Boeing 737 MAX family NEWS ONLY

From the FAA:
"When automation systems do not work as intended or do not work well in the operational situation, pilots without sufficient manual flight control experience and proper training may be reluctant or may not be adequately skilled to take control of the aircraft," says the paper, available from ICAO.

"As the use of automation increases in aircraft design, it is important to consider how ICAO standards and guidance should evolve to ensure that pilot training programmes align with technological advancements," it adds.

 
WASHINGTON/SINGAPORE (Reuters) - An international panel of air safety regulators on Friday harshly criticized the U.S. Federal Aviation Administration’s (FAA) review of a safety system on Boeing Co’s (BA.N) 737 MAX jet that was later tied to two crashes that killed 346 people.
The Joint Authorities Technical Review (JATR) was commissioned by the FAA in April to look into the agency’s oversight and approval of the so-called MCAS anti-stall system before the fatal crashes.
“The JATR team found that the MCAS was not evaluated as a complete and integrated function in the certification documents that were submitted to the FAA,” the 69-page series of findings and recommendations said.
“The lack of a unified top-down development and evaluation of the system function and its safety analyses, combined with the extensive and fragmented documentation, made it difficult to assess whether compliance was fully demonstrated.”
[...]
The JATR draft recommendations, obtained by Reuters ahead of its release on Friday, also said the FAA’s long-standing practice of delegating “a high level” of certification tasks to manufacturers like Boeing needs significant reform to ensure adequate safety oversight.
“With adequate FAA engagement and oversight, the extent of delegation does not in itself compromise safety,” the report said. “However, in the B737 MAX program, the FAA had inadequate awareness of the MCAS function which, coupled with limited involvement, resulted in an inability of the FAA to provide an independent assessment of the adequacy of the Boeing-proposed certification activities associated with MCAS.”
The report also questioned FAA’s limited staffing to oversee certification tasks it designated to Boeing and said there were an “inadequate number of FAA specialists” involved in the 737 MAX certification.
It added there were signs that Boeing employees conducting FAA work faced “undue pressure. ..which may be attributed to conflicting priorities and an environment that does not support FAA requirements.”
FAA Administrator Steve Dickson said in a statement he would look at the panel’s recommendations and take appropriate action following the “unvarnished and independent review of the certification of the Boeing 737 MAX.”
More at the link.
 
Last edited:
I guess Boeing's and the FAA's insurers will need to fight it out in court, as to whether the FAA should have known better or were misled by Boeing (either intentionally or unintentionally) into a false understanding of the situation. No doubt Boeing will say there was never any misleading on their part and the FAA will say there was and that they had no way of knowing they were being misled. The question then is, will both sides privately recognise all their cock-ups straight away and get on with fixing them, given that such visible changes will help to point an expensive legal finger at themselves?

Meanwhile, if I were a foreign authority I would not accept a revised design and operating regime until I was confident that the process for the whole aircraft had been properly reviewed and fixed, and that that had flowed through into the whole of the revised design and regime, and not just into the changes. I would not wait up, and I would advise my airlines not to either.

Call me an old cynic, but I continue to expect a lot of gung-ho "We're onto it and we'll have it fixed real soon now" rhetoric from Boeing, to try and keep customers from drifting off to the competition.
 
Last edited:
I guess Boeing's and the FAA's insurers will need to fight it out in court, as to whether the FAA should have known better or were misled by Boeing (either intentionally or unintentionally) into a false understanding of the situation.

Meanwhile, if I were a foreign authority I would not accept a revised design and operating regime until I was confident that the process for the whole aircraft had been properly reviewed and fixed, and that that had flowed through into the whole of the revised design and regime, and not just into the changes. I would not wait up, and I would advise my airlines not to either.

Call me an old cynic, but I continue to expect a lot of gung-ho "We're onto it and we'll have it fixed real soon now" rhetoric from Boeing, to try and keep customers from drifting off to the competition.
Boeing v FAA - complex, as if I understand it, there were some FAA staff, then there were some boeing staff working on certification - so who exactly got it wrong.....

Field day for the lawyers.
 
Lawyers win every which way. Passengers will lose until this is sorted but watch for a retraction in the market courtessy of increased environmental awareness. Boeing will rue the choices it made with this aircraft.
 
I guess Boeing's and the FAA's insurers will need to fight it out in court,

The FAA's "insurers" are otherwise known as the US taxpayers. It's a government agency, after all, and the US government self-insures.

But the government also enjoys a significant degree of sovereign immunity, so it is very unlikely to be found financially liable at all.
 
