Last week was a tumultuous week in aviation, as the investigation into the crash of ET302 led to several revelations about the 737 MAX and the process through which it was certified. Enough questions have been raised that the FBI is now conducting what appears to be a criminal investigation, and the world’s commercial aviation regulatory system is changing as regulatory agencies in other parts of the world have apparently lost confidence in the FAA, once considered to be the world leader in aviation safety.
Let’s review some of the basics of what has happened:
First, does the 737 MAX have a problem? The answer is yes and no. Two MAX airplanes have crashed in five months, which is simply an unacceptable rate in this day and age. Is the airplane unsafe? That answer is yet forthcoming, but the fact that the same MAX at Lion Air with a faulty sensor was successfully flown the day before, with the MCAS system properly shut off, indicates that, as with all accidents, everything is not cut and dried. Despite the ability to override the system, the crashes may have resulted from a faulty sensor leading to a runaway system feeding on inaccurate data, combined with pilot error, potentially inadequate training, or a combination of other factors. Until the investigations of both crashes are complete, we simply don’t know all of the relevant facts.
However, the MCAS system, which the pilots were apparently not adequately trained on, or allegedly not even made aware of during transition training, appears to be a potential contributing factor in the Lion Air accident. The early evidence from ET302, where no determination has been made as to cause, appears to have similar characteristics to the JT610 flight, causing international regulators to shut down operations out of an abundance of caution until additional facts were known. Ethiopian’s CEO has indicated that the MCAS system likely activated on that flight as well, confirming what many suspected, given that pilot conversations indicate the crew had difficulty in controlling the aircraft.
The FAA approved both the airworthiness of the 737 MAX as well as Boeing’s transition training for pilots between the 737NG aircraft and the MAX. If there was a flaw in the aircraft or training, it would have slipped through the cracks, and the FAA, responsible for oversight and finding potential flaws during certification, bears significant responsibility in that regard. The system used for certification in the US, where employees of Boeing have a seconded responsibility to the FAA, has a potential built-in conflict of interest for those employees, who could potentially be pressured by their employer to approve something they otherwise might not in order to keep their job. While there is no evidence that this happened, the FBI is undertaking a criminal investigation, which is likely related to the certification process.
How MCAS came about
Boeing wanted the 737 MAX to fly just like the previous 737 NG, but that is not the case with the two aircraft. Despite having the same fuselage and seating the same number of passengers, the aircraft are different. The new engines, which are larger and heavier than on the previous model, are attached more forward and higher on the wing. This impacted aerodynamics, resulting in the MAX aircraft tending to “pitch up” when power was applied.
Aircraft can go into an aerodynamic stall at high angles of attack, which are typically pitch-up angles, especially pitch-up angles in tight turns. As a result, Boeing created the MCAS system, which was designed to kick in during unusual aircraft attitudes to keep the nose of the aircraft pointed down in a safe range. Today’s computer-controlled fly-by-wire aircraft utilize control laws to limit the envelope of flight to safe regimes. But in these two fatal crashes, something likely went wrong.
The GIGO Problem
One of the old adages of computer science is “garbage in – garbage out,” which relates to the need to ensure that input data into a system are correct. In the case of the MCAS system on the MAX, the system relied on inputs from only one of two angle of attack sensors on the aircraft, alternating between the two sensors based on whether the captain or first officer station had control of the aircraft when the flight began.
Unfortunately, a failed sensor could result in the computer system controlling the aircraft in an unintended manner, including pushing the nose down when it should not and potentially even crashing the aircraft if the computer forces and aerodynamic conditions are such that pilots cannot overcome the computer system commands.
After the Lion Air crash, and before the Ethiopian crash, Boeing was already developing a “fix” for the MCAS system. That “fix” included several elements designed to enhance the software logic in the event of erroneous data being fed to the system. The fix addresses the physical degree to which the computer could impact the trim system and “dive” the aircraft, the number of times the system could recycle and continue to “fight” the pilots, the ability for pilots to override the system using electric trim switches that normally operate the trim system, and incorporation of a second sensor input into the system. Boeing will be reviewing its proposed changes to this system with airlines and regulators this week, as the company has been working diligently since the Lion Air crash to improve the safety of the aircraft.
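The difference between trusting one sensor and cross-checking two, as an added Python sketch that is not Boeing's logic or code from this article. It models only the kinds of safeguards listed above (second sensor input, a cap on repeated activations, pilot override); every name, threshold and sample reading is a constructed assumption.

```python
from dataclasses import dataclass

# All constants are constructed assumptions, not real aircraft parameters.
AOA_TRIGGER_DEG = 15.0     # angle of attack above which nose-down trim is commanded
DISAGREE_LIMIT_DEG = 10.0  # largest tolerated difference between the two sensors
STEP_UNITS = 1.0           # nose-down trim applied per activation
MAX_ACTIVATIONS = 1        # activations allowed per high-angle event

def single_sensor_trim(readings):
    """Unguarded design: trusts one sensor and re-fires on every high reading."""
    return sum(STEP_UNITS for aoa in readings if aoa > AOA_TRIGGER_DEG)

@dataclass
class GuardedTrim:
    """Guarded design: two inputs, latched inhibit on disagreement, capped cycles."""
    activations: int = 0
    total: float = 0.0
    inhibited: bool = False

    def step(self, left, right, pilot_trim_input=False):
        if abs(left - right) > DISAGREE_LIMIT_DEG:
            self.inhibited = True          # inputs disagree: stop trusting either
        if self.inhibited or pilot_trim_input:
            return 0.0                     # pilot trim input always takes priority
        if min(left, right) <= AOA_TRIGGER_DEG:
            self.activations = 0           # event is over, re-arm for the next one
            return 0.0
        if self.activations >= MAX_ACTIVATIONS:
            return 0.0                     # no repeated "fighting" within one event
        self.activations += 1
        self.total += STEP_UNITS
        return STEP_UNITS

def run_guarded(pairs):
    guard = GuardedTrim()
    for left, right in pairs:
        guard.step(left, right)
    return guard

# Constructed samples: six control cycles each.
FAULTY = [(70.0, 4.0)] * 6     # left sensor failed high, right sensor healthy
GENUINE = [(17.0, 16.5)] * 6   # both sensors agree the angle is high

if __name__ == "__main__":
    print("single sensor, faulty input:", single_sensor_trim([l for l, _ in FAULTY]))
    print("guarded, faulty input:", run_guarded(FAULTY))
    print("guarded, genuine event:", run_guarded(GENUINE))
```

With the failed-high sensor the unguarded function keeps adding trim on every cycle, while the guarded version latches an inhibit and commands nothing; on the genuine event it acts once and then stops.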
Unfortunately, because the accident is under investigation and Boeing cannot comment on an investigation in process, rumors and speculation, rather than facts, continue to rule the day in media reports. The people who have most of the answers, and could provide additional facts, have their hands tied at this point in time. The result is a public perception that Boeing may be too quiet or not forthcoming when, behind the scenes in the accident investigation, the exact opposite is true. Since the Lion Air accident, Boeing has been working diligently on improvements to avoid similar future accidents. Boeing faces the difficult task of nightly news criticism without the ability to appropriately respond, as the investigation remains active and will be for quite some time.
Aviation remains the safest form of travel, and because crashes tend to be rare events, they generate substantial attention. We have learned from experience that most accidents arise from a confluence of multiple factors rather than a single cause, and that investigation often takes more time than desired.
Redundancy in systems is a basic tenet of aviation safety, and it is likely that the criminal investigation will include how a system could be certified that relied on only one sensor, and an examination of the certification tests that were performed to determine what would happen should a sensor fail with inaccurate readings in either direction. We do not yet know why the FAA approved a control system without redundant sensor input, but it appears to be outside the norm.
Boeing and the FAA also determined that the MCAS system, designed to engage only in rare situations, was not worthy of being described in detail in flight manuals. The company and the FAA, who approved their documentation and processes, apparently failed to inform pilots about this new system during transition training from the old to new aircraft. When the existence of the MCAS system came to light after the Lion Air crash, there was a loud protest from pilots. The FAA, after the fact, mandated changes to the flight manual to teach pilots about the system and how to shut it off should something go wrong. Boeing quickly went to work on re-examining the system and refining it to ensure that it was easier to properly use. Unfortunately, pilots fighting to control an aircraft shortly after takeoff, and trying to figure out why it isn’t responding correctly, may not be thinking about shutting down the MCAS as a natural response.
Safety Devices are Sometimes Optional Equipment
In addition, Boeing made two potential safety devices optional equipment to be installed at the discretion of the airline. The first is an angle of attack gauge for the pilots to visually check the angle of attack from the two sensors, and the second a disagreement alert should one of the two angle of attack sensors vary significantly from the other. Neither device was installed on either the Lion Air or Ethiopian aircraft. Airlines like to custom configure their aircraft. The disagreement system would be akin to a warning light in your car that tire pressures are significantly different. While it doesn’t mean you have a flat, it may mean it is time to check a tire. Boeing now faces a public relations issue in explaining to laymen why components that are related to flight safety were optional equipment rather than standard equipment, and some airlines face similar public pressure in explaining why they didn’t include that equipment in their orders.
Boeing now wants to make the disagreement alert standard equipment so that pilots are aware of a potential problem with the angle of attack sensors and can shut down MCAS to fly the aircraft manually. An interesting question is: had these been installed on the crashed aircraft, and had the pilots been adequately trained about MCAS, would there have been a different outcome?
Moving to a regulatory patchwork quilt
The FAA was the last major regulatory agency to ground the MAX, leading to international speculation that the agency favored a US-built aircraft over safety. While the FAA’s philosophy is to keep flying until data are received to indicate an unsafe condition, international regulators, in this case led by the CAAC, took the position of an overabundance of caution and grounded the aircraft until it could be proven safe. That move was followed by EASA and then Canada before the US finally grounded the aircraft, with President Trump rather than the head of the FAA making the call.
While some speculate that China may have rushed to judgment to put pressure on US trade talks, the delays by the FAA in noting similarities between the crashes that virtually every other agency noted have resulted in a loss of credibility. The FAA certification system, relying on industry employees to, in essence, self-regulate, has also been called into question outside the US. The result is that Europe and Canada have decided not to grant reciprocity and follow the lead of the FAA, as has traditionally been done, but to open independent investigations into the airworthiness of the MAX and make their own determinations on what should be required for the aircraft to return to service.
This is unprecedented and will likely further delay the return of the MAX to service around the world, which may now happen at different times for different countries. Something important has changed in the previous close working relationship between international regulators, and mistrust internationally of the FAA is now a part of the picture that the industry will need to deal with in the future.
Potential Order Cancellations
Garuda Airlines in Indonesia has asked Boeing to cancel the remaining 49 aircraft from its 50 aircraft order, becoming the first airline to formally do so. The CEO at Lion Air indicated that his company was also rethinking their order for 201 of the aircraft. The reason Garuda cited was that customers had lost confidence in the MAX, and no longer want to fly on that aircraft.
We’ve historically seen aircraft with crashes or groundings early in their production cycle go on to become best sellers. The Boeing 727, 787, and Douglas DC-10 are good examples that returned to success after their groundings. We expect the MAX to also return to service, with enhancements and training to make it an even better aircraft. Boeing has a strong backlog for this aircraft, which we expect will do just fine over the long-term. But there may be some short-term impacts and residual consumer pushback until the airplane once again proves itself worthy of customer trust.
The Bottom Line
Last week was not a good week for either Boeing or the FAA. Potential flaws in the aircraft, and the process through which it, and training for it, were certified, have come to light. Some decisions may have been less than stellar and might have contributed to the deaths of 346 individuals. The FBI may also be investigating whether those decisions were criminal in nature.
Boeing had to rush the MAX into service to meet the competitive threat of the A320neo family, which beat it into service by a year. The company needed to quickly meet the requirements of American Airlines, who were already ordering the competing Airbus A320neo. The question regulators may look at once the accident cause is known is whether there are other areas on the MAX that should also be reviewed. As revelations continue to emerge from Washington DC and Seattle, the situation could continue to get worse before it gets better. Unfortunately, it will take time to get the answers, and in the meantime, the MAX will likely remain grounded, with a tarnished reputation in the near term.