Thursday, December 6, 2018

Boeing Omitted Safety-System Details, Minimized Training for Crashed Lion Air 737 Model: After the Flight 610 crash, some regulators and pilots are asking why details on the plane’s MCAS anti-stall system weren’t in the Boeing manual

An Indonesian transportation safety investigator with a Boeing 737 model at a November 28th news conference in Jakarta. 

The Wall Street Journal 
By Andrew Tangel and Andy Pasztor
Dec. 5, 2018 11:04 a.m. ET

An automated flight-control system on Boeing Co.'s 737 MAX aircraft, which investigators suspect played a central role in the fatal October 29th jetliner crash in Indonesia, was largely omitted from the plane’s operations manual and was the subject of debate inside Boeing, government and industry officials say.

Pilots of Lion Air Flight 610 battled systems on the Boeing 737 MAX for 11 minutes after the plane took off from Jakarta, until it crashed into the Java Sea, killing all 189 people on board. Boeing is devising a software fix and trying to re-instill confidence in the cockpit systems of the 737 MAX, which U.S. airlines have called safe.

Fatal Flight

Lion Air Flight 610 pilots battled systems on the Boeing 737 MAX for 11 minutes before the plane crashed into the Java Sea.

Debate inside Boeing on what the 737 MAX manuals should say about the automated system and how much training would be required before pilots could safely slide behind the controls was more intense than usual, industry officials recall.

The decision to omit the new control system from manuals has put a Boeing design principle at the center of a probe into a fatal airliner crash for the first time in more than two decades. It has sparked public scrutiny of a typically behind-the-scenes process and threatens to tarnish Boeing’s reputation for safety and its tradition of prioritizing pilot authority over automation.

Former Boeing and current airline and government officials said there was a strong push to keep 737 MAX training to a minimum—a common goal for the introduction of new models. One former Boeing official recalls a colleague expressing concern about keeping their job if regulators rejected the company’s proposed guidelines. The program was eventually approved.

Boeing said it didn’t intentionally keep relevant information from aviators and had discussed the new system—known by its acronym, MCAS—with airlines at conferences in recent years. A spokesman disputed the characterization of the debate as unusually heated, saying, “Discussions were consistent with our regular process.”

“When Boeing developed its training and materials, it followed a process that was absolutely consistent with introducing previous new airplanes” and new models, the spokesman said. The goal, he said, is to ensure that pilots have all the information they need and that maintenance crews understand how to service the aircraft.

Boeing arrived at the decision in a typical way, with internal discussions and dialogue with airlines and regulators, according to U.S. government and industry officials familiar with the details. From the start Boeing and its customers were keen to keep training to a few hours of self-instruction on computers to ease the burden on airlines, the officials said.

Engineering, training and other experts inside Boeing had differing views on the precise language to be used in manuals. People familiar with the process said there was a sharp focus on one point: avoiding added simulator training.

Some regulators and pilots are among those asking why Boeing decided against detailing how the new system worked and why pilots weren’t trained on its specific characteristics. Key aspects of the system differ markedly from systems on older versions of the 737.

“Airline pilots need to know everything they can know about how the airplane works,” said Gordon Bethune, a former Boeing executive who oversaw earlier 737 models and later was chief executive of Continental Airlines. “The ball was dropped,” he said.

Preliminary data released by crash investigators points to the MCAS system misfiring during the Lion Air flight, when a signal from a single malfunctioning sensor prompted the system to repeatedly push down the plane’s nose prior to its plunge into the Java Sea.

“It’s pretty surprising that there isn’t a cross check or redundancy” to prevent such a hazard, said Randy Babbitt, a former Federal Aviation Administration chief.

The Boeing spokesman said the system “was designed and certified using aerospace industry best practices.”

Boeing began developing the 737 MAX in 2011, a year after European rival Airbus SE introduced the A320neo single-aisle planes, which require minimal pilot training.

Regulators eventually approved the Boeing program, and the plane’s launch customer, Southwest Airlines Co. , embraced it. A Southwest spokeswoman said the airline developed its 737 MAX training based on Boeing’s information and “was a recipient of, not a driver of, the training” mandates.

That plane’s success surprised even Airbus, while Boeing was losing market share.

