During the original design and certification of Boeing’s 737 MAX, company engineers didn’t notice that the electrical wiring doesn’t meet federal aviation regulations for safe wire separation. And the Federal Aviation Administration (FAA) failed to detect Boeing’s miss.
The wiring vulnerability creates the theoretical potential for an electrical short to move the jet’s horizontal tail uncommanded by the pilot, which could be catastrophic. If that were to happen, it could lead to a flight control emergency similar to the one that brought down two MAX jets, causing 346 deaths and the grounding of the aircraft.
Because this danger is extremely remote, the FAA faces a dilemma over what to do about it. The issue has complicated the return of the MAX to service after a grounding that is edging close to one year.
Modifying the wiring would be a delicate and expensive task, and Boeing this week submitted a proposal to the FAA, arguing that it shouldn’t be required.
Yet allowing the wiring to remain as is will be difficult at a time when both Boeing and the FAA are under tremendous scrutiny.
Boeing’s argument rests on the long service history of the earlier model 737, which has the same wiring. That earlier 737 NG model didn’t have to meet the current wiring-separation standards because they came into force long after that jet was certified.
“There are 205 million flight hours in the 737 fleet with this wiring type,” a Boeing official said. “There have been 16 failures in service, none of which were applicable to this scenario. We’ve had no hot shorts.”
In addition, Boeing says pulling out and rerouting wires on the almost 800 MAXs already built would pose a potentially higher risk of causing an electrical short, because insulation could chafe or crack in the process of moving the wires.
However, an FAA safety engineer familiar with the issue, who asked not to be identified because he spoke without agency permission, said agency technical staff have been clear that the wiring doesn’t comply with regulations and have told their Boeing counterparts it has to be fixed.
A second person familiar with the FAA’s thinking said the agency has communicated to Boeing that despite the safe service history of the wiring on other 737s, it will be difficult to convince regulators that they should do nothing.
“Our people have to weigh that against the regulations and the political and public opinion risk of appearing to give Boeing a break on a regulation that’s there for a reason,” the second person said.
Furthermore, there’s also pressure from foreign regulators, including the European Union Aviation Safety Agency (EASA).
“It’s probably true that if Boeing proposes to do nothing, EASA is going to say, ‘Hell, no,'” the second person said.
Jeff Guzzetti, a former accident investigator with both the FAA and the National Transportation Safety Board (NTSB), and now an air-safety consultant, said the federal agency’s decision “will be influenced by the white-hot spotlight the FAA is under” because of the MAX crashes.
Whatever decision it ultimately makes, he said, “The FAA better have a strong case.”
On Friday, the FAA issued an official statement hinting that Boeing may be forced to comply with the wiring regulation.
“We will rigorously evaluate Boeing’s proposal to address a recently discovered wiring issue with the 737 MAX,” the FAA said. “The manufacturer must demonstrate compliance with all certification standards.”
Boeing spokesman Gordon Johndroe said that the entire range of possible options — from doing nothing to moving the wires — was considered and built into Boeing’s schedule adjustment last month.
Johndroe said that whatever decision the FAA makes “will not change the company’s estimate for the MAX returning to service by the middle of the year.”
A remote possibility
Boeing discovered the wiring vulnerabilities and informed the FAA of the problem when, after the crashes, it undertook a complete redo of its system safety analysis on the MAX, a painstaking look at all the possible system and equipment failures and the impact of each.
It was forced to do the new analysis when it realized the MAX’s original certification analysis included assumptions about pilot reaction times that didn’t match the reality of the responses during the two MAX crashes.
It’s unclear how during the design of the MAX Boeing missed the fact that the wiring didn’t meet the regulation governing separation of wires to prevent shorts.
The regulation was introduced in 2009 following study of two fatal crashes: TWA 800 in 1996, in which an electrical short is believed to have caused a spark in the fuel tank and an explosion; and Swissair 111 in 1998, when an electrical short caused a fire in the cockpit.
The FAA safety engineer said Boeing identified about a dozen positions in the 737 wiring, including one toward the jet’s tail and the rest in the electronics bay under the forward fuselage, where “significant runs of wire” failed to meet the new separation standard. The wire lengths involved were as long as 16 feet, he said.
In one instance, engineers found a hot power wire that was too close to two command wires running to the jet’s moveable horizontal tail, or stabilizer, one for commanding the tail to swivel to move the jet nose-up, the other to move it nose-down. The danger is a short that causes arcing of electricity from the hot wire to the command wire.
“If a hot short occurs between the power wire and either the up or down command wire, the stabilizer can go to the full nose-up or nose-down position,” the engineer said.
Furthermore, the electrical power in that wire could circumvent the cutoff switches in the cockpit that, in the event of such a stabilizer runaway, are used to kill electrical power to the tail. Theoretically, the pilots could be unable to shut it off.
