Boeing rejected 737 MAX safety upgrades before fatal crashes,
whistleblower says Rescuers work at the scene of an Ethiopian Airlines jet crash south of Addis Ababa, Ethiopia, March 11, 2019. Boeing's 737 MAX 8 aircraft has been grounded worldwide as a result of this crash and another last October. (Mulugeta Ayene / The Associated Press) Seven weeks after the second fatal crash of a 737 MAX in March, a Boeing engineer submitted a scathing internal ethics complaint alleging that management - determined to keep down costs for airline customers - had blocked significant safety improvements during the jet's development. The ethics charge, filed by 33-year-old engineer Curtis Ewbank, whose job involved studying past crashes and using that information to make new planes safer, describes how around 2014 his group presented to managers and senior executives a proposal to add various safety upgrades to the MAX. The complaint, a copy of which was reviewed by The Seattle Times, suggests that one of the proposed systems could have potentially prevented the crashes in Indonesia and Ethiopia that killed 346 people. Three of Ewbank's former colleagues interviewed for this story concurred. The details revealed in the ethics complaint raise new questions about the culture at Boeing and whether the long-held imperative that safety must be the overarching priority was compromised on the MAX by business considerations and management's focus on schedule and cost. Managers twice rejected adding the new system on the basis of "cost and potential (pilot) training impact," the complaint states. It was then raised a third time in a meeting with 737 MAX chief project engineer, Michael Teal, who cited the same objections as he killed the proposal. A version of the proposed system, called synthetic airspeed, was already installed on the 787 Dreamliner. It was not directly related to the flight-control system - the Maneuvering Characteristics Augmentation System (MCAS) - that contributed to both crashes. But it would have detected the false angle of attack signal that initiated events in both accidents, and so potentially could have stopped MCAS from activating and repeatedly pushing down the nose of each jet. But installing it in the MAX would likely have meant 737 pilots needed extra training in flight simulators. Running thousands of pilots through simulator sessions would have delayed the jet's entry into service and added substantial costs for Boeing's airline customers, damaging the MAX's competitive edge against the rival Airbus A320neo. Ewbank's complaint goes further than the decision not to install this one new system. He describes management as "more concerned with cost and schedule than safety and quality." And he alleges that in one instance Boeing hid inflight safety incident data from the European Union Aviation Safety Agency (EASA). As first reported in The Seattle Times, Boeing did an inadequate system safety assessment that missed flaws in the design of MCAS that were central to the two MAX disasters. And Boeing engineers were under pressure to limit safety testing to certify the MAX. These fresh allegations from inside Boeing indicate that the problems with jetmaker's safety culture may go deeper than MCAS. Sticking out from the side of a 737 MAX, two pitot tubes for measuring air pressure sit above an angle of attack vane. A new system was proposed for the MAX, but never approved, that would have allowed these different sensors to cross-check each other. That could have enabled detection of a faulty angle-of-attack signal such as those linked to the two fatal crashes of 737 MAX jets. (Mike Siegel / The Seattle Times) Submitted via Boeing's internal whistleblower system, Ewbank's complaint alleges that MAX program managers, concerned with avoiding higher costs and more pilot training, were intent on "shutting down trade studies that attempted to modernize the airplane and avoiding awareness of known issues encountered in historical 737 operation." Federal investigators The FBI has interviewed at least two Boeing employees about the complaint. It's unclear how the Boeing document reached the agency, but federal investigators are known to have issued subpoenas to the company. Department of Justice prosecutors, Department of Transportation inspectors and Securities and Exchange Commission (SEC) officials are all involved in a wide-ranging federal investigation into possible wrongdoing at Boeing during certification of the MAX that was already under way before the engineer filed his internal complaint in April. Boeing declined to comment on the details of the ethics complaint. Teal, 737 MAX chief project engineer, could not be reached for comment. The Department of Justice also declined to comment. The Seattle Times is not naming the employees who have been questioned by the FBI to protect the identity of the source of that