After two fatal crashes and a grounding, extensive remedial work should fix the 737 Max; now Boeing must also rethink the basic design philosophy underpinning its future aircraft

Recent statements by Boeing’s new chief executive, David Calhoun, make it clear that the company is preparing to change the way it designs its aircraft for pilots.

Since the early days of commercial aviation, manufacturers had inevitably provided imperfect aircraft to the airlines, and their imperfect pilots had to learn to manage their shortcomings. Travellers assumed aviation was a relatively risky business, so the occasional accident – even a fatal one – was seen as just one of those things. Mechanical failures were common, and from time to time failure by the pilots to cope with the mishap was inevitable.

737 Max cockpit

Source: AirTeamImages

Instrumentation has grown more complex over the past 40 years, with greater automation

This has not been so for about 30 years. Passengers have become accustomed to the hugely improved reliability and higher safety standards that modern engineering and smart aircraft systems have provided.

So when – last year – the second of two fatal crashes within five months involved Boeing’s latest product, the 737 Max 8, it caused considerable shock. As facts gradually emerged from the investigations, regulators at national aviation authorities (NAAs) all over the world deliberated about how to react. Gradually, a consensus developed that a change in the approach to airworthiness certification is overdue.

Calhoun has clearly thought deeply about the implications for the future. This is what he said about the design philosophy his company must adopt for its next all-new product: “We might have to start with the flight-control philosophy before we actually get to the airplane. We have always favoured airplanes that required more pilot flying than maybe our competitor did. We are all going to have to get our heads around exactly what we want.”

Calhoun says Boeing needs a change in company culture: “It will be built around the level of light we shed on safety processes. It will be built on the engineering disciplines and what we do for pilots around the world, not just pilots in the USA.” He explains why this is necessary: “Things have changed a bit. The competitive playing field is a bit different. We have to plan for China… We are going to start with a clean sheet of paper again.”

In summary, the regulators believe that long-established assumptions about pilot reactions to failures might no longer be valid in the modern aviation environment. The fundamental question that arises is this: what can reasonably be expected of pilots when something goes wrong with the complex integrated systems in today’s aircraft?

Source: Mulugeta Ayene, AP, Shutterstock

Wreckage from the crash of Ethiopian Airlines flight 302, a Boeing 737 Max 8 that slammed into the ground after takeoff from Addis Ababa on 10 March 2019, killing all 157 people aboard.

In both accidents – the Lion Air and the Ethiopian Airlines losses – there were remedies the pilots could have deployed to prevent the crashes. On the other hand, critical failures of angle-of-attack (AoA) sensors in both cases had triggered very confusing aircraft behaviour for which the pilots had been ill prepared by their training and by Boeing’s aircraft manual. This is where the consensus question arises in the case of the two Max crashes: was it reasonable to have assumed that, in the short time available, given the aircraft’s low height in both cases, the pilots would definitely have been able to cope with the stabiliser trim movement that the AoA sensor failure triggered – and kept triggering?

Calhoun accepts that a flaw in the Max’s flight-control system had proved disastrous, but claims the design did not result from a decision to put cost factors ahead of safety. The flaws, he says, came from long-standing assumptions about how pilots would react to a failure. Boeing designers had assumed they would get the measure of it within 3s, and act in mitigation.

A great deal has changed on flightdecks in the past 40 years. The advent of the digital flightdeck in the early 1980s gradually – over the subsequent four decades – brought ever-higher levels of automation, greater systems integration, more information for the pilots on their electronic flight instrument systems, more flight mode options for the flight management system/autopilot, and generally greater complexity. In the transitional 1980s the most commonly voiced exclamation on the flightdeck became “What’s it doing now?”

Throughout this period – indeed, before it – the 737 series was doggedly present, its flightdeck gradually developing through four iterations of the aircraft from an analogue/electric interface to digital/electronic by the time the highly electronic Max entered service in 2017.

Meanwhile, the pilot supply had been changing, too. Gone was the military as the primary source of aviation training; it has been replaced by a massive worldwide industry of commercial training providers. This industry has been primed to supply licensed pilots at the lowest possible price to an airline industry looking for the lowest possible pilot induction cost, followed by the lowest possible recurrent training cost.

Of course, the airlines also want the highest possible pilot quality, but given the economic imperatives under which the training industry operates, it is reasonable to wonder how many of the graduate pilots could possibly achieve that level. Ryanair’s former head of training, Captain Andy O’Shea, has famously said that more than half of them have not reached an adequate standard, despite being awarded licences.

During its investigation of the 737 Max since the grounding, the US Federal Aviation Administration (FAA) set up the multinational Joint Authorities Technical Review (JATR) team as an independent group to look at the big picture. One of its most profound – but simple – statements is that systems design “must not rely on pilot action as a primary means of risk mitigation”. Also, says the JATR, assumptions about pilot reaction to system failures need to be reviewed in the light of the complexity of aircraft systems and a new generation of pilots trained in different ways.

JATR head Christopher Hart told the FAA: “As aircraft systems become more complex, ensuring that the certification process adequately addresses potential operational and safety ramifications for the entire aircraft that may be caused by the failure – or inappropriate operation – of any system on the aircraft, becomes not only far more important, but also far more difficult.”

FAA administrator Steve Dickson concurs: “The lessons learned will ideally lead to a more holistic, rather than transactional item-by-item approach to aircraft certification – not only in the US, but around the world, where we will more effectively integrate human considerations throughout the design process as aircraft become more automated and systems more complex.”

Meanwhile, in a recommendation related to the introduction of the Max that may sound the death knell for “grandfather rights”, the JATR says: “The FAA should be provided [by the manufacturer] all system differences between related aircraft in order to adequately evaluate operational impact, systems integration and human performance.”

Summing up the need for change in design for the man/machine interface – or, to be more precise, the need to design a workable relationship between a pilot and what is effectively a network of integrated systems – Hart continues: “Other specific [JATR] recommendations relate to revisiting the FAA’s standards regarding the time needed by pilots to identify and respond to problems that arise. Although existing standards have served the industry well for decades, the JATR members recommend an examination of whether those standards are as appropriate for the complex integrated systems in today’s airplanes.”

For clarity, Hart adds: “For example, when the failure or inappropriate operation of a system results in cascading failures and multiple alarms, query how adequately the certification process considers the impact of multiple alarms, along with possible startle effect, on the ability of pilots to respond appropriately. Inherent in this issue is the adequacy of training to help pilots be able to respond effectively to failures that they may never have encountered before, not even in training.”

The return of the Max to service is not only about the approval of new software and systems redesign; it is equally dependent on the FAA and other NAAs agreeing an approved training regime to qualify pilots on the modified Max. The airlines would each also have to satisfy the regulators that they have prepared appropriate training arrangements. This would obviously entail a complete type rating course for those not rated on earlier 737 marques, and a differences course for those who are. It has already been agreed that the latter will entail time in a capable flight simulation training device.

The importance of pilot preparation has been heightened by revelations in internal emails within Boeing that Indonesia made it clear in June 2017 that it wanted Max simulator time for its carriers’ pilots. Boeing, however, talked it around, persuading airlines that computer-based training was sufficient. The manufacturer is not arguing this time.

There is very little doubt that a programme to return the Max to service will begin sometime in summer, and it will be successful. But this episode means Boeing will never think the same way again about the relationship between its increasingly sophisticated aircraft and their pilots.

Meanwhile, thousands of the world’s faithful Boeing pilots are wondering whether the company is finally heading for sidesticks and more complete flight envelope protection. But the good news is that absolutely no-one is talking about the elimination of pilots from the equation.