in final dives that killed all onboard the aircraft.

The MCAS is an extension of the 737 Next Generation (NG) speed-trim system (STS), which adjusts the stabilizer to ensure pitch is maintained as speed increases. The MCAS activates when the aircraft’s speed approaches threshold AOA, or stick-shaker, stall-warning activation, for the aircraft’s configuration and flight profile. It was added to the MAX to enhance pitch stability with slats and flaps retracted at very light weights and full aft center of gravity. The MCAS ensures the MAX, which features larger-diameter engines that generate more lift than those on its NG predecessor, handles like the NG, helping the two models earn a common type rating and minimizing differences training.

Details from both ongoing accident probes, plus internal analysis, led Boeing and the FAA to determine that the MCAS needed changes. Boeing completed its software modifications in May and is awaiting word from the FAA on new training requirements that must be developed for MAX pilots.

The JT610 and ET302 accident sequences prompted the FAA to re-examine its approval of the MAX, including system safety evaluations. Prior to Boeing’s changes, the MCAS relied on a single source of AOA data. In each accident, issues with the AOA sensors meant the data stream was communicating an impossibly high AOA value to the FCC. Instead of ignoring the anomalous data—another change incorporated into the new MCAS logic—the system responded with nose-down stabilizer actions when they were not needed. Boeing and the FAA assumed such a failure would be both remotely possible and, if it did occur, quickly recognized by pilots as runaway stabilizer. Both MAX accident sequences show they were wrong.

New software must be installed on 380 in-service MAXs, plus about 200 more that are in storage awaiting delivery. Credit: Planet

 

As part of its MAX reevaluation, the FAA examined other anomalies considered remote and flagged the latest issue. Like the MCAS failure scenario, it would only be triggered by faulty data and require pilots to quickly identify runaway stabilizer. 

“We identified a very remote failure case. Knowing what we know [following the accidents], we really needed to go back and see, if this occurs, can flight crews recover?” Ali Bahrami, FAA associate administrator for aviation safety, told U.S. lawmakers during a July 31 hearing. “Our test pilots [decided] that the level of proficiency that is required to recover from this event was exceptional. That’s why the software changes are being incorporated.”

The scenario is not linked to the MCAS system. While it can occur on the NG, modifications to that fleet are not as pressing and may not be required at all. 

Pilots on the NG can counter any uncommanded stabilizer input by moving the yoke. On the MAX, Boeing bypasses this function—often called the column cut-out switch—when the MCAS is active, because it concluded that countering the MCAS by pulling back on the yoke could negate the system’s purpose. Because the column cut-out switch function is on the MAX, Boeing incorporated it into the latest round of worst-case failure scenarios trialed by the FAA’s pilots.

Boeing says it expects to deliver its package of MAX updates—including the completed MCAS changes, additional software modification and related training packages—to the FAA “in the September time frame.” The agency is expected to take several weeks to review the package before deciding whether to lift its grounding. It also will address all return-to-service recommendations made by its Technical Advisory Board, a group of FAA and outside engineers tasked with reviewing the MCAS update, related system safety assessment, and training.

“To be clear, the FAA will lift the 737 MAX grounding order only when it is safe to do so,” FAA Administrator Dan Elwell wrote in a July 30 letter to Congress. “While the FAA hopes to achieve nearly simultaneous approval from the major civil aviation authorities around the world, ultimately the U.S. and each country that grounded the 737 MAX will make its own determination based on its local requirements and processes.”

Elwell added that the FAA is “offering assistance to any and all countries to support their return-to-service decisions” and is “working with our colleagues from the European Union, Canada, and Brazil [the three other entities with agencies that oversee major aircraft manufacturing programs] to address their concerns.”

With the MCAS work done, Boeing’s main outstanding issues are the FCC software update to address the latest anomaly, certification flights to verify the package works as designed, and—perhaps most importantly—new training.

The FAA continues to acknowledge that pilots transitioning from the NG to the MAX were not given enough information on differences between the two aircraft. The MCAS system, designed to operate in the background, was not included in the original manuals or differences training. This has changed. 

Some emergency procedures are also being revised, and new scenarios will likely be added to 737 recurrent simulator training, based in part on preliminary information gleaned from the two MAX accident probes.

“We recognized that some actions the [JT610 and ET302] flight crews took were inconsistent with what we assumed would be the correct reaction,” Bahrami says.

