
Internal FAA Review Saw High Risk of 737 Max Crashes - tompic823
https://www.wsj.com/articles/internal-faa-review-saw-high-risk-of-737-max-crashes-11576069202
======
forgingahead
_The MAX’s safety record when it was grounded, after two years in service,
roughly amounted to two catastrophic accidents for every one million flights,
according to estimates by industry officials relying on unofficial data. By
contrast, the model of 737 that came before the MAX has suffered one fatal
crash for every 10 million flights, according to data from Boeing._

Put another way, the 737 Max has a statistic of 1 catastrophe per 500k
flights, whilst the 737 was 1 per 10 million, _basically 20 times_ as much.

This is criminal behaviour, and people need to go to jail. The MAX should
never be allowed to fly again.

~~~
LeifCarrotson
On the other hand, generalizing from two incidents to a rate isn't great
statistics. The list of accidents and incidents with the previous generation
[1] shows some 9 fatal problems spread over more than a decade, which is
closer to a rate. But saying that the 737 Max is known to be 20 times worse
when the real value might be anywhere between 2 and 200 if it had been allowed
to continue flying is a little imprecise.

Put people in jail for negligence, sure. But we should be criminalizing based
on that negligence and not on its results.

[1]:
[https://en.wikipedia.org/wiki/List_of_accidents_and_incident...](https://en.wikipedia.org/wiki/List_of_accidents_and_incidents_involving_the_Boeing_737#737_Next_Generation_\(-600/-700/-800/-900\)_aircraft)

~~~
cameldrv
The FAA was not just using the fact of the first crash in the risk analysis.
This was the methodology they used:
[http://rgl.faa.gov/Regulatory_and_Guidance_Library/rgPolicy....](http://rgl.faa.gov/Regulatory_and_Guidance_Library/rgPolicy.nsf/0/4e5ae8707164674a862579510061f96b/$FILE/PS-ANM-25-05%20TARAM%20Handbook.pdf)

They would have looked at the failure rate of the AoA sensor and the failure
rate of the recovery procedure and the fact that there had been one fatal
crash. That gave them a reasonable estimate of the risk. Based on that
analysis they should have grounded the plane, but Boeing apparently convinced
them that with pilot awareness of the problem that the recovery procedure
would be more effective. Unfortunately that was overly optimistic.

~~~
linuxftw
> Unfortunately that was overly optimistic.

No, it was fraudulent. Boeing didn't make even the slightest attempt to
identify all the potential failure modes, and it's still unclear if the plane
is even safe to fly with MCAS disabled.

~~~
cameldrv
The plane cannot be certified without MCAS or some other stability
augmentation. This is not unusual in itself, almost every jet aircraft has
some kind of instability. The problem was that MCAS is not reliable and
doesn’t fail safe. The fix they’re testing actually makes it less reliable,
but when it fails it will disable itself instead of making a smoking hole in
the ground.

------
mzs
We finally know fuller details* about the as proposed MCAS fix not-a-fix

> There are four main changes to the B737 MAX flight control system software
that have been developed to prevent future accidents like the ones that
happened with the Lion Air and Ethiopian Air flights. They include the
following:

1. Angle of Attack (AoA) comparison – an addition to MCAS that will now
compare readings from both angle of attack sensors on the aircraft. If there
is a difference of more than 5.5 degrees the speed trim system will be
disabled. Also included in this change is something known as a “midvalue
select” which uses data from both sensors together to create a third input
that will help to filter out any AOA signal oscillatory failures or spurious
sensor failures. This modification will prevent MCAS from commanding nose down
trim when a single AoA sensor reports a false AoA as it happened in the two
accident flights.

2. MCAS resynchronization – this change will account for manual electric trim
inputs made by the pilot while MCAS is activating. It will track whatever
input the pilot makes and return the pitch trim to that setting when MCAS
retrims back to normal.

3. Stab trim command limit – is an addition that will limit the maximum nose
down trim that the automatic flight control system can command to prevent the
pitch trim from reaching an uncontrollable situation.

4. FCC monitors – software monitors have been added to the flight control
computers that will cross check pitch trim commands against each other. If a
difference is detected by these monitors the automatic trim functions are
disabled. This protection helps prevent erroneous trim commands from a myriad
of causes that could occur in the automatic flight control system.

These design changes in the software that controls the automatic pitch trim
features including MCAS should prevent angle of attack sensor failures from
causing the pitch trim to operate when it should not. Further, they should
prevent the trim from activating erroneously for other reasons as well.

* [https://transportation.house.gov/download/kiefer-testimony](https://transportation.house.gov/download/kiefer-testimony)
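
Items 1 and 3 of the list quoted in the comment above, as an added sketch that is not part of the thread and is not Boeing's code: a two-sensor disagree check that latches the trim function off, plus a cumulative command limit. Only the 5.5 degree threshold comes from the quoted testimony; the activation angle, gain, trim authority, the choice of the lower vane and all names are assumptions, and the midvalue select and FCC monitors are not modelled.

```c
#include <math.h>      /* NAN, used only for the dead-sensor case in main */
#include <stdbool.h>
#include <stdio.h>

/* Illustrative sketch only; not Boeing flight software. The 5.5 degree
   disagree threshold is from the quoted testimony; the activation angle,
   gain and trim authority below are assumed values. */
#define AOA_DISAGREE_DEG  5.5
#define AOA_ACTIVATE_DEG 12.0
#define TRIM_GAIN         0.5
#define TRIM_LIMIT        2.5

typedef struct {
    bool   disabled;   /* latched once the comparison trips */
    double trim_used;  /* cumulative nose-down trim commanded */
} trim_state;

/* Item 1. Written as "diff <= limit" so that NaN from a dead sensor
   makes the test false and is treated as a disagreement. */
static bool aoa_agree(double left, double right) {
    double diff = left - right;
    if (diff < 0) diff = -diff;
    return diff <= AOA_DISAGREE_DEG;
}

/* Returns the nose-down trim increment for this cycle; 0 means none. */
double trim_step(trim_state *s, double left, double right) {
    if (s->disabled) return 0.0;
    if (!aoa_agree(left, right)) {
        s->disabled = true;            /* fail safe: stop and stay off */
        return 0.0;
    }
    double aoa = left < right ? left : right;  /* assumed: use lower vane */
    if (aoa <= AOA_ACTIVATE_DEG) return 0.0;
    double want = (aoa - AOA_ACTIVATE_DEG) * TRIM_GAIN;
    double room = TRIM_LIMIT - s->trim_used;   /* item 3: command limit */
    double cmd = want < room ? want : room;
    s->trim_used += cmd;
    return cmd;
}

int main(void) {
    /* Constructed readings, not flight data. */
    trim_state ok = {false, 0.0}, bad = {false, 0.0}, dead = {false, 0.0};
    printf("agreeing vanes: %.1f\n", trim_step(&ok, 14.0, 15.0));
    printf("one false vane: %.1f\n", trim_step(&bad, 74.5, 15.0));
    printf("dead vane:      %.1f\n", trim_step(&dead, NAN, 15.0));
    return 0;
}
```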

~~~
linuxftw
Unfortunately, we don't know if flying the plane without MCAS is even safe.
MCAS was required for a reason, and disabling it at an inopportune time might
be disastrous.

~~~
Obi_Juan_Kenobi
MCAS was required to keep a linear relationship between the force applied to
the flight stick and the pitch-up control moment.

There is nothing magical about this linear relationship; it is an intuitive
configuration for pilots, but many other aircraft do not follow it. The
requirement makes sense for single-certification, but we must be clear in
understanding what is actually happening with this system.

The system counters the hazard of pilots experienced in 'regular' 737s getting
close to stalling without realizing, due to lighter stick inputs not having
the intended effect. Any MCAS malfunction would direct their attention to this
issue.

Actual anti-stall systems (MCAS is not anti-stall, never mind some shoddy
reporting) would still function if a pilot were to approach this flight
envelope. This includes cabin alerts, stick shakers, etc.

The scenario where MCAS cuts out, _and_ it's in the envelope of conditions
where it actually functions, _and_ the pilots fail to notice this, _and_ the
MCAS inputs were needed to avoid approaching a stall, _and_ the pilots fail to
correct and avoid the stall .. it's a contrived hypothetical.

MCAS is not a system that activates on a normal flight. Only in relatively
extreme circumstances does it even function, and then it only seeks to make
intuitive pilot behavior less likely to approach stall conditions. A good
pilot monitoring airspeed, trim angle, AoA, etc. will be able to avoid a stall
just as well without the system.

~~~
mzs
Literally a take-off where one AOA sensor fails.

>The scenario where MCAS cuts out, and it's in the envelope of conditions
where it actually functions, and the pilots fail to notice this, and the MCAS
inputs were needed to avoid approaching a stall, and the pilots fail to
correct and avoid the stall .. it's a contrived hypothetical.

~~~
DuskStar
But MCAS is disabled when flaps are extended, such as on takeoff?

~~~
mzs
On a 737 they are retracted early in the climb, typically between 1000 and
1250 feet. If the slight stick movement the pilot is accustomed to to bring
the elevation down 2-3* fails to do so cause MCAS does not engage, there's not
a whole lot of distance to recover from a stall then.

~~~
DuskStar
> If the slight stick movement the pilot is accustomed to to bring the
> elevation down 2-3* fails to do so

This is completely unrelated to MCAS, though? Since the goal of MCAS wasn't
"bring the nose down" but instead "increase the pressure on the stick required
to maintain a certain nose-up attitude", I'd be really flabbergasted if it was
supposed to operate in a normal takeoff environment.

~~~
linuxftw
The goal was always bring the nose down, stick input not required.

------
jdsully
It's pretty clear reading the article that the public now has a much higher
safety standard than the FAA did internally.

Flying has become so safe that the public no longer considers it risky, but
the FAA never updated its targets. So when Boeing wanted to trade safety for
market share there was no basis to stop them.

To illustrate the change in attitude it used to be common for airports to sell
life insurance for the flight directly at the gate. This continued as late as
the 1980s.

[https://www.insurancebusinessmag.com/us/news/breaking-news/a...](https://www.insurancebusinessmag.com/us/news/breaking-news/a-look-back-whatever-happened-to-airport-insurance-vending-machines-22593.aspx)

~~~
ksdale
I feel your example just illustrates that the public has always thought flying
is more dangerous than it actually is. No one would be selling life insurance
if flying was as dangerous as the people buying the insurance thought it was.

The FAA set a standard that makes flying way safer than driving, a risk people
happily undertake all the time, but people still overestimate the risk of
flying and demand more safety improvements.

~~~
ncallaway
Yea, but the parent commenter was discussing the _public's_ risk tolerance for
flying.

The fact that life insurance was being sold, meant the flying public _thought_
they were taking significant risks (even if they weren't).

Now, such life insurance would be laughable, which means the public _does not_
think it's taking any risks. The general public's risk tolerance for flying
has dropped dramatically.

So, based on that, it seems the example perfectly demonstrates the point. The
public thinks flying is much less of a risk now than it used to.

~~~
ksdale
Your point is well taken, thank you.

Though, presumably the FAA's tolerance for risk has also dropped tremendously
over the past several decades, so I feel like the more relevant comparison is
the perceived risk to the actual risk.

Although the public thinks the risk it's taking is much smaller, it still
vastly overestimates the danger of flying.

I agree completely that the public thinks flying is a lot safer than they used
to, which is a change, but I think they also still really overestimate the
danger, which is not a change, and which I believe is borne out by the same
evidence provided by the parent, people buying life insurance when it was a
bad deal and people continuing to demand that the FAA make flying so much
safer than activities like driving that they engage in without a second
thought.

I'm also not so sure that a lot of people wouldn't still buy life insurance at
the gate if it was available.

~~~
jdsully
The FAA estimated the 737 Max would crash roughly once every 2-3 years. That
is 8x more often than the rest of Boeing’s fleet.

This apparently was still within FAA guidelines. I guarantee the flying
public’s risk tolerance is lower than that. I know mine is.

------
TooSmugToFail
This was a massive shot in the foot by the FAA. Not only did they neglect red
flags after the first crash, remember that the idiots were also hesitating
after the second one, allowing other regulators to ground the Max before them.

FAA's credibility is in the dumps, along with Boeing's.

~~~
mzs
not the only case: [https://transportation.house.gov/download/collins-testimony](https://transportation.house.gov/download/collins-testimony)

edit: I found more. In particular Pierson's attachment included emails and
ends with a listing of 15 emergencies over 13 months and the Summary of
Subject Matter includes a quick run-down of various Boeing happenings beyond
the MCAS.

[https://docs.house.gov/Committee/Calendar/ByEvent.aspx?Event...](https://docs.house.gov/Committee/Calendar/ByEvent.aspx?EventID=110296)

------
bookofjoe
[http://archive.is/JVWfg](http://archive.is/JVWfg)

~~~
tpmx
Who keeps downvoting these archive.is comments and why? They are clearly very
useful.

~~~
AnimalMuppet
They'd be a lot _more_ useful with some hint about what's being linked to. A
bare link, with an opaque URL, and with no comment, is basically saying "trust
me, this points to something relevant, but I won't tell you what". If I
disagree with the poster's definition of "relevant", I've wasted my time.

How about telling me _what_ you're linking to, not just giving me a raw,
opaque link?

------
tpmx
> The November 2018 internal Federal Aviation Administration analysis,
> expected to be released during a House committee hearing Wednesday

Is this document publicly available now? Did anyone find it?

~~~
mzs
I can't find the report itself but the submitted testimony and hearing is
here*. In particular Collins' submission has this:

>787 Lithium-Ion Battery Containment:

>Before the AIR Safety Review Process was implemented in mid-2015, there were
other examples of FAA management accepting applicant’s positions over the
concerns of FAA technical specialists, the FAA’s aerospace safety engineers.
For example, during initial certification review of the new technology 787
lithium battery system design the certification of the 787, an FAA technical
specialist determined the lack of a fireproof enclosure could result in
catastrophic failure due to uncontrolled fire from the battery. He proposed to
FAA management that the special conditions design of for the airplane system
lithium-ion battery should include a requirement for a steel containment
structure that would be vented overboard. FAA management overruled the
specialist. The specialist worked to modify a new special condition that was
applied to the battery installation so a containment system would be required.
Unfortunately, FAA managers pushed to delegate 95 percent of the certification
to the applicant, including the high risk, new technology, battery
installation. Without FAA safety engineer oversight, the ODA found the design
without an enclosure to be compliant. Sadly, after certification, the airplane
system lithium-ion battery experienced two extremely dangerous fire events and
the FAA mandated the 787 fleet to be grounded. The design changes the FAA
mandated to allow the 787 to fly again included a steel battery containment
box that was vented overboard; as originally proposed by the FAA aerospace
engineer.

* [https://transportation.house.gov/committee-activity/hearings...](https://transportation.house.gov/committee-activity/hearings/the-boeing-737-max-examining-the-federal-aviation-administrations-oversight-of-the-aircrafts-certification)

edit: better link
[https://docs.house.gov/Committee/Calendar/ByEvent.aspx?Event...](https://docs.house.gov/Committee/Calendar/ByEvent.aspx?EventID=110296)

~~~
redis_mlc
I saw the pictures of the 787 lithium-ion battery fire aftermath ... the
entire equipment rack was a charred mess. In other words, a raging fire
happened in the hold.

The only initial San Jose Terminal 3 ($1.2+ billion) international airline was
JAL, and they had to stop flying for about a year. This was a terrible blow to
the airport.

The engineer who advocated a battery box was not just correct, but following
basic principles - even the Cessna 172 has a metal battery box:

[https://www.knots2u.net/battery-box-cessna-172-stainless-ste...](https://www.knots2u.net/battery-box-cessna-172-stainless-steel/)

Heck, I even tell IT departments to use a stainless-steel "bathtub" under
water-cooled computer systems. Each time I'm called a Cassandra, until it
starts leaking, then it's like, "Well of course. Anybody would do it that
way."

Source: commercially-licensed airplane pilot.

