An Analysis of the Engineering Decisions Made by Boeing in Designing the B-737 Max Aircraft
On October 29, 2018, a Boeing 737Max 8 operated as Indonesian Lion Air Flight 610 crashed in the Java Sea. The aircraft exhibited an erratic flight profile concluding with a vertical dive into the sea.
Assumptions, Speculation and Reasonable Inferences
On October 29, 2018, a Boeing 737 Max 8 operated as Indonesian Lion Air Flight 610 crashed in the Java Sea. The aircraft exhibited an erratic flight profile concluding with a vertical dive into the sea. On November 6, 2018, Boeing issued a bulletin concerning the operations of the B-737 Max. The next day the FAA issued an emergency airworthiness directive addressing the B-737 Max and its Maneuvering Characteristics Augmentation System (“MCAS”). In the midst of this confusing environment, the Allied Pilots Union (“APA”) which represents American Airlines dispatched a letter to its members concerning the MCAS asserting:
This is the first description you, as 737 pilots, have seen. It is not in the 737 Flight Manual Part 2 nor is there a description in the Boeing FCOM (flight crew operations manual).
The APA further wrote in the letter: “Awareness is the key in all safety issues.”
On March 10, 2019, Ethiopian Flight 302 departed Addis Ababa. The B-737 Max 8 aircraft crashed six minutes after takeoff. The flight profile of the Ethiopian crash was very similar to that of the Lion Air crash. Following the second B-737 Max crash, countries around the world grounded the aircraft with the exclusion of the United States and Canada. Finally, on Wednesday, March 13, 2019, President Donald Trump took the unprecedented action of issuing an executive order grounding the B-737 Max aircraft.
In the wake of these extraordinary developments, no one can provide definitive and conclusive comments on these two accidents and what the grounding of 375 Boeing 737 Max aircraft portends for the future of Boeing, the Federal Aviation Administration, and the reputation of the United States as the leading country in the world in aircraft design, manufacture and certification. Despite this uncertainty, the author will explore some considerations that may inform us about this unfolding drama.
Engineering Considerations in the Design of the Boeing 737 Max
Stall barrier systems that force the nose of the aircraft down in the face of a perceived stall are not new. These kinds of systems have been around for decades in a variety of aircraft like the early Lear Jet series. Moreover, Gulfstream aircraft have stall barrier systems that employ two angle of attack (“AOA”) probes with a single indicator and two computers. The stall barrier system will not give a command to lower the nose unless the inputs from both AOA probes present data indicating an impending stall.
While a great deal of information will be forthcoming as the crash investigations move forward, there are some things we do know that are very disturbing.
The first thing we know is the Boeing 737 Max was designed to compete with the Airbus A-320. The Boeing 737 Max employed larger engines with a greater propensity to pitch the nose upward. This flying characteristic made a stall barrier system important in the design of the aircraft. We also know the Boeing 737 Max was lagging nine months behind the development of its rival the Airbus A320 Neo. In the FAA’s oversight in the design and certification process, corners were cut. More and more oversight in the development of the aircraft was delegated from the FAA to Boeing engineers. In the haste to develop and certify the aircraft, in some instances FAA managers and not agency technical experts signed off on approvals.
Second, the marketing department a Boeing assured its customers that the pilots could transition from the predecessor aircraft, the Boeing 737 NG (Next Generation) to the Boeing 737 Max without “differences training.” Differences training is training pilots receive when transitioning from one aircraft to another or to an aircraft of the same type when there are “differences” in the systems or flight characteristics of the aircraft. The MCAS was supposed to make the larger, more powerful Boeing 737 Max feel like its predecessor, the Boeing 737 NG. This allowed Boeing to minimize the time and expense devoted to pilot training. According to Boeing’s website, “as you build your 737 Max fleet, millions of dollars will be saved because of its commonality with the Next-Generation 737.” Both American and Southwest pilots have criticized Boeing for not providing information about MCAS or its possible malfunction in 737Max aircraft flight manuals.
Because of the Boeing 737 Max’s propensity for the nose to rise and present the potential for exceeding the critical angle of attack, Boeing engineers conceived of MCAS as a means of protecting the aircraft against a stall and a departure from controlled flight. However, the facts available at this time suggest the Boeing-designed MCAS is a flawed system of imperfect and dangerous design.
Third, the nose down pitch authority of MCAS as originally conceived was to be limited to 0.6 degrees out of a maximum limit of 5 degrees of nose down movement. However, flight tests revealed MCAS required even more nose down control authority. Consequently, the control authority of MCAS was increased by a factor of four, from the original 0.6 degrees to 2.5 degrees. The final safety analysis document prepared by Boeing was premised on 0.6 degrees rather than the actual 2.5 degrees actually employed in MCAS.
Fourth, MCAS commands more nose down trim each time MCAS is triggered. In the first accident of October 29, 2018, MCAS was triggered multiple times. Every time the pilots reset the stabilator trim, MCAS kicked in again and commanded new increments of 2.5 degrees nose down trim. The consequence of this flawed design was to give MCAS unlimited control authority. The Lion Air flight data recorder indicates there were twenty-one cycles in the struggle between the flight crew and MCAS.
Fifth, as discussed more fully below, MCAS was allowed to make a nose-lowering control input based on data from a single Angle of Attack (AOA) probe. This means the system was designed so a single point of failure could doom the airplane, its passengers and crew.
Sixth, MCAS was designed on the assumption pilots would recognize what was, in effect, a runaway trim malfunction and turn off the power. But with no training on MCAS, its logic or how it worked, how were the pilots expected to arrive at the correct diagnosis with terrifyingly very few minutes to figure it out? These pilots, like all pilots, performed according to their training and experience. They simply did not have the requisite training and experience on MCAS operation and features. In fact, they may not even have known that MCAS was a part of the operating system of the 737Max, because it was not mentioned in the aircraft flight manuals. Pilots are very regulated, highly trained professionals who work with the information they are given about an aircraft. It was an extraordinary assumption for Boeing engineers to have made in believing pilots with no knowledge or training of MCAS would diagnose commands to lower the nose as a runaway trim malfunction.
As discussed earlier in this article, the Gulfstream stall barrier system requires concurrent signals from two AOA probes before it will command the nose of the aircraft to be lowered. Unfortunately, the Boeing MCAS only requires a signal from one AOA probe to lower the nose. This increases the potential of an erroneous AOA indication causing MCAS to lower the pitch attitude of the aircraft, since no confirmation of the AOA reading is required by a second AOA probe in order for the command by MCAS to be given. Unlike the Gulfstream system, the Boeing system does not provide a means by which a pilot can immediately cancel the nose down command. Why the Boeing engineers decided to rely on only one AOA probe to give an MCAS command to lower the nose and reduce the pitch or body angle is not known at this time. Previous experience suggests, however, that Boeing’s design relying on only one AOA signal to result in an MCAS command to lower the nose was a dangerous and unsound engineering decision.
The Absence of Meaningful Pilot Training and MCAS
Experience tells us that most aviation accidents are not caused by a single mistake or error in judgment. The facts we know now suggest that the absence of pilot “differences training” may also have played a role in these accidents. The APA letter to American Airlines pilots clearly signals that pilots received no meaningful and substantial training on the Maneuvering Characteristics Augmentation System. There appears to have been no “differences training” provided to pilots transitioning to the Boeing 737 Max aircraft. We know now that MCAS continues to operate even if the autopilot is off and the aircraft is flown in the manual mode. Were pilots trained to understand that MCAS continued to function, even when the aircraft was flown manually? Could pilots based on their previous training and experience have believed or assumed that turning off the autopilot would have solved the problem of a computer-generated command to lower the nose in the face of an MCAS command?
The information known at this time suggests poor engineering decisions made by Boeing together with an absence of pilot “differences training” may explain, at least in part, the two Boeing 737 Max crashes.
What Does the Future Portend for Boeing?
It now appears the safety of the Boeing 737Max will be improved with the following measures:
- The MCAS software will be modified to receive inputs from both Angle of Attack probes.
- MCAS will be modified to activate for only a single cycle.
- Pilot training will be improved and meaningful information about MCAS will be added to the aircraft flight manual.
The above corrective action will include an FAA airworthiness directive that should be issued by April of this year.
The grounding of 375 Boeing 737Max aircraft places considerable pressure on Boeing to re-evaluate the engineering decisions it made in designing the aircraft and its Maneuvering Characteristics Augmentation System. The dangerous and reckless decision to allow a single point of failure to bring a transport category aircraft down is beyond comprehension. Certainly, some engineer at Boeing must have recognized this and opposed this illogical and unsafe design. And what are we to make of oversight by the Federal Aviation Administration? Did the FAA fail to recognize that designing an aircraft in such a manner that a single point of failure could bring the aircraft down was a very bad idea? And why did the FAA not require differences training for pilots transitioning to the Boeing 737Max?
While a great deal more is to be learned about the causes of these tragic accidents, the facts we know presently are cause for concern. The reputation of Boeing has been tarnished. The FAA’s ability to oversee aircraft design and certification has been called into question. This affair draws into question the current relationship between the FAA and Boeing because neither recognized this for what it was. It was a design that allowed a single point of failure to bring down two transport category aircraft. Furthermore, it is revealing that at this time both federal prosecutors and Department of Transportation officials are investigating the development of the Boeing 737Max aircraft.
A safety management system review should expose the root causes of these two crashes and identify the areas of failure. If the root causes of those crashes are determined and appropriate corrective measures are put in place, it may restore Boeing’s tarnished reputation and provide reassurance to the flying public and the airmen charged with navigating these aircraft on the airways throughout the world.