
Summary – In previous articles we discussed automated flight systems in general. In this article we examine in detail a nominal systemic ‘tweak’ in the flight automation by Boeing of their dominant 737-series regional airliner which has developed into a major scandal. Boeing is as synonymous with commercial aviation as Bell is with helicopters. They invented the quality systems on which ISO-9000 is based. So, how is it that they appear to have lost the plot in this regard? It is a long story, so we have done it in three parts. The first was a brief history of how the Boeing Aircraft Company achieved total market dominance; the second analysed how this hegemony has been successfully challenged by Airbus. This final article is an analysis of how the useful MCAS concept became a killer.

Part-III:  A Technical Fudge (Sales wags Engineering)

In the first two parts of this article we saw how the Boeing Aircraft Company changed its core value from engineering excellence to optimised financial management, suppressing technical innovation and excellence in favour of the bottom line to become a Wall Street darling. This allowed their rival Airbus in the last 10 years to assume the lead both technically and commercially. While just holding their own in the wide-body market, in the larger narrow-body sector, Boeing are getting trounced. Having neither the time nor the money to bring a new game-changer design into play, they opted instead to seek to match the competition by re-engining the venerable 737 design with a new, fuel-efficient, by-pass engine type. However, by its very ‘by-pass’ nature, the new engine was significantly larger than its direct-flow predecessor powerplant and thus no longer fitted in the space under the wing. As described in the second part of this series, it was therefore moved forward and raised on a structural pylon. This changed the aerodynamics of the aircraft, risking a stall condition at high power settings. This negative and potentially dangerous impact was overcome using technical trickery, MCAS – Manoeuvring Characteristics Augmentation System – a simple but clever automated device to overcome this negative aerodynamic norm at an incipient stage. The new powerplant, combined with a unique winglet design to maintain laminar airflow on the wings, increased the efficiency of this new 737 iteration by some 20%. However, while looking much the same as its 737-900 predecessor, it was, arguably, a new aircraft type. But to minimise the requirements relating to the associated certification and subsequent conversion-to-type for the client airlines, the Sales department was allowed to obfuscate and minimise the engineering issues. The result was bumper sales – a commercial triumph – and a latent disaster.

Airbus & Boeing - head to head adversaries


The latter demon soon woke. Within a few months of entry into service, a Lion Air Max crashed into the sea shortly after take-off from Jakarta on a mild day with light breezes. With the Captain being a foreign national and the co-pilot relatively inexperienced, it suited both operator and manufacturer alike to initially blame it on pilot error. While the detailed accident investigation followed its protracted course, that was the generally accepted view in the aviation industry. But then, just five months later, a very similar accident occurred at Ethiopian Airlines, also just after take-off and also in fair weather. Now, while Lion Air is an LCC in a poorly regulated developing nation, the national airline of Ethiopia is highly respected internationally, being run to very high standards by a bunch of experienced expats from the developed world. So the event was not so easily fobbed off. As a result, led by the Chinese, more and more developed nations grounded the Max. The last to do so was the USA and then only after the Pilots’ Union wrote an open letter to the President of the USA resulting in it being grounded, not by the FAA, but by a Presidential Decree!

The root cause in each case was eventually found to be a failure of an angle of attack (AoA) indicator. This is a simple mechanical pendulum device allowing the easy measurement of aircraft flight angle relative to the horizontal, hence the aerodynamic Angle of Attack (AoA). In the Ethiopian accident the sensor was found to have been broken by a bird strike; in Indonesia, with the unfortunate aircraft having plunged into the sea at very high speed, no definitive diagnosis could be made, but it was considered a reasonable assumption. Bird strikes are a common hazard in aviation, so the two events could be considered appalling bad luck. But, as the investigations proceeded and multiple other causal factors came to light, it started to become abundantly clear that appalling management at the OEM was equally to blame – and herein lies the scandal. This has been exposed in an excellent Netflix documentary – Downfall – by Rory Kennedy (yes, of ‘that’ family) issued late in 2021 and on which much of this thesis is based. The failures cover almost every aspect of management within Boeing! Let’s start with the technical.

In fully automated systems, everything must be duplex: if safety critical, then it’s triplex. The AoA indication, being the fundamental driver of MCAS, is surely in the latter category. Yet it was simplex! There are actually two such AoA sensors (to left / right of the nose) but no software provision was made to cover one or both failing except for a computing anomaly indication – thus effectively making this safety critical element simplex. At the time of writing, one can offer no logic for such a fundamental error: maybe it was just a factor of the sensor’s simplicity in that, being little more than a plumb line, it was considered that there was nothing there to fail… That said, with man-in-loop (an earlier article – PFT-2 – on Flight Automation refers), it would not in itself have been a big deal as the MCAS element could just be switched off and the aircraft flown manually.
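
The simplex, duplex and triplex arrangements described above can be compared in a few lines of C. This is an added illustration, not Boeing's flight software: the limits, thresholds and function names are assumptions chosen for the example, and the sensor readings in `main()` are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed illustration limits, not values from any aircraft. */
#define AOA_MIN_DEG      (-30.0)
#define AOA_MAX_DEG       (60.0)
#define AOA_DISAGREE_DEG   (5.0)  /* max allowed split between channels */
#define AOA_TRIM_DEG      (14.0)  /* hypothetical nose-down trim threshold */

typedef struct { double aoa_deg; bool valid; } aoa_vote_t;

static double absd(double x) { return x < 0 ? -x : x; }
/* Range check; NaN fails both comparisons and is rejected. */
static bool plausible(double v) { return v >= AOA_MIN_DEG && v <= AOA_MAX_DEG; }

/* Simplex: a single channel is believed whatever it reports. */
aoa_vote_t vote_simplex(double a) { return (aoa_vote_t){ a, true }; }

/* Duplex: a fault is detected but not isolated, so fail safe (invalid). */
aoa_vote_t vote_duplex(double a, double b) {
    bool ok = plausible(a) && plausible(b) && absd(a - b) <= AOA_DISAGREE_DEG;
    return (aoa_vote_t){ ok ? (a + b) / 2.0 : 0.0, ok };
}

/* Triplex: mid-value select outvotes one bad channel (fail operational). */
aoa_vote_t vote_triplex(double a, double b, double c) {
    double t;
    if (!plausible(a)) return vote_duplex(b, c);  /* degrade to duplex */
    if (!plausible(b)) return vote_duplex(a, c);
    if (!plausible(c)) return vote_duplex(a, b);
    if (a > b) { t = a; a = b; b = t; }
    if (b > c) { t = b; b = c; c = t; }
    if (a > b) { t = a; a = b; b = t; }           /* b is now the median */
    bool ok = absd(b - a) <= AOA_DISAGREE_DEG || absd(c - b) <= AOA_DISAGREE_DEG;
    return (aoa_vote_t){ b, ok };
}

/* Automation may act only on a voted, valid value above the threshold. */
bool trim_allowed(aoa_vote_t v) { return v.valid && v.aoa_deg >= AOA_TRIM_DEG; }

int main(void) {
    /* Constructed readings: one sensor stuck at 40 deg, the others near 4 deg. */
    printf("simplex: %d\n", trim_allowed(vote_simplex(40.0)));
    printf("duplex:  %d\n", trim_allowed(vote_duplex(40.0, 4.0)));
    printf("triplex: %d\n", trim_allowed(vote_triplex(40.0, 4.0, 4.5)));
    return 0;
}
```

The stuck reading is inside the plausible range, so a range check alone would not reject it; only the cross-channel comparison does.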

It is here that the second root cause, of commercial sales wagging the technical dog, came into play. There were two main issues. Management wanted a speedy certification process to get the aircraft into service as quickly as possible so as to better compete with the A320-Neo family; and the Sales strategy was to minimise the conversion to type for B737-800/900 pilots (again emulating said 320-family) to be little more than an in-house computerised aircraft differences training, with a standard line check by an authorised airline Training Captain on completion. This was to avoid the training typical for new aircraft types requiring pilots to fly to the USA for a couple of weeks’ conversion training with the OEM and the need to build specific simulators to accommodate the emergency aspects of that training. If conversion to the new type could be accommodated within the existing infrastructure, then timelines and costs of bringing the new type into service would be dramatically reduced for both the OEM and end-user Operators.

So the OEM management decision was to ‘hide’ the MCAS within the existing auto-pilot as an auto-stabilization element (which, in effect, it indeed was). As a result, it was not documented in any detail anywhere – not in the Pilots’ Ops. Manual, not in Technical Manuals, nor even in cockpit checklists. This technical subterfuge was so complete that the only mention of MCAS in all of the technical and operational documentation was in the Glossary of Terms at the very beginning of every Manual. (Typically Glossaries, being common to all the various Manuals pertaining to any aircraft type, are kept as a separate computer file.) As such, with all reference to MCAS removed in all other Manuals and Checklists, it appears to have been left in the Glossary by oversight – effectively a “typo”. Such is indicative that the decision on the technical strategy of eliminating all reference to MCAS in both technical and operational Manuals and cockpit checklists was taken at the highest levels within the company. In fairness, there is a logic in this regard, in that the automated elements were really very simple and, as long as there was no failure, the system inputs were so deeply embedded in the aircraft’s operating system as to be unnoticeable. So MCAS was presented as a software ‘tweak’ to make this Max ‘feel’ like its 737-800/900 predecessors, which, indeed, was essentially the case. The Wall Street Journal’s subsequent investigation into its lack of elevation reports a Boeing statement to the effect that it was company policy “not to overload Pilots with too much information”! As a result of this Sales ploy, no mention was made of two simple switches labelled ‘auto-stab.’ that would turn off the MCAS in the event of a software problem.

Rory Kennedy’s Downfall documentary includes footage in a simulator showing what happens when the AoA indicator fails. The effect of the broken mechanical sensor meant that, in maintaining a mechanical vertical, the pendulum fed an apparent high nose-up input into the FMS computer: such is indicative of a stall. This causes various panel lights to start flashing, the (joy) stick shaker activates, a voice screams “stall, stall!” and the computer brutally shoves the nose down. The flying pilot, seeing that the aircraft was in a normal flight condition, pulls the nose back up manually and the cycle restarts, getting more brutal each time as aircraft speed increases. The non-flying pilot frantically searches through checklists for information – there is none – thus leaving the crew trying to understand what the heck was going on as they lose control of the aircraft in a cacophony of cockpit noise, no doubt further exacerbating matters and resulting in other mistakes. Such is the stuff of nightmares but, as a reality, there was no waking up in a cold sweat, just a mercifully short screaming panic and oblivion…

Actually all that needed to be done was to close the aforementioned couple of normal-looking switches labelled ‘auto-stab’ and the MCAS would have been disconnected and the aircraft flown normally. But not only were these switches not documented, they were also tucked away at the back of the center console and so not readily visible. This was stated nowhere in the cockpit checklists. In the USA the information as to the use and location of these switches had passed by word of mouth between crews, and was likely seen as a teething problem with auto-stabilization in a new aircraft type that would soon be sorted out, with the checklists being amended accordingly at the next update, and as such, no big deal. Crews further afield overseas were less well advised. Actually, the pilot that flew the Lion aircraft the day before the crash also had the MCAS problem but, with friends in the US, he was in-the-loop and knew what to do, switched off the auto-stab. and conducted the rest of the 90 minute flight ‘manually’. On arrival in Jakarta, it is understood that, as is normal, he entered the auto-stab. unserviceability in the Technical Logbook. The engineers no doubt ground tested the system but, with the aircraft being horizontal on the ground, it of course worked normally. That being the case, they would have entered “tested and assessed serviceable” in that aircraft’s Technical Logbook (also a normal, and frequently used, procedure). So, the unfortunate Indian Captain assigned to the aircraft the next day inevitably suffered the same problem again but, being out of the US Pilots’ gossip-loop, was not so lucky and nor were his 180-odd passengers and crew! The recovered Cockpit Voice Recorders show similar confusion and panic in the final moments of the Ethiopian Airlines Max some five months later.

Conclusion

In the 18 months of enforced downtime since these accidents, the B737-Max has been virtually completely recertified by the FAA and the MCAS issue in particular is now fully resolved and properly documented, with pilots being properly trained in its use. The pendulum AoA sensor, through additional software, has now effectively been made duplex. So one may be confident there will be no repeat in future global Max operations of this sorry tale. The same cannot be said for the Boeing company. Their quality management issues in manufacture are still ongoing, causing tens of billions in lost revenue, fines, lawsuits and capital expenditure. In such circumstances, one cannot imagine where they will find funds to develop a new mid-range aircraft design (the NMA – New Mid-range Aircraft) which they so desperately need to compete with Airbus. Indeed the Boeing CEO, David Calhoun, has indicated in an October interview that, for him, NMA has come to mean ‘No More Aircraft’ – at least until there are new engine types capable of offering some 20% in fuel savings.

Such engines are likely to be similar to the new open-fan types currently being tested by Airbus on an A380 (see photo). As such, there is a logic to this decision in that its location on the aircraft may likely be other than under the wing. However, since such power plants will only be available towards the end of this decade, the delay will mean that Boeing will have come up with no fresh design for more than a quarter of a century. For much of this century, Boeing and Airbus have split the market between them approximately 50:50. Since the Max saga, it has dropped to less than 40:60 in Airbus’s favour. For Boeing to not produce a new aircraft type for a full human generation will increase the negative impact on this balance, which will be further exacerbated by the fact that a whole generation of Boeing engineers will have had no experience in the field of commercial new aircraft development.

This is while Airbus are busily developing new generations of airliners with hybrid-electric or hydrogen power plants. So 10 years hence a 30:70 split is not unimaginable. The June announcement of the intention to move the Boeing corporate HQ from Chicago to Washington DC is indicative of a Boeing acceptance of this and a shift of company focus to government military/space projects.

But, notwithstanding one’s harsh review of this recent scandalous history, the author of this piece, where possible, will always choose to fly in a Boeing over an Airbus. Why? Because, as stated in a former flight control essay (PFT-2 in September ’22), with the exception of the B-787, Boeing aircraft are flown by Pilots, while the more advanced (Fly-by-Wire) Airbus types are flown by a computer. Before one is sued for the publication of such an opinion, let it be said that this subjective choice is based on no (accepted) objective evidence and hence is solely a function of this Author’s personal lack of digital empathy – a peccadillo for sure, but one that is shared by many other analogue folk!