Driven by his faith and remorse, FAA safety engineer Joe Jacobsen is going public with his concerns about the FAA’s certification of Boeing’s 737 MAX.
Haunted by the two deadly crashes of Boeing 737 MAX jets and his agency’s role in approving the plane, veteran Federal Aviation Administration (FAA) safety engineer Joe Jacobsen is stepping forward publicly to give the victims’ families “a firsthand account of what the truth is.”
In a detailed letter sent last month to a family that lost their daughter in the second MAX crash in Ethiopia two years ago this week, and in interviews with The Seattle Times, Jacobsen gave the first personal account by an insider of the federal safety agency’s response to the MAX crashes.
Jacobsen should have been among the FAA specialists who reviewed the MAX’s critical new flight control software during its original certification, which was largely controlled by Boeing. He’s confident that he and other FAA engineers would have flagged its serious design flaws. He got the chance to do so only after the first crash in Indonesia, in late 2018.
He believes additional system upgrades are needed beyond Boeing’s fix for the MAX that was blessed by the FAA and other regulators.
And Jacobsen argues that the plane would be safer if Boeing simply removed altogether the new software — the Maneuvering Characteristics Augmentation System (MCAS) — that went wrong in the two crashes that killed 346 people.
Jacobsen also calls for the replacement of some of the people at “the highest levels of FAA management,” whom he blames for creating a culture too concerned with fulfilling the demands of industry.
In his letter and interview, Jacobsen also described in more depth than previously reported how an autothrottle system issue may have contributed to the crash in Ethiopia in March 2019.
Boeing and the FAA said in separate statements they believe the MAX is fixed and safe, and that regulators worldwide have validated this conclusion.
Jacobsen is a 59-year-old top safety specialist at the FAA, who’d previously spent more than a decade at Boeing.
In the months after the second crash, Jacobsen laid out his concerns to his FAA managers and to the Department of Transportation inspector general’s office. He also communicated them to the House and Senate committees that subsequently issued scathing investigative reports and wrote the FAA reform legislation passed in December.
This year, fired up by a newly intense commitment to Christianity, regretful that he wasn’t more assertive internally before the second crash, and moved by the anger and frustration of the families of those who died, Jacobsen decided that wasn’t enough.
Ahead of his planned retirement from the FAA at the end of this month, he recounted his MAX experience in a Feb. 8 letter to the parents of Samya Rose Stumo, a 24-year-old American who died on Ethiopian Airlines flight ET302.
“I felt a strong conviction that I should help with healing the families of the 737 Max crashes,” he wrote.
Aside from officials defending the agency, Jacobsen is the first current FAA employee to speak out about what went wrong in the MAX’s certification. Now sharing his concerns with the press for the first time, he’s risking his post-FAA employment prospects.
An insider perspective on MAX certification
Jacobsen, the local FAA office’s most experienced engineer in aircraft handling and performance, would have been deeply involved in assessing MCAS had Boeing properly identified it to the FAA as a new and critical system.
That designation would have spurred the writing of an “issue paper” to evaluate and explain the details for regulators around the world.
A week after the Lion Air crash on Oct. 29, 2018, Jacobsen received an email from a colleague asking if there was an issue paper on MCAS.
“This was the first day that I heard about MCAS,” he wrote. “We had no issue papers, and if we had, I would have been the engineer responsible for providing technical content and comment on such an issue paper.”
When he did get a look at the system, Jacobsen said he was “shocked to discover that the airplane was purposely designed and certified to use just one AOA (Angle of Attack) input for a flight critical function.”
If given the chance during the original certification, he’s certain that he and “6 to 8 of our most experienced engineers in the Seattle office” would have identified that as a serious design flaw because there’s “a long history of AOA sensor failures.”
Instead, Boeing minimized MCAS and kept the details of its assessment to itself.
“If we emphasize MCAS is a new function there may be a greater certification and training impact,” read the minutes of a June 2013 Boeing meeting documented in a U.S. House investigation.
