The Case of Boeing 737 MAX

Photo by Ethan McArthur on Unsplash

Boeing 737 MAX is a narrow-body aircraft, designed as the fourth generation of the well-known Boeing 737 series. The 737 MAX series gained FAA (Federal Aviation Administration) certification in March 2017 1 and first placed into service in May of the same year 2. The aircraft series has been grounded by regulatory authorities around the world after two fatal crashes of Lion Air and Ethiopian Airlines in October 2018 and March 2019, which left 346 dead 3. Boeing has committed to updating the software and perhaps other remedies, after which the regulatory authorities will then allow the airplane to resume service.

In this post, I am going the describe the events up to the grounding of 737 MAX and explain what should we do after FAA issues new airworthiness certificates for Boeing 737 MAX. I try my best to consider the intricate process of airplane regulation, involving economic, business, and technical aspects, here. First, I briefly provide additional information about the chain of events that led to these two accidents. Then, I summarize the remedies that are addressed by Boeing and going to be crosschecked by FAA inspectors. Finally, I explain how the regulatory system works, and the achievement of this established system in providing safety. Before a final recommendation, I should also touch on an important topic on FAA certification that has been under scrutiny. In addition, I argue that airplane manufacturers, regulators, and airlines make a system that defines safety altogether and should be regulated in that way. Finally, I provide my view and recommendation on the topic.

MCAS system

It is not yet fully known what caused both crashes, however, investigators are looking at whether a new software system added to avoid stalls in Boeing’s 737 MAX series may have had a role in them. To understand the role of this new system in the flying characteristics of Boeing 737 MAX, we need to investigate the difference between the Boeing new product with its old parent, Boeing 737.

Boeing 737 MAX was designed in response to the high fuel consumption of the Boeing 737 series. Boeing decided to install more efficient engines, CFM International LEAP-1B engines, which required bigger fans. Boeing wanted to keep the MAX series similar enough to the existing 737 so that it could keep the same “type rating”. With the same “type rating”, the savings for Boeing and airlines, through fewer tests for certification and less training for pilots, would be significant. However, the new engines needed more ground clearance, so the engineers mounted the engines higher and further forward on the wings. The new structure did not have the same aerodynamic stability as the Boeing 737 series and increased the risk of stall if pilots angled the nose too high.

Airplane wings are designed to operate in linear flow conditions. If the aircraft take high angles of attacks, the angle of the aircraft wing with the coming air (Figure 1), it is harder for the air to pass over the wings, and at the critical angle of attack, the air cannot pass freely. As a result, the air detaches prematurely from the wings, which results in turbulence, and the linear no-slip assumption cannot predict the response of aircraft. In this condition, the aircraft cannot get lift anymore and would lose stability.

Figure 1: Angle of attack definition (reprinted from 4)

The pilot usually corrects the pitch through the elevator in the horizontal stabilizer (Figure 2), however, when the pitch is too much, the pilot might need to use the stabilizer trim, which is the rotation of the whole horizontal stabilizer. This exerts a great vertical force at a distance so that the required pitch moment can be obtained.

Figure 2: Stabilizer and elevator (reprinted from 5)

Since Boeing 737 MAX engines were mounted differently, the chance of getting high pitch through engine trust was higher, which resulted in different stall characteristics that were not certifiable based on FAA regulations. Boeing decided to create the MCAS, Maneuvering characteristics Augmentation System, to electronically direct the plane nose downward in response to sensor data that shows the plane is in danger of stall. It was designed to be activated without pilot input and only operates in manual flight. The MCAS becomes activated through the Flight Control Computer (FCC) when the AoA exceeds a threshold based on airspeed and altitude. It will activate for up to 9.26 seconds before pausing for 5 seconds. The function will stop when the angle of attack falls in the recommended threshold or the flight crew command a manual stabilizer. However, if the original elevated angle of attack persists, the MCAS commands another nose-down action 6. If the system gets triggered erroneously, a pilot can pull back on the control column to lift the nose up again. To minimize the engineering rework and pilot training, Boeing decided to add the feature to the existing STS, Speed Trim System. Therefore, the pilots did not need any new training to understand MCAS. The 737 MAX operation manual did not sufficiently explain the MCAS system at the time 7.

Possible safety issues

The correction system was based on a non-redundant angle of attack sensor to decide how much trim should be added. In its original report, Boeing said that MCAS could move the horizontal stabilizer a maximum of 0.6 degrees. However, after the Lion Air crash, it told airlines that MCAS can move the horizontal stabilizer up to 2.5 degrees. Boeing increased the limit because flight tests showed that a more powerful movement was needed at high angles of attack to keep the flying characteristics similar to old 737s. FAA was not informed about this change 8. On both flights, the on-duty sensor gave widely wrong readings (Figure 3). In the Lion Air case, this was compounded by maintenance problems. The previous crew experienced the same problem and took proper measures to deactivate the system. However, they did not record the problem in the maintenance logbook. Also, the pilots in LionAir were never told about the new system. After the first crash, pilots complained that they had not been made aware of a change to the flight-control system on the MAX 9. While some reports suggest that they successfully disengaged the MCAS system, however, they did not know that the system would restart after 5 seconds. Based on the contents of the cockpit voice recorder, they were hunting through the Quick Reference Handbook to identify the problem until the plane hit the water 10.

Figure 3: The LionAir plane’s sensors took different readings (reprinted from 3, Source: Ethiopiean Aircraft accident investigation Bureau)

The problem could be identified using two optional safety features, an “angle of attack indicator” and an “angle of attack disagree light”. The “angle of attack indicator” displays the readings of the two sensors, and the “disagree light” is an alert that activates when the sensors do not agree. Both of the safety features are not included in the aircraft by Boeing as standard safety features. Both crashed airplanes did not have these options on them. Charging extra for safety add-ons is a big moneymaker for airplane manufactures, the various options for a narrow-body aircraft would be around 5% of the plane’s final price. Many airlines, especially low-cost carriers such as Lion Air, have opted out to buy them and regulators do not require them. The decision of the FAA on the minimum safety measures has been scrutinized by experts 11.

After the Lion Air crash in October 2018, Boeing promised a software patch to make the MCAS safer by January. The fix has since been delayed until April, because of “engineering challenges” and “differences of opinion” between federal authorities and Boeing officials 12.

Boeing response

Recently, Boeing announced to address the issues with the MCAS system with a series of actions. Currently, MCAS only uses data from the angle of attack sensor on the side of the active FCC. A software patch will combine data from both sensors and if the outputs of the two angle of attack sensors differ by more than 5.5 degrees, MCAS will be disabled. Boeing also will make the disagree light a standard feature, which enhances the detection of an erroneous angle of attack sensor behaviour. However, the angle of attack indicator will remain optional for airlines to add to their planes.

The software patch will also limit the MCAS to operate only for one cycle. At present, it will operate for 10 seconds, pause for 5 seconds and repeat for as often as it senses the high angle of attack condition is present. Furthermore, Boeing will limit how much MCAS can move the horizontal stabilizer when activated [6]. The FAA said that Boeing will also include pilot type conversion training programs to address issues with the MAX series. They will also explain MCAS in the Flight Crew Operation Manual, revise the Quick Reference Handbook, and update the checklists accordingly.

Delegation of authority

FAA has established itself as a gold standard regulatory body in aircraft certification and played a big role to make air travel the safest method of transportation. The fundamental role of the FAA is to make sure what is the critical safety aspects of every part of an airplane. Safety requires data that only can be obtained through the mutual collaboration of regulatory and regulated parties. Moreover, regulatory work necessitates employing and training a team of experts to oversight the design process, analyse system safety, conduct failure assessment, etc. To increase collaboration, speed up the certification processes, and focus the limited resources on the most critical safety aspects, the FAA shifted toward working with the industry to meet shared safety goals. For example, FAA now delegates more of its aircraft certification to approve manufacturers through the Organization Designation Authorization (ODA) program, where companies like Boeing can choose their employees to work on behalf of the FAA. Moreover, air carriers are playing a larger role to identify and mitigate safety risks [13].

The delegation program has come under scrutiny after the two accidents. Experts said that the delegation of airplane certification has gone too far and the staff responsible for regulating aircraft safety are answerable to the manufacturers, who profit from cutting corners, not the FAA. They believe this delegation has resulted in misassessment of the failure level for the MCAS system [8]. The system that meets the “major failure” requirement must have a probability of failure less than one in 100000. Therefore, they are not typically allowed to rely on a single input sensor. In response, FAA states that the procedure does not imply self-certification and the regulatory body retains strict oversight in all stages.

Conclusion

Much of the reported information is preliminary findings and has not yet been announced officially. The investigations are still ongoing, although, similarities between the two crashes have been confirmed and ended up in grounding the MAX series. Modern aircraft is a complex system, which is designed not to crash because of a single failure. Airplanes, such as the 737 MAX, rely on more than 350,000 parts to fly. For a sound recommendation, as an engineer, I need to consider the facts, such as Boeing stellar reputation as a world-leading aircraft manufacturer and the performance and efficiency of the regulatory system (FAA) through several decades.

