Boeing 737 Max: planemaker's safety analysis had profound flaws

The more evidence that emerges from the tragic loss of the Ethiopian Airlines flight on 10 March, the more it appears that there were profound flaws in the development and certification of the Boeing 737 Max.

All 157 passengers and crew aboard flight ET302 lost their lives when it hit the ground at high speed six minutes after take-off from the capital Addis Ababa.

The loss of the scheduled flight to Nairobi followed a crash of the same model aircraft in Indonesia in October 2019.

These are the key issues.

What are investigators focusing on?

A radical new anti-stall protection that was installed in Boeing 737 Max aircraft. It is known as the “Maneuvering Characteristics Augmentation System” or MCAS.

The system is designed to kick in if the angle between the wings and the airflow, known as the “angle of attack”, gets too steep and a stall looks feasible.

It gets the information from the angle-of-attack (AOA) sensor, which is a vane fitted on either side of the nose of the aircraft.

When the aircraft senses that the angle is too steep, an elevator in the tail goes up and the nose goes down. This happens without any input from the pilots. Indeed it is programmed to activate multiple times even if the captain or first officer is trying to correct the tilt down – unless specific actions are taken to disable it.

The initial report into the earlier crash of a Lion Air flight in Indonesia indicates that pilots felt they had lost control of the aircraft, and struggled vainly to save the lives of the 189 people aboard.

The flight data recorder shows that MCAS activated a dozen times. The aircraft crashed almost vertically at a speed of 500mph.

The Ethiopian transport minister, Dagmawit Moges, said the profile of flight ET302 was very similar.

Why was the anti-stall system deemed necessary?

The MAX takes a 50-year aircraft design to a new dimension with two very big, very efficient engines. In order to fit them on to a plane that sits fairly low on the ground, they are mounted very high and pushed forward, so they appear almost built into the wing.

This had an effect on the balance and aerodynamics of the aircraft, which made the designers fearful that it could in some circumstances tilt upwards and risk a stall.

So they installed a system which Boeing says “improves the behavior of the airplane in a non-normal part of the operating envelope”.

But MCAS also appears to have the power to threaten what should be an ordinary, safe flight.

How could something designed as a safety system go wrong?

The way that it was conceived and installed appears to be potentially hazardous in two regards. First, it can activate based on the signal from one faulty instrument. This goes against the usual principle of multiple redundant systems. An “AOA DISAGREE” warning to pilots was an optional extra, but was not fitted to the Lion Air jet.

Ideally three sensors would “vote” on a particular reading, and if one is seriously out of kilter with the other, it will be ignored.

In addition, Boeing does not appears to have built in a straightforward measure whereby the accuracy of the sensor is checked while the aircraft is moving on the ground; if it is not zero, then the pilots could be alerted.

What are the consequences of an inaccurate reading?

The elevator at the tail will activate to push the nose down. According to some formidable research carried out for the Seattle Times by aerospace reporter Dominic Gates, the original plan was a 0.6-degree movement, corresponding to a gentle downward nudge.

This was what the Federal Aviation Administration (FAA), which regulates safety, was told by Boeing. But in subsequent tests it appeared that the aircraft needed more of a nose-down push in order to recover. The movement was increased to 2.5 degrees.

Mr Gates says: “At a limit of 2.5 degrees, two cycles of MCAS without correction would have been enough to reach the maximum nose-down effect.”

But surely pilots are trained to handle unusual circumstances like this?

They certainly should be. Another question that Boeing must answer is why it did not make crystal clear that a radical new system had been installed, and provide specific training advice for MCAS.

What about the role of the regulator?

The FAA is responsible for certifying all new models of aircraft. But remarkably, the organisation outsourced many decisions on safety back to Boeing. So in a sense the aircraft manufacturer was marking its own homework.

After speaking to a wide range of serving and former employees at Boeing and the FAA, Mr Gates contacted both organisations with his concerns three days before the Ethiopian Airlines Boeing 737 Max crashed.

What happens now?

Boeing is working on modifications to eliminate the combination of factors which may have caused the downfall of the Ethiopian Airlines and Lion Air planes.

But there will be many questions asked about why the system was conceived and installed in the first place, why pilots were apparently uninformed about the potential of the stall-protection fix, and why faster action was not taken after the loss of the Lion Air flight.

What are Boeing and the FAA saying?

Boeing’s chairman, president and chief executive, Dennis Muilenburg, issued a statement on Sunday 17 March – a week after the Ethiopian crash. He said: “As part of our standard practice following any accident, we examine our aircraft design and operation, and when appropriate, institute product updates to further improve safety.

“While investigators continue to work to establish definitive conclusions, Boeing is finalizing its development of a previously-announced software update and pilot training revision that will address the MCAS flight control law’s behavior in response to erroneous sensor inputs.”

The FAA has said nothing since it grounded the Boeing 737 Max on 13 March. In that order, the organisation declared “an emergency exists related to safety in air commerce” because of “the possibility of a shared cause for the two incidents”.