By Dominic Gates / The Seattle Times
Aviation safety regulators in Europe and Canada have demanded design changes to the flight control systems on Boeing’s 737 Max that go beyond fixing the flawed system that ultimately brought down the aircraft in two fatal crashes.
The Federal Aviation Administration (FAA) has told Boeing it must come up with design upgrades to satisfy these concerns.
Yet all three regulators have agreed Boeing will be required to make these additional design changes and retrofit the worldwide fleet only after the Max returns to service.
The required changes to the flight control systems highlight weaknesses in the 737’s inherited avionics systems. The fixes could add substantial cost to the Max program and might slow the ramp-up of deliveries Boeing needs to recover its cash flow.
Boeing has already developed a fix for the new Max flight control system that was the main cause of the two crashes: the Maneuvering Characteristics Augmentation System (MCAS).
Janet Northcote, head of communications at the European Aviation Safety Agency (EASA), said while MCAS “absolutely needs to be fixed for the plane to be recertified as airworthy … there are other issues in some way related to the sensor problem” that triggered MCAS and these also require correction.
“By themselves, these would not create a safety critical issue,” Northcote said. “It’s when they come together with something critical at the same time that it’s a major issue.”
All three regulators will allow the Max back into service without the additional fixes in place, officials said in interviews this week.
Boeing has proposed that when the Max initially starts flying again, it will be enough to make changes to the flight manual and pilot training, so crews are aware of the potential problems and know how to respond. EASA believes this “provides adequate mitigation in the short term.”
“However, further down the road, we think design enhancements are needed,” said Northcote.
Boeing has made some proposals for permanent fixes that the regulators are currently reviewing.
Tight schedule for Max retrofits
The push by the Europeans marks a new assertiveness by foreign regulators. After two crashes that killed 346 people and the consequent close scrutiny that uncovered new problems with the Max one after another, they aren’t prepared to just follow the FAA.
EASA has identified three issues that will require substantial redesign. Transport Canada has focused on one.
The FAA declined to comment on its ongoing review of the proposed design changes. However, a person familiar with the FAA’s deliberations said the U.S. agency will require Boeing to come up with a fix for all three of the issues raised.
Two sources familiar with the discussions said regulators want the permanent design changes done on a relatively tight timetable. “We are looking for this to be implemented at the latest by the time of the certification of the 737 Max 10,” said one. The second source verified this as the target.
The first Max 10, the final and largest model in the Max jet family, rolled out last November and its delayed first flight is expected later this year, which would typically imply certification late in 2021.
If the system design changes are required to be on the Max 10 from the moment it enters service, that might further delay the schedule for the Max 10.
Once the changes are finalized and approved, they “would then be retrofitted to the Max in-service fleet as soon as practicable,” Northcote said.
She added that EASA, the FAA and Boeing haven’t made a final determination on a schedule for implementing the design changes and that it’s possible the logistical problems posed by COVID-19 could extend it.
Boeing declined to address details of its proposed design changes, but in a statement said the company is “committed to addressing all of the regulators’ questions and meeting all certification and regulatory requirements. “
Angle of Attack sensor problems
EASA’s biggest concern is with Boeing’s proposed solution to the Angle of Attack problem that initiated the two 737 Max crashes.
In both crashes, MCAS was triggered by a single faulty Angle of Attack signal. Boeing’s redesign of MCAS uses both Angle of Attack sensors on the Max during any given flight instead of only one. MCAS won’t operate unless both sensors agree.
However, while this fixes MCAS, the Angle of Attack sensors feed into multiple other systems. EASA’s concern is that if the two sensors disagree, the flight control computers have no way of telling which is the correct reading.
The Europeans doubt having two sensors is good enough to make the system sufficiently robust.
Northcote said EASA considers the system used by Airbus, which has three Angle of Attack sensors on the rival A320 jet, a good design. The agency wants Boeing to develop a new system “that in some way matches that, but doesn’t necessarily have to be a third sensor.”
The alternative to a third physical sensor is what’s called a “synthetic” sensor, a system that provides an additional, indirect AOA calculation using a variety of different sensors and inputs.
Boeing’s latest all-new jet, the 787 Dreamliner, for example, has a system called Synthetic Airspeed that takes input from the Angle of Attack sensors and various data points that indicate the plane’s attitude in the air. This system serves to cross-check the signals from the other sensors and enables the flight control computer to identify a false data signal.
In the original development of the Max — as documented in an ethics complaint by Boeing engineer Curtis Ewbank and in controversial emails by Chief Technical Pilot on the Max, Mark Forkner — Boeing rejected the addition of Synthetic Airspeed to avoid the need for simulator training for Max pilots.
To add a synthetic system to the Max now would be costly. All its interactions with existing systems would have to be tested and certified, and Boeing will have to convince regulators the information it produces is as reliable or better than a physical sensor.
