Stifle your initial yawn – our lives depend on a technical oxymoron of innovation & certitude.

You have surely wondered at the checks & balances, the machinations & controls that go into realising the approvals on the aircraft in which you fly. Fear not – they are extensive, but fear(!) – inevitably there is an element of compromise.

First and foremost, aircraft certification is not given in the belief that it will prevent accidents. Anything that defies gravity and leaves terra-firma, is certain, now-and-again, to come down unexpectedly and with a big bump. The aim of regulatory authorities is to seek to minimize design and human error as a cause, and to put controls in place by exacting technical and operational systemization. But as is now common in any risk analysis, acceptable risk is not zero risk.  In aviation it is 0.002%. In other words, when you fly you have a 99.998% of reaching your desired destination (albeit, not always in a timely manner !!). As a measure of overall safety, this far exceeds that of ground transportation that you use most days. But, notwithstanding this elevated targeting, the process is not without surprising discrepancies.

The world of aviation is based on a baseline set of regulations (in massive tomes) drawn up by the International Civil Aviation Authority (ICAO), now effectively the aviation arm of UNO (the United Nations). Dull as puddle water, its origins were a riveting bit of history, dating back to 1944 during the still uncertain and intense hostilities in the latter years of WW-II.  

Recognizing that aircraft now transporting bombloads of destruction, would one day carry passengers and freight in similar quantities, all parties to the war gathered in Montreal, Canada to agree a set of baseline regulations for the conduct of commercial aviation once the war was over – whoever won it. The logistics of getting everyone to that meeting and the underlying diplomacy which produced the final declaration (below), is as extraordinary as the regulatory document is dull – and it is very dull! Also, to this day, ICAO remains based in Montreal.

On that foundation three main aviation genus have evolved, inevitably based aviation hubs of design, innovation, and manufacture – the American FAA, the European EASA, and the Russian ‘WhatevA’!  Roughly 90% of aviation is controlled by the first two and that in most of the former Russian empire (the USSR) by the latter. As is true for most things Russian, the devil is in the (lack of) detail. That doesn’t make Russian designs bad – indeed they build robust aircraft, particularly helicopters. But historically lower levels of control and verification have led to higher levels of risk**, albeit matched by significantly lower cost of purchase (an 18 Pax. helicopter in ‘the West’ costs more than 5 times that of an equivalent manufactured in Russia).  Fortunately, now (or at least until the invasion of Ukraine), with most commercial aircraft operated by Russian airlines being of western manufacture, there is a better alignment in accident statistics.

(**By way of example, there are similar numbers of aircraft on the Russian and UK registers but, over the last 50 years, with more than five times the accident rate in Russia)

Not surprisingly there is a high level of commonality between the two western systems which themselves form the basis of most other global national regulatory practices (even in China) – with nations’ choice of US or EU alignment typically being based on countries’ historical alignments.

So, the regulatory big picture is multi-tiered. ICAO approves a country to operate the aircraft on its register internationally but has no control, only influence, in what goes on within each country’s internal airspace. There, the National Civil Aviation Authority, going under many different names, but to which here we will refer as ‘the NCAA’, certifies each air operator by periodic award of an AOC (Air Operator’s Certificate) and each registered aircraft by issue of an annual CofA (Certificate of Airworthiness). You’ve guessed it – the potential for corruption is rife!!  And there is another issue, the dual hatted nature of NCAAs – to both promote and to regulate their national aviation industries. These two roles are, in the main, incompatible and is an issue that remans largely unresolved as exemplified, in part, by the Boeing Max-saga discussed in an earlier article on this site. As such, while the regulations are based on the ICAO baseline with FAA or EASA alignment, the quality of the detail and consistency of its implementation by NCAAs varies enormously.

The principal control in this regard is ICAO through a single sanction – the right to deny corrupt nations’ aircraft the right to use international airspace. Of course, they don’t shoot down a sanctioned nation’s aircraft if they stray outside their national airspace, but ICAO can decertify any international airport which allows them to land – a fully effective commercial sanction. Unfortunately, such NCAA declassification by ICAO is only used in extremis, with less than a dozen (mostly small and backward) countries thus black-listed.

The certification process, like everything in life, is subject to financial limitation. In all aspects of regulation, there is just not enough money available to do things ‘properly’ across the board. So, under ICAO rules, the regulatory focus is on the carriage of passengers. Hence, as a general principal, the less the passengers on an aircraft type or mission profile, the less the regulation. This is reflected in the ICAO specified levels of certification, with increasing degrees of monitoring at each level along these lines: –

