By Dominic Gates, Steve Miletich and Lewis Kamb / The Seattle Times
In 2014, Boeing convinced the Federal Aviation Administration (FAA) to relax the safety standards for the new 737 Max related to cockpit alerts that would warn pilots if something went wrong during flight, according to documents reviewed by the Seattle Times.
Seeking an exception, Boeing relied on a special FAA rule to successfully argue that full compliance with the latest federal requirements would be “impractical” for the Max and would cost too much.
“They went through the process and weren’t required to step up,” said an FAA safety engineer familiar with how the waiver request was handled and who asked for anonymity because he spoke without agency authorization.
Based on lessons learned from past airline accidents, the FAA regulation stipulates precise design details for the warning displays in the cockpit. These are aimed at ensuring that alerts relay clearly to the pilots what’s going on when a malfunction occurs, catch attention so that they won’t be overlooked, and avert any possible confusion.
During the two fatal Max crashes that killed 346 people, pilots struggled to understand the cascade of warnings in their cockpits. Last week a National Transportation Safety Board (NTSB) report on those crashes highlighted the crucial role that crew alerting systems play when pilots face an in-flight emergency.
The Seattle Times reviewed the relevant parts of the document that Boeing submitted to the FAA to win its exception. They show the federal regulator struck out four separate clauses that would be requirements for any new jet being produced today.
This meant Boeing avoided having to design a complete upgrade of the 737’s aging flight-crew-alerting system.
The underlying design of the 737 was first certified more than five decades ago, and its airframe and systems have been upgraded in an incremental patchwork ever since. Boeing’s submission reveals the cold actuarial calculus by which such exceptions are granted to allow certification of airplanes, such as the Max, that are derivatives of older, legacy models.
Following the Max crashes, such rulings are likely to come under tougher scrutiny in the future.
Boeing declined to comment on the details in this story. The FAA said in a statement that the Max complies with the “applicable” regulations, then listed some of the criteria under which exceptions from full compliance are granted.
Relaxing the rules
Boeing’s argument in the document, which has not been previously reported, rested most basically on the long service history of the 737. At the time the Max’s exception was granted, that included more than 300 million hours in the air, almost all accumulated on routinely safe flights.
However, Boeing’s analysis also had to deal with the fact that the 737’s record in the previous 20 years included three fatal crashes where crew alerting was a contributing factor: the 2005 Helios Airways crash in Greece that killed 121 people; the 2009 Turkish Airlines crash in Holland with nine fatalities; and the 2008 Aeroflot-Nord crash in Russia, in which 88 died.
Boeing convinced the FAA that it had dealt with the three distinct issues in each of those crashes.
The submission from Boeing then cited an estimate of the cost of full compliance at more than $10 billion.
This staggering sum included not only the direct cost to Boeing of redesigning the airplane systems but also the expense of additional pilot training that new systems would require — costs that would have been borne by Boeing’s airline customers and would have made the Max a much less attractive airplane to buy.
In April 2014, the FAA accepted Boeing’s argument that for the Max, the safety benefit of full compliance with the crew-alerting regulations was “not commensurate with the costs necessary to comply.”
A new urgency
Pilots rely on their instruments to tell them how an airplane is performing in flight and to warn of any system malfunctions. The federal regulations are designed to make such alerts as clear and unambiguous as possible about the nature and severity of any malfunctions.
The early investigation reports into the two Max crashes show the pilots didn’t understand what their instruments were telling them and failed to handle the emergency as they might have.
Though the accidents were initiated by a failed sensor and a flawed Boeing flight-control system, both the capabilities of the pilots and the design of the crew alerting system played a role in the outcome.
Last week’s NTSB report criticized Boeing for failing to account in its testing of the Max for the overload of warning messages in the cockpit that occurred during the two fatal flights.
One of the current alerting regulations that the Max is excused from is relevant to such a scenario. It requires that there must be a way to suppress erroneous attention-getting alerts that might interfere with the crew’s ability to focus — such as the “stick-shaker” that vibrated the captain’s control column on both the crashed Max flights.
Because of a faulty angle-of-attack sensor on each flight, the stick-shaker was warning, falsely, that the jet was close to a stall. But having noted it, the pilots couldn’t stop it. The Max has no way to suppress that alert. The stick-shaker continued throughout both flights, along with multiple other alerts.
On the Ethiopian Airlines flight that crashed in March, the pilots faced a barrage of alerts throughout the six-minute flight. Besides the stick-shaker, they heard repeated loud “DON’T SINK” warnings that the jet was too close to the ground; a “clacker” making a very loud clicking sound to signal the jet was going too fast; and multiple warning lights telling the crew the speed, altitude and other readings on their instruments were unreliable.
Pilots around the world vary greatly in their flying expertise, especially in their ability to handle a plane when automated systems fail. While many U.S. airline pilots previously have flown military planes for the Air Force, that’s not the experience level in most countries. Further, even a good pilot will have a bad day.
So both Boeing and rival Airbus will in future have to pay increasing attention to “human factors,” meaning the way people interpret and respond to systems and what’s happening around them — which in an airplane depends crucially on the crew alerting system.
A person familiar with the details said that the European Union Aviation Safety Agency (EASA), in its ongoing re-evaluation of the Max following the two crashes, has already expressed concern to both Boeing and the FAA about inadequacies in the jet’s alerting system, including the constant erroneous stick shaker.
Boeing’s state-of-the-art system
Early in the development of the 737 Max, Boeing considered equipping the flight deck with its state-of-the-art flight-crew alerting system, called EICAS, the Engine-Indicating and Crew-Alerting System.
It provides pilots visual, aural and tactile warnings as well as written messages on the main flight display when anything goes wrong with either the engines or with the airplane systems, and then also recommends the remedial action needed.
EICAS, designed to take account of the latest human factors studies, is a system that integrates all the interactions between the pilots and the machine they are flying.
Boeing introduced EICAS in the early 1980s when the 757 and 767 jets entered service. The improved alert system was one justification for removing the role of flight engineer to allow those airplanes to fly with two-person crews. It’s been upgraded incrementally since and installed on all subsequent Boeing jets.
But alone among Boeing jets, the 737 was never updated with EICAS, though it was considered at least twice before in previous iterations of the airplane.
It was pushed again for the Max.
An ethics complaint submitted in April by Boeing engineer Curtis Ewbank and reviewed by the Seattle Times says that Mike Carriker — Boeing’s chief pilot for product development, who flew the first flight of the 787 Dreamliner — proposed studying whether to put EICAS on the Max, saying “it was necessary for the 737 to be a modern airplane.”
Boeing identified the detailed changes both to the airplane systems and to crew procedures that would be needed to install EICAS on the 737 Max. But ultimately that plan was abandoned because of “the overall cost,” the ethics complaint states.
In a brief phone interview last week, Carriker declined to discuss details but said installing EICAS on the 737 “would be challenging.” And pointing to the older systems on the Max compared to other planes like the Dreamliner, he added that “there aren’t enough sensors on the 737.”
Having settled on retaining its older cockpit alerting system, Boeing then needed to convince the FAA that the Max should not have to meet all the latest federal crew alerting requirements, which are closely aligned with the capabilities of the EICAS system.
Making an exception
A document submitted by Boeing to the FAA in 2012 lays out the airplane description and preliminary data needed to plan the certification work for the Max and includes an “issue paper” devoted to the Max’s crew alerting systems.
A Boeing request for an official exemption from the regulations would have required a public notice in the Federal Register and an opportunity for interested parties or the general public to comment. Instead, Boeing followed a standard procedure for being granted such a waiver that was not public.
Instead of an “exemption,” Boeing asked for an “exception” granted under a special FAA procedure called the “Changed Product Rule,” which lays out the conditions under which a new, changed version of an older model can be granted exceptions during certification.
An official FAA advisory circular stipulates that exceptions will be granted if the applicant, in this case Boeing, can demonstrate that compliance is “impractical.” The design must come close to meeting safety requirements, and then demonstrate that “full compliance would require a substantial increase in the outlay or expenditure of resources with a very small increase in the level of safety.”
Boeing’s submission to the FAA cites first the flight history of the 737, going back to 1967. It notes that by 2011 the jet had completed 321 million flight hours and 213 million departures. Broken down by model type, the 737 version prior to the Max, known as the 737 NG, had completed 80 million flight hours and 42 million departures.
Boeing then documented the 737’s safety record during the previous 10 years. Between 2002 and 2011, it identified three fatal accidents where a deficiency in the flight-crew-alerting system had played a role in the tragedy. These were:
• Helios Airways flight 522 in 2005. Flying at 34,000 feet near Athens, Greece, the crew misinterpreted a horn that sounded to warn of a cabin depressurization, interpreting it as a false and irrelevant alert about the plane’s take-off configuration. The horn sounds were identical for these two distinct alerts. The pilots passed out from lack of oxygen and the plane continued flying in a straight line on autopilot, shadowed by a Greek jet fighter impotent to help. All 121 people on board died when the airliner ran out of fuel and crashed.
Following the accident, Boeing installed a light on the 737’s pilot display to distinguish a depressurization from the other alert.
• Turkish Airlines flight 1951 in 2009. On approach into Amsterdam, a single radio altimeter fed an incorrect low altitude reading to the autothrottle, which duly retarded the engines for landing. The pilots, busy with some checklists, failed to notice until too late a visual alert about the airspeed dropping too low. The plane crashed well short of the runway. Nine people, including three Boeing engineers who were on board by chance, were killed.
Following the accident, Boeing added an extra aural alert — a computerized voice warning — for low airspeed.
• Aeroflot-Nord flight 821 in 2008. Flying through clouds at night in central Russia, the pilot lost spatial awareness as the plane banked dangerously left, activating a BANK ANGLE artificial voice alert. Confused, the captain turned the yoke the wrong way, rolling hard left and worsening the bank angle. The jet flipped upside down. All 88 people on board died in the crash.
Following the accident, Boeing designed a new aural alert that announces “Roll Right” or “Roll Left” as appropriate to counter a dangerous bank angle and also shows the right direction via an arrow on the flight display.
Each of those crashes was at least partly attributed to pilot error. Postmortem tests showed the Russian captain may even have been drunk. Yet in each case, the crew-alerting system could have been better, and was made so after the fact.
The FAA safety engineer said that in accidents where the pilots are blamed, “many times you’ll find the indication and alerting system provided confusing or misleading information.”
Boeing argued that the exception for the Max was justified by the long history of safe 737 flights and the fact that it had addressed the separate alerting issues in each of these fatal accidents.
“There is no reason to believe the future rate of accidents for the 737-8 (Max) will be significantly different from the 737 NG historical record,” the document states.
The submission to the FAA also points to the “existing common and proven alerting methodology” on the approximately 6,400 Boeing 737s then flying worldwide. It adds that the Max won’t represent the majority of the world 737 fleet until around 2030, which means airlines would be flying mixed fleets for “two generations of 737 pilots.”
Boeing contended that keeping the Max systems common with the systems on the prior 737 model would be preferable, to avoid confusion as pilots move between the two types of aircraft.
The FAA in its statement Wednesday listed some of the factors considered in agreeing that an aircraft complies with the rules sufficiently to be certified: “these factors include areas of change (in the airplane design), aircraft service experience and actions taken following earlier accidents.”
There is one glaring omission from that list, a factor that nevertheless the FAA guidelines clearly state will be taken into account: The matter of cost.
Yet Boeing’s argument in the Max certification document finally arrives at that detail: the cost to Boeing and to its airline customers.
Boeing said a “significant design change” would be required if it had to comply with the complete set of federal crew alerting regulations.
“Compliance would also require revision to the entire system of training and documentation that supports the alerting methodology, as used by 75,000 pilots and a large number of airline mechanics and engineers,” the document states.
Boeing estimated the cost of the design, training and documentation changes to achieve full compliance for the 737 Max would be “greater than $10 billion” in 2013 dollars.
As a result of the two Max accidents, Boeing has already racked up more than $8.3 billion in extra costs through July, including a $5.6 billion write-off last quarter, a $2.7 billion addition to the projected future costs of producing the 737, and a payout of $50 million in initial compensation to the families of victims.
The cost has grown since as the grounding of the Max fleet goes on, and further compensation costs to the families of victims, to customer airlines and to suppliers will likely continue to mount through next year.
The final bill, not even counting Boeing’s potential loss of orders and future market share, will almost certainly far exceed $10 billion.
Those outlays weren’t anticipated during development of the jet. So Boeing’s submission to the FAA concluded that the $10 billion estimate to achieve compliance met the standard for granting an exception, because the effort in terms of cost and changes to manufacturing “would not be commensurate with a small incremental safety gain.”
The FAA accepted this argument and granted Boeing’s request.
A Boeing engineer, who also asked for anonymity to protect his job, was troubled by the way the company’s analysis discounted the Helios, Turkish and Aeroflot 737 crashes.
“Yes, Boeing went and fixed each problem,” said the engineer in an interview. “It did so only after a fatal accident. They are being reactive. Boeing could have been proactive on the 737.”
He said the Max was another missed opportunity to be proactive on safety upgrades.
In addition, those fixes Boeing developed after the three crashes are not necessarily installed on all the older 737s now in service globally. The FAA did not mandate two of them — the aural alerts that resulted from the Turkish and Aeroflot accidents — in airworthiness directives that would require airlines to comply.
So although U.S. airlines have voluntarily installed those alerts, there may be overseas airlines flying 737s that have not done so.
The FAA engineer agreed that safety shouldn’t depend on an after-the-fact response to fatal accidents. Still, he wasn’t ready to dismiss Boeing’s overall contention that a full upgrade to such an old design wasn’t practical on the Max.
“Why force a change that would have a huge impact on the industry with no big increase in safety?” he asked. “It’s not a totally invalid argument.”
“It is old technology,” the engineer added. “The 737 flight deck display system is not anywhere near state of the art. But Boeing contends the pilots know it well.”