The Boeing 737 Max Saga: Automating Failure

Chris Palmer

Senior Technology Writer

When Boeing announced the 737 Max in 2011, the plane was hailed as the next generation of the manufacturer’s dependable workhorse airliner. The Max, which first entered service in 2017 with new, more fuel-efficient engines and updated avionics, was to have a longer range and lower operating costs [1].

Importantly, Boeing designed the Max to have enough in common with previous models that one pool of pilots could fly both planes with minimal additional training, rather than a full recertification on a new aircraft type[2].Also,the fact that the Max used an existing, already-certified mechanical structure—just with new engines and avionics—meant that Boeing could avoid the timeconsuming certification process required for a redesigned airplane.

‘‘Opening up the certification can of worms could easily add years to an airplane’s delivery date,” said Timothy Takahashi, professor of practice for aerospace engineering in the School for the Engineering of Matter, Transport and Energy at Arizona State University in Tempe, Arizona. ‘‘Also, for Boeing’s customers the cost of retraining pilots is not trivial.”

The Max’s engines, however, are larger and positioned further forward and higher up on the wing than the engines on its immediate predecessor, the 737 NG. These differences cause the planes to fly differently. For example, the new engine placement could cause the plane’s nose to pitch upward in some situations—such as during low-speed flight or manual flight with a high angle of attack—potentially causing the plane to stall [1].

To make the Max handle more like previous 737 models,Boeing designed an automated software tool called the Maneuvering Characteristics Augmentation System(MCAS).In certain situations,this system automatically adjusts the horizontal tail trim to stabilize pitch by pushing the aircraft’s nose back down (Fig. 1). However, MCAS was designed to activate when just a single sensor showed a high angle of attack. That meant if one of the plane’s two angle-of-attack sensors was defective, MCAS could take over[3]. And, because Boeing intended the software to work discreetly in the background, MCAS was not mentioned in the Max’s pilot manual [3].

Needless to say, an airplane is an exceedingly complex engineering system. Investigators, including technical representatives from civil aviation authorities from ten countries, have now concluded that the business decision to maintain continuity in order to deliver planes more quickly and at lower overall cost, caused that system to fail, eventually leading to two fatal crashes of the Max [4]. After both crashes, investigators quickly focused on the plane’s electronic control software as the proximate source of the problem. Later, it became clear that regulatory oversight and pilot training also played roles.

Fig. 1. In certain situations, the MCAS of the Boeing 737 Max 8 was designed to automatically move the horizontal stabilizer,like this one on the Embraer ERJ-170,to push the nose of the aircraft down to prevent stalling. Credit: YSSYguy, English Wikipedia (CC BY-SA 3.0).

On 29 October 2018, at 6:20 a.m. local time, Lion Air flight 610 took off from Jakarta, Indonesia. On the plane’s previous flight,MCAS had been triggered by faulty speed and altitude readings.An off-duty pilot hitching a ride on that earlier flight correctly diagnosed the problem and disabled MCAS [5]. But immediately after flight 610 took off,warning signals in the cockpit alerted the pilots that the plane might be stalling.The pilots could determine neither the plane’s speed nor altitude and they told air-traffic controllers that they felt the nose of the plane was being pulled downward.Twelve minutes after takeoff,the plane crashed,killing all 189 people on board.

At the time of the crash,230 737 Max 8s had been delivered to airlines in 15 countries, including China and the United States.Within days, investigators were focusing on MCAS and the pilots’actions after it was activated. Within a week, Boeing released instructions about what pilots should do if an angle-of-attack sensor failure erroneously triggered MCAS.This was the first time that most pilots and airlines had heard of the automated software [1].During the investigation, airlines around the world kept the Max in service, and Boeing continued to build and deliver about 50 of the planes per month.

Then, five months later, on 10 March 2019, at 8:38 a.m.,Ethiopian Airlines flight 302 took off from Addis Ababa, Ethiopia.Two minutes into the flight, MCAS activated, pitching the nose downward.The pilots soon regained control of the plane,but MCAS activated a second time. Six minutes into the flight, the plane crashed, killing all 157 people on board.

After the Ethiopian Airlines crash, MCAS was again cited as a contributing cause, combined with the fact that the pilots could not adjust the horizontal trim by hand,partly because the engines were still on full thrust from takeoff. There was an electronic system to help turn the trim wheel (akin to power steering in a car),but that system, as well as several other electronics systems, was disabled by the same switch that disabled MCAS [1].

‘‘On a normal flight, MCAS should have sat like a silent sphinx,only pouncing into action if the pilots were messing up,” said Takahashi. ‘‘But a single angle-of-attack sensor giving a bad reading gave MCAS basically unlimited authority to push the nose of the airplane down. There is something wrong with that type of design.”

Carlos Varela, associate professor of computer science at Rensselaer Polytechnic Institute in Troy,New York,agreed.He also suggested that avionics systems are better off not relying on homogenous collections of sensors. ‘‘You really need different types of sensors, each with independent failure characteristics,”he said.

Indeed, original designs for the Max called for multiple sensor types feeding into MCAS [3]. Later, after the company decided to scale back to a single sensor, Boeing engineers contemplated including a synthetic airspeed system on the Max that would draw on several data sources to measure how fast the plane was moving.The system could have potentially served as a backup for when the angle-of-attack sensor failed, but Boeing executives decided on three separate occasions not to pursue the backup system, citing the cost to develop it and the increased training that pilots would have to undergo [6].

Regarding the pilots involved in the two crashes,Boeing executives have suggested that the pilots had engaged in the standard emergency procedure, the accidents may have been avoided. But US National Transportation Safety Board officials have refuted that claim,saying that the average pilot would have struggled to easily recover the plane following MCAS activation [7].

‘‘The more automation there is, the less pilots get to fly manually, making them less capable of dealing with emergencies,” said Varela, who is also an instrument-rated private pilot with more than 900 h of flight experience. ‘‘As air travel becomes more common, and the need for pilots increases, it is almost certain that average pilot skill is not going to increase. To deal with that,automation has to improve at a rate faster than average pilot quality drops off. Systems that can explain their decisions can help.”

Since the second crash in March 2019, the fleet of more than 300 Max planes in service at the time has been grounded worldwide, and Boeing has delivered no additional planes [1] (Fig. 2);to date only 387 of the 5043 planes ordered have been delivered.In addition to pending lawsuits from the families of the passengers killed in the crashes that some analysts say will cost$1 billion USD,Boeing set aside $5.6 billion USD in July 2019 for rebates to customers for the delayed deliveries in the form of discounts and additional service packages [8]. The delay may end up costing the company even more if the Max is not approved to return to service in the first quarter of 2020.As of October 2019,Southwest Airlines,which has the most Max jets of any carrier, and other US carriers had removed the plane from their schedules until February 2020.But all this was before October 2019,when the US Federal Aviation Administration discovered text messages between Boeing pilots demonstrating knowledge of the flaws in the MCAS software years before the crashes [9]. Meanwhile, Boeing is working to re-engineer the MCAS by scaling back its power to push the nose down and linking it to two sensors on each plane instead of relying on just one as in the original design. The company also plans to install a backup copy of the software in case the primary system fails [10].

Fig. 2. Following the second fatal crash of the Boeing 737 Max in March 2019, the fleet of 387 Max airplanes in service around the world at the time was grounded.Meanwhile,Boeing has continued to build dozens of the planes per month,and they sit in parking lots like this one in Seattle, waiting to be delivered. Credit:SounderBruce, Wikimedia Commons (CC BY-SA 4.0).