March 12, 2019

Boeing, The FAA, And Why Two 737 MAX Planes Crashed

On Sunday an Ethiopian Airlines flight crashed, killing all on board. Five months earlier an Indonesian Lion Air jet crashed near Jakarta. All crew and passengers died. Both airplanes were Boeing 737-8 MAX. Both incidents happened shortly after takeoff.

Boeing 737 MAX aircraft are now grounded almost everywhere except in the United States. That this move comes only now is sad. After the first crash it was already obvious that the plane is not safe to fly.

The Boeing 737 and the Airbus 320 types are single aisle planes with some 150 seats. Both are bread and butter planes sold by the hundreds at a good profit. In 2010 Airbus decided to offer its A-320 with a New Engine Option (NEO) which uses less fuel. To counter the Airbus move Boeing had to follow up. The 737 would also get new engines for a more efficient flight and longer range. The new engines on the 737 MAX are bigger and needed to be placed a bit differently than on the older version. That in turn changed the flight characteristics of the plane by giving it a nose up attitude.

The new flight characteristics of the 737 MAX would have required retraining of the pilots. But Boeing's marketing people had told their customers all along that the 737 MAX would not require extensive new training. Instead of expensive simulator training for the new type, experienced 737 pilots would only have to read some documentation about the changes between the old and the new versions.

To make that viable Boeing's engineers had to use a little trick. They added a 'maneuver characteristics augmentation system' (MCAS) that pitches the nose of the plane down if a sensor detects an angle of attack (AoA) that is too high and might lead to a stall. That made the flight characteristics of the new 737 version similar to those of the old one.

But the engineers screwed up.

The 737 MAX has two flight control computers. Each is connected to only one of the two angle of attack sensors. During a flight only one of the two computers runs the MCAS control. If it detects an angle of attack that is too high, it trims the horizontal stabilizer down for some 10 seconds. It then waits for 5 seconds and reads the sensor again. If the sensor continues to show an angle of attack that is too high, it again trims the stabilizer to pitch the plane's nose down.

MCAS is independent of the autopilot. It is even active in manual flight. There is a procedure to deactivate it, but it takes some time.

One of the angle of attack sensors on the Indonesian flight was faulty. Unfortunately it was the one connected to the computer that ran the MCAS on that flight. Shortly after takeoff the sensor signaled an angle of attack that was too high even though the plane was flying in a normal climb. The MCAS engaged and put the plane's nose down. The pilots reacted by disabling the autopilot and pulling the control stick back. The MCAS engaged again, pitching the plane further down. The pilots again pulled the stick. This happened some 12 times in a row before the plane crashed into the sea.
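The activation loop and the faulty-sensor case described above can be modeled in a few lines. This is an added sketch, not Boeing's code: the AoA threshold, trim rate, disagreement tolerance, the 180-second window and the cross-checked variant are all assumptions made for illustration, and pilot counter-inputs are not modeled.

```python
# Added illustration of the loop described in the text. Not Boeing's code.
AOA_LIMIT_DEG = 14.0       # assumed "too high" angle of attack
TRIM_SECONDS = 10          # from the text: trims for some 10 seconds
WAIT_SECONDS = 5           # from the text: then waits 5 seconds
TRIM_PER_SECOND = 0.25     # assumed nose-down trim units per second
DISAGREE_LIMIT_DEG = 5.0   # assumed tolerance for the hypothetical cross-check


def simulate(active_aoa, other_aoa, seconds, cross_check):
    """Step the loop for `seconds`; return (activations, nose_down_trim, inhibited).

    active_aoa / other_aoa are functions t -> degrees for the two sensors.
    cross_check=False is the single-sensor design: other_aoa is never read.
    cross_check=True is a hypothetical variant that stops commanding trim as
    soon as the two sensors disagree. Pilot counter-trim is not modeled.
    """
    t, activations, trim = 0, 0, 0.0
    while t < seconds:
        aoa = active_aoa(t)
        if cross_check and abs(aoa - other_aoa(t)) > DISAGREE_LIMIT_DEG:
            return activations, trim, True   # sensors disagree: inhibit
        if aoa > AOA_LIMIT_DEG:
            run = min(TRIM_SECONDS, seconds - t)
            trim += run * TRIM_PER_SECOND
            activations += 1
            t += run + WAIT_SECONDS          # trim, then wait, then re-read
        else:
            t += 1
    return activations, trim, False


# Constructed sensor traces (not flight data).
def stuck_high(t):
    return 22.0   # faulty vane reporting a high angle in a normal climb


def normal_climb(t):
    return 5.0


if __name__ == "__main__":
    print("single sensor :", simulate(stuck_high, normal_climb, 180, False))
    print("cross-checked :", simulate(stuck_high, normal_climb, 180, True))
    print("real high AoA :", simulate(lambda t: 16.0, lambda t: 16.5, 30, True))
```

With the constructed traces, the single-sensor loop keeps adding nose-down trim every 15 seconds for as long as the faulty reading persists, while the cross-checked variant never activates on the disagreement but still responds when both sensors report a high angle.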

To implement a safety-relevant automatism that depends on only one sensor is extremely bad design. To have a flight control automatism engaged even when the pilot flies manually is also a bad choice. But the real criminality was that Boeing hid the feature.

Neither the airlines that bought the planes nor the pilots who flew them were told about MCAS. They did not know that it existed. They were not aware of an automatic system that controlled the stabilizer even when the autopilot was off. They had no idea how it could be deactivated.

Nine days after the Indonesian Lion Air Flight 610 ended in a deadly crash, the Federal Aviation Administration (FAA) issued an Emergency Airworthiness Directive.

The 737 MAX pilots were aghast. The APA pilot union sent a letter to its members:

“This is the first description you, as 737 pilots, have seen. It is not in the AA 737 Flight Manual Part 2, nor is there a description in the Boeing FCOM (flight crew operations manual),” says the letter from the pilots’ union safety committee. “Awareness is the key with all safety issues.”

The Ethiopian Airlines plane that crashed went down with a flight profile similar to that of the Indonesian plane. It is highly likely that MCAS is the cause of both incidents. While the pilots of the Ethiopian plane were aware of the MCAS system, they might have had too little time to turn it off. The flight recorders have been recovered and will tell the full story.

Boeing has sold nearly 5,000 of the 737 MAX. So far some 380 have been delivered. Most of these are now grounded. Some family members of people who died on the Indonesian flight are suing Boeing. Others will follow. But Boeing is not the only one who is at fault.

The FAA certifies all new planes and their documentation. I was for some time marginally involved in Airbus certification issues. It is an extremely detailed process that has to be followed to the letter. Hundreds of people are engaged full time for years to certify a modern jet. Every tiny screw and even the smallest design details of the hardware and software have to be documented and certified.

How or why did the FAA agree to accept the 737 MAX with the badly designed MCAS? How could the FAA allow that MCAS was left out of the documentation? What steps were taken after the Indonesian flight crashed into the sea?

Up to now the FAA was a highly regarded certification agency. Other countries followed its judgment and accepted the certifications the FAA issued. That most of the world has now grounded the 737 MAX while it still flies in the States is a sign that this view is changing. The FAA's certifications of Boeing airplanes are now in doubt.

Today Boeing's share price dropped some 7.5%. I doubt that it is enough to reflect the liability issues at hand. Every airline that has now had to ground its planes will ask for compensation. More than 330 people died and their families deserve redress. Orders for 737 MAX will be canceled as passengers will avoid that type.

Boeing will fix the MCAS problem by using more sensors or by otherwise changing the procedures. But the bigger issue for the U.S. aircraft industry might be the damage done to the FAA's reputation. If the FAA is internationally seen as a lobbying agency for the U.S. airline industry it will no longer be trusted and the industry will suffer from it. It will have to run future certification processes through a jungle of foreign agencies.

Congress should take up the FAA issue and ask why it failed.

Posted by b on March 12, 2019 at 20:39 UTC