information. Ewbanks declined to be interviewed. The Seattle Times is naming him because he identified himself in his complaint to Boeing. The MAX has been grounded worldwide for almost seven months as Boeing works on a comprehensive fix to its flight-control systems that will satisfy air safety regulators around the globe. The final updates to the systems are expected to be submitted to the Federal Aviation Administration (FAA) this month, and Boeing anticipates clearance to return the jet to the sky in November. Meanwhile, multiple investigations and reviews, internal and external, are examining what caused the deadly crashes. Last week, Boeing's board announced a revamp of the company's reporting structures aimed at producing better internal safety oversight. On Monday, Boeing chairman and chief executive Dennis Muilenburg said he's "taking immediate steps" to implement those recommendations. The engineer Ewbank's ethics complaint expressed concern about the possible personal consequences of stepping forward inside the company. "Given the nature of this complaint, the fear of retaliation is high, despite all official assurances that this should not be the case," he wrote. "There is a suppressive cultural attitude towards criticism of corporate policy - especially if that criticism comes as a result of fatal accidents." Ewbank wrote that co-workers told him in private they are afraid to speak up about similar safety concerns out of "fear for their jobs." In a statement responding to requests for comment this week, Boeing said it "has rigorous processes in place, both to ensure that such complaints receive thorough consideration and to protect the confidentiality of employees who make them." "Accordingly, Boeing does not comment on the substance or existence of such internal complaints," the statement added. Ewbank's LinkedIn profile shows he graduated from Embry-Riddle Aeronautical University in 2008 with a degree in aeronautical engineering, then got a master's at Purdue. After college, he took a job as rocket scientist, doing launch site design engineering at the Kennedy Space Center in Florida with United Space Alliance, the joint venture between Boeing and Lockheed Martin. He was hired by Boeing in 2010 to work on designing commercial airplane flight deck systems, including the MAX. He now works on airplane systems integration for the 777X program. However, dissatisfied with his experience on the MAX program, he took a break from Boeing. LinkedIn shows he left the company in April 2015 and returned to work on the 777X only last November. The reason for the career break is cited in the ethics complaint: his feeling that Boeing management was "squeezing the engineering budget for new programs ... more concerned with cost and schedule than safety and quality." In his first stint at Boeing, he worked on the safety of flight deck systems across multiple jet programs. It put him at the center of what has become one focus of the investigations into the crashes: The systems that tell pilots how their plane is performing in flight and alert them to anything going wrong. Ewbank's complaint says his job included "designing appropriate crew alerting and crew procedures based on expected (system) failures." We need your support In-depth journalism takes time and effort to produce, and it depends on paying subscribers. If you value these kinds of stories, consider subscribing. Last week, a National Transportation Safety Board (NTSB) report called for improvements to such systems and criticized Boeing's testing of the MAX for failing to simulate the possible barrage of system failures and warnings the pilots on the crashed flights faced. The memo The proposal for system upgrades that Ewbank discusses in his complaint emerged from work he did alongside several veteran employees in Boeing's Aviation Safety department "to analyze Loss of Control inflight accidents and design flight deck features that would work to break the accident chain of events." One was Associate Technical Fellow Randy Mumaw, a cognitive psychologist and "human factors" expert in how pilots react to an airplane's instruments. Mumaw, who left Boeing in 2015, said that as a non-engineer he can't assess the technicalities of the synthetic airspeed system. But he said he knew Ewbank as "highly respected and bright." The Seattle Times interviewed four former Boeing employees who were involved in the work of assessing the proposed safety upgrades. Rick Ludtke, a former flight deck integration engineer, worked alongside Ewbank and was a key participant in the proposal, which was presented in an engineering memo titled "Boeing Commercial Airplanes Strategy for Reducing the Risk of Loss of Control Events." Ludtke said the purpose of the memo, which Ewbank cites in his complaint, was to "capture the approval" of executives and to try to get a list of six system improvements accepted across Boeing's airplane programs, including the MAX, which was then in early development. The memo, which was signed off by Todd Zarfos, the Boeing vice president who heads the company's engineering design centers, recommended that synthetic airspeed be installed on the MAX "with the next appropriate software update." Another veteran Boeing engineer and associate technical fellow, Carlo Ruelos, was the early champion of synthetic airspeed at Boeing. A pilot flying any airplane needs to know the current airspeed - the plane's speed relative to the air. Depending on the direction of the wind, that can be faster or slower than the groundspeed, the plane's speed relative to the earth. Too high an airspeed could stress the airframe. Too low an airspeed could stall the plane. This key piece of data is measured by pitot-static air pressure sensors, little tubes that stick out of the fuselage on both sides under the cockpit. It's entered into multiple calculations performed by the flight control computer, so an accurate value is important. Synthetic airspeed is a new system that provides an additional, indirect calculation of airspeed using different sensors, including the plane's angle-of-attack sensors. The system enters the airplane's angle of attack, its weight, the position of its control surfaces and other parameters into a proprietary Boeing algorithm to come up with an independently measured airspeed reading. The independence of the synthetic reading means that if it matches the direct airspeed readings, it verifies the data as highly reliable. If there's a discrepancy, the air data is rejected and the plane's automated systems won't use it. Ewbank's complaint cites a study that found air data reliability, and airspeed awareness in particular, as a "dominant theme" in airplane accidents where the pilots lost control. The only Boeing airplane using synthetic airspeed today is its latest all-new jet, the 787 Dreamliner. On the MAX, Ruelos saw an opportunity because the jet had a new integrated air data system box installed that had more computational power than that on the previous 737 NG model. That extra capability, Ruelos decided, would make it possible to add a variant of the 787 synthetic airspeed system to the MAX. And if it could be added, he felt it should be - because it would broadly enhance the reliability of the 737's air data systems. Ruelos, now 75 and retired, said in an interview that the pitot and static probes used for standard airspeed measurement"stick out of the airplane and can be damaged by a bird strike. Or something can plug the very small hole." So, he said, "I firmly believe that as another means of verifying the air data, (synthetic airspeed) is a key element in maintaining the safety of the airplane." "We pushed very hard for it, because safety is always the No.1 priority," he added. With the new air data avionics box on the MAX, he believed the system was "ready to go" on the new jet. The crashes At the time of this proposal, no one had identified MCAS as a concern. Back then, the original design of MCAS was more benign than the final version that went haywire on the two crash flights. It required two sensors to activate - a high angle of attack and and a high G-force -and was less extensive in its ability to push the nose down. It wasn't until March 2016 that the MCAS design was changed to depend solely on a single angle-of-attack sensor. Synthetic airspeed gains significance in the aftermath of the accidents because the system's cross-check of the independent airspeed readings would raise a red flag if there's any angle-of-attack sensor fault. If the readings disagree, Ewbank wrote in his complaint, the system as implemented on the 787 is designed to "monitor and detect erroneous angle-of-attack data, and then work to prevent the use of erroneous data by downstream systems." While Ewbank prefaces this statement with a careful qualifier - "It is not possible to say for certain that any actual implementation of synthetic airspeed on the 737 MAX would have prevented the accidents" - his implication is clear: Synthetic airspeed might have stopped MCAS from activating in the circumstances of the two crashed flights. Ludtke and Ruelos agreed. There's "a very good chance" that if Boeing had implemented synthetic airspeed on the MAX, it would have prevented the crashes, Ludtke said. "In our department, we never designed anything without comparators," meaning monitors that compare independent sensor readings and de-activate the system if they disagree, he said. "Curtis, I know, had several types of comparators in that synthetic airspeed system." Asked separately if synthetic airspeed might have prevented the crashes, Ruelos responded: "I think so. The left and right systems do cross checks, and if there is a discrepancy, it won't let the automatic system take