In less than six months, two Boeing (BA) 737 "MAX 8" single-aisle transport aircraft have crashed to earth, leaving no survivors.
In October 2018, Lion Air Flight 610 went down in the Java Sea, claiming the lives of all 189 passengers and crew. Five months later, Ethiopian Airlines Flight 302 took off from Addis Ababa Bole International Airport in Ethiopia, carrying 157 passengers. Six minutes later, it had crashed -- again, with no survivors.
Blame for both disasters currently centers on Boeing's Maneuvering Characteristics Augmentation System, or MCAS, flight control system for the 737 MAX -- a system that was assessed as safe by the Federal Aviation Administration (FAA) when Boeing was getting the 737 MAX certified to fly. But as reported this week by The Seattle Times (ST), there appear to have been "several crucial flaws" in the System Safety Analysis (SSA) review that Boeing conducted on MCAS at the FAA's behest.
Yes, you read that right. The FAA appears to have delegated the job of evaluating MCAS's safety to Boeing, and then approved the company's report. Indeed, in some instances, ST reports, FAA managers, pressed for time, delegated even their review of Boeing's assessment of Boeing's work "back to Boeing" itself!
As one engineer quoted by ST lamented: "There wasn’t a complete and proper review of the documents... Review was rushed to reach certain certification dates."
Did this contribute to the 737 MAX's two crashes? Citing engineers "at the FAA and other aviation organizations ... directly involved with the evaluations or familiar with the document," ST further noted that the SSA:
- Understated by a factor of four the distance MCAS could automatically swivel the plane's horizontal tail (the stabilizer) in order to direct the plane downwards (to avert a stall). Initially designed to be limited to 0.6 degree of movement, MCAS ultimately was enabled to move the stabilizer 2.5 degrees. As a result, pilots may have been surprised at how difficult it would be to manually correct the automatic flight adjustments dictated by MCAS.
- Did not address MCAS's ability to reset itself and repeatedly re-swivel the tail to resume a dive, after pilot attempts to correct the move manually. Just two such swivels could theoretically have pushed the stabilizer its maximum distance, putting the plane into a full dive.
- Characterized the risk that MCAS would mistakenly trigger and point the plane's nose down "based on input from a single sensor" as only "major" or, at worst, "hazardous." In FAA-speak, neither of these danger levels highlighted a risk that MCAS could all on its own crash the plane "based on input from a single sensor."
And yet, the latest theories concerning the cause of the Lion Air Flight 610 crash, at least, center on the possibility that one single faulty "angle of attack" sensor did in fact send that plane into its dive. Experts cited in the story opined that, if this risk had been realized, the FAA probably would have required Boeing to ensure that MCAS compare readings from two angle of attack sensors (to minimize the risk of activation based on a single faulty sensor) before activating a dive.
Both Boeing and the FAA were informed of the specifics of the ST story and were asked for responses 15 days ago, before the second crash of a 737 MAX on March 10.