The shock of a second 737 Max tragedy in the past year has prompted an urgent rethink of certification and training priorities after a long period of improving accident statistics

The dominant features in world airline safety performance for 2019 were a gentle reversal of the long-established improving trend – and the shock to the entire commercial air transport industry of a second crash involving a nearly-new Boeing 737 Max 8 within five months of the first, in October 2018.

A question for the industry to answer is: are these two factors causally related? The safety statistics trend reversal in calendar year 2019 was obviously influenced by the 737 Max crash that happened in March. Less obvious, however, is whether the design failing by Boeing that contributed to the two accidents is a symptom of a more general malaise. Might it be deemed complacency, or does it have another name?

Image: NTSB Amazon Prime crash (Source: NTSB). Initial findings from Amazon Prime Air 767 loss point to pilot disorientation

In any case, global airline fatal accident figures in 2019 do indeed suggest that a long period of consistent airline safety improvement may be coming to an end. Until that point, modern airline safety performance statistics had been improving steadily since the Second World War.

That does not mean that the world’s airlines are suddenly unsafe, but it does suggest that the hope of a zero fatal accident future is likely to remain just out of reach in today’s air transport industry.

Last year, the total number of fatal accidents involving airline operations of all kinds was 22, and the number of resulting crew and passenger deaths was 297. In 2018 the respective figures were 14 and 543; in 2017 there were 12 fatal accidents and only 56 fatalities; but the best year to date was 2015, which saw only nine fatal crashes and 176 casualties.

In recent years, there have been some 12-month periods in which no jet-powered airliners crashed at all, but the 2019 fatal crashes involved three carrying passengers and two big cargo aircraft. The rest of the 2019 fatal accidents involved propeller-driven aircraft large and small.

The most serious accident of the year was the 10 March crash of an Ethiopian Airlines 737-8 near Addis Ababa, in which all eight crew and 149 passengers died. It was also the most shocking event of the year by a long way because, less than five months previously, a Lion Air 737-8 had crashed fatally, having suffered an almost identical technical anomaly.

Within 24h of the Ethiopian crash, Ethiopia and several Asia-Pacific nations grounded their 737 Max operations; the following day, the European Union Aviation Safety Agency and others did the same, and finally the US Federal Aviation Administration (FAA) grounded US Maxes on 13 March, explaining that information emerging from the Ethiopian investigation had precipitated its decision.

DOUBLE BLOW

Since the two 737 Max accidents, the industry has experienced something of an identity crisis, based on the undeniable fact that two aircraft just off the production line of the world’s most respected and long-established aircraft manufacturer could have suffered almost identical technical failures that caused the crews to lose control of them. Comment at all levels since then has been raucous and relentless.

The aviation world seems to be using the 737 Max grounding as a period of reflection, which is no bad thing. Boeing and the FAA have accepted that the eventual clearance of the modified aircraft to fly again must be an international decision, not a US one. In December, before his departure from the company, Boeing’s then-chief executive Dennis Muilenburg said: “If we do not co-ordinate this [return to service] we may see some disaggregation, and I don’t think that’s a future any of us wants to see.”

There is consensus, however, between the completed Indonesian investigation (see synopsis on P26) and the unfinished Ethiopian inquiry, that a software-driven system unique to the 737 Max – known as the Maneuvering Characteristics Augmentation System (MCAS) – designed to help balance the aircraft in pitch under specific circumstances, was erroneously triggered, in both cases by a faulty or damaged angle-of-attack (AOA) sensor. The effect of this incorrect AOA input was to pitch the aircraft’s nose down repeatedly by motoring the horizontal stabiliser, confusing the crews about the cause of this pitch change, so their efforts at correcting it were ineffective. Both aircraft crashed at high speed with high rates of descent.

Public comment on the two Max accidents has included a great many unhelpful contributions on pilot web forums. These have mostly been on US – or more generally, Western – sites and demonstrate a mindset that concludes: “These crashes both happened to a non-Western carrier,” as if that were an explanation. The clear implication is: “It would not have happened to a US airline.”