• Experimental – this is what all aircraft fly under during the certification process under FAA/EASA. Aircraft are limited as to when and where they can fly, what flight profiles are followed and with whom on board. Each series of test flights is endorsed by the National Authority with approvals of subsequent steps being subject to the reporting of the previous series. Some wild things can go on within this category and it is here that most aviation technical development occurs.
• Aerial Work – this is the lowest level of certification under which aircraft can fly ‘for hire & reward’ basically only for freighting or specialist missions. Pax. on board are limited to crew members. This includes such things such as cargo carriage, heavy-lifting, forest firefighting, logging, aerial advertising, aerobatics, paramilitary agency marine surveillance and pilot training. Transport Category aircraft (see below) can recertify themselves at this lower level to do specific jobs. So, if you want to do something ‘extra-ordinary’ with an aircraft, this is the way to go.
• Transport Category – this is for the carriage of fare-paying passengers (Pax.) and under ICAO regulations is evidently the most highly controlled. However, within a national context, this again is to various levels.
  • Part-91: is for private aircraft servicing a restricted & specified range of Pax. such as corporate business jets, flying clubs and the like. Controls & limitations are kept to a minimum, it being very similar to Aerial Work. Even more lofty service providers such as Airforce-One in the USA and the Queen’s (now King’s) Flight in the UK, nominally are also likely to be operated under this category.
  • Part-135: is for General Aviation (GA) including all charter operations. So if a business jet is offered for charter, it must upgrade to this level. On the technical side, the level of service provider surveillance and controls is essentially the same as Part-121 (below) but with less stringency on operating criteria and passenger controls.
  • Part-121: is for Commercial Aviation. As such, any Airline accepting ad-hoc, fare-paying Pax., must operate to these most stringent criteria where everything is done to the highest standard, in accordance with a proscribed and documented methodology from which no deviation is permitted.

Not surprisingly, the US-FAA and the European EASA use the same certification benchmarks, but separately developed.  But with their respective aircraft designs now only differing in the detail, the two set of regulations have steadily become more aligned to the point of being almost identical. Only the Russians hold out to their own (lack of) rules and for that reason, while designing robust and relatively inexpensive aircraft, they can only use them for carriage of Pax. within their (albeit massive) national borders. As yet, and not for want of trying, none of the established Russian-built airliners have achieved EASA/FAA certification standards. However, a new generation of Russian (and Chinese) aircraft designs are stumbling uncertainly towards that goal.

The big difference between EASA and the FAA is in the method of certification of new aircraft types.  The US-FAA is a tortuously labyrinthine bureaucracy, while the Europeans, while still ever the bureaucrat, the style is more corporate than governmental. So, while in the US certification is at fixed rates based on the nature of the task, in Europe it is man-hour related. So, while this makes European certification more expensive (which, since the OEMs there have access to low-cost government loans, to the fury of their US competitors, the European counterparts can afford), it is also quicker and more adaptive, as the Authority is as much a Service Provider as a Government Agent.

The Brits (as is their eccentric way) have taken this to an extreme. In the 1930s, as aviation became a mainstream service and the government sought to legislate, the industry kicked back and formed a self-regulating body – as such the UK-CAA fulfils the same regulatory role but, as a Non-governmental Organisation (NGO), it is largely funded by the industry it regulates. As such, in the UK, certification is a contractual task with obligations on both sides and the ability to sue if the Regulator fails to provide the agreed certification within the contracted timeframe.

As a result, while with EASA and the FAA, the onus is on the OEM to demonstrate that a product is safe, in the UK it is the other way round, with the onus is on the CAA to substantiate that a product is unsafe to require its modification. The path to certification in the UK is thus surer, but a lot more expensive. The one bonus of FAA certification is that the experimental category which, being a domain dominated by DARPA (the Defence Advanced Project Agency), extremes are acceptable. The European experimental counterparts are typically more conservative. It is for this reason that the USA now leads in most aspects of aeronautical development.

Underlying the above systemisation and controls are financial realities – money still talks! In truth, no electro-mechanical device testing and certification is fool proof. But at least in cars it reflects the vehicles’ guarantee period. With aircraft, as a function of operating costs and development timeframes, the level of testing during the certification process gets nowhere near to this. Typically, the process from first flight to type certification takes some 3-5 years and with barely a couple of a thousand hours of test flying – and with the latter flight hours typically spread over several test aircraft (hence, with only a few hundred hours on each unit).

This is driven purely by commercial pressures and ALARP principals.  So, notwithstanding certified airworthiness by the FAA/EASA, the parties in the sale any new aircraft type, will have little idea of what will happen in the latter part of the 5 year or 5000 flight-hours typically covered in an aircraft guarantee period, and not an inkling of what might occur thereafter (a typical aircraft life being some 30 years and/or more than 40,000 flight hours – choppas rather less). So, even the best and most exacting of aircraft designs can have awful incidents.  

An example of this occurred in one of the most powerful, hence safest, of helicopters. Having passed the normal certification process with flying colours and taken the market by storm, as a function of its very high-power output, after 3000+ hours of flying a few individual aircraft experienced serious tail-rotor problems with a few of them dropping-off in flight!!  With the half-dozen test vehicles each having only flown less than 1000 hours under test, there was no way such failure could have been reasonably predicted.

A detailed design review immediately imposed by the OEM Regulatory Authority quickly produced an effective solution, and there have been no problems since.  But sometimes, driven by commercial pressures, technical solutions can be fudged. There is an example of a much-used Part-121 Airliner flying to this day with such an egregious compromise. Like any cell phone its lithium battery at the core of the electrical system risks severe overheating and associated fire-risk. The Authorities of course suggested a different battery be used.  However, there was none on the market with the required capability and output. Such predicated a restructuring of the aircraft electronic design which at such a late stage in the certification process was commercially unthinkable. The fudge therefore was to accept the risk but to mitigate it by locating the battery in a specially designed fireproof compartment. So, to this day, hundreds of these airliners are flying with a potential fire-bomb encased in its technical core.  While such has been shown to meet acceptable ALARP and Risk Management criteria, subjectively it is somewhat unnerving and clearly shows the financial constraints on the certification process.  

