Slashdot Mirror
Crashed Boeing Planes Lacked Safety Features That Company Sold Only As Extras (apnews.com)
The recent Boeing 737 MAX crashes involving an Ethiopian Airlines flight and a Lion Air flight may have been a result of two missing safety features that Boeing charged airlines extra for (Warning: source may be paywalled; alternative source). The New York Times reports that many low-cost carriers like Indonesia's Lion Air opted not to buy them so they could save money, even though some of these systems are fundamental to the plane's operations. "Now, in the wake of the two deadly crashes involving the same jet model, Boeing will make one of those safety features standard as part of a fix to get the planes in the air again," the report says. From the report: It is not yet known what caused the crashes of Ethiopian Airlines Flight 302 on March 10 and Lion Air Flight 610 five months earlier, both after erratic takeoffs. But investigators are looking at whether a new software system added to avoid stalls in Boeing's 737 Max series may have been partly to blame. Faulty data from sensors on the Lion Air plane may have caused the system, known as MCAS, to malfunction, authorities investigating that crash suspect.
The jet's software system takes readings from one of two vanelike devices called angle of attack sensors that determine how much the plane's nose is pointing up or down relative to oncoming air. When MCAS detects that the plane is pointing up at a dangerous angle, it can automatically push down the nose of the plane in an effort to prevent the plane from stalling. Boeing's optional safety features, in part, could have helped the pilots detect any erroneous readings. One of the optional upgrades, the angle of attack indicator, displays the readings of the two sensors. The other, called a disagree light, is activated if those sensors are at odds with one another. The angle of attack indicator will remain an option that airlines can buy. Neither feature was mandated by the Federal Aviation Administration. All 737 Max jets have been grounded. "Boeing will soon update the MCAS software, and will also make the disagree light standard on all new 737 Max planes," the report adds, citing a person familiar with the changes. "Boeing started moving on the software fix and the equipment change before the crash in Ethiopia."
Slashdot reader Futurepower(R) adds to the story: The FBI has joined the criminal investigation into the certification of the Boeing 737 MAX, lending its considerable resources to an inquiry already being conducted by U.S. Department of Transportation agents, according to people familiar with the matter. "The federal grand jury investigation, based in Washington, D.C., is looking into the certification process that approved the safety of the new Boeing plane, two of which have crashed since October.
The jet's software system takes readings from one of two vanelike devices called angle of attack sensors that determine how much the plane's nose is pointing up or down relative to oncoming air. When MCAS detects that the plane is pointing up at a dangerous angle, it can automatically push down the nose of the plane in an effort to prevent the plane from stalling. Boeing's optional safety features, in part, could have helped the pilots detect any erroneous readings. One of the optional upgrades, the angle of attack indicator, displays the readings of the two sensors. The other, called a disagree light, is activated if those sensors are at odds with one another. The angle of attack indicator will remain an option that airlines can buy. Neither feature was mandated by the Federal Aviation Administration. All 737 Max jets have been grounded. "Boeing will soon update the MCAS software, and will also make the disagree light standard on all new 737 Max planes," the report adds, citing a person familiar with the changes. "Boeing started moving on the software fix and the equipment change before the crash in Ethiopia."
Slashdot reader Futurepower(R) adds to the story: The FBI has joined the criminal investigation into the certification of the Boeing 737 MAX, lending its considerable resources to an inquiry already being conducted by U.S. Department of Transportation agents, according to people familiar with the matter. "The federal grand jury investigation, based in Washington, D.C., is looking into the certification process that approved the safety of the new Boeing plane, two of which have crashed since October.
No, the third pilot's disassociated viewpoint had nothing to do with it. He simply knew the plane's checklist. That's a bunch of standard procedures every pilot is supposed to know of what to do when they encounter a specific type of problem on that specific model plane. When you hear that a pilot has been trained on a certain plane model, that's what they're talking about - they're leaning all these checklists. If a pilot can't remember it exactly, the entire book of checklists is available aboard the plane for the pilots to reference in a Quick Reference Handbook. Any time the pilots face a situation aboard the plane which puzzles them and they don't recall the resolution from their training, they should reach for the QRH. One of them flys the plane, the other looks up the problem in the QRH.
The third pilot knew the checklist for the 737 Max. He instructed the other pilots to perform the manufacturer's specified procedure to resolve the problem, and it did resolve the problem. The pilots in the two planes which crashed apparently did not know the checklist, and did not reference the QRH. (Speculating here a bit since we don't know yet what happened - maybe they performed the proper reset procedure and the problem didn't go away.)
Contrary to the way most people here seem to be interpreting it, the third pilot's anecdote actually absolves Boeing and places blame for the crashes primarily upon the four pilots. This is looking like a pilot training problem. Boeing is still culpable for designing an automatic safety system which was prone to fail multiple times in just months of operation, and for making it so hard and non-obvious to override. But based on the third pilot's anecdote, primary culpability would be upon the pilots of the two other planes for not knowing the plane's checklists, and not bothering to crack open the QRH to double-check if they were addressing the problem properly.
Planes are incredibly complicated and it's unreasonable to expect a pilot to understand how all of its systems interact. The checklists in the QRH are made by the engineers who designed the plane. They do understand all of the plane's systems and how they interact. They come up with every possible problem they can think of which a pilot might encounter, and write checklists to resolve every possible cause they can think of for those problems. The checklist procedure for this problem fixed it in the third pilot's case. If the four pilots did not follow that procedure, then the crashes were their fault, not Boeing's.
The Seattle Times has a good article on this although it should be taken as preliminary data subject to change.
To summarise
Due to airframe changes from previous models Boeing introduced MCAS which automatically lowers the nose when approaching a stall.
The MCAS was introduced to allow pilots with 737 experience to fly the 737 MAX with a minimal amount of conversion training thus saving airlines a lot of cost and making the MAX even more attractive to them.
As initially designed a failure of MCAS was classed as a "Major" hazard in that it could cause passenger discomfort but not death. This was because MCAS was limited to a very small change to the flight control surfaces. For this category the use of a single sensor is allowed assuming the sensor reliability is sufficient.
During the flight test phase the ability for MCAS was extended to unlimited repeat operations. These repeat operations have a cumulative effect on the flight control surfaces. The MCAS can now lead to a catastrophic failure.
At this point the category of hazard should have been changed. This should have lead to a design change but because the category remained at "Major" and not "Catastrophic" no further changes were made.
There could be any number of reasons why this categorisation change was missed, hopefully any future investigations will get to the root cause.