Failure, Capture and Crisis – Regulators, Aircraft Manufacturers and the Construction of Safety
On 29 October 2018, a Boeing B-737MAX, operated by Lion Air, crashed 12 minutes after take-off from Jakarta, Indonesia. A second B-737MAX crashed on 10 March 2019 after take-off from Addis Ababa, Ethiopia. In both accidents, the ability of the pilots to control the behaviour of the aircraft was compromised. The following day, the Chinese Civil Aviation Authority (CAAC) ordered all B-737MAX aircraft to be grounded. This action was quickly followed by a number of other countries. The FAA waited three days before ordering the grounding of the model in the USA. The initial response from the manufacturer, Boeing, was to suggest that the problem lay with the performance of the pilots. The company’s CEO, responding to journalists’ questions at a press conference after a shareholders’ meeting, repeatedly stood behind the ‘Swiss Cheese’ mantra of any accident being the result of multiple factors in an attempt to deflect any discussion away from the role of Boeing. Soon after, he was sacked.
The Boeing 737 design concept is over 40 years old and, having passed through a dozen iterations, is probably coming to the end of its growth potential. Competition from the younger, more efficient Airbus A320 family of variants prompted Boeing to look at freshening up the B-737. The solution, to fit more powerful, fuel-efficient engines, created a problem of simple aerodynamics. The additional thrust from the engines, together with the shape of the nacelles, created a nose-up vector which needed to be counteracted under certain conditions. The solution was the Manoeuvring Characteristics Augmentation System (MCAS). This system adjusts the horizontal stabiliser trim to pitch the aircraft’s nose down if it detects a potential stall condition developing. The initial MCAS design case was for circumstances of high speed and high angles of attack, but it later became clear that it would also need to deal with low-speed situations. This had implications for the scale of control input the MCAS would need to make. In addition, MCAS drew data from a single angle of attack (AoA) indicator and, as a result, lacked redundancy. Unfortunately, reminiscent of the SAS MD-82 ATR discussed previously, the designers did not appear to consider either a loss of the AoA input due to mechanical damage or the implications of a repeated triggering of the system. The gap between the planned MCAS, as initially designed, and the actual installed version was not approved by FAA. In the event of an MCAS failure, pilots would only have limited time to detect the condition and to respond.
Intense media scrutiny followed the fatal accidents. A journalist, Dominic Gates at the Seattle Times, wrote (and continues to write) extensive pieces on aspects of the problem: Seattle is Boeing’s hometown, and the newspaper won a Pulitzer Prize for its coverage in 2020. A whistle-blower provided information to EASA, and reports circulated of the FAA being put under pressure by the pace of aircraft development and subsequent delays. FAA line managers, rather than technical experts, signed off on reports. The US Senate Committee on Aviation held formal hearings and, finally, on 1 June 2019, the FAA convened an international panel, the Joint Authorities Technical Review (JATR, 2019), to review the flight control certification process.
The B-737MAX quickly became a crisis for the manufacturer, and its response was being managed in a very complex political environment. In 2016, President Donald Trump came to power with an anti ‘Big State’ agenda. In February 2017, an executive order had been signed, requiring all federal government departments to cut back on ‘red tape’. At the same time, Trump had embarked upon a trade war with China, a state keen to expand its domestic aviation industry. The Chinese-manufactured Comac C-919 aircraft had its maiden flight on 5 May 2017 and is a direct competitor of the B-737. The speed with which the Chinese acted against the B-737MAX could be seen against this background. Aboulafia (2019) makes the point that the CAAC has a habit of banning things on a whim, has little experience, has a poor track record and is not free of political interference. In the USA, the debate about the safety of the B-737MAX was, at times, being conducted on the President’s Twitter account and, as the largest manufacturing exporter in the USA, the company’s woes were estimated to be having a negative impact on the US economy equivalent to a loss of 0.25% of GDP (Greene, 2019).
At the time of writing, work is underway to return the aircraft to the air, and the full story of the B-737MAX is beyond the scope of this chapter: it still has some distance to run. My interest is primarily in what light the event can shed on the nature of regulation and the exercise of control in the context of a system. Two aspects of the B-737MAX story are of specific relevance. The first is the manner in which the certification of MCAS was approached. This has the potential to create a cross-scale effect, manifested in a crew’s ability to control the aircraft. The second is the decision not to communicate details of MCAS to customers and, ultimately, pilots. This, clearly, will shape the underpinning knowledge available to crew about the aircraft and its behaviour.