Unfortunately, almost every new aircraft type experience something similar. Regulatory Authorities therefore oblige and formalize the end-user community reporting of all failures and, where deemed a risk to flight safety, aircraft by type or batch can be immediately grounded by issue of an ASB – Alert Service Bulletin (ASB) – by the manufacturer. This is then rapidly endorsed by the OEM Regulatory Authority by issue of an ASR (Aircraft Servicing Requirement) or an AD (Aircraft Directive). These remain in force until the failure is corrected or mitigated. Typically, this will be measured in days or weeks, but in the case of the B737-Max, it took almost two years.

And talking of the Max., one of the aspects of this sorry tale that the scandalising multi-media made a feast of, was that the OEM Quality department did many of the FAA certification tasks in-house. This was seen as corporate duplicity. It is, in fact, a norm throughout the aviation industry.  The FAA annual budget, along with every other NCAA in the world, is insufficient for the task.  So, there are never enough inspectors not least because, anyone qualified for that role, can earn a lot more money in the commercial sector that is being inspected – so there is no waiting list of applicants. As a result, QA (Quality Assurance) managers world-wide are twin-hatted, reporting both to the CEO of the Airline and the Technical Directorate of the NCAA. 

This works because it takes a lot of graft to get an engineering license – at some 10 years, it is significantly longer than, say, a doctor: and a QA license is only awarded to folk having many years experience in engineering management.  As such, it is effectively the top of the technical tree, and no-one there will allow an ‘amateur’ CEO/CFO to put his valuable and hard-earned license at risk by demanding he cover-up any incident that may occur within an air operator! The Boeing Max saga was a very rare exception to this rule.

In summary, the only way to guarantee safety in aviation, is not to fly. So, while the process of aircraft certification is far from flawless, the systematic and frequent checks and balances of every process, and every electro-mechanical part of an aircraft, ensures that the level of risk is significantly less than that relating to an outing in your car. But systems are only as good as the humans that implement them so, as on the road, one should keep a beady eye out for folk who do not look after their vehicles properly!

Summary – It is a pleasing paradox that possibly the least preferred seat on a commercial airliner, is probably the safest one.

But to begin with a few general words on seats. Firstly they, along with the interiors of all aircraft, are not actually made by the aircraft OEM but by specialist companies that compete to supply aircraft interiors. That said, Boeing specify an economy seat that is a couple of centimetres less wide than that of Airbus and with a 28” separation – the so-called seat pitch – (Airbus specify 30”) to squeeze in a few more passengers into their slightly smaller airframes. Small difference maybe, but over a 3–5-hour flight this makes a big difference.

• More importantly, in the event of such ‘9g’ crash, if not actually cut in two by the lap strap, folk will suffer such bad organ damage that, in the event of survival of the event itself, an ensuing slower death is assured. A shoulder strap (better two) is a lifesaver. Such has always been known but, until now, only airline staff have been thus privileged (and, most recently, First & Business class also).

• The seats also face in the wrong direction. In the event of a crash, aft facing seats would largely mitigate the above two problems, increasing the chances of survival significantly. Airlines don’t do anything about this principally due to a perception that passengers like to see where they are going. And then there is the cost. Sadly, one cannot just turn the seat around – the seat structure is completely different. To do so on a new aircraft type would be easy, but that would highlight this safety issue: for any airline, the thought of then having to retro-fit the rest of a large fleet of in-service older aircraft will assure that this, and shoulder harnesses, will never happen – in coach anyway…….!

As stated above, in airline manufacture, unlike cars, the OEMs do not fit the interiors. This is done by specialist service providers contracted directly by the end-user airlines and to design limitations set, and overseen, by national regulatory authorities.  So, this element, so fundamental to an airline image and passenger satisfaction, has little to do with the aircraft OEM. It also represents only slightly more than 1% of an airliner’s cost.  Indeed, while on the subject, with respect to airliner cost, OEMs are directly responsible for the manufacture of only about a quarter of the end-product. Having developed and certified a new design (at huge expense) they actually only build the cockpit and hull structures and sometimes the wings and tailplane. The rest is furnished by other specialist service providers and only bolted on, or fitted into, said hull by the aircraft OEM. As such, were an aircraft manufacturer to go bankrupt or withdraw from the market, the impact on their aircraft end-users is little more than an administrative inconvenience.

 In previous articles we investigate how airliners are controlled of which increasingly, the near-total reliance on digital technologies, makes gloomy reading for analogue man. It also makes the subject at hand, namely, the safest seat on an airliner if one of these flying whales goes out of control, a subject of considerable relevance.

In first class one pays for luxury, a premium service and to be the first off, the aircraft: but one is also the first to die. The cockpit module is manufactured separately to the main hull onto which it is bolted. It is a very strong structure, with significantly higher stress tolerances than the main passenger carrying hull, and into which, in the event of an emergency, most of the working crew strap themselves (using said four or five-point seat harnesses).  The rest of the hull, where we the fare-paying, single lap-strapped masses are seated, is relatively flimsy in comparison. So, in the event of a crash-landing, it is certain that the hull will concertina into the strongly reinforced cockpit section, thus crushing to death all those high-paying premium flyers at the front.