According to the person familiar with the FAA’s deliberations — who spoke on condition of anonymity because of the sensitivity of the ongoing discussions between the regulators — EASA’s demand for the equivalent of a three-sensor system arises from a fundamentally different design philosophy between Airbus and Boeing.
Airbus jets are all designed so that when a pilot adjusts the controls, that action is sent via the computer to move the airplane’s control surfaces on the wings and tail. This requires multiple layers of redundancy to make sure no glitch in the software produces a faulty signal.
In contrast, on Boeing jets the main control surfaces are directly connected to the pilot controls by cables, giving the pilot a physical tactile connection that offers a sense of what the plane is doing that’s absent on an Airbus jet.
“For Airbus and EASA, three Angle of Attack sensors is just what you do,” said the person. “For Boeing and the FAA, it’s not necessary, because in addition to the two Angle of Attack sensors, you have that physical connection with the aircraft.”
Still, the FAA has told Boeing it must address EASA’s concern.
After the two Max crashes, Boeing’s longstanding reliance on pilot capabilities as the ultimate assurance of safety has been brought into question, especially in modern cockpits that are largely automated and computer-controlled.
Confusing cockpit warnings
The second issue for which EASA is demanding a design change stems from investigations that have established the pilots on both crash flights were confused by a cacophony of warning alerts going off simultaneously.
On the Max, multiple warning lights on the instrument panel and computer-generated aural alerts can be triggered by a single bad sensor.
It’s unclear what Boeing will propose to address that, but it has to come up with something to satisfy EASA.
The third issue that needs a design fix is one that has particularly bothered Transport Canada: a “stick shaker” stall warning that cannot be turned off even when clearly erroneous.
This is the alert system on the Max that makes the control column vibrate forcefully in the hands of the pilot if the plane is pitched too high and is slowing toward a stall — meaning the plane is about to lose lift under the wings and will begin to drop.
In both Max crash flights, the stick shaker was triggered erroneously by a faulty Angle of Attack signal.
On Ethiopian Airlines Flight 302 that crashed in March 2019, killing 157 people, the stick shaker vibrated throughout the six-minute flight, indicating the plane was going too slow and close to a stall, while simultaneously a loud clacker was sounding in the cockpit — warning the pilots they were going too fast.
To avoid such severe distraction and confusion, Transport Canada wants Boeing — before the Max’s return to service — to include in the flight manual instructions for how to pull circuit breakers to stop the stick shaker.
The circuit breakers are in an overhead panel in the 737 cockpit. Transport Canada said it will require Boeing to add “collars” to the stick shaker circuit breakers to distinguish them from others in the vicinity so they can be quickly identified in an emergency.
According to two people with knowledge of the FAA’s view of this, the U.S. agency doesn’t favor pilots having to reach up to pull circuit breakers in an emergency.
“Typically, pulling circuit breakers is not something we’d encourage. Those are supposed to be for maintenance, not for operating the airplane,” said an FAA safety engineer, who spoke without authorization and cannot be identified. “It’s a short-term solution,” he added.
Annie Joannette, a spokesperson for Transport Canada said Boeing is working on an alternative fix.
“Boeing has been discussing the possibility of a post-return-to-service modification that would allow the stick shaker to be deactivated by means other than pulling the circuit breaker,” she said. “If this modification was made available, then the circuit breaker pull procedure in the approved Aircraft Flight Manual would be an interim measure.”
It’s unclear if that interim option for pulling the circuit breakers will be included in all Max flight manuals or only in those for Canadian pilots.
Seeking regulator harmony
Existing U.S. certification requirements don’t mandate the enhancements EASA and Transport Canada are requiring.
The FAA’s stance in agreeing that Boeing must nevertheless address the three specific issues raised is aimed at achieving harmony among the main aviation regulators, which at earlier points in the discussions over the Max crashes have been unusually at odds.
Concerned at how the glaring flaws in the original MCAS design slipped through the Max’s initial certification, the Europeans and Canadians have insisted on conducting their own independent safety assessments of the Max recertification rather than automatically following the FAA lead.
Yet addressing the issues raised by EASA is not a point of contention.
“There’s no dispute. EASA and the FAA will each require it,” said the person familiar with the FAA’s deliberations. “Boeing has to come up with a path to address the concerns.”
As a result, U.S. sources now expect the Europeans will clear the Max to fly passengers again within a week or so of the FAA doing so.
The next important milestone on the way to the Max’s return to service is required certification flights, when pilots for the FAA and other regulators conduct flights to thoroughly test the new upgraded software that fixes MCAS.
Because of travel restrictions due to COVID-19, travelers from European Union countries cannot currently enter the United States, and Northcote said this has so far prevented EASA from scheduling its Max recertification flights.
However, sources within Boeing and the FAA say the FAA’s recertification test flights, which will take about three days of flying, could begin as early as next Monday.
If that happens, the Max will be on track to win FAA clearance around mid-September. That would be the signal for pilot training to begin, so U.S. airlines could be flying the Max again before year end.
The design changes demanded by the foreign regulators will then be Boeing’s next challenge.