In the space of 6 months, we had two B737 Max crashes. Two fatal accidents, one from Lion Air in Indonesia and one from Ethiopian Airlines.
If you believe the culprit was an errant piece of software, pull up a jump-seat.
Let us take you on a journey of knowledge. And clarity. Focusing on the real causes of these tragic events.
You may have heard how both flight crews fought helplessly, but some hidden automation cost them and their passengers their lives. Or that the aircraft decided to crash itself, shortly after take-off from Jakarta and Addis Ababa airports. The truth, as always, is more complicated.
To blame software, or automation, is both an oversimplification and inaccurate. It makes for perfect clickbait however, feeding our suspicion of complex technology thwarting human operators. The final reports showed us the truth is closer to human error outside the cockpit, rather than those who died.
We want to explain the facts on why two new B737Max aircraft, Boeing’s longest serving (and best designed) aircraft, crashed twice in quick succession. And how billions of dollars of design and development included deadly cost-cutting mistakes. And criminal omissions.
A tale of how economics competes with safety when cost-cutting and timesaving go awry. But first a caveat – we want to hold back as many acronyms as possible! To keep things as simple as we can. Not because we want to talk down to you – but because we want you to learn the biggest lessons here. Which is not what MCAS stands for.
Finally, at the end we link to the official reports on the accidents should you wish to get all the facts. Which we implore you do.
On Oct 29, 2018, a newly delivered Boeing B737 Max, flown by Lion Air, crashed shortly after take-off. The following March, another Max crashed. This time flown by Ethiopian Airlines. Two deadly crashes in 6 months. Both brand-new aircraft.
346 people on board, all lost in what transpired to be entirely avoidable circumstances. The B737 Max is the jewel in Boeing’s crown. The most developed aircraft ever built, had somehow conspired to crash itself. Despite the best efforts of experienced flight crews.
We now know the seeds of these B737 Max crashes were planted during the design and development of the B737. Commercial decisions during the certification process had created pathways for both tragedies. Yes there was a single system at the center of both events, but its function, its implementation – even its existence – was all human error.
Everyone lies. We just did. We do need to give you acronyms. But only two. And explain what they are. It’s important. First, the piece of “software” you heard about. This is MCAS or “Maneuvering Characteristics Augmentation System” (pronounced “em-cass”).
The other is the AOA (“a-oh-a”). Or “Angle of Attack sensor”. It’s a physical part that protrudes from the aircraft skin, just under the pilot’s window. MCAS is part of the TRIM SYSTEM that causes the nose of the aircraft to point up or down (and to what degree) based on the aircraft configuration. But it’s a box of tricks hidden deep in the flight control system that forms part of the anti-stall system.
The AOA sits on the outside of the aircraft. It’s a miniature “wing” that’s moved by the flow of air as the aircraft flies. It sends data to the flight control computer, telling it exactly where the aircraft’s nose is pointed.
Simply put, the AOA sensor keeps flight crews updated (or warned) via the aircraft’s brain using real environmental data that it converts into metrics the software can use to display to the pilots.
MCAS works mostly on autopilot. To ensure a level cruise – without bothering the flight crews.
Wait, bothering? Yes. An important fact to know here is that these kinds of flight controls have been in aviation for decades. Modern commercial aircraft have many systems that perform similar functions automatically. Fuel management for example.
If you were sitting on a Delta Air Lines Captain’s seat right now and tried to plummet the plane into a nosedive, the aircraft will stop you. For as long as it can at least. Automated systems know every flight phase and aircraft envelope. And it knows when something is amiss.
So, what went wrong with these B737Max flights? The problem, dear reader, is that when MCAS malfunctioned, it did so invisibly. Because none of these ill-fated pilots were aware that MCAS even existed. Not to mention the control function it was capable of.
While we cannot speculate on the decision-making at Boeing, we can certainly offer some opinions based on the OIG (Office of the Inspector general) report. But first, an important history lesson. The B737 was first flown in 1967. And while the aircraft has been modified and developed since, the fundamental design (or type certificate) remains the same.
You see, when you need to get your aircraft design approved by the Federal Aviation Administration (FAA) it’s faster (not to mention cheaper) to use what is known as the “Changed Product Rule”. You’re just seeking a modification to a pre-existing airplane.
Why? Because beginning from nothing takes money and time. And opens the door to Risk. And boy does Risk love time and money.
In 2010, Boeing’s main aircraft manufacturer rival, Airbus, announced a “game-changer” aircraft. A competitor to the B737-800 NG, the B737Max predecessor. It was the Airbus A320Neo. A major evolution from their A320 aircraft type. And Boeing was not ready. Why? The A320Neo had new engines. The CFM International CFM56 “Leap”.
And the leap was going to deliver 20% fuel savings to airlines like Southwest, Ryanair, Lion Air and Ethiopian. Fifty percent of direct operating costs of flying are fuel, So, you can imagine Boeing’s reaction. The good news for Seattle, however, was that the LEAP engine was also available to them.
Phew, they thought. All we need to do is stick them the B737-800NG. Give it a cool name like, I don’t know, “B737Max” and stick it on the forecourt. Right?
Wrong.
You see the dated 1967 B737 design was going to trigger a chain of events. The B737 “sits” lower to the ground than the A320. And these new CFM International Leap engines were taller. It meant the B737 would drag them along the ground. Not good.
So, Boeing structural engineers got busy finding the fix. And they did. They decided they needed to move the engines further up the wing – closer to the fuselage. Allowing the clearance they needed. “Not so fast” said the aerodynamics guys. This new position changes the flight control law of aerodynamics.