 Business class passengers are even worse off because, in addition to the crushing element described above, they are in the vicinity of the wing in which many hundreds of gallons of flammable aviation fuel are stored – so for them crushing and incineration are in delightful prospect (typically not highlighted in the glossy advertising). And if that wasn’t bad enough, any very dangerous cargo goods (DG) needing transportation are typically loaded in the wing box section, it being the strongest part of the hull hence, in the cargo area beneath the business class seats. Such cargo includes killer viruses, poisonous gases, explosive chemicals, and even radioactive waste to name but a few of the more delightful possibilities. This is due to the considerable bulk and associated greater weight of the DG packaging, which, of necessity, needs to be located near the aircraft centre of gravity and in the strongest part, of the hull – and one pays a significant premium for the privilege of being seated above this refuse…………?!

The high passenger density in economy, inevitably, is an inherent danger. But the biggest single hazard are the overhead baggage bins. Their design specification is to 7kg per pax – need one say more………?  The effect of the almost universal abuse of this baseline criterion is that, in the event of a crash, the locker structures are overwhelmed by the force of the impact and come crashing down with great force, mercifully breaking the necks of virtually all beneath.

 Only one row of seats remains completely unaffected by this mayhem – the back row. With it being located forward of the toilets, and with the lockers above usually taken over by the cabin staff and blessed with a general ‘pocky’ seat appearance, such makes this place less than a ‘des-res’ for the duration of any flight. But consider this. When those overburdened overhead lockers come crashing down, the forces of impact will also direct them forwards in the direction of flight. Hence, those in the last row will, typically, not be ‘topped’ by the falling overhead bins. Far from the wings, neither will they be burned to death. There is also no cargo space in the tail, so the horror of DG is not an issue. Finally, as the hull concertinas, it whip-lashes and weakens, often causing it to break, typically some three-quarters of the way aft. Hence, those passengers still alive in the broken tail-plane unit (typically, only those in the last row), will likely be able to simply walk or swim out of the open hull.  A recent example of this was in an Eva Air crash-landing at Los Angeles whereby the tail fin unit broke off, spinning across the airfield. When it came to rest, the four Flight Attendants strapped in their seats in that section (of course, with their 4-point harnesses) simply got out and walked away without even a bruise to show for it.!

Back against the wall

Daily Mail Newspaper

So, safer though it may be, when should the use this essentially undesirable seat row be considered.? Firstly, for any airline, when there is an expectation of heavy rain, or worse still, heavy snow, at the destination airport. In such circumstances, it is possible that a combination of minor piloting errors, possible gusting crosswinds and/or heavy braking on a slippery runway surface, is a quite frequent cause of runway excursions into the grass or worse.  In a more general context, the discomforts of the rear row should also be considered when using airlines in developing countries and with all but the largest LCCs (low-cost carriers).  

For LCCs this is not a structural issue.  The cost and method of operating a given type of airliner is very much the same whether operated by an established legacy airline or an LCC – the substantial fuel costs are exactly the same. Hence the savings necessary to reduce (LCC) ticket costs, in addition to slashing administrative overhead and infrastructural elements, are found largely in three ways – all with negative attributes in a safety context.

Firstly, in the use of lower capital cost (i.e., older) aircraft which typically are using previous generation flight technologies and inevitably which, through wear-and-tear, are more likely to suffer unscheduled technical events. Similarly, by maximizing aircraft utilization, through reduced turn-round times, can only have negative maintenance implications.  And thirdly, crew costs: experienced pilots will generally seek to work with legacy airlines where pay and perks are better. So, by dint of lower wages, LCC airliners are flown by less experienced Captains and First officers, the latter, on occasions, almost fresh out of Pilot school.

In terms of general safety, all the above are negatives. Hence, by way of mitigation, to subject oneself to the minor discomforts of the last row for the couple of hours of a short-haul flight makes good sense. And there are positives. LCCs generally forgo the use of flying bridges resulting in the back row passengers being among the first off the aircraft and onto the bus using the rear doors. Further to that, the back rows of economy, along with the front rows, are also generally the first to be served. Finally, one is near to the location where flight attendants are typically hiding when ignoring the passenger staff call button, making them more responsive to a good-old analogue shout which is more difficult for them to ignore!

In short, notwithstanding all the negatives highlighted above, the chances of a flight accident are minimal – travel on roads is significantly more dangerous. But, for any given flight, should the negatives impacting safety be perceived to increase, just as in the workplace, mitigating the associated risks, even if a cause for minor discomfort, is simple common sense.  

Summary – In previous articles we discussed automated flight systems in general. In this article we examine in detail a nominal systemic ‘tweek’ in the flight automation by Boeing of their dominant 737-series regional airliner which has developed into a major scandal. Boeing is as synonymous with commercial aviation as Bell is to helicopters. They invented the quality systems on which ISO-9000 is based. So, how is it that they appear to have lost the plot in this regard? It is a long story, so we have done it in three parts. The first was a brief history of how the Boeing Aircraft Company achieved total market dominance: the second analysed how this hegemony has been successfully challenged by Airbus. This final article is an analysis of how the useful MCAS concept became a killer.

