After the Lion Air 610 disaster last year, we learned the Boeing 737 Max 8 was equipped with a new system designed to automatically prevent stalls under certain conditions. Pilots had never been trained on the system or told that it existed. Since Ethiopian Airlines Flight 302 crashed, these points have all been revisited. Did the pilots respond properly? Were they aware that deactivating the MCAS (Maneuvering Characteristics Augmentation System) would allow them to regain control of the aircraft? Were they familiar with the process for doing so?
Understanding what happened in the cockpit is critical to determining which safety changes are required to prevent the future loss of any additional aircraft. New reports, however, paint a damaging picture of how the MCAS system behaved. Sources speaking to Reuters have stated that the MCAS system reactivated even after being properly turned off. The system may have kicked in as many as four times before the aircraft crashed, though a third source who spoke to Reuters stated that the system had fired up again after being manually disabled, while also saying it had only triggered in one “significant” episode.
The Wall Street Journal reports a slightly different sequence of events. It states that the pilots initially disabled the system (following Boeing’s recommendations) but were unable to regain control of the aircraft. The system was either manually reactivated by the pilots themselves as part of an absolute last-ditch effort to recover the aircraft or came back online automatically. The WSJ points towards the former conclusion, while Reuters appears to have heard the latter. Either way, we now know the pilots reportedly disabled the system properly, yet were either unable to regain control of the aircraft after it had activated or unable to prevent it from activating again. The reasons why this happened are themselves still unknown.
The entire regulatory process that granted approval to the 737 Max 8 is itself under review. The Senate is conducting hearings into reports from multiple whistleblowers that the regulators entrusted to approve the aircraft had not been properly trained for the task.
A letter sent to the acting head of the FAA by the Senate Committee on Commerce, Science, and Transportation reads:
Allegations from these whistleblowers include information that numerous FAA employees, including those involved in the Aircraft Evaluation Group (AEG) for the Boeing 737 MAX had not received proper training and valid certifications. Some of these FAA employees were possibly involved as participants on the Flight Standardization Board (FSB). As you know, the AEG formed an FSB to evaluate the 737 MAX 8 to determine the requirements for pilot type ratings, to develop minimum training recommendations, and to ensure initial flightcrew member competency.
The FAA’s practice of allowing aircraft manufacturers to self-certify their own adherence to safety requirements, enacted after 9/11 to speed aircraft safety evaluations, has come under fire in recent weeks. These whistleblower allegations, together with the possibility that the aircraft’s software reactivated after being disabled, would be incredibly damaging for Boeing.
One other potential piece of the puzzle? Boeing had initially planned to have the FAA approve its software fix by last week. A review by non-Boeing engineers, however, reportedly turned up problems with the proposed software solution. There’s been no word on what caused the delay, but it’s possible that Boeing’s initial fix wasn’t quite as comprehensive as the company intended.
ET-AVJ, the aircraft destroyed in the crash of Flight 302.
These findings raise significant questions about the FAA’s initial delay in de-certifying the 737 Max 8 and what the Lion Air investigation may have revealed. This is all information that should have come out in the aftermath of that investigation, particularly given the withering feedback from pilots who didn’t even know MCAS existed prior to the Lion Air 610 crash. Pilot and software engineer Gregory Travis has shared his own thoughts on the 737 Max 8 disaster in a Google Doc that’s well worth reading. As he writes:
If I have not been clear, so far, let me say it succinctly. Boeing produced a dynamically unstable airframe, the 737 MAX. That is big strike #1. Boeing then tried to mask the 737’s dynamic instability with a software system, similar to the systems used in dynamically unstable fighter jets (though those jets are fitted with ejection seats). Big strike #2. Finally, the software system relied on systems known for their propensity to fail (angle of attack indicators) and did not appear to include even rudimentary provisions to cross check the outputs of the angle of attack sensor against other sensors, including the other angle of attack sensor. Big strike #3.
Add on the questions regarding the FAA’s approval and grounding process, and that does indeed appear to be the state of play. The regulatory process and safety system reviews are literally supposed to keep this kind of problem from ever happening. Whether the fault was with the software team that built the MCAS, the FAA regulators, the larger culture of safety at Boeing (or Boeing and the FAA), or a different problem altogether isn’t yet clear. What does seem clear, at this point, is that the MCAS system should never have been flown in its current condition — and someone at Boeing or the FAA should have realized what they were walking into before it happened.