And so, Jacobsen wrote, “none of us were briefed on the original design and most aspects were delegated to just a small number of Boeing … engineers for approval.”
Yet Boeing itself didn’t grasp the danger of the system.
Michael Teal, 737 MAX chief engineer, testified to Congress that he first learned only after the Lion Air crash that MCAS relied on a single sensor.
The autothrottle problem
The instructions Boeing and the FAA gave pilots immediately after the first crash — instructions the Ethiopian pilots tried to follow — have been heavily criticized.
Boeing’s procedure failed to emphasize that pilots need to bring the nose of the jet back up electrically before hitting the cutoff switches to stop MCAS acting.
Jacobsen’s letter adds something new about the inadequacy of those instructions: There was no mention of an issue with the autothrottle — the automated system controlling the thrust of the engines — that added to the jet’s excessive speed and made it impossible to manually bring the jet’s nose up.
According to the interim investigation report released a year ago, the faulty Angle of Attack sensor on Flight ET302, even before it triggered MCAS to push the plane’s nose down, interfered with other sensor readings of altitude and airspeed.
Registering the plane as still below 800 feet above the ground even after it passed that threshold, the jet’s computer had the autothrottle maintain full takeoff thrust for 16 seconds after it should have reduced the power for the climb phase.
More significantly, seconds later the pilots set the jet’s speed target at 238 knots, but the autothrottle didn’t follow through.
Again because of the faulty sensor on the left, the flight computer detected the discrepancy between the left and right airspeed values and flagged the data as invalid. Unable to validate the aircraft’s speed, the computer stopped sending thrust instructions to the autothrottle.
As a result, the engines remained at maximum thrust for the rest of the fatal flight.
The plane eventually exceeded the 737’s maximum design speed of 340 knots. This so increased the forces on the jet’s tail that the pilots couldn’t budge it manually.
Some pilots faulted the Ethiopian crew for allowing the plane to gather so much speed.
Jacobsen recalls how he was angered listening to Rep. Sam Graves, R-Missouri, say during a May 2019 House hearing that U.S.-trained pilots would have been able to handle the emergency.
The Ethiopian crew indeed should have throttled back the engines manually. But apparently they were confused by the cacophony of alerts going off. Those alerts did not include any autothrottle warning to indicate it had stopped responding to their speed setting.
Boeing has said that for this kind of emergency it relies on pilots to execute a standard checklist from memory that includes an instruction to disengage the autothrottle.
The FAA, in a statement, said this checklist tells pilots “to turn off all automatic systems, including autopilot and auto-throttle.”
The ET302 pilots, however, jumped immediately to the step in the checklist that Boeing emphasized in its bulletin after the Lion Air crash: hitting the cutoff switches to stop MCAS from pushing the jet’s nose down. In their rush to do that, they didn’t first bring the nose back up with the electrical switches and didn’t disengage the autothrottle.
And Jacobsen points out that the FAA’s emergency directive after the Lion Air crash lists the procedure pilots should follow — but omits the instruction on the autothrottle and fails to mention that it could malfunction.
“I think it was just a miss,” said Jacobsen. “I don’t think anyone recognized the Angle of Attack malfunction would also mess with the autothrottle.”
In an interview, Capt. John Cox, a veteran pilot and founder of Washington, D.C.-based aviation safety consultancy Safety Operating Systems, called this autothrottle behavior on ET 302 a “hard-to-detect failure.”
“To fail this way and not tell the crew, that bothers me. Humans are not good at picking up omissions,” Cox said. “It’s a significant miss.”
Capt. Chesley “Sully” Sullenberger, the celebrated pilot from the 2009 “Miracle on the Hudson” emergency, agreed that Boeing and the FAA provided pilots inadequate information after the Lion Air crash, including a lack of warning about the autothrottle issue.
The ET302 crew “did take affirmative action to set a reasonable speed, but the system failed to command that speed and didn’t tell them,” Sullenberger said.