Part-III:  A Technical Fudge (Sales wags Engineering)

In the first two parts of this article we saw how the Boeing Aircraft Company changed its core value from engineering excellence to optimised financial management, supressing technical innovation and excellence to favour of the bottom line to become a Wall Street darling. This allowed their rival Airbus in the last 10 years to assume the lead both technically and commercially. While just holding their own in the wide-body market, in the larger narrow body sector, Boeing are getting trounced. Having neither the time nor the money to bring a new game-changer design into play, they opted instead to seek to match the competition by re-engining the venerable 737 design with a new, fuel-efficient, by-pass engine type. However, by its very ‘by-pass’ nature, the new engine was significantly larger than its direct-flow predecessor powerplant and thus no longer fitted in the space under the wing. As described in the second part of this series, it was therefore moved forward and raised on a structural pylon. This changed the aerodynamics of the aircraft, risking a stall condition at high power settings. This negative and potentially dangerous impact was overcome using technical trickery, MCAS – Manoeuvring Characteristic Augmentation System – a simple but clever automated device to overcome this negative aerodynamic norm at an insipient stage. The new powerplant, combined with a unique winglet design to maintain laminar airflow on the wings, increased the efficiency of this new 737 iteration by some 20%. However, while looking much the same as its 737-900 predecessor, it was arguably, a new aircraft type.  But to minimize the requirements relating to the associated certification and subsequent conversion-to-type for the client airlines, the Sales department was allowed to obfuscate and minimise the engineering issues. The result was bumper sales – a commercial triumph – and an latent disaster.

Airbus & Boeing – head to head adversaries

The latter demon soon woke. Within a few months of entry into service, a Lion Air Max crashed into the sea shortly after take-off from Jakarta on a mild day with light breezes. With the Captain being a foreign national and the co-pilot relatively inexperienced, it suited both operator and manufacturer alike to initially blame it on Pilot error. While the detailed accident investigation followed it’s protracted course, that was the generally accepted view in the aviation industry. But then, just five months later, a very similar accident occurred in Ethiopian Airlines, also just after take-off and also in fair weather. Now, while Lion Air is an LCC in a poorly regulated developing nation, the national airline of Ethiopia is highly respected internationally, being run to very high standards by a bunch of experienced expats from the developed world. So the event was not so easily fobbed-off. As a result, led by the Chinese, more and more developed nations grounded the Max. The last to do so was the USA and then only after the Pilot’s Union wrote an open letter to the President of the USA resulting in it being grounded, not by the FAA, but by a Presidential Decree !

The root cause in each case was eventually found to be a failure of an angle of attack (AoA) indicator. This is a simple mechanical pendulum device allowing the easy measurement of aircraft flight angle relative to the horizontal, hence the aerodynamic Angle of Attack – (AoA).  In the Ethiopian accident the sensor was found to have been broken by a bird strike: in Indonesia, with the unfortunate aircraft having plunged into the sea at very high speed, no definitive prognosis could be made, but it was considered a reasonable assumption. Bird strikes are common hazard in aviation, so the two events could be considered appalling bad luck. But, as the investigations proceeded and multiple other casual factors came to light, it started to become abundantly clear that appalling management at the OEM was equally to blame – and herein lies the scandal. This has been exposed in an excellent Netflix documentary – Downfall – by Rory Kennedy (yes, of ‘that’ family) issued late in 2021 and on which much of this thesis is based. The failures cover almost every aspect of management within Boeing!  Let’s start with the technical.

In fully automated systems, everything must be duplex: if safety critical, then it’s triplex. The AoA indication, being the fundamental driver of MCAS, is surely in the latter category. Yet it was simplex! There are actually two such AoA sensors (to left / right of the nose) but no software provision was made to cover one or both failing except for a computing anomaly indication – thus effectively making this safety critical element simplex. At the time of writing, one can offer no logic for such a fundamental error: maybe it was a just factor of the sensor’s simplicity in that, being little more than a plumb line, it is was considered that there was nothing there to fail……. That said, with man-in-loop (an earlier article – PFT-2 – on Flight Automation refers), it would not in itself have been a big deal as the MCAS element could just be switched off and the aircraft flown manually.  

It is here that the second root cause, of commercial sales wagging the technical dog, came into play. There were two main issues. Management wanted a speedy certification process to get the aircraft into service as quickly as possible so as to better compete with the A320-Neo family; and the Sales strategy was to minimise the conversion to type for B737-800/900 pilots (again emulating said 320-family) to be little more than a in-house computerised aircraft differences training, with a standard line check by an authorised airline Training Captain on completion. This was to avoid the training typical for new aircraft types requiring pilots to fly to the USA for a couple of weeks conversion Training with the OEM and the need to build specific simulators to accommodate the emergency aspects of that training.  If conversion to the new type could be accommodated within the existing infrastructure, then time-lines and costs bringing the new type into service would be dramatically reduced for both the OEM and end-user Operators.  