After Boeing 737 MAX passed the required tests for the new software update and received an updated certification by the FAA, I would recommend everybody to fly on this airplane. I justify my recommendation by explaining the diligence of the FAA, the reputation of Boeing, and the current state of air travel safety around the world. During the production and certification process, passenger airplanes go through an extensive evaluation, testing and review by the manufacturer and the FAA. The decision to delegate part of certification to Boeing engineers is partly due to the higher expertise of the manufacturing engineers in identifying the risks and regulation procedures. Although, it is always necessary to have an independent regulatory to oversight the procedure of design and manufacturing, the history of Boeing makes it clear that the safety culture is of great significance in that company.

I would also recommend my family to consider the airline as a parameter in their decision. The recent accidents showed that training and resources directly influence safety. The airline is responsible for pilot training and has to get its training program approved by their country’s aviation authority. Resource limited airlines tend to go for the minimum training program that is required for the approval. The general rules for certification of commercial aircrafts have been amended for over 130 times by the FAA in the last 5 decades, using the knowledge and data gained from past tests and failures. The certification process is extensive, well-established, and have consistently produced safe aircraft designs for decades. For Boeing 737 MAX, the certification process took around 5 years and FAA was fully involved in the process, including participation in 183 of 297 flight tests.

Boeing has a large body of engineers with remarkable expertise in airplane design and manufacturing. Every engineering system is exposed to numerous risks. The system should be designed and assessed, through analysis or experiments, to meet a certain level of reliability. However, high reliability does not mean that failure is not possible. The airplane systems are like multiple slices of swiss cheese, stacked side by side, in which the risk of failure is mitigated by the differing layers. Therefore, defensive layers always exist to prevent a single point of failure. The system produces failure when a hole in each slice momentarily aligns. Boeing engineers overlooked the capabilities of the MCAS system in critical situations. They added another automation system to the currently overcomplicated system of airplane navigation. The complex software is necessary to navigate modern airplanes, however, a trained pilot should be able to identify the malfunctioned system and turn the settings back to full human control. I believe that the Boeing modification would address this issue accordingly.

Finally, I would like to bring up a similar story that happened a few years ago. The 787 Dreamliner was grounded for three months in 2013 because batteries were catching fire. The fix for the Dreamliner problem was a more extensive change to that plane than a software update of a safety system. It included the installation of a containment and venting system around the batteries. However, the grounding was lifted and it has no remaining negative effect on the model. It is one of the most popular Boeing airplanes currently.

REFERENCES

  1. “Type Certificate Data Sheet No. A16WE” (PDF). FAA. March 8, 2017. 

  2. “Malindo operates world’s first 737 Max flight.” . Available: https://www.flightglobal.com/news/articles/malindo-operates-worlds-first-737-max-flight-437454/. [Accessed: 10-Apr-2019]. 

  3. “Boeing 737 Max: What went wrong?,” 05-Apr-2019.  2

  4. “Angle of attack,” Wikipedia. 07-Apr-2019. 

  5. “Stabilizer (aeronautics),” Wikipedia. 13-Feb-2019. 

  6. C. Brady, “737 MAX - MCAS,” The Boeing 737 Technical Site. Available: http://www.b737.org.uk/mcas.htm. [Accessed: 12-Apr-2019]. 

  7. N. Rivero, “The missteps that may have made the 737 Max crash-prone,” Quartz. Available: https://qz.com/1575509/what-went-wrong-with-the-boeing-737-max-8/. [Accessed: 10-Apr-2019]. 

  8. “Flawed analysis, failed oversight: How Boeing, FAA certified the suspect 737 MAX flight control system,” The Seattle Times, 17-Mar-2019. Available: https://www.seattletimes.com/business/boeing-aerospace/failed-certification-faa-missed-safety-issues-in-the-737-max-system-implicated-in-the-lion-air-crash/. [Accessed: 12-Apr-2019]. 

  9. “U.S. pilots flying 737 MAX weren’t told about new automatic systems change linked to Lion Air crash,” The Seattle Times, 12-Nov-2018. Available: https://www.seattletimes.com/business/boeing-aerospace/u-s-pilots-flying-737-max-werent-told-about-new-automatic-systems-change-linked-to-lion-air-crash/. [Accessed: 15-Apr-2019]. 

  10. “Exclusive: Lion Air pilots scoured handbook in minutes before crash…,” Reuters, 20-Mar-2019. 

  11. A. Monaghan, “Doomed Boeing planes lacked two optional safety features – report,” The Guardian, 22-Mar-2019. 

  12. A. Pasztor and A. Tangel, “Boeing and Regulators Delay Jetliner Fixes Prompted by Lion Air Crash,” Wall Street Journal, 10-Feb-2019.