 

  • Thanks 1

Share this post


Link to post
Share on other sites

Newly stringent FAA tests spur a fundamental software redesign of Boeing’s 737 MAX flight controls

Aug. 1, 2019 at 11:18 am Updated Aug. 1, 2019 at 9:45 pm

By Dominic Gates
Seattle Times aerospace reporter

While conducting newly stringent tests on the Boeing 737 MAX flight control system, the Federal Aviation Administration (FAA) in June uncovered a potential flaw that now has spurred Boeing to make a fundamental software-design change.

Boeing is changing the MAX’s automated flight-control system’s software so that it will take input from both flight-control computers at once instead of using only one on each flight. That might seem simple and obvious, but in the architecture that has been in place on the 737 for decades, the automated systems take input from only one computer on a flight, switching to use the other computer on the next flight.

Boeing believes the changes can be accomplished in time to win new regulatory approval for the MAX to fly again by October. Significant slipping of that schedule could lead to a temporary halt in production at its Renton plant where 10,000 workers assemble the 737.

After two deadly crashes of Boeing’s 737 MAX and the ensuing heavy criticism of the FAA for its limited oversight of the jet’s original certification, the agency has been reevaluating and recertifying Boeing’s updated flight-control systems.

It has specifically rejected Boeing’s assumption that the plane’s pilots can be relied upon as the backstop safeguard in scenarios such as the uncommanded movement of the horizontal tail involved in both the Indonesian and Ethiopian crashes. That notion was ruled out by FAA pilots in June when, during testing of the effect of a glitch in the computer hardware, one out of three pilots in a simulation failed to save the aircraft.

The thoroughness of the ongoing review of the MAX flight controls in light of the two crashes is apparent in how a new potential fault with a microprocessor in the flight-control computer was discovered during the June testing. Details of that fault not previously reported were confirmed both by an FAA official and by a person at Boeing familiar with the tests.

In response to finding that new glitch, Boeing developed the plan to fundamentally change the software architecture of the MAX flight-control system and take input simultaneously from the two flight-control computers that are standard on the 737.

“This is a huge deal,” Peter Lemme, a former flight-controls engineer at Boeing and avionics expert, said about the change. Lemme said the proposed software architecture switch to a “fail-safe,” two-channel system, with each of the computers operating from an independent set of sensors, will not only address the new microprocessor issue but will also make the flawed Maneuvering Characteristics Augmentation System (MCAS) that went haywire on the two crash flights more reliable and safe.

“I’m overjoyed to hear Boeing is doing this,” Lemme said. “It’s absolutely the right thing to do.”

According to a third person familiar with the details, Boeing expects to have this new software architecture ready for testing toward the end of September. Meanwhile, it will continue certification activities in parallel so that it can stick to its announced schedule and hope for clearance from the FAA and other regulators in October.

Flipping bits

When Boeing announced June 26 that a new potential flaw had been discovered on the MAX — this time in a microprocessor in the jet’s flight-control computer — it even caught Boeing CEO Dennis Muilenburg by surprise.

Speaking at a conference in Aspen, Colorado, that morning, Muilenburg reiterated a prior projection that the MAX could be carrying passengers again by “the end of summer.” Later that day, Boeing announced the problem in a Securities and Exchange Commission filing, and soon after projected that the issue could add a further three months’ delay.

What the FAA was testing when it discovered this new vulnerability was esoteric and remote. According to the person familiar with the details, who asked for anonymity because of the sensitivity of the ongoing investigations, the specific fault that showed up has “never happened in 200 million flight hours on this same flight-control computer in [older model] 737 NGs.”

In sessions in a Boeing flight simulator in Seattle, two FAA engineering test pilots, typically ex-military test pilots, and a pilot from the FAA’s Flight Standards Aircraft Evaluation Group (AEG), typically an ex-airline pilot, set up a session to test 33 different scenarios that might be sparked by a rare, random microprocessor fault in the jet’s flight-control computer.

This was standard testing that’s typically done in certifying an airplane, but this time it was deliberately set up to produce specific effects similar to what happened on the Lion Air and Ethiopian flights.

The fault occurs when bits inside the microprocessor are randomly flipped from 0 to 1 or vice versa. This is a known phenomenon that can happen due to cosmic rays striking the circuitry. Electronics inside aircraft are particularly vulnerable to such radiation because they fly at high altitudes and high geographic latitudes where the rays are more intense.