The FAA publishes airworthiness requirements in the Code of Federal Regulations. A new model of aircraft must satisfy the latest iteration of the rules contained in regulations. Because the B-737MAX was deemed to be a modified version of the B-737NG, it was dealt with in a different manner. Under the Changed Product Rule, the 737MAX had to satisfy:
Under this framework, if a change is made, then, both the change and any areas affected by it have to be assessed for compliance. Unaffected areas do not have to be assessed. The JATR report (2019) was compiled by a team comprising representatives from NASA, the FAA and the CAAs of eight countries and the EU. The report’s recommendations are in 12 groups, and several of the recommendations reflect the complexity of the certification of modern aircraft. The report observed that regulations were found to be out of date and were not consistent in their interpretation and application. The process of certification can take up to 5 years, but there was no mechanism for testing and updating the original design assumptions. The context of certification, then, was problematic.
In order to reduce the requirement for assessment, Boeing proposed that MCAS - which was not installed on any previous model of 737 - was not, in fact, a new system but, instead, was a modification to the existing flight control trim system. For this reason, it was decided not to provide a warning of an MCAS failure as this would be reflected in the existing speed trim fail light. The original design case for the MCAS was based on a specific manoeuvre - the ‘wind up’ turn. In this context, if necessary, MCAS would reduce the load on the controls by making a slight (0.6°) reduction in back pressure. However, the scope of MCAS was then enlarged to include low-speed situations where a greater input (2.5°) would be needed. The revised design case was not risk assessed. Concern was also raised about the apparent ‘single point of failure’ represented by the fact that the MCAS was associated with a single AoA indicator. This vulnerability was raised in 2015 but dismissed on the grounds that single points of failure were permissible if the outcome was not likely to be ‘catastrophic’. A possible failure of MCAS was not deemed to be catastrophic.
In addition to framing rules, regulators conduct physical oversight. The FAA had delegated oversight of parts of the certification process to Boeing, and this was exercised by the Boeing Aviation Safety Oversight Office (BASOO). Delegation of responsibility was signed off in law in the 1920s, and by 2004, some 13,400 Designated Engineering Representatives were acting on behalf of the FAA in the US aviation industry (Downer, 2009). The BASOO comprised 45 FAA employees and 1500 Boeing staff. The JATR team commented that BASOO staff numbers were inadequate and, given that some of the FAA engineers were relatively junior, experience levels were possibly inadequate. In addition, as we saw earlier, there was evidence of pressure being put on engineering unit members. Downer observes that delegation provides access to pools of expertise unavailable from within an agency’s own resources and that, in fact, rather than confirming compliance with regulations and standards, agencies such as the FAA put trust in other, more expert, people to do it on their behalf. In the case of the B-737MAX, the trust was misplaced. The JATR report observed that Boeing exerted undue influence over the FAA, which, in turn, was guilty of possibly placing the interests of Boeing above their own responsibility to guarantee safety. It seems, then, that the FAA had a flawed understanding of the situation and, certainly, lacked the resources to maintain robust oversight.
The second point of interest was the way in which information about MCAS was communicated. Commonality between aircraft models and variants is an advantage in that it reduces the need for additional, possibly extensive, customer training. Therefore, it was in Boeing’s interest to suggest that the B-737MAX was no different from other variants. The need for training had been raised but was blocked, largely on the grounds that to include training on MCAS and dealing with possible malfunctions was estimated to add US$1 m to the unit price of each aircraft. In the event of a failure, it was assumed that the pilots would detect and respond within 4 seconds, a reaction time considered by Boeing to be a ‘longstanding industry assumption’. The issue of pilot responses to a failure was raised in an e-mail that suggested that, while 4 seconds might be a plausible response, anything in excess of 10 seconds would be catastrophic because of an inability to prevent and arrest an overspeed (Senate Committee, 2019). In a recommendation reminiscent of the MD-82 ATR saga in Chapter 3, during certification a decision was made to remove information about MCAS from the draft FCOM. As a result, the FAA Flight Standardisation Board, which makes decisions about training requirements, was not fully aware of MCAS functions and was not in a position to assess training needs. The Boeing AFM does not include all the normal, non-normal and emergency procedures. Most of the operating procedures are in the FCOM, and so, changes could be made without getting FAA approval. Once again, the regulator was not fully aware of the situation over which it was supposed to exercise control.
The example of the B-737MAX illustrates how relationships between agencies can become subverted. Although the FAA has considerable power, its freedom of action can be constrained by economic, political and procedural factors. We saw earlier that regulatory capture reflects a situation where the needs of the body being overseen take priority and the interests of those put at risk by that body’s activities - in this case, the general public and flight crews - are overlooked. The B-737MAX saga is developing into a classical example of regulatory capture. However, it is also a crisis for both Boeing and the FAA, a condition I want to explore in more detail later.
Throughout this chapter, we have seen how aviation regulators have sometimes struggled to exercise oversight of safety. Equally, many of the themes raised in Chapter 2 were apparent in the examples we have just looked at: inadequate staffing levels; lack of expertise; fragile regulations; flawed communications processes; inadequate analysis of possible risks. We also see that environmental factors - geopolitics manifested as competition and industrial output as an element of national GDP - can shape decision-making.