In his letter, Jacobsen recommends that Boeing upgrade the MAX’s autothrottle logic to either disconnect or give the pilots a warning when the computer registers invalid data.
In the upgrade to the MAX that allowed it to return to service, the FAA did not require any such change but did add an explicit instruction that pilots in this kind of emergency should “disengage the autothrottle.”
Inspired, remorseful
Jacobsen grew up in the Olympia area and earned his aerospace engineering degree at the University of Washington.
He worked at Boeing for 11 years as an aerodynamicist, first on the 767 and then on the highly successful 777 program.
He began thinking about a change after the 777 entered service and “the bean counters decided we’d spent too much money on it.” He left for the FAA, which offered him the same salary for a 40-hour week without the extra overtime he’d worked at Boeing.
His decision to come forward now at the end of a 36-year career as an aerospace engineer followed a deepening of his Christian faith. A year ago, he began a practice of fasting and praying for several hours every Friday.
In his Bible reading he was struck by Isaiah 57, in which a wrathful God denounces those who prosper while “the righteous perish,” and is “enraged by their sinful greed.”
This “drew my thoughts to Boeing leadership culture,” Jacobsen wrote in his letter to the Stumo family.
He’s also driven by remorse.
Despite his expertise, immediately after the first crash Jacobsen was not assigned to work on the MCAS design fix. Managers assigned the engineers who had worked on the original certification.
With hindsight, Jacobsen regrets not pushing harder to be part of that: “I should have jumped in. I should have been more assertive.”
He describes the FAA as an organization with a militaristic chain of command, in which lower-level employees can offer opinions when asked but otherwise must “sit down and shut up.”
“I wish I hadn’t,” Jacobsen said.
After the second crash, though still not officially assigned to work on the MAX fix, he attended meetings anyway and offered his expertise. At one point, an FAA program manager asked him why he was in the meetings.
“Because I’m pissed,” he says he replied.
Recommendations for action
In a statement, Boeing said it “has implemented changes that ensure accidents like these will never happen again, and these changes have been validated by numerous regulatory agencies.”
Jacobsen’s letter lists additional steps he believes are still needed.
He calls on Boeing to acknowledge the original design flaw in the MAX and the inadequacy of its interim pilot procedures following the Lion Air accident.
He writes that while the FAA reform legislation passed in December is a good start, the “FAA leadership seems to be denying any wrongdoing.” To recover the agency’s safety culture, he says FAA leaders at high levels who for years have pushed for more delegation of oversight to industry should be cleaned out.
Most controversially, he says that although he worked on the fix for MCAS and saw that it was very thoroughly tested, he believes the MAX would be safer if MCAS were simply removed.
MCAS was added because, to meet FAA regulations, the plane has to handle very smoothly in certain extreme maneuvers. Without it, a pilot can still perform the maneuver but feels some slackness in the control column pulling through it.
Since the FAA acknowledges that the 737 MAX “is stable both with and without MCAS operating,” Jacobsen thinks it should grant an exemption to the certification requirements that make MCAS necessary.
He said this opinion is shared by some front-line engineers at the FAA and also at the air safety regulators in both Europe and Canada.
When the FAA returned the MAX to service, it ruled in response to a similar suggestion from several commenters that it “does not have a factual basis to mandate removing MCAS.”
In a statement, the FAA said it “is committed to continually improving its safety processes, and recognizes that the ability of employees to freely report concerns without fear of punishment is critical to this success.”
After retiring from the FAA, Jacobsen hopes to work part-time.
Someone with his credentials would typically find lots of lucrative freelance work at smaller aerospace companies who need help navigating the maze of FAA regulatory compliance to certify their products.
Now, he may struggle to get such gigs if he’s perceived as an antagonist of the agency.
“I recognize this could cost me future employment opportunities,” Jacobsen said. “But I feel like my allegiance right now is to these families.”
No comments:
Post a Comment