A neutron hitting a cell on a microprocessor can change the cell’s electrical charge, flipping its binary state from 0 to 1 or from 1 to 0. The result is that although the software code is right and the inputs to the computer are correct, the output is corrupted by this one wrong bit.

So for example, a value of 1 on a single bit might indicate that the jet’s wing flaps are up, while a 0 would mean they are down. A value of 1 on a different bit might tell the computer that the MAX’s problematic flight-control system called MCAS is engaged, while a 0 would indicate it is not.

This isn’t as alarming as it may sound. There are standard ways to protect against such bit flips having any dangerous impact on an airplane system, and FAA regulations require that this possibility be accounted for in the design of all critical electronics on board aircraft. The simulator sessions in June were designed to test for any such vulnerability.

During the tests, 33 different scenarios were artificially induced by deliberately flipping five bits on the microprocessor, an error rate determined appropriate by prior analysis. For all five bits, each 1 became a 0 and each 0 became a 1. This is considered a single fault, on the assumption that some cause, whether cosmic rays or something else, might flip all five bits at once.

For these simulations, the five bits flipped were chosen in light of the two deadly crashes to create the worst possible combinations of failures to test if the pilots could cope.

In one scenario, the bits chosen first told the computer that MCAS was engaged when it wasn’t. This had the effect of disabling the cut-off switches inside the pilot-control column, which normally stop any uncommanded movement of the horizontal tail if the pilot pulls in the opposite direction. MCAS cannot work with those cut-off switches active and so the computer, fooled into thinking MCAS was operating, disabled them.

Since MCAS exists only on the MAX, not on earlier 737 models, this potential failure applies only to the MAX.

A second bit was chosen to make the horizontal tail, also known as the stabilizer, swivel upward uncommanded by the pilot, which has the effect of pitching the plane’s nose down. Other bits were flipped to add three more complications.

Even though the MCAS system that pushed the nose down on the two crash flights had not been activated, these changes in essence gave the FAA test pilots in the simulator an emergency situation similar to what transpired on those flights. This was deliberate. The FAA demanded, with knowledge about the crashes, that this scenario be rigorously reexamined in a new System Safety Analysis of the MAX’s flight controls.

“We were deliberately emulating some aspects of MCAS in a theoretical failure mode,” the person familiar with the tests said.
We need your support

In-depth journalism takes time and effort to produce, and it depends on paying subscribers. If you value these kinds of stories, consider subscribing.

This person emphasized how extremely improbable it is that five single bits on the microprocessor would flip at once and that the random bits would make these specific critical changes to the aircraft’s systems.

“While it’s a theoretical failure mode that has never been known to occur, we cannot prove it can’t happen,” he said. “So we have to account for it in the design.”

He added that early published accounts of the fault suggesting that the microprocessor had been overwhelmed and its data-processing speed slowed, causing the pilot-control column thumb switches that move the stabilizer to respond slowly, were inaccurate.

Lemme said he was happy to learn this because those accounts hadn’t made sense technically. And he said that the description of the fault and the chosen combination of random bit flips represent “a terribly worst-case condition that I cannot imagine happening in reality.”

Dwight Schaeffer, a former senior manager at Boeing Commercial Electronics, the company’s one-time in-house avionics division, agreed. “Five independent bit flips is really an extremely improbable event,” he said.

A crash in the simulator

What happened in the initial simulated run of this fault scenario in June is that the FAA test pilots handled the emergency using the standard procedure for a “runaway stabilizer” and recovered the aircraft. But they felt it took too long and that a less attentive pilot caught by surprise might have had a worse outcome.

FAA guidelines say that if an emergency arises on a plane flying by autopilot, the assumption is that a pilot will begin to respond within 3 seconds. If the plane is being flown manually, the assumption is 1 second.

That may seem a very short response time, but it’s not dissimilar to what a driver would be expected to do if, for example, a car skidded on ice or a tire blew. Still, not every driver and not every pilot is attentive.

“It took too long to recover,” said the FAA official familiar with the tests, who also asked for anonymity because of the sensitivity of ongoing investigations. “An important aspect of these simulations is to capture how a representative airline pilot would respond to the situation.”

So again in light of what happened in the crashes, the FAA pilots took a further step. They flew the same fault scenario again, this time deliberately allowing the fault to run for some time before responding. This time, one of the three pilots didn’t manage to recover and lost the aircraft.

Reclassified as “catastrophic”

In testimony Wednesday before a U.S. Senate Appropriations Subcommittee hearing on FAA oversight, Ali Bahrami, associate FAA administrator for aviation safety, confirmed this.

