An internal risk analysis after the first of two Boeing 737 MAX airliner crashes showed the likelihood was high of a similar cockpit emergency within months, according to a Federal Aviation Administration official familiar with the details and others briefed on the matter.
The regulator’s analysis, not previously reported, showed that it “didn’t take that much” for a malfunction like the one confronted by the pilots of the Lion Air flight that crashed into the Java Sea last year to occur, one of the people briefed on the analysis said.
Based on the findings, the regulator decided it was sufficient to inform pilots about the hazards of an onboard sensor malfunction that led to a flight-control system pushing down the plane’s nose. The belief was that if pilots were aware of the risk and knew how to respond, it was acceptable to give Boeing and regulators time to design and approve a permanent software fix to MCAS, the flight-control system implicated in the crash, according to the agency official and people briefed on the findings.
The FAA’s early goal, one of these people added, was: “Get something out immediately and then mandate something more permanent.”
Specifically, the FAA’s analysis suggested that a warning to pilots would be enough to provide Boeing about 10 months to design and implement changes to MCAS, according to a person close to the manufacturer. Boeing had been planning to complete the changes by April, within the 10-month period, this person said.
Boeing and the FAA’s risk projections faced a real-world crisis in less than five months. Ethiopian Airlines Flight 302 went down on March 10 in a similar nosedive prompted by the same type of automated MCAS commands pilots couldn’t overcome. The dual crashes took a total of 346 lives.
Investigators quickly focused on the central role of MCAS, and regulators around the world grounded the aircraft.
The FAA has said it doesn’t have a deadline for approving the final package of fixes but won’t allow the planes back in the air until all safety issues are resolved.
A Boeing spokesman said: “Boeing and the FAA both agreed, based on the results of their respective rigorous safety processes, that the initial action of reinforcing existing pilot procedures…and then the development and fielding of a software update, were the appropriate actions.”
He added: “The safety of everyone flying our airplanes was paramount as the analysis was done and the actions were taken.”
The FAA’s internal analysis, prepared in the days immediately following the Oct. 29 Lion Air crash, is called a TARAM, an acronym that stands for Transport Airplane Risk Assessment Methodology. It essentially involves a spreadsheet with formulas that consider a number of factors—such as fleet size, probability that sensors will fail, passenger counts—and aims to predict how many people could die over a certain period because of potential hazards, according to people familiar with the process.
There is also a subjective analysis that, along with the TARAM’s numerical forecasts, informs FAA managers and engineers about what types of actions to take and when—for major but also less-serious air-safety issues. “It’s kind of a cold way of looking at it,” the person briefed on the analysis said, adding: “It’s not foolproof. It’s a tool.”
The analysis determined that the underlying risks from the MCAS design were unacceptably high without at least some FAA action, that they exceeded internal FAA safety standards and that the likelihood of another emergency or even accident “was over our threshold,” according to the FAA official. “We decided…it was not an acceptable situation,” the official said.
The directive to pilots essentially reiterated that cockpit crews should counteract and then disable an MCAS misfire by following long-established emergency procedures for a related flight-control problem that can similarly push down an aircraft’s nose.
When the FAA determines an aircraft poses an unacceptably high safety risk, it typically mandates targeted equipment changes, inspections or training to alleviate the hazard. It is unusual for the agency to conclude that reiterating cockpit emergency procedures or tweaking manuals will suffice.
The FAA’s Nov. 7 emergency directive, described as an “interim action,” didn’t mandate design or operational changes. Because it reminded pilots how to swiftly and correctly respond to such an MCAS malfunction, that approach “wasn’t removing the risk,” the FAA official said Tuesday, but rather “making it acceptable for a period based on the data we had.”
In a report shared with Boeing in late 2018, after the FAA’s directive, the agency said its analysis found the “risk is sufficiently low…until the changes to the system are retrofitted,” according to the person close to the manufacturer.
Grounding wasn’t seriously discussed but “that’s always on the table” after a deadly crash, the person briefed on the analysis said. As FAA officials learned of MCAS’s design issues, they also learned of other problems that could have contributed to the accident, including maintenance and pilot missteps, this person said.
Boeing said it began working on changes to MCAS shortly after the Lion Air crash. The first software fix package was formally presented for FAA approval in December, but was still being tested and analyzed when the Ethiopian crash occurred in March.
Between the two crashes, FAA engineering teams continued to assess data and fold details of the Lion Air probe into their safety assessments. “We continued asking questions,” the FAA official said, adding that historical safety information from U.S. operators of the MAX indicated that “we weren’t getting data” revealing pilots wouldn’t react appropriately to MCAS emergencies.
In the end, the FAA’s statistical predictions didn’t anticipate another accident would happen as soon as it did. “Statistically, the calculations just didn’t work out,” said the person briefed on the analysis. “You can’t predict randomness.”
It isn’t clear why Boeing took longer to finish MCAS changes than some industry and FAA officials had expected. At a late March briefing in Renton, Wash., a Boeing official said the plane maker took care to fine-tune the revised software and test it. “We didn’t rush it because rushing is the wrong thing to do in a situation like this,” the Boeing official said.
FAA engineers and safety experts prepared a separate TARAM risk analysis in the wake of the Ethiopian crash, according to the FAA official and others familiar with the matter. The full assessment was completed two days after the crash, the official recalled, and was presented to senior policy makers at headquarters the next day. That same morning, the FAA received new satellite data more directly implicating MCAS, prompting the agency to become the last major aviation regulator to ground the MAX fleet.
Boeing has since experienced more delays amid subsequent company reviews, questions from the FAA and flight test results—including simulator sessions with FAA pilots—revealing a series of technical problems.