And in Max-related news, Boeing have taken the Chairman role off CEO Dennis Muilenberg, a change they rejected as recently as April.

 
I guess Boeing's and the FAA's insurers will need to fight it out in court,

The FAA's "insurers" are otherwise known as the US taxpayers. It's a government agency, after all, and the US government self-insures.

But the government also enjoys a significant degree of sovereign immunity, so it is very unlikely to be found financially liable at all.

Fair enough. On the other hand, Boeing's lawyers will want to offload any and all blame onto the FAA, but the government/FAA will not want their name to be smeared, while the individual FAA staffers will not want to be fingered for criminal investgation or career assassination.
 
And in Max-related news, Boeing have taken the Chairman role off CEO Dennis Muilenberg, a change they rejected as recently as April.

Not sacked, just demoted to plain CEO. I'll bet he hasn't taken a pay cut though. Bundling chairman and CEO (in the UK the managing director) in the same job has long been a contentious thing to do. One camp says that a single person is more efficient and the company's policy and operations more tightly integrated. The other camp says that this can cause a conflict of interest between wider policy objectives and short-term financial gain, moreover combining the roles leads to overwork and loss of family time. I have never seen stats on how the two alternatives actually stack up historically - is a joint role genuinely likely to lead to MAX type blowouts? Like so many "social" sciences, management science is often not really science at all, just untested or even untestable theorising. For me, this move comes under "Let's remove one possible line of criticism, at least it shows we are doing something." The earlier revisions to the engineering reporting lines were far more important and necessary.
 
Last edited:
Flicked through that JATR report and it looks like a bit of a fudge apart from suggesting that undue pressure was applied by Boeing senior management to those certifying the aircraft to get it through. Whether Boeing will face any kind of censure remains to be seen but this cannot possibly continue.
 
A series of failures led to the crash of a Lion Air Boeing 737 Max in October last year, which killed 189 people, an official report says.
Indonesian investigators found faults by Boeing, Lion Air and the pilots led to the plane crashing.
It also said the jet should have been grounded after an earlier fault, and that one of the pilots was unfamiliar with procedures.
The report found 31 pages were missing from the plane's maintenance log.
The report, published on Friday, suggests that a crucial sensor, which had been bought from a repair shop in Florida, had not been properly tested.
[...]
Indonesian investigators found issues with the aircraft's Manoeuvring Characteristics Augmentation System - or MCAS - software designed to help prevent the 737 Max from stalling.
It showed there were incorrect assumptions about how the MCAS control system would behave and that the "deficiencies" had been highlighted during training.
In a statement responding to the report, Boeing said it was "addressing" the recommendations from Indonesia's National Transportation Safety Committee.
The planemaker said it was "taking actions to enhance the safety of the 737 Max to prevent the flight control conditions that occurred in this accident from ever happening again".
[...]
A preliminary report published in November last year said that the stick shaker - a warning device that alerts flight crew when their plane is at risk of stalling - was active throughout the flight.
Indonesian authorities laid out some recommendations for Boeing in the report, including that it redesign the MCAS and provide adequate information about it in pilot manuals and training.
More at the link.
 
Boeing - and regulators - allowed the system to be designed in this way and didn't change it after the Lion Air crash, leading to a further disaster. And that means that while the report clearly points to serious failures by a parts supplier and by the airline itself, it is Boeing that will bear the greatest share of responsibility.
That is way overstretched.
 
Last edited:
The FAA says it started investigating Xtra in November 2018, looking "specifically at the company's compliance with regulatory requirements… and records and work orders for aircraft parts it approved for return to service".

"From November 2009 until May 2019, Xtra failed to complete and retain records in accordance with procedures in its repair-station manual to support parts on its capability list," says the FAA. "The company also did not substantiate that it had adequate facilities, tools, test equipment, technical publications and trained and qualified employees to repair parts on its capability list."

The FAA says the order revoking Xtra's certificate is part of a settlement agreement under which the company waives its right to appeal the decision.

 
Congress just went after Dennis Muilenburg over Boeing's behaviour in a formal hearing, calling the Max "a flying coffin", and being angry over newly revealed IMs between Boeing's test pilots expressing concerns over MCAS, and the certification strategy, pre-certification. I think it's particularly damning for Muilenburg that Boeing management knew about these IMs before the Ethiopian crash, but Muilenburg claims not to have known about their detailed content until a couple of weeks ago. At best he looks incredibly lackadaisical for not familiarising himself with something so potentially damaging to the company when he's had the best part of a year to do it and it's already destroyed company profitability.

