Moon of Alabama – Feb 12, 2019
On Sunday an Ethiopian Airlines flight crashed, killing all on board. Five months earlier an Indonesian Lion Air jet crashed near Jakarta. All crew and passengers died. Both airplanes were Boeing 737-8 MAX. Both incidents happened shortly after take off.
Boeing 737 MAX aircraft are now grounded about everywhere except in the United States. That this move follows only now is sad. After the first crash it was already obvious that the plane is not safe to fly.
The Boeing 737 and the Airbus 320 types are single aisle planes with some 150 seats. Both are bread and butter planes sold by the hundreds with a good profit. In 2010 Airbus decided to offer its A-320 with a New Engine Option (NEO) which uses less fuel. To counter the Airbus move Boeing had to follow up. The 737 would also get new engines for a more efficient flight and longer range. The new engines on the 737 MAX are bigger and needed to be placed a bit different than on the older version. That again changed the flight characteristics of the plane by giving it a nose up attitude.
The new flight characteristic of the 737 MAX would have require a retraining of the pilots. But Boeing’s marketing people had told their customers all along that the 737 MAX would not require extensive new training. Instead of expensive simulator training for the new type experienced 737 pilots would only have to read some documentation about the changes between the old and the new versions.
To make that viable Boeing’s engineers had to use a little trick. They added a ‘maneuver characteristics augmentation system’ (MCAS) that pitches the nose of the plane down if a sensor detects a too high angle of attack (AoA) that might lead to a stall. That made the flight characteristic of the new 737 version similar to the old one.
But the engineers screwed up.
The 737 MAX has two flight control computers. Each is connected to only one of the two angle of attack sensors. During a flight only one of two computer runs the MCAS control. If it detects a too high angle of attack it trims the horizontal stabilizer down for some 10 seconds. It then waits for 5 seconds and reads the sensor again. If the sensor continues to show a too high angle of attack it again trims the stabilizer to pitch the plane’s nose done.
MCSA is independent of the autopilot. It is even active in manual flight. There is a procedure to deactivate it but it takes some time.
One of the angle of attack sensors on the Indonesian flight was faulty. Unfortunately it was the one connected to the computer that ran the MCAS on that flight. Shortly after take off the sensor signaled a too high angle of attack even as the plane was flying in a normal climb. The MCAS engaged and put the planes nose down. The pilots reacted by disabling the autopilot and pulling the control stick back. The MCAS engaged again pitching the plane further down. The pilots again pulled the stick. This happened some 12 times in a row before the plane crashed into the sea.
To implement a security relevant automatism that depends on only one sensor is extremely bad design. To have a flight control automatism engaged even when the pilot flies manually is also a bad choice. But the real criminality was that Boeing hid the feature.
Neither the airlines that bought the planes nor the pilots who flew it were told about MCAS. They did not know that it exists. They were not aware of an automatic system that controlled the stabilizer even when the autopilot was off. They had no idea how it could be deactivated.
Nine days after the Indonesian Lion Air Flight 610 ended in a deadly crash, the Federal Aviation Administration (FAA) issued an Emergency Airworthiness Directive.
The 737 MAX pilots were aghast. The APA pilot union sent a letter to its members: