Boeing Max Failed to Apply Safety Lesson From Deadly 2009 Crash
(Bloomberg) -- A fatal airplane crash a decade ago prompted a life-saving fix across thousands of Boeing 737 cockpits. So why wasn’t the same lesson applied to the design of the 737 Max, an upgraded version on which 346 people died in recent disasters?
Investigators of the 2009 crash of a Turkish Airlines jet identified a faulty altitude sensor that thought the plane was closer to the ground than it was and triggered the engines to idle. The plane’s second radio altimeter displayed the correct elevation, but it didn’t matter: the automatic throttle was tied to the first gauge. The Amsterdam-bound plane crashed into a field, killing nine people and injuring 120.
Boeing ended up changing that throttle system to prevent one erroneous altitude reading from cascading into tragedy, changes the U.S. Federal Aviation Administration subsequently made mandatory.
Yet when the Max debuted in 2017 with a new flight-control feature to help pilots avoid a stall, it was designed to react to only one of the plane’s two “angle of attack” sensors that measure the jet’s incline. That proved deadly when malfunctioning sensors on jets operated by Lion Air and Ethiopian Airlines automatically commanded the noses of the planes down over and over, even though the other sensor showed it wasn’t necessary.
“When I read that the planes had two angle-of-attack sensors, I couldn’t think of a reason why they wouldn’t use both,” said Robert Canfield, an aeronautical engineering professor and technical director of the Virginia Tech Airworthiness Center.
A software fix for the 737 Max that is now in testing will do just that, and multiple investigations of two crashes, the first in October and the second in March, are probing why it wasn’t incorporated into the original design.
Boeing says the Max disasters shouldn’t be compared to the Turkish Airlines crash and no evidence has emerged to indicate that the altitude sensor, known as a radio altimeter, failed on the Lion Air or Ethiopian planes. “These incidents address fundamentally different system inputs and phases of flight,” Charles Bickers, a Boeing spokesman, said in an email.
“The 737 MAX was certified in accordance with the identical FAA requirements and processes that have governed certification of previous new airplanes and derivatives,” he said. The FAA signed off on the Max’s flight control feature, known as the Maneuvering Characteristics Augmentation System, or MCAS, he said.
“The FAA considered the final configuration and operating parameters of MCAS during Max certification, and concluded that it met all certification and regulatory requirements,” he said.
The crash of Turkish Airlines Flight 1951 foreshadowed the risks of an automated flight-control system relying on data from a single sensor, said Jeffrey Guzzetti, the former director of the U.S. Federal Aviation Administration’s Accident Investigation Division.
“Several parallels can be drawn,” Guzzetti said, including that each of the accidents involved a single-sensor failure and subsequent technical changes by Boeing that were eventually mandated by the FAA, he said.
And while the crashes have significant differences, the single-sensor lesson is one that Guzzetti says Boeing should have applied to the 737 MAX. “The short answer is yes,’’ he said, “but with the huge caveat that hindsight is 20/20.’’
After the crash of the Turkish Airlines 737-800, the FAA mandated changes to the Boeing 737
autothrottle computer in order to prevent what occurred in the accident: a single faulty radio altimeter from causing the autothrottle to reduce engine thrust to idle prematurely, which the FAA wrote in a 2014 airworthiness directive “could result in loss of control of the airplane,” according to the document.
While the FAA’s airworthiness directives and Boeing service bulletins don’t mention it explicitly, the changes allowed the autothrottle to compare readings from both radio altimeters, instead of relying on one as the first 737 Next Generation, or NGs, did, Guzzetti said after reviewing the documents.
“It seems clear to me that this was a software change to use both radio altimeters and compare them,” he said.
The 737 NG series is similar in design to the Max but without the larger engines that altered the aerodynamics of the plane and led Boeing to include the new computerized flight control system.
Not all experts agree that the Turkish Airlines crash -- in which investigators also cited multiple pilot missteps -- should have been a warning to Boeing when designing MCAS. While all three involve so-called single-point failures, that’s where the similarities end, said John Cox, president of consulting company Safety Operating Systems who participated in dozens of airline accident investigation as a pilot union representative.
“I don’t think it’s a fair comparison to say that Boeing should have known from the Turkish 1951 accident that they should’ve designed something different in MCAS,” Cox said.
In the 2009 crash, the erroneous altimeter data led to just one related failure: dialing back the jet’s throttle to idle prematurely. In the 737 Max crashes, faulty angle-of-attack data triggered airspeed and altitude warnings and caused the control yoke to shake violently, a sign that the plane could be approaching a stall, Cox said. That’s because the angle-of-attack readings factor in to those other sensors, he said.
“I think the only comparison you can make is that increasingly, airplanes are using more complex systems and that complexity on occasion can come up with unexpected results,’’ Cox said. “That’s true for Lion Air, Ethiopian Airlines and Turkish Airlines 1951, but to go beyond that I think is a stretch.’’
The 737 Max, Boeing’s best-selling plane, has been grounded worldwide since March. The Chicago-based aircraft maker is redesigning the software so MCAS won’t react to a single sensor reading. If one sensor is more than 5.5 degrees off from the one on the other side of the plane, MCAS won’t activate. It will also be more easily overcome by the pilot.
The KC-46, a U.S. Air Force midair refueling tanker based on the Boeing 767, also uses a version of MCAS, a spokeswoman for the service said. And while the tanker’s system has “important differences” from the software employed on the 737 Max and is not affected by the grounding of the passenger jet, it uses data from two angle-of-attack sensors instead of one, the spokeswoman said in an email.
Modern commercial airplanes use multiple, redundant sensors to measure airspeed, altitude, angle-of-attack and other key parameters. And for decades, pilots have had so-called “disagree” indicators in the cockpit to warn of possible malfunctions. They’re also armed with training and checklists to diagnose and address problems as they arise, critical safeguards that have helped pilots avoid disaster many times.
But on the 737 Max, the angle-of-attack disagree lights didn’t work as they had on the earlier versions of the venerable passenger jet, Boeing confirmed on Sunday.
The company said that it knew months before the Lion Air crash that a cockpit alert -- suggesting an angle-of-attack sensor may be malfunctioning -- wasn’t working the way the company had told buyers of the jetliner. But it didn’t share its findings with airlines or the FAA until after that plane went down off the coast of Indonesia.
Boeing’s latest admission raised new questions about the 737 Max’s development and testing -- and the company’s lack of transparency.
One reason for adding multiple sensors to aircraft is they can and do fail.
Pilots have for decades relied on the weather-vane-like angle-of-attack sensors to warn them when they near a dangerous aerodynamic stall.
A review of public databases by Bloomberg News reveals the potential hazards of relying on the devices, which are mounted on the fuselage near the plane’s nose and are vulnerable to damage. Though rare, there are at least 140 instances since the early 1990s of sensors on U.S. planes being damaged by jetways and other equipment on the ground, or striking birds in flight.
In at least 25 cases in the U.S., Canada and Europe, the damage triggered cockpit alerts or emergencies.
In the Oct. 29 crash of a Lion Air 737 Max off the coast of Indonesia, a malfunctioning angle-of-attack sensor that had just been installed sent erroneous signals indicating the plane’s nose was pointed too high relative to the oncoming air. That prompted MCAS to push the nose down more than 20 times until pilots lost control and it plunged into the Java Sea, killing all 189 people aboard.
On March 10, the same safety system on a 737 Max operated by Ethiopian Airlines was activated after an angle-of-attack sensor on the jet failed suddenly at liftoff. After about six minutes in which MCAS pushed the nose down several times, the plane went into a steep dive and crashed at high speed with 157 passengers and crew aboard.
The similarities between the recent disasters and the decade-old Turkish Airlines crash haven’t escaped the attention of lawyers. Last week, a suit filed on behalf of the Ethiopian Airlines crash victims cited the Turkish accident.
Boeing declined to comment on the suit, which alleged that "Boeing should have learned from that accident to never try to save money via single sensor reliance on critical systems.”
©2019 Bloomberg L.P.