'Federal regulators on Friday demanded Boeing explain why it withheld documentation of employees' concerns with a software system which investigators have linked to two fatal crashes of the 737 MAX.
The instant messages, obtained by CNN from a congressional source, show internal concerns that the MCAS stabilization system was "running rampant" and more powerful than the company had told the Federal Aviation Administration.
"[T]he plane is trimming itself like craxy," one pilot wrote in a message, several of which contain misspellings, later adding, "granted, I suck at flying, but even this was egregious."
He wrote the plane had "some real fundamental issues that they claim they're aware of."
"I basically lied to the regulators (unknowingly)," the pilot wrote.
His colleague responded: "It wasnt a lie, no one told us that was the case."
In the messages, the pilot refers to his job as "insane" and commiserates with the colleague about internal pressure and feeling out of the loop on developments such as MCAS.
"I'd ask for a job in sales where I can just get paid to drink with customers and lie about how awesome our airplanes are," he wrote.'

One of the pilots is apparently Boeing’s chief test pilot Mark Forkner, who also complained of “egregious” erratic behavior in flight simulator tests of the MCAS system, and referred to “Jedi mind tricks” to persuade regulators to approve the plane.

I hadn't seen reports of a DoJ investigation before now. That's interesting as I'm not sure what grounds they would have for criminal liability. FAA might have grounds for enforcement, but DoJ? I can't see anything criminal (vs civil) on the engineering side unless the US has a corporate manslaughter law, or maybe OSHA violations; but maybe contractual liability? Intent to defraud? Wire fraud? RICO?

See https://www.theguardian.com/busines...is-muilenburg-congress-testimony-737-max-mcas
and https://edition.cnn.com/2019/10/18/politics/boeing-737-max-faa-documents/index.html
 
The text message had for subject the simulator, not the actual Flight control law in the plane. It's quite different to have a simulation software not representative of the actual plane behavior and experimenting such in flight.
More related to the actual hardware, the FAA just retired agreement from the company that had refitted the faulty AoA sensor (see my earlier post) .

But Muilenburg is toast. That's a fact.
 
Either the simulator programmers nailed the dangers of MCAS, or they made a non-representative simulator and Boeing was lax with quality checks on the simulator.

Both are bad news for Boeing.
 
Last edited:
Either the simulator programmers nailed the dangers of MCAS, or they made a non-representative simulator and Boeing were lax with quality checks on the simulator.

I seem to recall a report some time ago that the simulator contractor passed the software design to Boeing's design engineers for functional checking, but nobody thought to pass it to their safety-checks department for fail-safe analysis. Consequently the AoA sampling algorithm was passed as meeting its functional spec but never safety-checked by Boeing. It was suggested that the contractor would have had no way of knowing that their approach had a safety flaw, as the wider system behaviour was outside the scope of the specification they had been given. Certainly, it was Boeing's job as overall system authority to ensure that the safety-checking procedures were not broken.
Then again, it is not clear to me whether the AoA status display is a part of the MCAS package or of the cockpit display package, but either way the MCAS contractor would not have known that Boeing would disable it unless the customer coughed up for the extra "option".
Whether the contractor has a problem or not, Boeing surely does.
 
I hope Boeing survive to learn the lessons from this.
 
The text message had for subject the simulator, not the actual Flight control law in the plane. It's quite different to have a simulation software not representative of the actual plane behavior and experimenting such in flight.

I've actually done Boeing FCS development, remember. If they are using the iron bird (Max was described as having a mini iron bird, which would be consistent with its derivative nature), then they would be using full flight representative hardware (i.e. an actual MCAS box). If they were using a conventional simulator then it might be either an actual MCAS box, or an emulation using the actual flight control laws. Which for simulation purposes are the same thing. There's zero point in doing testing that's not representative. That's not to say the flight control laws are fixed, they prototype changes on the simulator (and on the aircraft), but at all stages they would be representative of the current flight system design.

The rest of the conversation makes it clear they were discussing not just flight representative hardware /software, but the actual certifiable state of the design, because they would not have been concerned that they had lied to the regulators over anything that wasn't representative.
 
I seem to recall a report some time ago that the simulator contractor passed the software design to Boeing's design engineers for functional checking, but nobody thought to pass it to their safety-checks department for fail-safe analysis.

There's an important difference between a normal training simulator, and a flight development simulator. Unlike a training simulator, which nowadays is a software simulation of the aircraft developed separately from the flight software/hardware, a flight development simulator is programmed by the Boeing control law development guys themselves or by their flight control laws guys working in conjunction with the FCS contractor if it's using flight hardware in the loop. It doesn't have an option to be non-representative, because by definition it is the current state of the flight control laws, or a proposed future state.

