It took the lives of 189 occupants on board Lion Air flight LN610 (and 157 more of Ethiopian ET302 a few months later) to uncover the biggest flaw in aircraft design and certification of the Boeing 737 MAX. Much has been said and written about the circumstances that led to this, but the final report on LN610 by the Indonesian Komite Nasional Keselamatan Transportasi (KNKT) released on October 24 puts these into perspective. What lessons can be learned from the fatal accident, a year ago this October 29?
It’s worth keeping in mind when reading how events unfolded that Monday in 2018: the two pilots, six cabin crew and 181 passengers on board Lion Air Boeing 737 MAX 8 PK-LQP didn’t have the slightest inkling of what was about to happen. That is clear from the analyses of the cockpit voice and flight data recorders, which go on page after page.
From the moment the MAX was airborne at 23:20:16 UTC until the end of the recording at 23:31:54 UTC, you witness utter confusion among the cockpit crew about the differing readings of the Angle-of-Attack (AoA) sensors and airspeed indicators. The 31-year-old captain of Indian origin and the 41-year-old First Officer from Indonesia tried to understand what their aircraft was doing as the flight computer issued nose-down commands and, after five minutes, the Maneuver Characteristics Augmentation System (MCAS) activated for the first of 26 times.
Apparently, the crew was unaware that on LQP’s previous flight, LN1043 from Denpasar the night before, the computer had also commanded multiple nose-down maneuvers but was overruled because the captain of that flight had switched off the automatic trim system.
While the co-pilot was figuring out what was happening, the captain struggled to keep the MAX stable and airborne at some 5,000 feet, constantly providing nose-up commands to fight the ‘system’s’ nose-down instructions. Most likely stressed by the situation and multiple aural warnings, communication between them suffered and their situational awareness was reduced. Crucially, the crew never declared a Mayday that would have given them priority on returning to Jakarta.
Only at 23:30:54 did the FO say “I have control”, but within seconds the aircraft entered its steep and final dive into the sea that ended the flight a minute later.
As we all know now, the crew was fighting a system whose existence it had no clue about, because operators of the MAX, and especially cockpit crew, weren’t instructed by Boeing on how to deal with MCAS. It wasn’t in their manuals.
The report goes to great lengths to identify why this was allowed to happen in the first place and has come up with 89 conclusions, of which we quote the most relevant:
“1. MCAS is designed to function only during manual flight (autopilot not engaged), with the aircraft’s flaps up, at an elevated AOA. As the development of the 737-8 (MAX) progressed, the MCAS function was expanded to low Mach numbers and increased to maximum MCAS command limit of 2.5 degrees of stabilizer movement.
2. During the Functional Hazard Analysis (FHA), unintended MCAS-commanded stabilizer movement was considered a failure condition with ‘Major’ effect in the normal flight envelope. The assessment of Major did not require Boeing to more rigorously analyze the failure condition in the safety analysis using Failure Modes and Effects Analysis (FMEA) and Fault Tree Analysis (FTA), as these are only required for ‘Hazardous’ or ‘Catastrophic’ failure conditions.
3. Uncommanded MCAS function was considered Major during the FHA. Boeing reasoned that such a failure could be countered by using elevator alone. In addition, stabilizer trim is available to offload column forces, and stabilizer cutout is also available but not required to counter failure.
4. FMEA would have been able to identify single-point and latent failures which have significant effects as in the case of MCAS design. It also provides significant insight into means for detecting identified failures, flight crew impact on resolution of failure effect, maintenance impact on isolation of failure and corresponding restitution of system.
5. Boeing conducted the FHA assessment based on the FAA guidance and was also based on an assumption that the flight crew was highly reliable to respond correctly and in time within 3 seconds. The assessment was that each MCAS input could be controlled with control column alone and subsequently re-trimmed to zero column force while maintaining flight path.
6. The flight crew did not react to MCAS activation but to the increasing force on the control column. Since the flight crew initially countered the MCAS command using control column, the longer response time for making electric stabilizer trim inputs was understandable.
8. During FHA, the simulator test had never considered a scenario in which the MCAS activation allowed the stabilizer movement to reach the maximum MCAS limit of 2.5 degrees. Repetitive MCAS activations without adequate trim reaction by the flight crew would make the stabilizer move to maximum deflection and escalate the flight crew workload and hence failure effects should have been reconsidered. Therefore, their combined flight deck effects were not evaluated.
9. In the event of multiple MCAS activations with repeated electric trim inputs by flight crew without sufficient response to return the aircraft to a trimmed state, the control column force to maintain level flight could eventually increase to a level where control forces alone may not be adequate to control the aircraft. The cumulative mis-trim could not be countered by using elevator alone which is contrary to the Boeing assumption during FHA.
10. Any out of trim condition which is not properly corrected would lead the flight crew into a situation that makes it more difficult for them to maintain desired attitude of the aircraft. The flight crews in both the accident flight and the previous flight had difficulty maintaining flight path during multiple MCAS activations.
11. The procedure of runaway stabilizer was not reintroduced during transition training and there was no immediate indication available to the flight crew to be able to directly correlate the uncommanded nose-down stabilizer to the procedure. Therefore, the assumption of relying on trained crew procedures to implement memory items was inappropriate.