So the OEM management decision was to ‘hide’ the MCAS within the existing auto-pilot as an auto-stabilization element (which, in effect, it indeed was).  As a result, it was not documented in any detail anywhere – not in the Pilots’ Ops. Manual, not in Technical Manuals, nor even in cockpit checklists. This technical subterfuge was so complete that the only mention of MCAS in all of the technical and operational documentation was in the Glossary of Terms at the very beginning of every Manual. (Typically Glossaries, being common to all the various Manuals pertaining to any aircraft type, are kept as a separate computer file).  As such, with all reference to MCAS removed in all other Manuals and Checklists, it appears to have been left in the Glossary by oversight – effectively a “typo”.  Such is indicative that, decisions with regard to the technical strategy of eliminating all reference to MCAS in both technical and operational Manuals and cockpit check-lists, was taken at the highest levels within the company.  In fairness, there is a logic in this regard, in that the automated elements were really very simple and, as long as there was no failure, the system inputs were so deeply embedded in the aircraft’s operating system, as to be unnoticeable. So MCAS was presented as a software ‘tweek’ to make this Max ‘feel’ like its 737-800/900 predecessors, which indeed, was essentially the case. The Wall Street Journal subsequent investigation as to its lack of elevation, advises of a Boeing statement being made to the effect that it was company policy “not to overload Pilots with too much information”!  As a result of this Sales ploy, no mention was made of two simple switches labelled ‘auto-stab.’, that would turn off the MCAS in the event of a software problem.

Rory Kennedy’s Downfall documentary includes footage in a simulator showing what happens when the AoA indicator fails. The effect of the broken mechanical sensor meant that, in maintaining a mechanical vertical, the  pendulum fed an apparent high nose-up input into the FMS computer: such is indicative of a stall. This causes various panel lights to start flashing, the (joy) stick shaker activates, a voice screams “stall, stall !” and the computer brutally shoves the nose down. The flying pilot, seeing that the aircraft was in a normal flight condition, pulls the nose back up manually and the cycle restarts again getting more brutal each time as aircraft speed increases. The non-flying pilot frantically searches through checklists for information – there is none – thus  leaving the crew trying to understand what heck was going on as they loose control of the aircraft in a cacophony of cockpit noise, no doubt further exacerbating matters, resulting in other mistakes. Such is the stuff of nightmares but, as a reality, there was no waking-up in a cold sweat, just a mercifully short screaming panic and oblivion…………  

Actually all that needed to be done was to close the aforementioned couple of normal looking switches labelled ‘auto-stab’ and the MCAS would have been disconnected and the aircraft flown normally. But not only were these switches not documented, they were also tucked away at the back of the center console and so not readily visible. This was stated nowhere in the cockpit checklists. In the USA the information as to the use and location of these switches had passed by word of mouth between crews, and was likely seen as a teething problem with auto-stabilization in a new aircraft type that would soon be sorted out, with the check-lists being amended accordingly at the next update and as such, no big deal. Crews further afield overseas were less well advised. Actually, the pilot that few the Lion aircraft the day before the crash, also had the MCAS problem but, with friends in the US, he was in-the-loop and knew what to do, switched-off the Autostab. and conducted the rest of the 90 minute flight ‘manually’.  On arrival in Jakarta, it is understood that, as is normal, he entered the auto-stab. unserviceability in the Technical Logbook. The engineers no doubt ground tested the system but, with the aircraft being horizontal on the ground, it of course worked normally. That being the case, they would have entered “tested and assessed serviceable” in that aircraft’s Technical Logbook (also a normal, and frequently used, procedure).  So, the unfortunate Indian Captain assigned to the aircraft the next day, inevitably suffered the same problem again but, being out of the US Pilots’ gossip-loop, was not so lucky and nor were his 180-odd passengers and crew!  The recovered Cockpit Voice Recorders shows similar confusion and panic in the final moments Ethiopian Airlines Max some five months later.

Conclusion

In the 18 months enforced down time since these accidents, the B737-Max has been virtually completely recertified by the FAA and the MCAS issue in particular is now fully resolved and properly documented, with pilots being properly trained in its use. The pendulum AoA sensor, through additional software, has now effectively been made duplex. So one may be confident there will be no repeat in future global Max operations of this sorry tale. The same cannot be said for the Boeing company. Their quality management issues in manufacture are still on-going causing 10s of billions of lost revenue, fines, law suites and capital expenditure. In such circumstances, one cannot imagine where they will find funds to develop a new mid-range aircraft design (the NMA – New Mid-range Aircraft) which they so desperately need to compete with Airbus. Indeed the Boeing CEO, David Calhoun, has indicated in an October interview that, for him, NMA has come to mean ‘No More Aircraft’ – at least until there are new engines types capable of offering some 20% in fuel savings.

Such engines are likely be similar to the new open-fan types currently being tested by Airbus on an A380 (see photo.). As such, there is a logic to this decision in that its location on the aircraft may likely be other than under the wing. However, since such power plants will only be available towards the end of this decade, the delay will mean that Boeing will have come up with no fresh design for more than quarter of a century. For much of this century, Boeing and Airbus have split the market between them approximately 50:50. Since the Max-saga, it has dropped to less than 40:60 in Airbus’s favour. For Boeing to not produce a new aircraft type for a full human generation will increase the negative impact on this balance, which will be further exacerbated by the fact that a whole generation of Boeing engineers will have had no experience in the field of commercial new aircraft development. 

This is while Airbus are busily developing new generations of airliners with hybrid-electric or hydrogen power plants. So 10 years hence a 30:70 split is not unimaginable. The June announcement of the intention to move of the Boeing corporate HQ from Chicago to Washington DC, is indicative of a Boeing acceptance of this and a shift of company focus to government military/space projects.

