One crucial consequence of the Boeing 737 Max scrutiny is that development and certification work for the 737-10 will differ substantially from that of the earlier Max variants.
Extensive analysis by the US FAA and European Union Aviation Safety Agency following the Max grounding two years ago has led not only to modifications on the current 737-8 and -9 but new requirements to be introduced with the -10.
These will include an angle-of-attack ‘integrity enhancement’ to be developed and certified for the new, larger variant.
Boeing has already developed new crew procedures and modifications for the Max – newly approved by the FAA and EASA – to address disproportionate and confusing effects in the cockpit from a single angle-of-attack sensor failure.
While EASA says these changes restore the effect of sensor failure to an “acceptably safe level”, it states that the integrity enhancement will further reduce crew workload in such a scenario.
Boeing proposed a change to be developed within two years, covering four main areas: increased angle-of-attack system integrity plus detection of most failure conditions, reduction of cockpit effects, simplification of air-data fault diagnosis, and means for the crew to select reliable air data.
EASA says it asked Boeing to consider installation of a third angle-of-attack sensor, but the US airframer opted against it after evaluation the feasibility.
“Due to the legacy independent federated system architecture of the Boeing 737, the installation of an additional angle-of-attack sensor would require a significant engineering effort,” says EASA.
“At the same time, Boeing demonstrated the soundness and appropriateness of the proposed design for enhanced angle-of-attack integrity.”
This design included a combination of enhanced angle-of-attack monitors and addition of a manual switch to select the air data source.
EASA says it acknowledged there was “no formal requirement” for a third sensor in order to achieve an acceptable level of safety, and says the revised design is “more robust” despite having only two sensors – although it also acknowledges that a certain amount of functionality from the speed-trim system might be lost.
The modifications will be implemented in the 737-10 from the start of production and retrofitted to the other in-service Max variants.
Analysis of angle-of-attack sensor failure was expanded to other air-data failure scenarios through a review of a Boeing process developed to assess cascading problems.
EASA says pilot evaluation of these scenarios, using an engineering simulator, turned up “discrepancies” between the results obtained by EASA and those to be expected, according to Boeing technical documentation. EASA adds that it identified a “significant lack of consideration” of human factors elements in the Boeing process.
Although EASA concedes that these evaluations “did not identify an unsafe condition”, it has agreed improvements to the Boeing single- and multiple-failure assessment process which will be reviewed in the context of validating the 737-10.
EASA executive director Patrick Ky highlighted to the European Parliament on 25 January, two days before the 737 Max approval, that changed-product rules needed to be reviewed to ensure the authority was not granting certification to “something no longer state-of-the-art”.
He noted that the 737’s crew alerting system “needs to improve” but cautioned that a “step-by-step approach” was necessary in order not to introduce changes which would, in turn, create additional risks.
EASA says the crew alerting system essentially dates back to the 737’s origins, based on independent and simple annunciations, and has been allowed to remain this way through the changed-product rules – whereas it might otherwise have been updated to a modern centralised design.
The work to recertify the Max, it says, has highlighted “several weaknesses” in the crew alerting system and mitigated them by introducing new procedures to provide a “more structured” method for the pilots to interact with it.
But as part of the post-recertification activity for the Max, a human factors evaluation of the crew alerting system will be conducted within 12 months of the aircraft’s return to service, in collaboration with Boeing and the FAA.
EASA says this activity will also involve monitoring and assessing performance of the crew alerting system with regard to the risks of pilot errors or excessive workload, using a safety-management system approach.
Its technical investigation during the Max recertification has revealed “several systemic issues” in Boeing’s aircraft design processes – which, says EASA, show that the methodological concerns surrounding the development of the controversial MCAS stabiliser-control system were “not an isolated case”.
The result has been a refreshment of Boeing’s safety-assessment and development-assurance processes which will be applied for the 737-10.
Application of EASA’s strategy including reviews beyond a focus on MCAS, says the authority, will not only allow the safe return to service of the 737 Max but also support the aircraft family’s development in the longer term through a series of design and process improvements.
Boeing is developing not only the 737-10 but also the 737-7 and the high-density 737-8200 variants of the Max family.