14. The flight crew of LNI043 eventually observed and recognized the uncommanded stabilizer movement and moved the stabilizer trim cutout switches to the cutout position. Stopping the stabilizer movement enabled the flight crew to continue the flight using manual trim wheel to control stabilizer position.
15. Boeing considered that the loss of one AOA and erroneous AOA as two independent events with distinct probabilities. The combined failure event probability was assessed as beyond extremely improbable, hence complying with the safety requirements for the Air Data System. However, the design of MCAS relying on input from a single AOA sensor, made this Flight Control System susceptible to a single failure of AOA malfunction.
18. The MCAS software uses input from a single AOA sensor only. Certain failures or anomalies of the AOA sensor corresponding to the master FCC controlling STS can generate an unintended activation of MCAS. Anticipated flight crew response including aircraft nose up (ANU) electric trim commands (which reset MCAS) may cause the flight crew difficulty in controlling the aircraft.
30. Flight crew training would have supported the recognition of abnormal situations and appropriate flight crew action. Boeing did not provide information and additional training requirements for the 737-8 (MAX) since the condition was considered similar to previous 737 models.
31. The aircraft should have included the intended AOA DISAGREE alert message functionally, which was installed on 737 NG aircraft. Boeing and the FAA should ensure that new and changed aircraft design are properly described, analyzed, and certified.”
The report said Boeing internally discussed providing extra MCAS redundancy by including input from multiple AoA sensors but concluded “it was not required based on the FHA classification of Major. (…) If the uncommanded MCAS failure condition had been assessed as more severe than Major, the decision to rely on a single AOA sensor should have been avoided.”
This is where another conclusion (no. 26) comes in: “Boeing did not submit the required documentation and the FAA did not sufficiently oversee Boeing (Organization Design Authorization) ODA. Without documenting the updated analysis in the stabilizer SSA document, the FAA flight control systems specialists may not have been aware of the design change.”
It is a situation that has its roots in 2009, when the FAA delegated ODA to Boeing and gave the airframer the authority to act on what it thought was best. Boeing revised the parameters of MCAS in 2016 to allow it to operate at low speed too, without informing the FAA. It exploited a system that had been adopted by other regulatory agencies worldwide, as this was the way it was always done.
KNKT acknowledges that the release of its initial findings on LN610 on November 28, 2018, and the crash of Ethiopian ET302 on March 10 have triggered a complete review of the relationship between Boeing and the FAA and of aircraft certification globally. Yet, the Indonesian investigation board recommends “that the FAA review their processes for determining their level of involvement (degree of delegation) and how changes in the design are communicated to the FAA to ensure an appropriate level of review.”
The report also says: “KNKT recommends that Boeing and the FAA more closely scrutinize the development and certification process for systems whose malfunction has the ability to lead to loss of control of the airplane.”
KNKT also recommends that the FAA review with other regulatory agencies and Boeing the criteria for information that should be included in flight crew and engineers’ manuals. Crew should be trained properly for their job and know the intricacies of the aircraft they fly.
Recommendations for Boeing
In additional recommendations to Boeing, the Indonesian board says “that Boeing includes a larger tolerance in the design is required to allow operability by a larger population of flight-rated pilots.”
KNKT says Boeing should learn lessons from the cockpit crew workload during LN610’s final minutes, with multiple alerts and indications to the two pilots. “KNKT recommends that the aircraft manufacturer to consider the effect of all possible flight deck alerts and indications on flight crew recognition and response; and incorporate design, flight crew procedures, and/or training requirements where needed to minimize the potential for flight crew actions that are inconsistent with manufacturer assumptions.” Including an ‘AoA Disagree’ alert message as standard could have helped the crew, who were desperately looking for information on the status of their MAX.
KNKT also made recommendations on safety, training, and maintenance to Lion Air, Batam Air Tech and AirNav Indonesia. The board identified a serious flaw at the US company Xtra Aerospace, which repaired the left AoA sensor that was re-installed on the stricken Lion Air aircraft the day before the fatal flight and provided the crew with incorrect data. That the sensor wasn’t tested properly is Batam Air Tech’s error. During a shop visit at Xtra, it was determined that the re-assembly procedure left a margin for error with sensitive sensor parts and most likely resulted in an uncalibrated, erroneous sensor being released for service. The investigators found this situation hadn’t changed since 2018. As a result, the FAA has since revoked Xtra’s licence.
The only positive that comes out of the LN610 accident and KNKT’s final report is that most of the recommendations have been or are about to be addressed. The FAA is under scrutiny and the worldwide procedure for evaluating and certifying commercial aircraft has come under a magnifying glass.
Boeing has gone into crisis mode and is going to great lengths to introduce a new safety system and culture that should rectify not only all deficiencies of the MAX but also those within its aircraft and cockpit design, engineering, and manufacturing processes. “We are addressing the KNKT’s safety recommendations, and taking actions to enhance the safety of the 737 MAX to prevent the flight control conditions that occurred in this accident from ever happening again”, CEO Dennis Muilenburg said in a press release on October 24.
We have to wait for the report of the Ethiopian authorities on ET302 to learn what additional lessons can be learned, so that not only Boeing, but all airframers, regulatory agencies worldwide, airlines and the industry will operate at levels of safety the traveling public can rely on.