But, notwithstanding one’s harsh review of this recent scandalous history, the author of this piece, where possible, will always choose to fly in a Boeing over an Airbus. Why? Because, as stated in a former flight control essay (PFT-2 in Sepetmber’22), with the exception of the B-787, Boeing aircraft are flown by Pilots, while the more advanced (Fly-by-Wire) Airbus types are flown by a computer. Before one is sued for the publication of such an opinion, let it be said this is a subjective choice is based on no (accepted) objective evidence and hence, is solely a function of this Author’s personal lack of digital empathy – a peccadillo for sure, but one that is shared by many other analogue folk!  

Summary – In previous articles we discussed automated flight systems in general. In this series of three articles we examine in detail a nominal systemic ‘tweek’ in the flight automation by Boeing of their dominant 737-series regional airliner which developed into a major scandal. Boeing is as synonymous with commercial aviation as Bell is to helicopters. They invented the quality systems on which ISO-9000 is based. So, how is it that they appear to have lost the plot in this regard? It is a long story. In the first part we gave a brief history of the first 100 years of the Boeing Flight Company, its designs and how it achieved total dominance in the commercial Airliner market. In this part we examine how, by failing to compete with Airbus technical innovation, Boeing lost their market hegemony.

Part-II:  The King has no Clothes – Tail wags Dog

In Part-1 of this history we saw how over a couple of generations, aviation in general, and the Boeing Company as a leading protagonist, evolved from the excitement of technical advancement into an investor driven industry. (In passing it is interesting to observe the parallel in today’s nascent Space industry).  So it was that, post-merger with McDonald-Douglas, the bean counters of MD assumed control over the joint venture with Wall Street accolades being prioritized over technical innovation. In fairness, from a purely financial perspective, with the merged Boeing Company having total market dominance in latter half of the Century, there seemed no good reason for the company to make the additional investment to match the technical innovation focused in a new European start-up, Airbus Industries. Having successfully castrated the Anglo-French Concorde, a technical last-gasp, this subsequent flabby political response with a gargantuan bureaucracy, formed in an attempt to halt the European brain drain of fading aviation expertise into the dynamic and now dominant US market, was seen as no threat. However this Newco, with no technical ‘baggage’ and deep governmental investor pockets, allowed the managing technicians to deploy state-of-the-art technologies in their new Airliner designs. For a score of years, as the new company felt it’s way and its first design, the A300 wide-body jumped the hurdles of certification, this had no impact on commercial aviation and so remained no threat to Boeing as the dominant airline market controller.

But, at the turn of the century, when the state-of-the-art and highly efficient A320 family entered service and soon dominated, the now rapidly growing narrow-body market, this swiftly changed. Suddenly faced with these cost-effective regional designs and the A330 to 380 impacting the long haul market, Boeing found itself competing against them with 1960/1970s designs – the B737-series and B767-series respectively. Neither was a match for the state-of-the-art Airbus competition as the table below of wide-body performance demonstrates.

Clearly knocking out more aircraft each week (up to a dozen) with less of everything, instilled an atmosphere of stress in the culture and practices on the factory floor and this is now evidenced in virtually every major Boeing program. In addition to the 737-Max saga, poor program management is evidenced in the 777-X being years behind schedule, 787 production having been on temporary hold due to QC standards and certification issues, the USAF new generation (B767-based) KC-46 aerial Tanker’s experiencing a very messy and delayed acceptance into service and, in space, the Starliner spaceship’s hugely delayed first launch. The common cause would appear to be corporate penny-pinching, and this is a probable root cause of the most recent B737-Max outrage as Part-III will show.

By any standard, the B-737 series is a very successful mid-market aircraft with more than 10,000 units thus far built over its 50-year life-span. During this time-frame, by incremental hull stretches and engine growth, the 737-series range and payload have been cost-effectively more than doubled. In the widebody sector, the B747 Jumbo Boeing dominated the trans-oceanic routes. Overland, the only serious competition to its B767 wide-bodies were other US iterations such as the MD DC-10 and Lockheed Tristar. As stated, the Airbus was a European political response to this US market hegemony which it was only able to chip at in incremental steps, initially in Europe and later in Asia until finally winning over a US major, American Airlines, now with the world’s largest A320 fleet of more than 450 units.

So it was that, atypically, over a score of years this political feature of market interference proved prescient as, with easy access to cheap government loans (all of which have since been fully repaid with interest), the bold Airbus designs and technical innovations successfully challenged Boeing dominance and particularly in the narrow-body market. The core of this challenge lay in the operating cost-efficiency of Airbus designs which was realised, in the main, through just two main elements. Foremost was the wing design and later the engines. The rest of the aircraft that the wings lift and engines power, has little impact on the cost-efficiency of its performance, until most recently, the hull weight reduction through the recent use of composites thus increasing payload. But since Boeing and Airbus use the same engines to power their designs, the secret of Airbus’s success lay in its aircrafts’ profiled wings.  

Fig.2 – Cause and Effect – Boeing vs. Airbus narrow-body sales

              B737 power plants  –  Classic series.                New generation series with 19” ground clearance.         Max-series, way forward of the wing

But moving the power plant forward impacted the Centre of Lift such that, at high power settings (typical when taking-off), would push the nose of the aircraft up with risk of stalling. That would require use of the elevators in the tail empennage to push it back down again which among other things, creates additional drag thus decreasing fuel efficiency (thus obviating the whole point of the exercise!).  The answer was to put a small tab on the elevator and to automate the process so as to catch and correct the nose-up movement at an insipient stage – that was the main function of MCAS (Manoeuvring Characteristic Augmentation System). The idea was to also make the aircraft fly and respond like the older 737-800s which had been sold in very large numbers: this the MCAS also successfully did.

