The Weekly Reflektion 30/2022
In last week’s Reflektion, week 29-2022, we talked about how economic pressure and competition with Airbus led to the modification of the Boeing 737 MAX and the tragic consequences of two air crashes and 346 people dead. This week we will look at how the modification caused the crashes. Next week we will try to explain why Boeing did not manage the change safely and why the Federal Aviation Authority approved the change.
Do you ensure there is redundancy in your systems so that a single failure will not lead to serious consequences?
The development of the turbo-fan aircraft engine led to increased fuel efficiency and a reduction in CO2 and NOx emissions; however, these engines are wider and heavier than conventional units. Installation of these engines on the Boeing 737 airframe was a challenge since there was not enough ground clearance and any change to the airframe would require an extensive Federal Aviation Authority (FAA) review. Boeing found a solution to the problem. The engine was relocated to a point higher up the wing and further forward. This changed the aerodynamics of the aircraft and led to a tendency for the aircraft to nose up under conditions of full thrust, for example at take-off. Boeing designed a software system, the Manoeuvring Characteristics Augmentation System (MCAS), to compensate for this nose-up behaviour and to ensure the aircraft behaved similarly to a ‘normal’ 737. The MCAS system used a signal from one of the Angle-of-Attack (AoA) sensors on the nose of the aircraft. When the sensor registered an ‘abnormal’ angle, or pitch, a signal was sent to the spoilers on the rear wings that adjusted the aircraft angle. All this was done without the pilots receiving any indication that an adjustment was being made. The system was also independent of the autopilot, so it would not automatically disconnect if the pilots tried to manually take over control in the event of a problem.
There are two AoA sensors on commercial aircraft, including the 737 MAX. Boeing decided to use the signal from one of these sensors to provide input to the MCAS. The system was therefore dependent on a ‘single’ sensor and, as we are painfully aware, failure of a sensor can and does happen. A system for comparing the two signals was available from Boeing as an option; however, Lion Air, which operated the first flight that crashed, did not pay for this option. The pilots received no warning of a discrepancy in the AoA measurements. However, since the pilots had no training on the MCAS system, it is uncertain whether they could have responded to the warning and recovered the situation. The pilots on the Ethiopian Airlines aircraft, the second crash, were aware of the MCAS problem and managed to de-activate the MCAS system when a problem with the AoA sensor measurement occurred, however too late to regain control of the aircraft.
Critical systems should be robustly designed, and this includes ensuring there is adequate redundancy for failures that could lead to serious consequences. Independent sensors with comparison of measurements increase the system reliability. For the MCAS, disconnection of the system in the event of discrepancy and a warning to inform of the system fault would have been appropriate. This of course presupposes that the pilots had received adequate knowledge for this situation including training in a simulator.
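The comparison, disconnection and warning described above can be sketched in a few lines. This is an added illustration, not part of the original Reflektion and not Boeing's design; the class and function names, the disagreement threshold and the persistence count are all constructed assumptions.

```python
import math
from dataclasses import dataclass
from typing import Optional

# Constructed values for illustration only; not taken from any aircraft system.
DISAGREE_DEG = 5.5     # largest tolerated difference between the two sensors
PERSIST_SAMPLES = 3    # consecutive bad samples before the fault latches

@dataclass
class Decision:
    automation_enabled: bool
    warning: Optional[str]
    value: Optional[float]  # cross-checked reading, or None when inhibited

class DualSensorMonitor:
    """Cross-check two independent sensors; inhibit and warn on disagreement."""

    def __init__(self):
        self.bad_count = 0
        self.latched = False  # once faulted, stay off until explicitly reset

    def step(self, left, right):
        # A non-finite reading (NaN, inf) counts as a disagreement.
        invalid = not (math.isfinite(left) and math.isfinite(right))
        disagree = invalid or abs(left - right) > DISAGREE_DEG
        self.bad_count = self.bad_count + 1 if disagree else 0
        if self.bad_count >= PERSIST_SAMPLES:
            self.latched = True
        if self.latched:
            return Decision(False, "SENSOR DISAGREE: automation disconnected", None)
        if disagree:
            # Transient: do not act on unverified data, but do not latch yet.
            return Decision(False, None, None)
        return Decision(True, None, (left + right) / 2)

def run(samples):
    monitor = DualSensorMonitor()
    return [monitor.step(l, r) for l, r in samples]

# Constructed sample: the left sensor fails high from the third reading onward.
SAMPLES = [(4.0, 4.2), (4.5, 4.4), (22.0, 4.6), (22.5, 4.8), (23.0, 5.0), (5.0, 5.0)]

if __name__ == "__main__":
    for (l, r), d in zip(SAMPLES, run(SAMPLES)):
        print(f"L={l:5.1f} R={r:5.1f} enabled={d.automation_enabled} warning={d.warning}")
```

The fault stays latched on the last sample even though the two readings agree again, so the automation cannot silently re-engage on a sensor that has already shown a fault.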