Boeing Co. engineers working on a flight-control system for the 737 MAX omitted key safeguards that had been included in an earlier version of the same system used on a military tanker jet, people familiar with the matter said.
Accident investigators have implicated the system, known as MCAS, in two deadly crashes of the jetliner that killed a total of 346 people.
The engineers who created MCAS more than a decade ago for the military refueling plane designed the system to rely on inputs from multiple sensors and with limited power to move the tanker’s nose—which one person familiar with the design described as deliberate checks against the system acting erroneously or causing a pilot to lose control.
“It was a choice,” this person said. “You don’t want the solution to be worse than the initial problem.”
The MAX’s version of MCAS, however, relied on input from just one of the plane’s two sensors that measure the angle of the plane’s nose. The system also proved tougher for pilots to override. Investigators have implicated the system in the fatal nosedives of a Lion Air jet in October 2018 and of an Ethiopian Airlines MAX in March. Indonesia is expected to fault that MCAS design, in addition to U.S. oversight lapses and pilot missteps, in its final report on the Lion Air crash into the Java Sea, The Wall Street Journal has reported.
Now, Boeing’s expected fix for the 737 MAX will make its MCAS more like the one used in the tanker, according to people familiar with the matter.
Details of the system’s history and engineers’ desire to build in safeguards on the tanker version of MCAS haven’t been previously reported. The existence of a version of MCAS on the tanker was earlier reported by Air Force magazine.
MCAS stands for the Maneuvering Characteristics Augmentation System. A Boeing spokesman declined to explain why the systems differ on two airplanes, but said, “The systems are not directly comparable.” The contrast in design highlights how different teams of Boeing engineers wound up including protections on one airplane but not on a later model of another aircraft.
Boeing has said the MAX, with its revised MCAS, will be among the safest airplanes ever to fly.
After the MAX operated by Lion Air crashed, Air Force officials said they were concerned their tanker, known as the KC-46A Pegasus, shared the same problems. An Air Force spokeswoman said senior officials met with their Boeing counterparts to confirm the tanker’s MCAS complied with military requirements for designs that prevent a single faulty sensor from causing a system to fail.
Boeing developed the MCAS for the military tanker around the early 2000s, another person familiar with the project said. The tanker was a military derivative of Boeing’s wide-body 767 commercial jet and included pods on its wings used for air-to-air refueling of fighters and other war planes. Those wing pods added lift and caused the tanker’s nose to pitch up in some flight conditions, risking the plane’s ability to meet Federal Aviation Administration safety requirements, people familiar with the matter said. So engineers devised MCAS software, which automatically pushes down the tanker’s nose if necessary, to comply with FAA standards, these people said.
In a key difference from the subsequent version of the system used on the MAX, the system on the tanker moves the plane’s horizontal stabilizer—the control surface perpendicular to the airplane’s tail—once per activation and not repeatedly, the person familiar with the tanker project said.
The tanker engineers also gave the system only limited power to nudge the plane’s nose down to ensure that pilots would be able to recover if it accidentally pushed the plane into a dive, said the person familiar with the tanker’s MCAS design. That meant MCAS had little authority over the stabilizer, which made it much easier for pilots to counteract.
Boeing began developing the MAX in 2011 amid competition with rival Airbus SE, which had been enticing airline customers with its new single-aisle passenger jet.
The MAX’s new fuel-efficient engines were larger and placed farther forward on the wing than on previous 737 models. That caused the plane’s nose to pitch up in certain extreme flight conditions, endangering the plane’s ability to win FAA certification, people familiar with the matter said. The large engines on the MAX essentially had the same effect on the plane’s aerodynamics that the refueling pods had on the military plane.
Engineers who had worked on the tanker suggested MCAS as a possible solution for the MAX engineers, people familiar with the matter said.
Boeing said it isn’t aware of any consideration to rely on both sensors that measure the angle of the plane’s nose when its engineers designed MCAS for the 737 MAX. A single “angle of attack” sensor was deemed sufficient, and Boeing has said it complied with safety and regulatory requirements. Other systems on earlier 737s relied on single sensors, former Boeing engineers and others familiar with the designs have said.
Boeing instead relied primarily on pilots as the backstop should that plane’s MCAS misfire. MAX engineers determined pilots would quickly identify an MCAS misfire as an emergency known as a runaway stabilizer, then counteract the system with a longstanding cockpit procedure.
The more advanced flight-control computer systems on the tanker also made it easier for MCAS to compare data from multiple sensors, the person familiar with the tanker project said. “The underlying architecture was there to take advantage of,” this person said.
Aside from sensors, the tanker MCAS has another key safeguard. Pilots of the tanker can override MCAS by simply pulling back on controls, according to a senior Air Force official and others familiar with the matter.
“We have better sensor data,” said Will Roper, an assistant Air Force secretary who is the branch’s procurement chief. “But most importantly, when the pilot grabs the stick, the pilot is completely in control.”
On the MAX, MCAS’s design required it to remain active even if pilots pulled back on the controls, making it more complicated to stop the system from forcefully and repeatedly pushing down the nose.
Since days after the March crash of a 737 MAX in Ethiopia, that aircraft has been grounded world-wide. The flight ban has thrown a wrench into airline finances and planning, and disrupted customers’ travel plans.
The new MCAS for the 737 MAX is expected to rely on two sensors to verify data. It will fire once, not repeatedly, each time it activates. And pilots will be able to override the system by pulling back on the controls.
https://www.wsj.com
No comments:
Post a Comment