Aircraft Sensor Defects May Be to Blame for 737 Max Crash

by Jamie R. Lebovitz | March 20th, 2019

The investigation of the tragic crash of Ethiopian Airlines Flight 302 is in its earliest phases, but preliminary data recovered from the Boeing 737 Max involved in the crash already indicates disturbing similarities with the Oct. 29, 2018, crash of Lion Air Flight 610, also involving a 737 Max.

In the Lion Air crash, it appears that a sensor that measured the aircraft’s angle of attack (AOA) provided erroneous signals to the flight computer, which then triggered an aerodynamic stall prevention system called the Maneuvering Characteristics Augmentation System (MCAS). As part of the aircraft’s flight control software, the MCAS is designed to command the horizontal stabilizer to pitch the aircraft’s nose down when the sensor indicates the AOA is too high, which lowers the AOA to prevent a stall.

The 737 Max’s MCAS is unusual in that it receives input from only one AOA sensor, rather than two (which is common on other aircraft). Input from two sensors provides redundancy and the ability for sensors to crosscheck each other’s values. Typically, components that are deemed critical to flight are designed with redundancy.

Unfortunately, and to the detriment of the flying public, the Federal Aviation Administration (FAA) delegated a fair amount of authority to Boeing to conduct analysis and certification of the Boeing 737 Max. When Boeing performed a system safety analysis (risk analysis) for the MCAS, Boeing determined that the worst outcomes that could occur due to a failure of the AOA sensor would be a major failure or a hazardous failure, neither of which required Boeing to add redundancy. In the world of jet airliner design, redundancy is only required in cases where the analysis determines the system degradation could cause catastrophic failure.

The analysis was fatally flawed because it assumed that MCAS would only move the horizontal stabilizer 0.6 degrees (which was about 10% of its full authority); however, when Boeing released details about MCAS after the Lion Air crash, Boeing’s bulletin indicated the limit of MCAS’s command was 2.5 degrees (nearly 50% of its full authority). Had the system safety analysis been performed with the 2.5-degree value, the catastrophic failure category would likely have been invoked, and the MCAS would have been required to incorporate redundancy (i.e., use input from two AOA sensors). It’s been reported that Boeing initially intended to use 0.6%, but during flight tests the engineers determined they needed more authority to prevent a stall (hence 2.5%). It’s not clear yet whether Boeing failed to notify the FAA or if the FAA failed to act after notification. Congress should immediately convene a special committee to examine the entire certification process of this aircraft and perhaps others that may have unsafe flight characteristics.

What’s troubling is that the 737 Max has two AOA sensors, and Boeing could have designed MCAS to incorporate both signals. Data from the Lion Air flight data recorder indicated one AOA sensor was reading correctly before takeoff (i.e., zero AOA) but the other was not. A redundant system would have alerted the pilots. Boeing could have also designed MCAS to evaluate the health of the system while on the deck, when both sensors should be reading zero AOA. Apparently, Boeing’s MCAS does not do this. If it did, the Lion Air pilots would have been alerted to the system’s degradation before takeoff.

We must question whether Boeing sought a single-sensor input MCAS because the program was running behind schedule, and it was faster to design and test software for a single rather than a dual sensor input system. This option was also cheaper because it would have required less flight testing.

Despite the known fatal design, which should have been engineered out of the aircraft before first flight, Boeing never disclosed the existence of the MCAS to the airlines and pilots. Boeing also failed to warn of the consequences of a system malfunction and failed to provide steps to remedy such a failure. The Airplane Flight Manual (AFM) does not discuss the MCAS. After the Lion Air accident, the FAA published an emergency airworthiness directive (EAD) that contained procedures for pilots to execute in the event of an un-commanded horizontal stabilizer trim movement, but the procedures are vague, and they do not give a pilot a complete understanding of the system or its failure modes.

What’s also disturbing is that when one reads the EAD, it’s clear that several of the potential outcomes of an un-commanded horizontal stabilizer trim movement would likely lead to a catastrophic failure, not just a major failure or hazardous failure. Based on this, I can’t see how Boeing could say the outcomes of the Lion Air and Ethiopian Airlines flights were not foreseeable when the MCAS was designed. The scenarios for both fatal flights were clearly foreseeable to Boeing and, as such, the company must be held accountable.