So the Max sold like hot cakes with some 5000 orders before the first unit had even entered service in Indonesia with Lion Air (which was also the launch customer for the former B.900-ER and also one of the largest operators in the World of that series). With Lion also diversifying into Airbus A320 options, this was a major coup for Boeing.  But, the Sales department efforts to make the Max appear as an upgrade to the -800 series (so that pilots could more readily convert), rather than the new aircraft type it really was (requiring full certification and more onerous training), lay the seeds to the subsequent Max accidents. In Part-III, the germination of these fatal seeds will be followed in detailed slow motion.

Summary – In the previous article we discussed automated flight systems in general. In this article we examine in detail a nominal systemic ‘tweek’ in the flight automation by Boeing of their dominant 737-series regional airliner which has developed into a major scandal. Boeing is as synonymous with commercial aviation as Bell is to helicopters. They invented the quality systems on which ISO-9000 is based. So, how is it that they appear to have lost the plot in this regard? It is a long story, so we shall do it in three parts, starting with the historical background leading to the Boeing Max-series development.

Part-I:  Boeing Aviation Company – from Child to Man

To understand the tragic 737-Max saga, it is fruitful to go back a Century to the very beginning of Boeing Company to get a truer perspective on the recent events.  So this article starts with a brief history leading up to the Max’s production before analysing the elements of the scandal itself. The Boeing company’s origins in Seattle were not in aviation but in lumber and cabinet manufacture, as a family firm owned by William E. Boeing.  

Replica of ‘Bluebell’ the first Boeing aircraft – the B&W Seaplane –

at the Museum of Flight in Seattle

Until WW-II, it was typically Europe that provided the lead in aircraft development with the USA generally optimising those designs and their manufacture. The French built the first production mono-plane (the Nieuport Fighter), the Brits developed the first jet engine (the Whittle in 1933) and the Germans with the first jet aircraft (Heinkle-178 in 1939) as well as rocketry (V-I in 1944). The first mass-production jet was the British Meteor bomber (March 1943): the first US jet was the Bell XP.59-A (1942) powered by Whittle engines built under license by GE.   

Similarly, it was the 1930s British Avro, Vickers and Handley Page medium-heavy bomber designs, which evolved into the Wellington / Lancaster bombers and more importantly, across the pond, formed the basis of the Boeing B-17 ‘Flying Fortress’ heavy bomber – actually an early Boeing technical disaster. Rather than through any incompetence, this was a factor of their technical enthusiasm for stretching the norms of aviation technology. The B-17 was the largest, the fastest, the highest flying and with the biggest payload in this class – all far exceeding all the parameters of the military RFP (Request for Proposals) as issued by the US Army Air Corps (the predecessor to the USAF) in the late ‘30s and to which the B-17 was the Boeing Company response. As such it was also technically, significantly more complicated. So it was that, during a display to the client, the prototype crashed due to elements of the start-up checks having been overlooked, killing the Boeing Chief Test Pilot and an Airforce General – the head of the procurement committee – flying as a passenger in the Co-pilot’s seat. Not surprisingly, the first contract for 200 units was thus awarded to Douglas (the predecessor to MD), at that time, Boeing’s main rival. The enduring result of that crash was the birth of the aircraft check-list. Not surprisingly, subsequent contracts went to Boeing and ultimately, more than 12,000 B-17 units were built.

The growth in aviation sophistication and capability engendered by the needs of global warfare led to the first jet Airliner (the British Comet-1952) which, after a series of fatal accidents due to metal fatigue, in 1954 was grounded. In the years it took to find the root cause (square windows) and to change to the current oval design, the following Boeing Jet Airliner (the iconic B.707-1957) was able to catch up and subsequently dominate the market. Bill Boeing, unfortunately, passed away shortly before its maiden flight, so he did not witness the fruits of a lifetime of innovation. But the Boeing Company never looked back, dominating world aviation for the next two generations – although again, by stretching aviation limits, the very large B-747 ‘Jumbo-Jet’ (1969) did come within a whisker of bankrupting them.

Beauty and the Beast – an unhappy ending

A most significant event in Boeing’s subsequent history was the 1996 merger with it’s former rival Douglas – now McDonald-Douglas (MD). This was a function of a so-called ‘Last Supper’ in Reagan’s White House, where it was decreed that the dozen US aircraft manufactures should be reduced by half. Due to the MD widebody iteration, the DC-10, being significantly less successful than the Jumbo, MD was financially the weaker partner in this merger. Accordingly, Boeing was the lead with the merged entity assuming its name.

Having begun as a hobby-venture, even as it grew, Boeing it never fully lost that ethos. It was a family firm with  technological excellence in its DNA – there, the engineers were king. The MD culture, however, was one of corporate bean-counters with shareholder value rather than engineering excellence being the foremost core-value. So, not surprisingly, within a couple of years, the junior partner had assumed control. This led to cultural changes within Boeing which are the likely root cause of its current technical problems