This is unrelated to the flight control system — the Maneuvering Characteristics Augmentation System (MCAS) — that repeatedly forced down the noses of the two MAXs that crashed. However, the similarity in the potential outcome is enough to raise alarm.
The engineer described this as “a semi-remote possibility.” Boeing’s position, based on the 205 million safe flight hours on the earlier 737 where this has never happened, is that this is extremely remote.
However, the danger is scientifically established.
Michael Traskos, chairman of the industry’s wiring and cable standards committee and president of Lectromec, a Virginia-based laboratory and engineering firm specializing in wire-system component testing and consulting, said that his team did testing for NASA in 2005 and 2006, not specific to a particular airplane, “that demonstrated potential uncommanded activation in the event of arcing.”
How the FAA handles a noncompliance
Discovering that an airplane doesn’t meet all the safety regulations is not rare, and if it wasn’t for the MAX crisis it’s highly unlikely this wiring issue would have risen to attention.
In 2015, Douglas Anderson, the FAA’s deputy counsel in the Seattle-area regional office, wrote a critical internal white paper — “Achieving Compliance with Airworthiness Standards”— arguing that the agency in effect encourages manufacturers to be loose about complying with all the safety regulations because it doesn’t slap them hard when it’s discovered after a plane is certified that the design does not comply.
He noted that if there is a clear safety of flight issue, the FAA will issue an airworthiness directive requiring that the problem be fixed within a set timeframe. But absent that order, it’s left to the manufacturer to decide what to do.
Unless there is some clear flight-safety issue, he wrote, jet manufacturers “usually have no obligation to correct noncompliances, and it’s faster and cheaper to develop designs if compliance is not a priority.”
“There is rarely any significant consequence” for the airplane manufacturer, who is “free to correct the noncompliance at its convenience without threatening delivery schedules.”
He noted that 2011, a year when Boeing certified two new airplanes, saw a spike in discoveries of designs failing to comply with requirements, with 98 non-compliances found in the 787 Dreamliner and 24 non-compliances in the 747-8 jumbo jet.
“Fully compliant and substantiated designs require more time and resources,” Anderson wrote.
Anderson recommended manufacturers be held to account and forced to make fixes, the expense of which would deter coming out with non-compliant designs.
During certification of the MAX, Boeing persuaded the FAA to exempt it from meeting certain regulations, arguing that the plane was a derivative of a much earlier design and that the cost of upgrading to meet the latest regulations would outweigh the safety benefit.
For instance, during the original MAX certification, the FAA allowed Boeing not to further separate the cables to the rudder in the tail to ensure redundancy and not to meet the latest requirements for crew alerting systems.
If Boeing back in 2017 had asked the FAA for a pass on this wiring separation requirement, on the basis of the safe flight history of the earlier model, it would almost certainly have been granted more readily than the rudder cable exception.
Assessing the risk
But Boeing didn’t ask for it then, because somehow it missed the problem entirely.
Guzzetti, the safety investigator, said that although the system safety analysis was delegated to Boeing, this reveals a failure too in FAA oversight.
“How did it go undetected?” he asked. “Delegation doesn’t give the FAA a complete pass.”
Traskos, the wiring standards expert, said that leaving aside the current pressures on the FAA and Boeing, the decision on what to do now should “come down to identifying the level of risk.”
“If they identify that the failure severity is not that great, not catastrophic, and the failure probability is low, they could potentially justify maintaining the system as is,” he said. “I believe that’s something both sides would agree to.”
The FAA safety engineer said the agency will have to perform a formal risk analysis called a TARAM — a Transport Airplane Risk Assessment Methodology — to determine what type of fix is required and how soon.
Since the wiring is the same on the earlier 737 NG model, the question arises whether any wiring modification might also be needed on those aircraft, of which there are more than 6,000 flying worldwide.
However, the second person familiar with the FAA’s thinking said a TARAM is unlikely to recommend any change to the wiring on the NG. He said the risk of breaking apart wiring on thousands of much older airplanes would almost certainly be greater than the risk from leaving the wiring as is.
“You run a greater risk of introducing a short on older airplanes by going in and messing with it,” he said. “We even have people within the FAA concerned about breaking apart the wiring on the new MAXs.”
Guzzetti said discovering the wiring vulnerability so late and after two crashes makes it a harder call than if Boeing had asked for an exception during the jet’s original certification.
“They realize only now they have a problem with the wiring and they want forgiveness,” Guzzetti said. “It’s going to have to be well-documented and justified.”
———
©2020 The Seattle Times
Visit The Seattle Times at www.seattletimes.com
Distributed by Tribune Content Agency, LLC.
