American Flight 965, a Boeing 757 descending at night toward its destination at Cali, Colombia, collided with an Andean mountain ridge, killing 159 crew and passengers. Miraculously, four passengers did not die.
The accident report that emerged from the investigation laid all blame at the feet of the pilots, softening the blow by citing some flight management system navigational anomalies as contributory factors.
Recently an independent re-examination of the data by a team of aviation and accident investigation experts has concluded that simply writing off the crash as “pilot error” was a bad decision. The pilots were among American’s best, yet the crew exchanges on the cockpit voice recorder, according to their peers, demonstrated a degree of confusion that was out of character.
Initially the Colombian/American investigation team believed alcohol in the pilots’ blood might have been a factor, but later forensic testing confirmed the alcohol was a product of tissue degeneration. Having ruled out alcohol as a cause of the pilots’ uncharacteristic confusion, the investigators failed to ask whether there might have been an alternative explanation for it, confining the event to history as simple pilot error.
After nearly two years of grounding, Boeing’s 737 Max series has been cleared by the US Federal Aviation Administration to carry fare-paying passengers once again.
This is the first step in a redemption process for one of the world’s truly great engineering companies. Like a boxer who dropped his guard for just a second, Boeing has taken a punch that has knocked it to the canvas, and the referee had started counting.
Now, air traveller reaction is nervously awaited. Will the public believe claims by the FAA and Boeing that, together, they have confined to history the flaws that caused the 737 Max fatal crashes in 2018 and 2019?
The FAA – blamed along with the manufacturer for the lapses in design oversight that led to the two accidents – has declared the aircraft safe to operate in America. One by one, other national aviation authorities (NAA) are expected to follow suit.
Oversight of the type’s rehabilitation continues to be the FAA’s responsibility, but decisions on the systems and software changes applied to the Max have been made by multinational teams. Bodies formed to decide what changes were needed – and then to see them implemented – included the Joint Authorities Technical Review (JATR) representing nine nations plus the European Union Aviation Safety Agency (EASA) – and the Joint Operations Evaluation Board.
The relationship between the FAA and Boeing was much criticised in the accident investigations and the JATR review process . For that reason, the reaction of EASA to the Max’s clearance to fly is seen as critical.
Not only is EASA the agency that oversees safety in the region containing the largest group of aerospace industries outside America, but its contribution to the JATR recommendations made clear EASA was not happy with the FAA’s former piecemeal approach to certifying critical changes applied to the 737 Max.
Its opprobrium was directed particularly at the FAA’s approval of the flawed Manoeuvring Characteristics Augmentation System (MCAS), unique to the Max, and not used in earlier marques of 737. It recommended “a comprehensive integrated system-level analysis” of the MCAS, and of its integration into the total system-of-systems that constitutes a modern aircraft (for more detail, see “The Failures and the Fixes”section following this article).
So it was with heartfelt relief that Boeing heard EASA’s executive director, Patrick Ky, report on Max progress to the European Parliament Transport Committee on 29 October. Ky told them: “We are fully confident that, given all the work that has been performed, and the assessments which have been done, the aircraft can be returned safely to service.” Ky’s statement suggests EASA will re-certificate the 737 Max in Europe soon after the FAA’s announcement.
Meanwhile, out in the real world, Covid-19’s near-immobilisation of commercial air transport worldwide has rendered the Max’s long grounding almost invisible to the media and the public. Because of the far lower level of air travel activity, the airlines have been able to live without the 387 Maxes already delivered to them, and also without the additional 450 that have rolled off Boeing’s Renton, Washington production line since then. The latter are all in storage, awaiting any updates not already incorporated, and ultimate delivery.
Although clearance to fly has now been delivered, even in the USA the airlines will not instantly be re-launching their already-owned 737 Max fleets. The status of all the proposed software and hardware modifications to the type will not have been confirmed until the moment the FAA signs it all off.
American Airlines has said it hopes to start getting its Max fleet airborne before the end of December.
Once the FAA has done that, getting the Max fleet ready for the sky will be an aircraft-by-aircraft, crew-by-crew process. In many airframes, a knowledge of what changes were coming has enabled a great deal of the work to be done. But also, because of the hardware and software changes to the Max, the crews have to be trained to use the new systems.
Incidentally, while the Max series was grounded, the FAA decided to order some additional modifications – completely unrelated to the crashes – to bring the type fully in line with modern safety regulations. For example, one of these involves the re-routeing and separation of wiring looms that the 737 had previously been allowed to sidestep under “grandfather” rules.
