The deadly flaw in the Boeing 737 Max could have been “easily” detected with a simple test before the new plane flew, a federal hearing learned on Tuesday, the first anniversary of a crash in Ethiopia that killed 157 people, including 18 Canadians.
A leading Canadian aviation expert told the hearings in Ottawa that changes to aircraft regulations, requiring manufacturers to test whether seemingly insignificant design tweaks affect the plane’s overall operation, would expose the kind of flaws that caused two 737 Max disasters.
The plane, a new model introduced by Boeing in 2017, was grounded last year after crashing twice in the span of five months. The first disaster killed 189 people near Indonesia in late 2018, followed by a second crash one year ago in Ethiopia. In both cases, the plane was brought down by software designed to stabilize the aircraft that instead forced the 737 Max into a fatal nosedive.
Gilles Primeau, an expert in flight control systems who works as an industry consultant, said when Boeing designed the software, it connected it to a single sensor that measures the angle of the plane in flight. Although there are two angle of attack (AOA) sensors on each side of the plane, Boeing didn’t test what would happen if the lone sensor controlling the software malfunctioned – as it did in both 737 Max disasters.
Had Boeing engineers tested how the failure of that sensor might affect the overall operation of the software, and therefore the plane as a whole, they would have been able to see the 737 Max had a catastrophic weakness, Mr. Primeau said.
“Testing of critical systems individually or in silos is insufficient,” Mr. Primeau said, calling for a regulatory change to fix the problem. “With this rule, the simple test of a faulty AOA sensor would have easily uncovered its multiple effects, forcing architecture changes on the 737 Max.”
The House of Commons Transport Committee convened the hearings to discuss changes to Canada’s aircraft certification system. Transport Canada relied heavily on the U.S. Federal Aviation Authority (FAA) to scrutinize the 737 Max, and endorsed the plane without examining the software.
Under aviation regulations, manufacturers can apply design tweaks to an existing aircraft certificate if they are not considered critical changes, a process known in the industry as “grandfathering.” Mr. Primeau said aircraft manufacturers are sometimes reluctant to perform full aircraft tests on design tweaks if they are not deemed major alterations.
“It’s amazing the discussions – endless – that I have seen in my career. They might as well turn it around and go and test it, it would have taken less time and resources,” he said.
His proposal to end the grandfathering process on any design change that interacts with other functions of the plane echoes the findings of an international panel of regulators that investigated the 737 Max disasters last year. Mr. Primeau also proposed that new aircraft be examined by “an international team of experts” where regulators such as Canada and Europe would dispatch people to work with the FAA on certifying Boeing planes.
Under decades-old aviation agreements, the FAA performs the certification on new Boeing planes, while Canada and other countries verify that work if they see a need. However, in the case of the 737 Max, that system created troubling blind spots for Canada.
Crash investigations have shown that Boeing withheld information about the software, known as the manoeuvring characteristics augmentation system, or MCAS, from pilots and airlines, and left key details out of the flight manual in an effort to get the plane certified faster. Owing to a series of deregulation moves in the U.S., the FAA gave Boeing’s engineers increasing authority to certify their own designs, tantamount to self-regulation.
Transport Canada officials testified two weeks ago they believed the 737 Max was safe when the government approved the plane, but officials did not scrutinize all areas of the aircraft, including the software.
“I can assure you if we had any of that knowledge at the time, we would have been digging a lot further,” David Turnbull, Transport Canada’s national aircraft certification director, said.
While some relatives of the 18 Canadians who died in the Ethiopian disaster attended the hearing Tuesday, others gathered at the crash site near Addis Ababa to mark the anniversary of their loss.
Michael Deer, an airworthiness specialist with Bell Textron Canada Ltd., said Transport Canada has the ultimate power to determine if changes to an aircraft’s design are significant and should undergo more rigorous testing.
However, Jodi Diamant, chief engineer of airworthiness and certification at aircraft engine manufacturer Pratt & Whitney Canada, said Transport Canada is at a disadvantage if Boeing wasn’t forthcoming about the software in the FAA certification process. “They would have been trying to find a needle in a haystack, then there’s limited time to do it,” she said.
Asked what could be done differently at Boeing, Mr. Primeau referred to internal company e-mails made public in the U.S. that show at least one engineer questioned the logic of connecting the powerful 737 Max software to a single sensor that could malfunction. “I’d like to know who that guy is,” Mr. Primeau said. “He should be put in charge.”