The B737 will want to push its nose up in the cruise. Let us explain – think of having a bicycle with a basket behind the seat. When the basket is empty, you don’t have a problem. Now fill the basket with rocks. All’s ok while you are on a flat road. But when you cycle up a steep hill, or pull a wheelie, those rocks want to topple the bike. You need something to make sure this doesn’t happen.
Aircraft noses point up and down regularly. Environmental conditions, turbulence, clouds, and the Jetstream keep autopilots busy. This nose “balance” is called TRIM. And the B737 Max had a trim problem.
To counteract this flight control law, Boeing Commercial Airplanes took a system from a pre-existing military platform using the B767 and adapted it to the B737. This new MCAS software is part of the trim system that kicks in if the aircraft balance gets out of whack. Ok, sounds good. Except it wasn’t. Because Boeing hid it. From everyone.
Why would they hide it? Our interpretation is due to two reasons. First, they downplayed MCAS and its capability so the FAA would not class it as a “safety-critical” system. If they did, it would have been subject to further lengthy evaluations.
And if they didn’t go well, it would mean pilot simulator training for customers. And when you sell new aircraft to low-cost airlines, they are keen that their pilots can fly it without additional training. Because simulator training is really expensive, and airlines have lots of pilots.
Boeing wanted the Max to be just another B737. At least under the eyes of the regulators.
Boeing’s primary goal was to produce an aircraft that could be handed over to the current stock of B737 pilots as being identical to the previous version. Just with 20% better fuel economy. Just like that annoying A320Neo.
Now you might ask “How complex was this MCAS? I mean, how expensive would it have been to retrain the pilots?”. A lot. So much so, that one of the Max launch customers (Southwest Airlines) had it in their contract, that if any simulator-based training were required for pilots rating on the Max, Boeing would have to reduce every aircraft price by USD $1M.
Southwest would order four hundred aircraft. And besides Southwest, every other airline would think the same. So yes, it was important. Billions of dollars important.
Let’s concentrate on the Lion Air Flight 610 B737 Max crash. The Ethiopian Airlines accident was fundamentally the same in its causation. The AOA sensor (that small wing outside below the pilot’s window) on Lion Air Flight 610 had recently been replaced.
The replacement unit they procured had been bench tested, but the installation test was poorly done. And the AOA sensor malfunctioned on the previous flight to 610. The way MCAS was designed meant it took its reading from only one of the two AOAs per flight. Unluckily for 610, MCAS activated when the single, faulty, AOA started giving false readings shortly after take-off.
The Report told us exactly what happened. The recovered flight data recorder showed the incorrect aircraft trim data was fed from the faulty AOA to MCAS. Flight 610 believed it was in a severe “nose-up” position. So, MCAS stepped in to do its job.
The aircraft reacted by pitching its nose downward. But the aircraft was on a steady climb. Every few seconds MCAS would take over and pitch the nose down. The flight crews responded every time, pulling back on the controls to correct it. But MCAS persisted.
Every few seconds, it would kick in again. And pitch the nose down. And the pilots had no idea why this was happening or what was causing it. They would never know.
Oblivious to what was causing the control issue, both Lion Air and the Ethiopian Airlines crews became increasingly distracted and disorientated. They tried desperately to diagnose the problem in the flight manual, while struggling with changing flight conditions.
Sitting here, on your phone, or computer, it’s easy to imagine a few button-clicks to diagnose a problem. Or to switch over to YouTube to find a fix. But at a meager few thousand feet, at dangerously low speed, with an aircraft fighting against you, I assure you it would have been a chaotic cockpit.
Every instrument would seem to be working normally, but the aircraft was doing the opposite of what they wanted. Until they ran out of time. I think a lot about their final minutes and the frustration they must have felt.
We know why MCAS came into existence. But why was it hidden? Driven solely by commercial realities and flouting safety, Boeing opted for the path of least resistance rather than a “new” Aircraft. Just to avoid the A320Neo beating them to big customers.
This decision forced its entire workforce to compromise certification issues from the outset. The treatment of MCAS by Boeing and the lack of Human Factors considerations in its certification combined with increased evolution of its covert function was poorly assessed.
A recent court case against the Chief Test Pilot of the B737Max attests to this. The key reason was the minimizing and misclassification of the MCAS system. As well as its relationship to the AOA dependencies. Boeing was acutely aware of how both the MCAS and the AOA functionality related to the flight training manual which they were desperately trying to downplay. Or risk huge cash penalties.
So where was the FAA in all this? The great overseer? Well, a few years back the FAA allowed Boeing to mostly self-regulate. While they mostly checked in on them. But not really.
Thankfully, this issue has since been resolved. Again, this is in the report.
A final reflection. On the previous flight to the B737 Max crash of 610, on this same aircraft, was something we think about. On that previous flight to the crashed Lion Air 610, another crew had the same AOA/MCAS problem. That’s right. The MCAS kicked in and tried to tip the aircraft into the ocean.
Except this crew figured out what might be causing it. So, they pulled the power to the trim system (where MCAS is located) suspecting that to be the culprit. And continued to land safely.
They were right. But didn’t know why.
And while they logged the issue on arrival, they didn’t log the action they took that stopped them from losing control. Had they stuck that in the logbook, the next crew might have done the same thing. Maybe. We don’t say this to shine a light on the innocent.
We do this to highlight how important reporting is and how incredibly valuable experience with problems is when they are shared. And how we learn from them.
In the aviation industry mistakes are incredibly valuable. Some of you think mistakes are bad. Shame on you. You need to make more mistakes.
If you learn from them.