And we know this conversation was about the behaviour of the aircraft, whether actual or simulated, not the warning or display system, because they're talking about trim changes, which is how MCAS drives the aircraft.
 
I hope Boeing survive to learn the lessons from this.

Boeing will survive, there is absolutely no question of that, it's just too profitable to fail (and too significant to the U.S. in politico-economic terms). The worst that could happen to the company is that it goes into Chapter 11 bankruptcy to protect it from the residual liability over Max and emerges with new owners, c.f. what's happening with the California power supplier PG&E right now (in PG&E's case they've entered Chapter 11 to protect them from their liability for causing last year's California wildfires).
 
I seem to recall a report some time ago that the simulator contractor passed the software design to Boeing's design engineers for functional checking, but nobody thought to pass it to their safety-checks department for fail-safe analysis.
There's an important difference between a normal training simulator, and a flight development simulator.
Apologies, I meant "the MCAS contractor" not any simulator contractor. Not sure where that came from.

this conversation was about the behaviour of the aircraft, whether actual or simulated, not the warning or display system
It was also about the failure of Boeing to train pilots in the existence and behaviour of MCAS. You cannot separate aberrant behaviour from the causes of that behaviour, such as a failed AoA sensor.
 
I seem to recall a report some time ago that the simulator contractor passed the software design to Boeing's design engineers for functional checking, but nobody thought to pass it to their safety-checks department for fail-safe analysis.
There's an important difference between a normal training simulator, and a flight development simulator.
Apologies, I meant "the MCAS contractor" not any simulator contractor. Not sure where that came from.

In that case that's a different problem. Boeing define a set of requirements, including inputs, flight control laws, outputs and required fail-safe behaviour, and pass that to the contractor for implementation on top of their hardware/software design. Boeing's checking of that package of requirements is their own responsibility, not that of the contractor. The contractor then implements the design, does their integration testing, then passes it to Boeing to slot into the iron bird for Boeing's integration testing. The failure analysis should happen independent of the contractor, and before they ever see the requirements.

You cannot separate aberrant behaviour from the causes of that behaviour, such as a failed AoA sensor.

I'd disagree. There are at least two cases: 1) sensor fails, box reacts as designed, 2) sensor fails, box doesn't react as designed. The second case is independent of the cause triggering it. But in the Max case we actually have a problematic form of the first case. The sensor failed, the box reacted as designed, and the designed behaviour was so bad as to cause two separate crashes. That's a failure at the system design level, not the hardware/software level.
 
You cannot separate aberrant behaviour from the causes of that behaviour, such as a failed AoA sensor.
I'd disagree. There are at least two cases: 1) sensor fails, box reacts as designed, 2) sensor fails, box doesn't react as designed. The second case is independent of the cause triggering it. But in the Max case we actually have a problematic form of the first case. The sensor failed, the box reacted as designed, and the designed behaviour was so bad as to cause two separate crashes. That's a failure at the system design level, not the hardware/software level.
Look at it this way, there were two causes of failure - a faulty sensor and a faulty algorithm. If only one had failed the plane would have behaved OK. Separating either failure from its cumulative effect on the plane's behaviour is not tenable.
 
I hope Boeing survive to learn the lessons from this.

Boeing will survive, there is absolutely no question of that, it's just too profitable to fail (and too significant to the U.S. in politico-economic terms). The worst that could happen to the company is that it goes into Chapter 11 bankruptcy to protect it from the residual liability over Max and emerges with new owners, c.f. what's happening with the California power supplier PG&E right now (in PG&E's case they've entered Chapter 11 to protect them from their liability for causing last year's California wildfires).

Or this years wildfires? Not much is going to protect them from the fallout of this. Just as well perhaps. Once is bad luck possibly, repetition suggests bad maintenance.
 
The situation with PG&E (and we're getting off topic) is actually repetition over a number of years due to systematic under-investment in maintenance and vegetation management. They went into Chapter 11 because their insurance liability for the last couple of years of Californian wildfires was something like $30Bn. They're currently shutting down service for days at a time when there is a wind and wildfire risk, which has already killed at least one disabled customer who was dependent on an oxygen concentrator and put numerous others at risk, and which isn't stopping fires caused by their equipment happening, and estimate it will take years to correct the issues. It's a really good example of how doing things on the cheap can push a company with a guaranteed market into bankruptcy, and take years to fix. So it's a good model for what might happen to Boeing if they don't turn this around.
 