control of the airplane. ... It would disengage and the downstream systems wouldn't use the data." The cost concerns Of course, Boeing could have achieved the same result in simpler ways, for example if MCAS had been designed from the start to compare readings from the two angle-of-attack sensors instead of only one. Still, in hindsight the rejection of synthetic airspeed seems fateful. In his complaint, Ewbank puts it down to "a corporate culture ... of expediency of design-to-market and cost-cutting." "The 737 MAX was designed via piecemeal updates to prevent triggering expensive certification and (pilot) training," his complaint states. Ludtke agreed. Synthetic airspeed was rejected "probably because of cost," he said. He said Boeing had promised the airlines that the MAX would be so minimally different from the prior 737 model that no additional pilot certification or flight simulator training would be necessary. He said his manager told him Boeing promised MAX launch customer Southwest "$1 million per tail" if the FAA were to require expensive simulator training. "The MAX program leaders had always mandated that, if it's not required for function or certification, it's not going on the airplane," Ludtke said. They looked upon synthetic airspeed as "a good improvement, but just an improvement," not a necessity. "We still tried. Because we believed these aircraft need improving for the quality of pilots we are experiencing," Ludtke added. "In the old days, before the MAX, that's how we did business. At the launch of a new program, its leaders would be very interested in including all the latest ideas and safety improvements. "The MAX was different from the very beginning," he said. "We're just going to put these new engines on and the minimum change to make that happen. That's it. We're not spending money." "That concept broke the company," Ludtke concluded. Another former Boeing employee, a veteran test pilot also involved in the assessment of the proposed system changes, wasn't close enough to the technical details of synthetic airspeed to be sure it would have prevented the accidents, yet agreed that any similar system based on angle of attack likely would have cut out MCAS. "That's how you would hope the system would work," said the pilot, who asked for anonymity to preserve relationships at Boeing. And the pilot agreed with Ludtke that preserving the MAX's common type rating - certifying it as just a variant of the prior 737 NG model, rather than a new airplane - and ensuring that airline pilots wouldn't be required to train for the MAX on flight simulators was "such a huge deal" that it blocked potential updates to the avionics systems. "I couldn't believe they kept stretching the 737, both literally (with a longer fuselage) and also in terms of cockpit design," the pilot said. The culture Ray Craig, former chief pilot on the 737 MAX until he retired in 2015, had a very different take. He said he worked with Ewbank and knew him as a "very sharp, very dedicated" engineer. Yet he defended the safety culture at Boeing and around the MAX program. "Safety was paramount. If there was something we thought was a safety issue, there was no question, it was taken care of," Craig said. "But it's not always a black-and-white decision." Lacking full technical details, he wouldn't venture an opinion about whether synthetic airspeed could have prevented the crashes. "I don't remember it as ready to go. It wasn't just a simple plug-and-play," Craig said. "It wasn't as program-ready as perhaps some of the folks were thinking. But I don't remember the exact reason it was shot down." Ewbank's ethics complaint is much broader than the failure to install synthetic airspeed. He attacks the company's culture around aviation safety and questions Craig's and Boeing's assertion that safety is always paramount. He recounts an episode in his department when he says Boeing hid in-flight safety incidents from Europe's aviation regulator. This occurred when EASA found five events where 737s experienced a problem with the autothrottle disconnecting on approach and a confusing alert led to an inappropriate pilot response. EASA asked if Boeing was aware of any other such events and Ewbank was assigned to search the in-service databases. But when he identified five further similar incidents on 737s, his ethics complaint says his manager decided "to not tell EASA about these events" and that instead "we would fix the issue ourselves." Ewbank, a relatively young engineer at the start of his career and with less than six years at Boeing over his two employment stints, even goes so far in the complaint as to directly attack CEO Muilenburg. He cites Muilenburg's statement on a quarterly earnings teleconference, just four days before Ewbank filed the ethics complaint, denying that the two recent MAX crashes were due to any "technical slip" by Boeing during the jet's design or certification. Ewbank calls this "a false statement." "When CEO Muilenburg and others state that the Max was a safe airplane as designed, they seriously misrepresent what Boeing Engineering has learned about how data and control functions should be treated," Ewbank wrote. |