Describing what was tested in June as “a particular failure that was extremely remote,” Bahrami said “several of our pilots were able to recover. But there was one or so that could not recover successfully.”

According to a second FAA source, it was the AEG pilot, representing a typical U.S. airline captain, who failed to recover the jet.

That outcome changed everything for Boeing.

Prior to that, Boeing had classified this failure mode as a “major fault,” a category that can be mitigated by flight-crew action. The one pilot’s failure to recover immediately changed the classification to “catastrophic,” and FAA regulations require that no single fault can be permitted to lead to a catastrophic outcome. That meant Boeing must fix it and eliminate the possibility.

“There are active means of protecting against bit flips,” said retired Boeing electronics manager Schaeffer. “We always built it into our own software.”

One standard way to fix such a problem is to have the second independent microprocessor inside the same flight-control computer check the output of the first. If the second processor output disagrees with that of the first processor for some specific automated flight control, then no automated action is initiated and the pilot must fly manually.

“Now it takes two processors to fail to get the bad result,” the person familiar with the tests said. “You are no longer in the realm of a single point failure.”

A radical redesign

Boeing could have just rewritten the software governing what functions are monitored within the flight-control computer to eliminate this failure scenario.

Instead, it’s decided to make a much more radical software redesign, one that will not only fix this problem but make the MAX’s entire flight-control system — including MCAS — more reliable, according to three sources.

This change means the flight-control system will take input from both of the airplane’s flight computers and compare their outputs. This goes beyond what Boeing had previously decided to do, which is to adjust the MCAS software so that it took input from two angle of attack sensors instead of one.

The problem with that earlier approach is that if something serious goes wrong with the single flight computer receiving this input — whether it’s the bit flipping issue, or a memory corruption or a chip failure of any kind — then the computer output to the flight controls could be wrong even if both angle of attack sensors are working correctly.

For the MAX, the new MCAS was simply added to an existing 737 flight control system called the Speed Trim System, which was introduced with this one-channel computer architecture on the older model 737-300 in the 1980s.

With the proposed dual-channel configuration, both computers will be used to activate the automated flight controls. They will each take input from a wholly independent set of sensors (air speed, angle of attack, altitude and so on) and compare outputs. If the outputs disagree, indicating a computer fault, the computers will initiate no action and just let the pilot fly manually.

In other words, the new system will detect not only any disagreement between the sensors but also check for any processing error in interpreting the information from the sensors.

“This is a really good solution,” said Lemme, adding that “it should have been designed this way” from the beginning of the flight control system in the 1980s.

This raises the separate question of why the potential microprocessor fault discovered in June wasn’t caught in the original System Safety Analysis when the MAX was certified.

That original System Safety Analysis, as The Seattle Times reported in March, was performed by Boeing, and FAA technical staff felt pressure from managers to sign off on it. And as reported in May, there was also pressure from Boeing managers on the engineers conducting the work to limit safety testing during the analysis.

The person familiar with the testing said the new tests in June were informed by the knowledge of what had happened in the crashes, especially the erroneous activation of MCAS that pushed down the nose of the aircraft on both flights.

“It was a reassessment in light of everything else going on in the world with MCAS,” he said. “It’s a different set of eyes, asking a different set of questions.”

David Hinds, a retired Boeing flight controls and autopilot expert, said that clearly “something got missed” in the original MAX certification of MCAS and now this microprocessor fault.

“I’d like to think you’d catch this on first pass,” said Hinds. “They should have looked harder at some of this.”

  • Like 1

Share this post


Link to post
Share on other sites
3 minutes ago, Maverick said:

Here you go

A Boeing 737 MAX Test Flight Had Its Ups and Downs

The aircraft flying loops off the Oregon Coast on Monday was likely testing potential fixes for the troubled MCAS system, implicated in two crashes.

 

a plane ERIK SIMONSEN/GETTY IMAGES

 

 

In the nearly five months since the Federal Aviation Administration grounded Boeing’s 737 MAX, investigators have revealed a series of issues with the jet’s software and raised questions about how the planemaker and the regulator allowed it to take off in the first place. The timeline for returning the MAX to passenger service remains murky, but that doesn’t mean it can’t fly at all. Monday morning, a Boeing-owned 737 MAX 7 took off from King County International Airport-Boeing Field near Seattle, climbing to 24,000 feet as it headed west to the Pacific Ocean, then due south. Over the next few minutes, according to tracking service FlightRadar24, the plane shed altitude and speed, until it was flying at about 13,000 feet and a lazy 250 mph, about 50 miles off the Oregon coast.

