As members of the FAA’s Aircraft Evaluation Group (AEG) and Boeing flight test pilots prepared to perform the 737 Max’s July 10 operational suitability flights between Boeing Field in Seattle and Moses Lake, Washington, industry observers and airline customers alike eagerly awaited the results of three days of certification flying that ended a week and a half earlier. Described by an FAA spokesman as a routine part of any certification effort, the operational suitability flights marked one of the last procedural hurdles the program must clear before the agency issues its final approval for the airplane to return to service.
Before that happens, authorities must determine whether or not the software changes engineers made to the flight control systems met design criteria. During the series of certification flights, test pilots would typically fly so-called hardovers, during which control surfaces deflect to their maximum automated limit, according to retired Boeing designated engineering representative (DER) and FAA organization designation authorization (ODA) administrator Mike Borfitz.
“I would also imagine there would be a lot of analysis of the two angle-of-attack vanes,” Borfitz added. “I would imagine there would be a lot of work into the reliability of those things. What happens if there’s a disconnect between the two? Because that’s where things went south on them.”
Perhaps most vitally, testing will center on the airplane’s maneuvering characteristics augmentation system (MCAS), a malfunction of which led to the twin crashes in October 2018 and March 2019 that killed 346 people and the Max’s now 16-month grounding by global aviation authorities.
“The software is going to be a huge, huge deal…I would imagine they’d be looking at MCAS failures in all phases of flight, that being takeoff, departure, cruise, approach, and landing, that sort of thing,” explained Borfitz. “It would just be a matter of wringing out every possibility for this system to fail in.”
According to a Department of Transportation Inspector General’s report issued on July 1, Boeing failed to submit certification documents to the FAA on modifications to the MCAS, including significantly increasing the system’s ability to lower the aircraft’s nose automatically under certain conditions. According to the report, FAA flight test personnel knew of the change, but “key” agency certification engineers and personnel responsible for approving the level of airline pilot training told the IG’s office they did not.
The report also revealed that because Boeing’s safety analysis did not assess system-level safety risks as catastrophic, the company’s engineers designed MCAS to rely on data from just one of the two flight control computers associated with the angle-of-attack sensors.
Although Boeing did not communicate to the FAA the formal safety risk assessments related to MCAS until November 2016 and January 2017, more than four years into the five-year certification process, FAA managers told the IG’s office that “it isn’t unusual” for manufacturers to complete and submit safety assessments toward the end of the certification process.
Meanwhile, because Boeing presented the software as a modification to the 737’s existing speed trim system that would activate only in limited conditions, the FAA did not emphasize MCAS in its certification efforts and, therefore, a more detailed review of the system did not occur between agency engineers and Boeing. Rather, the FAA concentrated its efforts on what it considered high-risk areas such as the airplane’s larger engines, fly-by-wire spoilers, and landing gear changes.
“From everything I’ve seen, it appears to me that the MCAS fault was overlooked,” said Borfitz. “And it appears to me that it was undervalued…understated by the Boeing Company. You can only regulate what you know. That’s the kind of thing that I really hang my hat on, that the FAA can only regulate what they’re told.”
Following the start of flight testing in 2016, the FAA’s Flight Standards Service approved a training plan proposed by Boeing—known as Level B training—for 737 Max pilots already qualified to fly the Boeing 737-800. According to the IG report, the outcome met with Boeing’s “overarching” goal of gaining a common type rating for pilots moving to the Max from the NG largely because it limited costs by avoiding simulator training. Furthermore, required training did not include pilot response to automated MCAS activation, added the report.
According to Borfitz, Boeing’s failure to rank as catastrophic the level of system-level safety risks in the MCAS also might have allowed it to avoid the need for simulator training.
The FAA’s Flight Standardization Board (FSB) and the Joint Operations Evaluation Board (JOEB)—which includes international partners from Canada, Europe, and Brazil—will evaluate minimum pilot training requirements, including the need for simulator time. The FSB will issue a draft report for public comment addressing the groups’ findings before the FAA publishes a final FSB report.
Other tasks include an FAA review of Boeing’s final design documentation to evaluate compliance with all agency regulations. The multi-agency Technical Advisory Board (TAB) will also review the final Boeing submission and issue a final report before the FAA determines compliance. The FAA then must issue a Continued Airworthiness Notification to the International Community (CANIC) of pending safety actions and publish an airworthiness directive (AD) that addresses the known problems that led to the grounding. The AD will advise operators of needed corrective actions before aircraft may re-enter commercial service.
Once it rescinds the grounding order, the FAA will retain its authority to issue airworthiness certificates and export certificates for all new 737 Max airplanes manufactured since the grounding and perform in-person, individual reviews of each aircraft. Those reviews, said Borfitz, will require the FAA to commit far more resources to delivery authorizations than usual given that regulations allow for ODA personnel to release the airplanes for delivery in normal circumstances. Inspectors will have to conduct a review of manufacturing records, including approved corrective actions for typical deviations such as mis-drilled holes, deviations in materials or processes, as well as a thorough review of the more critical design changes such as software revision levels. Returning airplanes from storage is another process the FAA likely needs to review.
“Those inspectors are going to go out and they’re going to take a look at the airplanes, they’re going to first and foremost ensure that the software load on each airplane is correct and appropriate and the paperwork is all correct,” explained Borfitz.
Inspectors might also review what Borfitz also described as a “stack of information” known as material review board (MRB) documentation that follows each airplane during the production process.
“The MRB is a pretty rigorous process and it’s part of the production approval,” he explained. “An inspector might want to look into the MRBs just to do a spot check through that paperwork, but first and foremost is to be sure the software load is correct and the process is appropriate. Typically they don’t do that; everything is just delegated and the MIDO [FAA manufacturing inspection district office] folks just review the process.”