Last week, Boeing 737 MAX aircraft were grounded all over the world following two highly-publicized crashes, one an Ethiopian Airlines flight on March 10 that killed all 157 people aboard, and an earlier Lion Air crash from late October that killed all 189 passengers and crew.
An in-depth story from The Seattle Times suggests that both crashes may be the result of a single faulty sensor, and compromised FAA safety oversight procedures.
The sensor in question is an Angle of Attack (AoA) sensor, a small, wing-like mechanism that sprouts from the lower front side of the plane and mechanically detects the angle between the wing and the airflow rushing past the aeroplane.
The reason this is important is that if that angle is too high, the plane is in danger of stalling, which is not the same as when you get off the clutch too fast in your car, but rather is an aeronautical term describing the condition of the wings losing lift due to the angle of attack — the angle the wings are encountering the airflow — being too high.
In this situation, the sensor triggers the Manoeuvring Characteristics Augmentation System (MCAS), which, according to the aviation-focused website The Air Current:
The Manoeuvring Characteristics Augmentation System (MCAS) was designed to address this, according to Boeing engineers and pilots briefed on the system, now at the center of the inquiry into the crash of Lion Air 610, a brand new Boeing 737 Max 8. MCAS is “without pilot input” and “commands nose down stabilizer to enhance pitch characteristics during step turns with elevated load factors and during flaps up flight at airspeeds approaching stall.”
“It’s sole function is to trim the stabilizer nose down,” according to the system’s description to pilots, who were learning about it for the first time this week.
So, the way the system corrects an angle that it feels is too high and may result in a stall is by adjusting the rear-mounted horizontal stabilizer to lift the tail of the plane, which will pitch the nose down, reducing the angle.
Both crashes displayed characteristics of a pilot attempting to get the plane’s nose back up as it was repeatedly forced down, presumably by a malfunctioning MCAS system.
Even though there are two AoA sensors on the plane, Boeing only decided to use one of them for input to the MCAS system, which appears to go against practices that suggest that systems whose failure can lead to a “hazardous failure mode” should have redundant systems.
From the Seattle Times report:
“But when the consequences are assessed to be more severe, with a “hazardous failure” requirement demanding a more stringent probability of one in 10 million, then a system typically must have at least two separate input channels in case one goes wrong.
Boeing’s System Safety Analysis assessment that the MCAS failure would be “hazardous” troubles former flight controls engineer Lemme because the system is triggered by the reading from a single angle-of-attack sensor.
“A hazardous failure mode depending on a single sensor, I don’t think passes muster,” said Lemme.”
Another issue was that the MCAS system was originally reported to the FAA as being capable of moving the rear horizontal stabilizer in increments a maximum of 0.6 degrees. This was done in order to keep the changes to the plane’s flight more controllable.
The system as delivered on the 737 MAX aircraft, though, was able to to move the stabilizer in 2.5 degree increments, over four times what was reported to the FAA. This means that the MCAS system essentially had “full authority” to move the rear stabilizer, meaning that just a few pushes from the system could move the stabilizer to its maximum limits, forcing the most possible downward force on the plane.
This limit could be reached with just two cycles of the MCAS system without corrections and could be enough to put the plane into the “maximum nose-down effect.”
Faulty information from the sensor forced the MCAS system to attempt to pitch the plane downwards, and the larger angles made those pitch-down maneuvers much more dramatic.
Pilots would have no information that the AoA sensor was sending false data, and every time they corrected the plane, the system would reset, get false data again, and attempt to pitch the plane down again, even though the rear stabilizer had already been moved.
Black box recordings from the Lion Air flight show this cycle repeated 21 times, with the captain eventually attempting to pull the plane’s nose back up with force before the plane dived into the sea.
The report characterises the safety analysis from Boeing like this:
Understated the power of the new flight control system, which was designed to swivel the horizontal tail to push the nose of the plane down to avert a stall. When the planes later entered service, MCAS was capable of moving the tail more than four times farther than was stated in the initial safety analysis document.
Failed to account for how the system could reset itself each time a pilot responded, thereby missing the potential impact of the system repeatedly pushing the aeroplane’s nose downward.
Assessed a failure of the system as one level below “catastrophic.” But even that “hazardous” danger level should have precluded activation of the system based on input from a single sensor — and yet that’s how it was designed.
So, how did this happen? How did these faulty sensors get past the FAA’s safety checks? The Seattle Times story describes an FAA with limited time and resources farming out safety procedures to Boeing themselves. This delegation of safety analyses to aircraft manufacturers has been going on for some time.
“But several FAA technical experts said in interviews that as certification proceeded, managers prodded them to speed the process. Development of the MAX was lagging nine months behind the rival Airbus A320neo. Time was of the essence for Boeing.”
Boeing also neglected to give 737 pilots extra training on the new system, because MCAS was only likely to come into play in such extreme flight situations. Not requiring new training was a big selling point for airlines looking to upgrade older 737s, since they wouldn’t need to retrain their pilots.
The investigation is still ongoing, so neither Boeing or the FAA are able to comment on it directly, but the information so far suggests a situation where inadequate testing and rushed practices led to some real disasters.