Boeing CEO: Preliminary investigations show 737 Max pilots
exposed to 'high workload environment' Pilots who were unable to save two separate commercial Boeing 737 Max airplanes from crashes that killed 346 people were exposed to a "high workload environment," according to early findings from an investigation, Boeing's (BA) CEO Dennis Muilenburg said Wednesday during an address to the Economic Club of New York in Manhattan. Boeing has previously acknowledged that during both flights faulty data from a single external airplane sensor triggered an automatic system known as MCAS that adjusted the angle of the aircraft downward. However, in defense of the plane's design, Muilenburg has raised pilot inaction as a factor in a chain of events that could determine whether pilots successfully troubleshoot to disengage MCAS (Maneuvering Characteristics Augmentation System) and recover the aircraft. "If that kind of scenario occurs and you go through the checklist...it calls out actions that would be taken around power management and pitch management of the airplane," Muilenburg said in response to a reporter during the company's annual shareholder event in April. "It also refers to the cutout switches, that after an activation that was not pilot-induced, that you would hit the cutout switches," he added. "And, in some cases, those procedures were not completely followed." 'More workload for pilots' While much debate has ensued over whether highly trained pilots would have avoided the fatal crashes, Muilenburg's statements Wednesday acknowledged investigators' determination that MCAS software compounded pilots' emergency troubleshooting environment. "While the investigations have not yet issued their final reports, they have shared preliminary findings," Muilenburg said. "The early information established that in both lights, a software function activated in response to incorrect information from an external airplane sensor as part of a broader chain of events that created more workload for the pilots in what was already a high workload environment." Grounded Boeing 737 MAX aircraft are seen parked at Boeing Field in Seattle, Washington, U.S. July 1, 2019. Picture taken July 1, 2019. REUTERS/Lindsey Wasson In testimony before Congress in June, Chesley "Sully" Sullenberger, the decorated commercial airline captain responsible for saving the lives of 155 people in a heroic 2009 landing on New York's Hudson River, emphasized the significance of pilot "startle factor" and chaotic cockpit situations that play into a pilot's emergency response capabilities. Asked by Rep. Thomas Massie (R-KY) whether more experienced pilots would have been able to handle the MCAS-related emergencies, Sullenberger opined that it would have been unlikely they would have performed differently from the crews on the accident flights. "I'm one of a relatively small group of people who have experienced such a crisis and lived to share what we learned about it. I can tell you firsthand that the startle factor is real. And it's huge. It absolutely interferes with one's ability to quickly analyze the crisis and take an active action," Sullenberger said. 'Grab the weel, keep it from turning' Still, former FAA Certification and Regulatory Enforcement Support specialist, Larry Williams, has said any experienced pilot should have been able to handle the Max emergencies. "You grab the yoke and pull it back and if you can't override it you just kick off trim and fly it manually. It's autopilot disconnect, basically. Push a button on the yoke and disconnect - grab the wheel, keep it from turning." As a result of the findings, Boeing is altering both how much exterior data the 737 Max intakes, as well as the number of backup systems to recognize when an automatic adjustment of the plane's nose is in error. After alterations, each Max will be equipped with three redundancies, including two exterior "angle of attack" sensors, instead of one; single automatic activation of the MCAS system, rather than multiple activations; and a pilot override, to stop MCAS from pushing the nose down once a pilot takes control. Max planes were grounded by the FAA on March 13 following the second of two similar crashes that killed all passengers and crew on board. Shortly after takeoff from Jakarta, Indonesia, on October 29, Lion Air Flight 610 crashed into the Java Sea. Ethiopian Airlines Flight 302 crashed shortly after takeoff from Addis Ababa, Ethiopia, on March 10. |
Ingen kommentarer:
Legg inn en kommentar
Merk: Bare medlemmer av denne bloggen kan legge inn en kommentar.