Boeing 737 Max: As automation proliferates, risk of human error persists
Eric Olson | September 25, 2019
Humans are increasingly reliant on automated systems to make decisions to keep us safe. Computers are often seen as infallible; for example, they are typically incapable of making a mistake on clearly defined problems like math calculations.
But computers and software are designed and built by error-prone humans. Furthermore, the intelligence of automated systems is limited by the algorithms that prescribe their actions. Constrained by programming, algorithms cannot adapt to new situations in the same way that humans can. (Although, as artificial intelligence improves, the capability gap is closing).
In safety-critical applications like automated flight control systems, which have control over aircraft maneuvers, the failure of an automated system can be deadly.
(On September 26, the National Transportation Safety Board issued seven safety recommendations to the Federal Aviation Administration, calling upon the agency to address concerns about how multiple alerts and indications are considered when making assumptions as part of design safety assessments.)
Maneuvering characteristics augmentation system
The apparent failure of the maneuvering characteristics augmentation system (MCAS) on Boeing 737 Max aircraft is implicated in two separate crashes in which 346 people lost their lives: Ethiopian Airlines Flight 302 on March 10, and Lion Air Flight 610 on Oct. 29, 2018.
MCAS is a new addition to the 737 Max that was not present on previous generations of the 737. It is a software function in the flight control system designed to enhance the aircraft’s pitch stability.
Pitch is a rotation of an aircraft about its center of gravity resulting in an up or down motion of the aircraft’s nose. Pitch angle is the angle between the longitudinal axis of the airplane (i.e., the axis that goes from tail to nose through the aircraft’s center of gravity) and the horizon. Pitch is a rotation about the horizontal axis parallel to a line that goes from wingtip to wingtip, passes through the aircraft’s center of gravity and is perpendicular to the longitudinal axis. If an aircraft’s nose pitches up too high, the aircraft will stall, resulting in a drastic reduction in lift generated by the wings and severely impaired ability for pilots to control the aircraft.
MCAS automatically changes the angle of the horizontal stabilizer on the tail of the aircraft to adjust nose pitch when one of two angle-of-attack sensors (AOA) mounted on the exterior of the airplane indicates the nose is pitching up beyond a certain threshold. MCAS swivels the stabilizer up to create an aerodynamic force on the control surface, generating a moment about the airplane’s center of gravity that pitches the aircraft’s nose down.
The need for MCAS
The reasons for MCAS’s existence can be traced to competition between Boeing and archrival Airbus for supremacy in the commercial jet market. In December 2010, Airbus announced the A320neo, a new model for the extremely popular narrow-body airliner market, which burned 6% less fuel than Boeing’s competing aircraft, the 737NG. At the Paris Air Show in June 2011 the A320neo won 667 orders, a record number for the event.
To prevent Airbus from market domination, Boeing needed to swiftly introduce its own improved narrow-body aircraft to compete. The time constraint forced Boeing to upgrade its existing 737 family of aircraft instead of developing an entirely new model. In August 2011, Boeing unveiled the 737 Max, which it promised would increase fuel efficiency by 8% over the A320neo.
In designing the new model, fuel-efficient LEAP-1B engines were chosen to replace the older CFM56 engines. The new engines are larger and more powerful than those on older 737s, requiring a mounting arrangement that places them higher and farther forward on the wing. The bigger engine geometry and different positioning changed the aerodynamics of the new airplane. The larger engine nacelles produced additional lift, particularly at high angles of attack. This affected the longitudinal (pitch) stability of the aircraft in certain situations, lowering its margin of stability in aggressive maneuvers like steep banking turns. (Pitch instability is a dangerous scenario where small changes in pitch tend to be amplified instead of damped, a scenario where pitch angle could rapidly increase leading to a stall.) The different aerodynamics altered the Max’s handling characteristics, causing pilots to feel uneven forces in the control stick in certain conditions.
This posed a dilemma for Boeing. To meet the FAA's requirements for a new model within the existing 737 type, the Max needed to behave similarly to each of the previous 737 models, all the way back to the original 737-100, which first entered service in February 1968. There is also an FAA requirement that stick forces must smoothly change when flying commercial aircraft.
If Boeing was unable to convince the FAA that the Max was simply a new model within the 737 type, the aircraft would not receive a 737-type certificate and would be less appealing to the marketplace. This is because airlines often build fleets around specific families of aircraft to realize efficiencies in aircraft maintenance, pilot training and scheduling. A prime example is Southwest Airlines, which operates only 737s. Certifying pilots for multiple types of airplane is more expensive than using a single family of aircraft.
For these reasons, Boeing created MCAS for the 737 Max. The system would mimic the handling characteristics of older 737s and smooth control stick forces during certain maneuvers and flight conditions, allowing the Max to be certified as a new model within the 737 type of aircraft.
The presence of an automated system to smooth flight control is not, in itself, necessarily dangerous. But the implementation of MCAS was beset by deficient design rigor, rushed certification by an under-funded regulator and insufficient pilot training materials.
Even though the 737 Max is equipped with two AOA sensors, MCAS was triggered by data from only a single AOA sensor. If that sensor was damaged or malfunctioned, causing it to generate bad data, MCAS could trigger inadvertently.
Safety analyses by Boeing rated a potential failure of MCAS as, at most, “hazardous” on the FAA’s scale of failure conditions, which ranks possible system failures by their severity. A hazardous failure condition could cause “serious or fatal injury to an occupant.” This is less than the most severe system failure category of “catastrophic.” Even so, dual redundancy is typically required for instruments that could cause hazardous failure conditions. For example, a similar MCAS on the Air Force’s KC-46 tanker aircraft is programmed to compare readings from both sensors.
According to the FAA, the probability of hazardous failures must be less than one in 10 million. Boeing calculated that the probability of a hazardous failure condition of MCAS was about 1 in 223 trillion, well within the FAA’s guidelines. But AOA sensor anomalies occur regularly on commercial aircraft, with more than 50 problems reported in the past five years, calling into question Boeing’s probability analysis and its decision to rely on a single AOA sensor for MCAS activation.
Another problem is that safety assessments did not account for the complete range of MCAS capabilities. The analyses were based on an early iteration of MCAS that only changed the horizontal stabilizer by 0.6° from the trimmed position, instead of the more powerful final version which allowed up to 2.5° per activation. They also failed to take into account the possibility of multiple repeated MCAS activations.
During the certification process, the FAA missed safety issues with MCAS because the agency did not carry out its own detailed analyses of the system. The System Safety Analysis for MCAS was carried out by Boeing and reviewed by the FAA. FAA management also pressured its own technical experts to complete the certification process quickly.
Due to a lack of resources the FAA delegates much of the safety assessment work, which is crucial to airplane certification, to aircraft manufacturers. In March 2019, the FAA said it would need $1.8 billion per year for 10,000 more employees to carry out all certification work independently.
Lack of training
In the entire 1,600 page operating manual for the 737 Max, there was only a single reference to MCAS, where the acronym is defined in the manual's abbreviations section. The quick reference handbook for the aircraft did include a procedure for how to handle a runaway stabilizer situation in which “uncommanded stabilizer trim movement occurs continuously,” but details about how MCAS works were not provided.
It was not until the week after Lion Air Flight 610 crashed, on November 6, 2018, that Boeing issued a bulletin with further information, explaining that the “pitch trim system” could initiate uncommanded nose down cycles repetitively every 5 seconds if AOA data was erroneous. (The bulletin did not explicitly state that this behavior was caused by a software function named MCAS).
The full name of MCAS, together with additional details about its operation such as the fact that it could change the horizontal stabilizer angle by up to 2.5° during each activation, was not revealed until four days later, on November 10, 2018, in a multi-operator message to all Boeing 737 Max customers. (Boeing’s bulletin and message regarding MCAS can be found in the appendices of Indonesia’s preliminary accident investigation report on Flight 610.)
A tragic fact is that the quick reference handbook’s procedure to stop a runaway stabilizer could have prevented both crashes. This procedure disables automation of the horizontal stabilizer – including complete MCAS deactivation – by disengaging the autopilot and autothrottle and flicking two "STAB TRIM" switches in the cockpit's center console to the cutout position.
Tragically, on Ethiopian Airlines Flight 302, the pilots did flip the switches to deactivate MCAS, but by then the aircraft had exceeded the speed at which aerodynamic forces make the plane difficult to control, and their attempts to get the airplane to climb failed, so the switches were flipped back. Perhaps the pilots thought automatic trim control might help recover the plane. Instead, shortly after reactivating MCAS, the plane crashed.
In the aftermath of the second crash in Ethiopia, all 387 Max aircraft that were in service worldwide were grounded. Hundreds of additional Max jets are parked for storage as Boeing continues production of the aircraft.
The 737 Max will not fly again until Boeing finishes fixing and improving MCAS function and regulators certify that the aircraft is safe to fly.
Boeing’s fixes for MCAS include requiring a comparison of data from both AOA sensors before MCAS activation; preventing MCAS activation if the two AOA sensors differ by more than 5.5°; limiting MCAS activation to a single cycle instead of repeated cycles; and preventing MCAS from commanding more stabilizer input than pilots can counteract on the flight stick.
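As an added illustration (not Boeing's code and not taken from this article), the following Python models the two trigger policies discussed here: the original single-sensor logic that re-arms every cycle, and the revised logic that compares both AOA sensors, inhibits on a disagreement greater than 5.5°, and activates only once. The 15° activation threshold and the sensor readings are constructed assumptions; the 2.5° and 0.6° per-activation values and the 5.5° limit are the figures given above.

```python
"""Model of the single-sensor MCAS trigger versus the revised dual-sensor logic."""
from dataclasses import dataclass

# Figures from the article: 2.5 deg of stabilizer per activation in the final MCAS,
# 0.6 deg assumed in the early safety analysis, 5.5 deg AOA disagreement limit in the fix.
FINAL_TRIM_PER_ACTIVATION_DEG = 2.5
ANALYZED_TRIM_PER_ACTIVATION_DEG = 0.6
AOA_DISAGREE_LIMIT_DEG = 5.5
# Constructed assumption: the AOA above which MCAS activates (the article gives no number).
AOA_TRIGGER_DEG = 15.0


@dataclass
class Outcome:
    activations: int = 0
    total_trim_deg: float = 0.0   # cumulative nose-down stabilizer movement commanded
    inhibited_cycles: int = 0     # cycles where sensor disagreement blocked MCAS


def original_mcas(samples, trim_per_activation=FINAL_TRIM_PER_ACTIVATION_DEG):
    """Original logic: one AOA sensor, re-arms every cycle while that sensor reads high."""
    out = Outcome()
    for left_aoa, _unused_right_aoa in samples:  # the second sensor is never consulted
        if left_aoa > AOA_TRIGGER_DEG:
            out.activations += 1
            out.total_trim_deg += trim_per_activation
    return out


def revised_mcas(samples, trim_per_activation=FINAL_TRIM_PER_ACTIVATION_DEG):
    """Revised logic: both sensors compared, disagreement inhibits, single activation."""
    out = Outcome()
    for left_aoa, right_aoa in samples:
        if abs(left_aoa - right_aoa) > AOA_DISAGREE_LIMIT_DEG:
            out.inhibited_cycles += 1     # sensors disagree: trust neither, do nothing
            continue
        if out.activations >= 1:
            continue                      # single-cycle limit: never repeat
        if min(left_aoa, right_aoa) > AOA_TRIGGER_DEG:  # both must indicate high AOA
            out.activations += 1
            out.total_trim_deg += trim_per_activation
    return out


# Constructed sample data: one (left, right) AOA pair per 5-second MCAS cycle.
FAULTY_SENSOR = [(22.0, 3.0)] * 6       # left vane stuck high, right reads normally
GENUINE_HIGH_AOA = [(18.0, 17.0)] * 4   # both vanes agree the nose is high

if __name__ == "__main__":
    for name, data in (("faulty sensor", FAULTY_SENSOR), ("genuine high AOA", GENUINE_HIGH_AOA)):
        print(name, "| original:", original_mcas(data), "| revised:", revised_mcas(data))
```

With the faulty left vane, the original model commands six 2.5° nose-down movements (15° in total, versus 3.6° under the 0.6° figure the safety analysis assumed), while the revised model inhibits on every cycle; with a genuine high angle of attack, the revised model acts once instead of repeatedly.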
Boeing is also developing new computer-based training material for pilots, including information on how MCAS works and how to respond to a system malfunction.