737 MAX and an airworthiness perspective
In the public domain, the grounding of the 737 MAX has been, and continues to be, a high-profile topic.
Politics got involved, and that is never a move towards rational thinking, as interests other than the public one are usually being served.
Much finger-pointing has been going on towards Boeing, the FAA and even the operators of the aircraft that were involved in the fatal accidents, with many rogue comments against one party or another.
But we, as safety professionals, know that accidents never have one “cause” but multiple contributing factors and circumstances that in a detrimental combination can lead to catastrophic accidents.
The ever-popular “Swiss cheese” model is often referred to: when all the holes line up, one can go through it. But that gives Swiss cheese a bad name, while it is too delicious for that.
Briefly what happened:
An Indonesian -MAX 8 crashed shortly after take off into the sea on 29-Oct-2018.
The final investigation report was published in October 2019 (attached).
An Ethiopian -MAX 8 also crashed shortly after take off on 10-March-2019 (interim report attached).
Both accidents left no survivors and 346 people lost their lives.
The commonality between both fatal accidents was the phase of flight (just after take off) and that the crew had problems with pitch control of the aircraft.
Two elements of the pitch control system are horizontal stabilizer trim and elevator control. Generally the horizontal stab trim is used to balance the aircraft in a steady state with a certain speed, centre of gravity, altitude and aircraft configuration. If one of those factors changes, the trim setting also changes and the aircraft needs to be retrimmed. This can be done manually by actuating a trim switch on the control yoke or by manually turning the trim wheel on the flight deck control stand.
When the autopilot is in command, the trim is actuated automatically by the autopilot control system.
The elevators serve to control the aircraft short term, temporarily out of steady state, for example during turns, altitude changes, landing flare, take off rotation etc. This can be done manually or by autopilot (except take off rotation, that can only be done manually).
The stabilizer trim, being both manually and electrically operated, of course has different failure modes which have to be mitigated, mostly by crew drills.
One failure mode is no electrical operation, in which case manual operation can be used and vice versa.
Another failure mode is a so-called “trim runaway”. This occurs when there is a short somewhere in the system and the stabiliser trim starts running in a random direction uncommanded. This moves the steady state of the aircraft to an uncommanded and undesirable point and needs to be compensated by elevator input. The crew drill in this case is to immediately arrest the movement of the trim wheel, remove the electrical power from the stab trim system and trim the aircraft manually from that point on.
This is the way it has worked on all 737 series aircraft including the preceding NG types.
However, during certification flight tests of the 737 MAX, due to the higher engine thrust and increased offset of the thrust line from aerodynamic drag, the pitch handling of the aircraft exhibited differences with the NG types, especially at higher angles of attack but not stalled.
In order to match the handling qualities of the preceding NG types, Boeing decided to add a component in the electrical trim system, called MCAS. This stands for “Manoeuvring Characteristics Augmentation System”.
When the aircraft approaches high angles of attack (not normally encountered during normal operation), MCAS sends a one-time aircraft nose-down input to the stab trim system that adjusts the horizontal stabilizer a couple of degrees and then stops.
During any normal flight profile, MCAS is not supposed to activate and remains dormant.
MCAS receives input from a single angle of attack (AoA) sensor. There are two on the aircraft.
A commonality between the two aforementioned accidents is that the pilots were confronted by multiple uncommanded trim activations. Eventually they were overwhelmed by the out of trim configuration of the aircraft and were unable to control the aircraft any longer and crashed.
It is argued by many that the pilots should have immediately used the trim runaway procedure: stopped the trim, flipped the stabilizer cutout switches, which remove electrical power from the trim system, and retrimmed the aircraft manually.
The often overlooked nuance is that an MCAS activation is not a system failure but it is an uncommanded trim operation.
Both accident investigations revealed that, on both accident flights, a defective AoA sensor made the MCAS activate repeatedly; trimming and stopping, many times over before control was lost.
If a crew is not aware of the parameters that make the MCAS activate, they may not recognise whether it needs to activate or not. In other words they would need to assess whether the (uncommanded) activation is justified in order to deem it a system failure that needs action.
A contributing factor is that the trim activates and then stops, which may cause a crew in a high-workload situation close to the ground to ignore the activation and focus on more urgent duties such as navigation, ATC comms etc.
Subsequent to the two accidents, aviation safety agencies, one by one, grounded the 737 MAX type, initially awaiting the investigation results and subsequently deeming the MCAS system unsafe for flight because of its insidious failure mode and the lack of redundancy by taking the AoA signal of only one of the two available AoA sensors on the aircraft.
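The single-sensor weakness described above can be shown with a toy model. This is an added example, not Boeing's logic and not part of the original article; the function name `simulate`, every threshold and increment, and all sample readings are constructed assumptions. It compares activation logic that trusts one AoA sensor with logic that inhibits itself when the two sensors disagree.

```python
# Toy model, not Boeing's MCAS logic: every constant and sample is a constructed assumption.
AOA_THRESHOLD_DEG = 12.0   # assumed angle of attack above which the function activates
TRIM_STEP_DEG = 2.0        # assumed nose-down stabilizer movement per activation
REARM_SAMPLES = 3          # assumed pause after an activation before it can fire again
DISAGREE_LIMIT_DEG = 5.0   # assumed largest tolerated difference between the two sensors


def simulate(samples, cross_check):
    """Run the activation logic over (left_aoa, right_aoa) samples.

    Returns (activations, total_nose_down_trim_deg, inhibited_samples).
    With cross_check=False only the left sensor is consulted.
    """
    activations = 0
    inhibited = 0
    pause = 0
    for left, right in samples:
        if pause > 0:                      # activate, then stop for a while
            pause -= 1
            continue
        if cross_check and abs(left - right) > DISAGREE_LIMIT_DEG:
            inhibited += 1                 # sensors disagree: fail passive, no trim
            continue
        if left > AOA_THRESHOLD_DEG:
            activations += 1
            pause = REARM_SAMPLES
    return activations, activations * TRIM_STEP_DEG, inhibited


# Constructed inputs: twelve samples each.
FAULTY_LEFT = [(22.0, 4.0)] * 12     # left vane stuck high, right vane reads normally
GENUINE_HIGH = [(14.0, 13.5)] * 12   # both vanes agree the angle of attack is high
NORMAL = [(4.0, 4.2)] * 12           # ordinary flight

if __name__ == "__main__":
    for name, data in [("faulty left", FAULTY_LEFT),
                       ("genuine high", GENUINE_HIGH),
                       ("normal", NORMAL)]:
        print(name, "single:", simulate(data, False),
              "cross-checked:", simulate(data, True))
```

With the stuck sensor, the single-sensor logic keeps trimming and stopping while the cross-checked logic never trims; when both sensors agree, the two behave identically.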
Since the type was grounded, things did not improve; Boeing and the FAA were in the crosshairs of media and politicians. The CEO of Boeing had to resign. Production of the 737 stopped, with a knock-on effect for operators, who had to ground their fleets, and for subcontractors and suppliers worldwide. The 737 was Boeing's cash cow; a reliable product that just kept selling and selling and provided the company with a solid cash flow. That has stopped for over a year now.
It requires sharp minds and cool heads to get the company back on track again...
The world started to look at product certification processes and the role of Boeing and the FAA and the crisis deepened further.
The concept of Airworthiness is that technical and operational standards must be met in order to achieve an acceptable level of safety for the intended use of the aircraft, in this case public transportation of people and freight.
Large transport aircraft designs must comply with many airworthiness standards, the lion's share being EASA’s CS-25 and the FAA’s equivalent, FAR-25: a complex and comprehensive set of standards.
The 737 MAX was certified as a derivative of the previous iteration, the 737 NG series, which was also certified as a derivative of the 737 classic series, which was certified as a derivative of the 737-100/200 series, sometimes referred to as the “jurassic”. The iteration and type certification of a derivative of an existing type design obviously requires less effort than for a completely new design.
Certification of a new aircraft type design is a complex task, and demonstration of compliance with these standards requires many analyses and tests. The entire process for a new design airliner typically takes years. In this period of time, the set of standards is usually amended.
It is for that reason that type designs do not necessarily have to comply with the latest standards, and the standards to be applied need to be agreed with the certifying agency.
The sets of airworthiness regulations are amended regularly, and aircraft designs certified twenty or more years ago were not certified against the current airworthiness standards. So how are these aircraft still considered safe?
An approved aircraft type design must be managed by a Type Certificate Holder (TCH). The duty of the TCH is to continually conduct safety reviews on its type design by collecting and reviewing utilisation and safety data from the operators of the products.
These data and TCH analyses must be shared and discussed with the authorities of the state of design. Any safety concerns must be shown to be mitigated by the TCH and in many cases be sanctioned by the agencies.
This process results in the issuance of Service Bulletins (SB), Service Letters (SL), All Operator Messages, Alert Bulletins and many others. Often these are sanctioned by the agencies and are legally directed by Airworthiness Directives (AD).
This does require a vigilant attitude from regulators and TCHs alike.
The consolidated 737 type certificate has over 400 ADs issued against it.
Internationally there are bilateral and multilateral agreements between regulators accepting each other's data and safety analyses. For example, between Europe’s EASA and the US’s FAA this reciprocity is laid down in the mutually published TIP (Technical Implementation Procedures). (Attached)
Now after the 737 MAX debacle, the different aviation agencies jumped on the certification of the -MAX type iteration which every one of them previously approved after FAA provided the data and their assessment.
What is laid bare (painfully) is that the trust in the integrity and capabilities of authoritative institutions is crumbling and trust between agencies may be dissolving.
One can only hope the level of competence of the authorities and TCHs will be compellingly restored before it’s too late, and that the aviation industry will not be forced to go back 30 years, when each country was doing its own certification projects with a complete hotchpotch of different standards, duplicating certification processes with rising costs and plummeting efficiency as a result, and discarding the common sense and international cooperation that have served the industry so well over the last years.
Damage control is imperative now.