For the next two hours, the MAX slowed as it climbed, then sped up as it dropped, cycling between the two more than a dozen times. Its altitude fluctuated between 10,000 and 14,000 feet, its speed between 150 and 300 mph. All the while, it stayed in the same general area, far from normal air traffic, producing a flight path that resembled a pile of bent-out-of-shape paper clips. Then it climbed again, cruised back toward Seattle, and landed. (The FAA grounding order applied to MAX 8 and MAX 9 varieties of the jet; Boeing has yet to deliver any MAX 7s.)

This curious trip was a reconnaissance mission, but not to gather intel about anything on the ground. A Boeing spokesperson says it was an “engineering flight,” conducted at the FAA’s request, gathering data on the jet’s performance. The spokesperson offered no details on what sort of data Boeing was after, but it’s not surprising to see the test pilots imitating a yo-yo. The two MAX jet crashes—on Lion Air in October and Ethiopian Airlines in March, which together killed 346 people—happened just minutes into each flight, while the planes were climbing to their cruising altitude. The MCAS system, designed to automatically predict and prevent stalls by pointing the nose downward, kicked in when it shouldn’t have, plunging the planes toward the earth.

 

Whatever fix Boeing devises will have to address how MCAS works and interacts with related systems, ensuring that MCAS only activates when a stall is in fact imminent. Monday’s flight was likely a chance for the pilots to run through a series of potential failures. That means answering a lot of “what if” questions, says Pete Field, an aviation consultant and former Navy test pilot. “What if this part fails, how’s that going to affect it?” That lets Boeing’s engineers see how the plane’s software reacts to different types of bad information, from airspeed to temperature to altitude. The most important might be the plane’s angle of attack. That sensor appears to have malfunctioned on the Lion Air and Ethiopian flights, and had been a persistent problem for the MAX jet, CNN reported.

updown.jpg.0b0795d74bd3e33ab0c43ff83820436b.jpgField compares Monday’s flight to examining a witness in a courtroom: You only ask questions whose answers you already know. The maneuvers the Boeing pilots executed would have been tested in simulation first, to produce a good idea of what a real plane would do, and ensure no more lives were risked. If the plane had dropped more than expected, flying at about 10,000 feet would give the pilots ample time to recover, Field says.

Boeing CEO Dennis Muilenburg has said he expects that by the end of the year, the FAA will approve his company’s fix for the troubled jet, which involves a fundamental redesign of the software system, The Seattle Times reported. But before it can take off with passengers aboard, expect a few more up-and-down flights like this one.

Share this post


Link to post
Share on other sites

Boeing CEO sticks to fourth quarter timeline for 737 Max's service return

  • 07 August, 2019
  • SOURCE: FlightGlobal.com
  • BY: Jon Hemmerdinger
  • Boston

Boeing's chief executive has reiterated his expectation that the company will deliver the 737 Max's updated software to the Federal Aviation Administration next month, which should enable regulators to lift the grounding by year-end.

"We are working through a software update," CEO Dennis Muilenburg told investors on 7 August. "We still anticipate submitting that certification package to the FAA in the September timeframe... and are working toward a return to service of the Max in the fourth quarter."

Muilenburg's comments come nearly three weeks after the Chicago company disclosed that timeline, which led several airlines to shift further into the future the date on which they expect their Max will return to scheduled flying. Several airlines now have the aircraft returning in January.

Speaking during an investor conference hosted by Jefferies Financial Group on 7 August, Muilenburg stresses that approval remains in regulators' hands.

But he sought to ensure investors that Boeing is doing all it can to achieve that timeline and to ensure that, when the grounding lifts, the aircraft returns to the skies as smoothly as possible.

In addition to tweaking the 737 Max's flight control software, Boeing has been holding meetings globally with 737 Max customers and hosting simulator sessions with those customers, Muilenburg says.

The company has also been developing new training materials and completing "preservation" work intended the help ensure stored 737s are ready for quick deployment into airline flying.

Regulators initially grounded the 737 Max due to concerns about the role the aircraft's maneuvering characteristics augmentation system (MCAS) played in two crashes. But in June the FAA discovered a data processing issue that required Boeing complete another rework.

That issue involved the flight computer's data processing, an FAA official told FlightGlobal.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this