Both Max accidents, however, involved an aggravated version of loss of control in flight, precipitated by a confusing technical distraction. To attribute the crashes mainly to pilot incompetence is a dangerous departure from the fact that something technical went very wrong, and that pilot training everywhere – including in the USA – for an MCAS malfunction has since been found in the investigations to have been inadequate. The ongoing review of Boeing’s “fix” for the MCAS is not merely a matter of hardware and software redesign; it entails a review of how Max pilots must be trained for the redesigned system before the aircraft can be cleared once again for commercial operation.

The US National Transportation Safety Board (NTSB) is urging the FAA to review pilot-related assumptions that Boeing and other manufacturers use when designing aircraft. In September, the NTSB issued a report recommending a review not only of aspects of the 737 Max’s certification, but also those of all commercial transport aircraft, urging the FAA to develop broad standards to make cockpit alerts clearer and to help pilots prioritise cockpit warnings. The report says: “We are concerned that the process used to evaluate the original design needs improvement because that [old] process is still in use to certify current and future aircraft and system designs.”

There is an implication throughout the reports that reviews of assumed pilot reaction to failures must be conducted from time to time because, in a digital age, new young pilots will have been educated differently, so their knowledge, understanding and reactions may be different from those of their forebears. Even the aircraft they first learn to fly on will have digital instrumentation and aircraft management tools, so they are less likely to have had the same exposure to “raw” flying – and the practical human-factor consequences of this inevitable change must be studied by the manufacturers and regulators.

EXTERNAL INPUT

Apart from internal reviews of their respective organisations and corporate culture conducted by the FAA and Boeing in the light of the Max accidents, the FAA also commissioned an independent inquiry by a group of regulators from 10 countries. This group, the Joint Authorities Technical Review (JATR), was tasked with reviewing the process of certification, design and development in this age of integrated systems and the effect of design changes on human factors.

Specifically relating to the design of the MCAS, the JATR had this to say: “The design process was not sufficient to identify all the potential MCAS hazards. As part of the single-channel speed trim system, the MCAS function did not include fault tolerant features, such as sensors voting or limits of authority, to limit failure effects consistent with the hazard classification.” It added: “The use of pilot action as a primary mitigation means for MCAS hazards, before considering eliminating such hazards or providing design features or warnings to mitigate them, is not in accordance with Boeing’s process instructions for safe design in the conception of MCAS for the 737 Max.”

On flight-control system design process, the JATR provided the FAA and Boeing with this general advice, tailored for the arrival of the age of integrated systems: “Aircraft functions should be assessed, not in an incremental and fragmented manner, but holistically at the aircraft level. System function and performance, including the effects of failures, should be demonstrated and associated assumptions should be challenged to ensure robust designs are realised. The safety analysis process should be integrated with the aircraft development assurance process to ensure all safety requirements and associated assumptions are correct, complete, and verified.”

The implication is that present systems, inherited from a compliance culture where components were tested individually to prescribed standards, are no longer suitable for today’s certification challenges.

Finally, the Indonesian report on the Lion Air crash argues exhaustively that aircraft must be designed for ordinary crews, not for Boeing or Airbus test pilots. This is not a new argument, but a re-statement of it appears to be needed. Hopefully better type rating and recurrent training would also be an outcome of this soul searching.

NOTABLE EVENTS

Meanwhile, in the USA, an Amazon Prime Air 767 freighter crashed out of control during what began as a normal descent to its destination at Houston. Initial investigations by the NTSB suggest that a possible contributory factor may be pilot disorientation caused by a sudden linear acceleration in flight (see accident listing, P32). Like the two Max crashes, in this case the aircraft also ended up in a high-speed dive, but the reasons for that terminal flight profile look as if they will be found to be very different when the inquiry is complete.

Another notable, but completely different, accident was the Aeroflot Sukhoi Superjet that was hit powerfully by lightning, causing multiple systems to fail. Detail on the failures is still incomplete. The aircraft returned to land at Moscow Sheremetyevo airport, but the crew’s already high workload was compounded by a strong and gusting crosswind, and a very heavy landing and high bounce caused structural failure leading to a fire (see P30).

In 2019, however, dominating every other consideration were the 737 Max accidents and the lessons they confer. As a result, over the next few years, aircraft certification processes will almost certainly be overhauled to make them suitable for monitoring the use of 2020s technology, and delivering to the flightcrew equipment that they can work with.