The number of lessons for manufacturers and regulators to learn from this aerospace drama is legion.
The failures and the fixes
Just a reminder: the 737 Max series fleet was grounded in March last year as a result of findings from the investigations into to the Lion Air and Ethiopian Airlines fatal crashes, respectively in October 2018 and March 2019.
The primary causal factor of the Lion Air Max crash was erroneous triggering of its manoeuvring characteristics augmentation system (MCAS) by a faulty angle of attack (AoA) sensor, according to the Indonesian final accident report. It is at the MCAS that Boeing’s corrective efforts have mostly been directed.
In both the accidents, the aircraft’s AoA sensor that feeds data to the MCAS wrongly indicated a very high AoA soon after take-off. The system reacted by providing nose-down stabilizer rotation that took the pilots by surprise. They did not understand the reason it kicked in, and their efforts to reverse the strong nose-down pitch did not succeed. Both these events occurred soon after take-off, and because the MCAS kept repeating the nose-down stabilizer in response to the continued erroneous high AoA sensor signal, the loss of height quickly resulted in impact with the surface.
During the examination of all the issues arising from the accidents, the JOEB was aware there were solutions to the situation in which the crews found themselves. But the fact that two crews in different regions of the world were so confused by what the MCAS was doing that they lost control had totally eclipsed pilot failings as the main issue.
MCAS was designed to trigger only in a specific flight configuration that causes the Max’s centre of lift to move slightly further forward, delivering a slight nose-up moment that can be countered by flight controls. This configuration is a combination of relatively low airspeed, flaps up, with the aircraft being flown manually. In the case of the Lion Air and Ethiopian flights, the pilots decided to continue to fly the aircraft manually during the early climb, rather than engaging the autopilot, so this precise flight configuration was encountered as soon as the flaps were fully retracted.
With flaps up, and still at a fairly low airspeed, the aircraft would be at a high angle of attack, and not far above the stall. FAA regulations require that, in the proximity to the stall, one of the “feel” cues to the pilots is that there should be a linear increase in the required control column force versus elevator displacement response, but the Max’s aerodynamics in this configuration had negated this effect, and MCAS was designed to restore that pilot cue automatically.
The JATR decided that MCAS’ fatal design weakness, above all, was that it was triggered by a single AoA sensor with no backup in case the unit had a fault or suffered damage. It seems Boeing and the FAA had overlooked that possibility, and had not explored the potential effects of erroneous inputs. Their excuse at the time was that the system was not seen as a critical one, rather as a refinement.
The 737 Max had always been fitted with two AoA vanes, but originally only one was wired up to MCAS, and there was no flight deck indication of a disparity between the two sensors if a difference developed, which could have warned the pilots of a potential vane fault.
The hardware fix agreed by the JATR was that both AoA sensors would now feed into the MCAS, there would be an automatic comparison between them, and if there was more than a small disparity the MCAS would be locked out completely, because the aircraft can be flown without it.
The software fix also ensures that – now – the MCAS only operates once per high AoA event, so the repeated nose-down pitch demand by the stabilizers that led to the two accidents would not occur. In addition, the two flight control computers (FCC) now continuously cross-monitor each other.
After the hardware and software changes, the final improvements – overseen by the multinational JOEB – are to pilot training and cockpit drills for the Max series.
Now, even if the pilots are coming to the Max from the very similar 737NG series, pilots must undergo a one-off training session in a Max full flight simulator. This involves recovery from a full stall, dealing with a runaway stabilizer, practice manual trimming at high speeds (and therefore high trim loads), and crew cooperation on all these exercises.
Non-normal checklists have now been compeletely revised, and contain updated procedures that concentrate particularly on the operation of the horizontal stabilisers and trim controls, both in normal operation and in the case of all potential faults. The drills deal with runaway stabilizer, speed-trim failure, stabilizer out of trim, stabilizer trim inoperative, airspeed unreliable, altitude disagree, and AoA disagree.
Computer based training (CBT), containing video of crew exercises using the real controls, teaches drills for the following: airspeed unreliable, runaway stabilizer, the speed trim system, trim controls, and differences between the autopilot flight director system (AFDS) in the NG series and the Max series.
Testing the changes
Boeing and the FAA say they have put in 391,000 engineering and test hours developing the solutions, which have then been tried for 1,847 hours in simulators and for 3,000 airborne hours in the real aircraft.