Vol. XLIII No. 16 April 21, 2019

Boeing 737 Max: Design Flaws, Regulatory Failure


THE second crash of a Boeing 737 Max 8 aircraft on March 17 killing all 158 passengers and crew, this time operated by Ethiopian Airlines en route from Addis Ababa to Nairobi, six months after an earlier Lion Air crash in Indonesia, has since led to a worldwide grounding of all 737 Max 8 aircraft. Analysis of the Lion Air crash itself, including data from the “black box” or cockpit voice recorder (CVR) and flight data recorder (FDR) as well as real-time data from satellites and from aircraft and engine manufacturers, had pointed to problems with automated software that apparently overrode the pilot’s commands. Preliminary data from the Ethiopian Airlines crash have shown striking similarities such as the pilot encountering and reporting problems with the flight control systems, erratic speed and rate of climb of the aircraft soon after take-off, inability of the pilots to regain control, and finally the aircraft crashing after a steep dive.
Initially, air safety regulators around the world seemed hesitant to arrive at definitive conclusions or even take a precautionary decision to ground all aircraft of this type, especially since Boeing insisted that the aircraft was safe and suggested that the pilots of both aircraft should have been able to tackle any anomalies as indeed pilots had done in other 737 Max flights. On top of this, the US Federal Aviation Administration (FAA), long regarded as the world’s leading air safety regulator, also refused to order any action until analyses were completed and definitive conclusions reached. However, with fears mounting among passengers and airlines worldwide, air safety regulators in other countries, used to following FAA decisions, started moving independently.
China’s Civil Aviation Administration grounded all 96 Boeing 737 Max aircraft operated by Chinese carriers just a day after the Ethiopian crash. Similar actions were taken by many other Asian countries in the following days, with the European Union Air Safety Agency following suit three days later. It was then left to US President Donald Trump to order the grounding of all Boeing Max aircraft flown by US carriers, only following which the FAA finally smelled the coffee and ordered a worldwide grounding of the more than 350 aircraft of this type. Boeing now says it recognises a flight control problem that might be behind both the crashes and will develop and introduce modifications within a few weeks or months. In the months to come, Boeing faces a sea of problems, such as possible cancellation of many of the over 5000 orders it has for the 737 Max, claims for damages by the two airlines that suffered crashes and by families of the victims, and a sharp drop in its market value. 
That is not all, however. Much more information and analyses have become available by now. These lead to a firm conclusion that there were fatal design flaws in the Boeing 737 Max series of aircraft (there is the Max 8 and also the Max 9 and 10 mostly operated by US carriers, each suffix numeral indicating differing passenger capacities), that Boeing introduced automated software to counter these flaws, that the software itself was highly problematic, and that pilots were not properly informed or trained for this feature with manuals not containing requisite information. It now further transpires that the FAA, instead of scrupulously implementing its regulatory and oversight role as regards airworthiness and safety guidelines, actually delegated most of these functions back to the manufacturer Boeing itself in a shocking abdication of responsibility. At the time of writing, the US has ordered an investigation into how the airworthiness license came to be granted by FAA for this aircraft type, opening another can of worms.
The Boeing 737 has been one of the most successful passenger aircraft from the Boeing stable in terms of both reliability and safety record, with over 10,000 aircraft including all variants in service worldwide. The 737 was conceived as a short- to medium-haul twin-engined narrow-body airliner in 1964 and introduced into service in 1968. Several variants such as the 737-200 (dash 200) through the dash 500 were gradually introduced, stretching the original airframe for more passenger capacity, and using the CFM56 engine made by a joint venture of the French Safran (formerly SNECMA) and the US General Electric. Boeing then introduced new variants in the 1990s with a re-designed wing and longer called the New Generation or NG series of -700, -800 and -900 aircraft. The Max series was introduced in the 2010s using the CFM LEAP-1 fuel efficient engine, promising around 14 per cent fuel savings, and twin-leaf winglets (forked wing tips) offering a further 1-2 per cent fuel savings. 
The Max 8 entered service in 2017 in the face of stiff competition from the latest Airbus 320 variants especially the Airbus 320neo series also using the CFM LEAP engines. Driven by the desire to achieve fuel economy, Boeing has since then obtained orders for over 5000 Max series including its stretched -9 and -10 variants.
The problem for Boeing was that the CFM LEAP engine has a much larger front fan and air intake than its predecessors. Boeing did not want to undertake any major redesign effort to properly incorporate the new engine into the airframe, since it was facing time pressure for deliveries due to stiff competition from Airbus. So Boeing adopted some short-cuts. (It is to be noted that Airbus did not face similar problems with its airframe, although it has encountered other problems with its CFM LEAP engines on the Airbus 320neo, but that is another story.) Boeing fitted the engine on the wing in a slightly forward position, and also somewhat tilted upward in order to provide additional clearance from the ground. Unfortunately, this created some aerodynamic instability with a tendency for the nose of the aircraft to tilt upwards.
Boeing sought to compensate for this by introducing flight control software which, if it sensed a problematic higher upward tilt of the nose, or higher “angle of attack” as it is technically termed, that could lead to the aircraft stalling (i.e. becoming incapable of sustaining flight), would automatically adjust the rear stabiliser of the aircraft (the two horizontal flaps at the tail that are rotated up or down to make the aircraft tilt downwards or upwards) to force the nose down.
Boeing designed this so-called Maneuvering Characteristics Augmentation System or MCAS (pronounced Em-Cass) to operate even when the plane is not on auto-pilot, over-riding any manual operations by the pilot. The problem is that Boeing sought to make this system “non-intrusive,” in other words the pilot would not even be aware of the automated correction, and therefore did not think it necessary to highlight this issue in the pilot’s manual for this aircraft type, even though this was an entirely new feature compared with earlier B-737 models. This MCAS system and the way it operates is the root cause of the crashes of the Boeing Max 8.
Boeing committed multiple follies with this MCAS system, all driven by its hurry to obtain airworthiness certification and start deliveries in the shortest possible time, given its race with Airbus, and reduce costs both to itself and to customer airlines.
The MCAS is designed to be triggered by two sensors, one on each side of the nose of the airframe, which read airspeed and angle of attack (AoA). Unfortunately, the system was designed so that the MCAS received a signal from only one of these sensors. It is not known why Boeing did not design the system to work with both readings, and perhaps ignore the anomalous one compared to ground-level checks before take-off, and why no such check procedure was mandated for pilots.
In both the Lion Air and Ethiopian Airlines crashes, the sensor(s) transmitted faulty AoA readings to MCAS which then forced the nose down, reducing the rate of climb of the aircraft and increasing the speed. The pilots, sensing something was wrong, tried to correct this through manual corrections raising the nose. The MCAS responded by lowering the nose again. In the Lion Air crash this happened more than 20 times, with the pilot fighting against MCAS as in a tug of war, by which time the aircraft had stopped climbing and entered into a high speed steep dive from which the pilot could not recover. The same thing seems to have happened with Ethiopian.
Boeing argues that the pilot only needed to manually shut down the automatic stabiliser trim function in order to neutralise the MCAS. It seems that some pilots did indeed do so on earlier occasions. But this does not account for natural confusion and panic in the cockpit, magnified by the absence of specific instructions in the manual. Even when pilots are quite senior with many thousand kilometres of flying under their belt, as the captains on both the crashed Boeing Max aircraft were, the Boeing Max was a new aircraft and even most commanders would have had limited experience in it.
Apparently, during the certification process, the issue of error in AoA sensors and hence incorrect response by MCAS was not classified as “hazardous” but only as “serious” which does not call for fresh Manuals or Training. Thus only advisories were issued, which many pilots may have put aside assuming they were not all that important. The certification that the Boeing Max was only a minor extension of earlier 737 NG models meant that no special re-training was required including on simulators. This was an added plus point for customer airlines, since that would reduce induction costs for the new aircraft type. It seems most new Boeing Max pilots were merely given a brief explanation of the MCAS system on a tablet computer!
Further, the MCAS was initially designed to effect a 0.6 degree change in angle of attack out of the physical maximum of 5 degrees, and this was reflected in the documentation submitted to FAA at the time of certification. However, Boeing later modified this to raise the MCAS command limit to 2.5 degrees, which meant that each time MCAS kicked in, it would cause a much larger change in the attitude of the aircraft than indicated in the initial documentation. This was done without amending any documentation and with the FAA seemingly simply passing this important modification through.
A modern aircraft with numerous components and computerised automation systems is a very complex machine and, understandably, few regulatory agencies would have the requisite numbers of qualified staff to comprehensively check all these for every new aircraft or variant and then provide airworthiness certificates. Increasingly, aviation regulators have tended to rely more and more on the manufacturers themselves to provide necessary expertise and manpower. This is clearly a huge problem with in-built conflicts of interest. This phenomenon has been known in other technology sectors, and has been termed “regulatory capture” wherein the industry supposed to be regulated in effect has captured the agency tasked with such oversight.
Apparently, in the recent past, the US FAA has delegated close to 80 per cent of component or sub-system certification to Boeing itself, or at least to Boeing engineers temporarily seconded to the FAA for certification purposes. This is tantamount to self-certification, and seems to have reached grave proportions in the aviation sector.
In the case of the Boeing 737 Max, it appears that most features and modifications of the MCAS system were made either without the knowledge of, or with a complicit nod from, the FAA. Hopefully, the investigation will establish this and institute safeguards for the future.
Boeing has said it will introduce necessary modifications soon. In all likelihood, these will include limiting the aircraft attitude or AoA changes MCAS is authorised to actuate, limiting the number of times it is allowed to do so, perhaps to two, and allowing both sensors to feed AoA signals to MCAS, besides explicitly covering in a new Manual all these aspects, precautionary checks, and corrective action that pilots can take. Will these be enough? Or will Boeing be compelled to make the airframe design changes it should have made at the outset? Whichever option is taken, given the cloud hanging over the FAA and the certification process, it is unlikely we will see the Boeing 737 Max take to the skies in anything less than six to nine months. It remains to be seen how much Boeing will suffer before and after that.
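The single-sensor behaviour described earlier and the modifications anticipated above (both sensors feeding MCAS, a limited command size, a cap of two activations) can be contrasted in a small model. This is an added illustration, not Boeing's code: the trigger angle, the disagreement tolerance and the sample readings are assumptions, and using the originally documented 0.6 degrees as the revised limit is also an assumption.

```python
from dataclasses import dataclass, field

# Assumed for illustration; the article gives neither threshold.
AOA_TRIGGER_DEG = 14.0    # AoA above which nose-down trim is commanded
MAX_DISAGREE_DEG = 5.0    # tolerated difference between the two sensors

# Figures taken from the article.
STEP_AS_FLOWN_DEG = 2.5   # command limit per activation after Boeing's change
STEP_LIMITED_DEG = 0.6    # limit in the documentation submitted to the FAA
MAX_ACTIVATIONS = 2       # activation cap the article expects in the fix


@dataclass
class TrimLog:
    commands: list = field(default_factory=list)  # nose-down degrees per activation
    sensor_fault: bool = False                    # set when the sensors disagree


def single_sensor_logic(readings):
    """As described: acts on one sensor only, with no cap on repeats."""
    log = TrimLog()
    for left, _right in readings:
        if left > AOA_TRIGGER_DEG:
            log.commands.append(STEP_AS_FLOWN_DEG)
    return log


def cross_checked_logic(readings):
    """Anticipated fix: compare both sensors, limit step size and repeats."""
    log = TrimLog()
    for left, right in readings:
        if abs(left - right) > MAX_DISAGREE_DEG:
            log.sensor_fault = True   # disagreement: inhibit and flag, do not trim
            break
        both_high = min(left, right) > AOA_TRIGGER_DEG
        if both_high and len(log.commands) < MAX_ACTIVATIONS:
            log.commands.append(STEP_LIMITED_DEG)
    return log


# Constructed sample data: (left, right) AoA readings in degrees per cycle.
FAULTY_LEFT = [(22.0, 5.0)] * 21      # left sensor stuck high, right plausible
GENUINE_HIGH = [(16.0, 15.5)] * 21    # both sensors agree the nose is too high

if __name__ == "__main__":
    print("single sensor, faulty input:", len(single_sensor_logic(FAULTY_LEFT).commands))
    print("cross-checked, faulty input:", cross_checked_logic(FAULTY_LEFT))
    print("cross-checked, genuine input:", cross_checked_logic(GENUINE_HIGH))
```

With the faulty input the single-sensor logic commands nose-down on every cycle, while the cross-checked logic commands nothing and raises a fault for the crew; with a genuine high reading it acts twice and stops.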
Meanwhile, our own Director General of Civil Aviation (DGCA) had better wake up from its slumber fast. It made absolutely no moves in India even after so many regulatory agencies the world over had grounded the Max. It virtually took the US grounding order for the DGCA to wake up. Additionally, the certification and airworthiness process in India too urgently needs reform, with a truly independent Air Safety investigation and monitoring agency exercising oversight of the DGCA.