Look at it this way, there were two causes of failure - a faulty sensor and a faulty algorithm. If only one had failed the plane would have behaved OK. Separating either failure from its cumulative effect on the plane's behaviour is not tenable.

Remember, we're dealing with two crashes, with two separate triggers of the MCAS functionality, and a known safety issue with the MCAS box (given we now know the opinion of the test pilots). If you know there's a safety of flight issue then you fix it, because an occurrence of the situation triggering it is ultimately inevitable (I can name you multiple Boeing flight losses caused by air data sensor failures).

NTSB is charged with finding the proximate cause, the thing both directly responsible for and without which the accident couldn't have happened. That's not the sensor failure, because both crashes were in clear air with no prior disturbance of the flight path - the pilots should have been able to eyeball AoA. It is, however, the continual MCAS triggering, which ultimately overpowered their control inputs and pushed the aircraft into the ground. But given that it was a known issue for safe control of flight, it's not impossible NTSB will push proximate cause back into the Boeing design and certification process.

I'd really like to see the flight test reports for the flights referred to in the IMs, because both the pilots and the flight test engineering team should have flagged them as issues, and either they didn't, or someone higher in management (possibly several someones in a Defect Review Board) decided they shouldn't be fixed.
 
every time I read the death toll - 346 poor souls - I can't help thinking about the 1974 THK DC10 crash in Ermennonville.

Exact same death toll to the digit, yet most importantly - exact same huge screw up from the aircraft builder:

WON'T YOU LATCH THAT REAR CARGO DOOR SOLIDLY YOU IDIOT MCDONNELL DOUGLAS ??!!

1972: whaaat you say FAA ? what ? test pilots ? airlines pilots ? can't hear you...
1974: bang, 346 dead.

the time lost from first warning to disaster is quite similar. All the alarm bells rung in vain, with perfect hindsight are perfectly... appalling.

Kudos Boeing, your 737Max has recreated the perfect DC-10 shitstorm 40 years later. Not that it was /really/ a desirable thing to do... but you achieved it !! bravo !!

then again NASA with STS-51L and o-rings was equally dumb deaf and blind until... until too late.

but all that was 45 years ago !!! losing 346 people, DC-10 style, in 2018 ? outch. it hurts.
 
Last edited:
Once again, look at the curves. There are more knock out attempts at the yoke than in the best of MMA league.
Even if you don't caution management decision regarding MCA classification, still planes haven't been crashing en-masse since 1947 and the first fielding of similar systems.
 
It’s not looking good.

The messages from the test pilots about the very system that lead to the crashes.

Overall design of the system, poor documentation, items that may have helped were on the option list( for a system able to push the nose down??) I mean we are not talking cars here, back in the 80’s in the uk cars came with no passenger side mirror, I’m spending millions on this jet and a control override light is an extra.? I bet the airline guy who didn’t choose it never understood its significance either.

I can’t imagine Boeing needing ch11, but they do deserve a real kick in the n*ts.
 
Look at it this way, there were two causes of failure - a faulty sensor and a faulty algorithm. If only one had failed the plane would have behaved OK. Separating either failure from its cumulative effect on the plane's behaviour is not tenable.
Remember...

NTSB is charged with...
Sorry, I don't recognise any kind of comment on my quoted post. We all remember and NTSB are not the only game in town. Maybe best to let this drop before we get each other into the ol' "what I meant was..." loop.
 

Ouch. The worrying element there would be that they couldn't completely switch the failed IRS out of the system - as evidenced by the continuing display of incorrect info, and probably the other symptoms as well. The implication is the Quick Reference Handbook procedure for shutting it down wasn't adequate. Systems will fail, but if the procedure for dealing with them is wrong, then that's worrying.
 

Ouch. The worrying element there would be that they couldn't completely switch the failed IRS out of the system - as evidenced by the continuing display of incorrect info, and probably the other symptoms as well. The implication is the Quick Reference Handbook procedure for shutting it down wasn't adequate. Systems will fail, but if the procedure for dealing with them is wrong, then that's worrying.
A follow-on problem must be that even if the faulty IRS is shut down, accumulated positional and attitude/directional errors will then need to be corrected.

One is forced to wonder what else Boeing has got wrong in both its failure mode analysis and its pilot information.
 
A follow-on problem must be that even if the faulty IRS is shut down, accumulated positional and attitude/directional errors will then need to be corrected.

That's a fairly normal part of having a multiply redundant system. Normally you'd use a rolling* average of all the values, so as soon as you switch one system out the average should start to converge on the value from the still operating system(s).

*i.e averaged over a set period so a single spurious value doesn't cause a sharp deviation.
 
Back
Top Bottom