No airlines are challenging the basic safety of the 737 MAX, which went into commercial service about a year ago. Since the accident, three of Boeing’s biggest 737 MAX customers— American Airlines Group Inc., Southwest and United Continental Holdings Inc. —have said the plane is safe and their pilots are well-trained to fly it.

Investigators in the Lion Air crash are also delving into apparent maintenance lapses and pilot errors in what is expected to be a monthslong probe. Meanwhile, Lion Air co-founder Rusdi Kirana said the carrier may cancel orders for more than 200 Boeing planes, as relations with the plane maker sour. He has taken issue with a Boeing statement that he said cast aspersions on the airline, and claimed in an interview, “Boeing didn’t make a proper manual.” Boeing said Lion Air is “a valued customer.”

From the 737 MAX’s inception, Boeing teams sought to make the plane maneuver like its predecessor, the 737 NG, and thereby preclude the need for extra flight-simulator sessions. It proved tricky, however, to reduce handling differences between the two models.

Boeing engineers determined the MAX’s design required additional stall protections in extreme maneuvers, partly to gain essential FAA certification, according to people familiar with the matter. So Boeing developed MCAS, which automatically and repeatedly pushes down the nose of the plane under certain manual flying conditions.

Pilots said they weren’t explicitly informed until the Lion Air crash that the system could give such strong and persistent commands and ultimately push the nose down as far as possible. By contrast, the anti-stall system on the earlier 737 NG could be countered relatively easily, by pulling back the control yoke.

It is up to manufacturers and regulators to determine which information to include in manuals and how to train pilots. People familiar with the Boeing manual said MCAS was mentioned, but only in the glossary spelling out the acronym (for Maneuvering Characteristics Augmentation System). Details of the new system were included in early documents related to the manual, before Boeing decided they would be redundant, some of these people said. The FAA agreed and approved the final manual.

A Boeing spokesman said one section still “expressly advises flight crews to expect automatic nose-down” commands as the plane approaches stall speed. Boeing also has stressed that its manuals include the procedure for turning off stall-protection systems, which pilots are trained to follow whether in the MAX or older planes.

Boeing concluded pilots were unlikely to ever encounter situations where the new anti-stall system kicked in, according to a Southwest memo reviewed by The Wall Street Journal. “They would never see the system in action,” a person familiar with Boeing’s development of the system said.

Boeing in recent weeks has privately said it was a judgment call that details about the new system weren’t necessary in the manuals, according to people familiar with the company’s discussions with aviators and customers. Boeing has been meeting with airlines and pilot unions as it works on the software fix expected in coming weeks.

Boeing’s position has some support. A top executive at a 737 MAX customer agreed pilots didn’t need to know the system’s details. “They’re not engineers and their job is to fly the aircraft,” this executive said.

A United Airlines union official said in a note to pilots that despite the omission from the Boeing manual, aviators have been instructed to stop nose-down commands in older and newer 737s the same way: turn off the system. “Regardless of the source or cause,” the note said, “you will do exactly as you have been trained.”

The Lion Air aircraft that crashed had experienced various flight-control malfunctions on all of its four previous flights. The preliminary crash report makes clear technicians failed to solve the problem, because the same malfunctions reoccurred just before the crash.

In the ill-fated flight, according to the preliminary report, the plane’s flight-control alerts malfunctioned again, providing erroneous stall warnings from the instant the aircraft lifted off the runway. Cockpit instruments displayed a barrage of fault warnings, including unreliable airspeed and altitude, according to the report. The crew battled more than two dozen repeated automated nose-down commands by manually commanding nose-up maneuvers, until they lost control some 11 minutes after takeoff.

The FAA confirmed it is reviewing its decision to accept Boeing’s initial risk analyses of the automated system and other approved systems on the new plane. The FAA and Boeing also are developing a test of the entire MCAS system, which wasn’t previously required.

Southwest’s pilot union president, Jon Weaks, said he was encouraged by Boeing’s commitment to pilot feedback, telling members in a note that he was assured “there will be no more surprises.”

—Robert Wall, Elisa Cho, 
Jim Oberman and Ben Otto contributed to this article.

Original article can be found here:


Anonymous said...

I would expect systems that are specifically designed to point the nose at the ground to receive extra care. They changed how you override the system from pulling back on the yoke, which is intuitive in the way tapping the brakes to disengage cruise control is intuitive in a car, into a procedure that involves reaching into the center console area and turning off a couple of toggle switches protected by flip covers. Imagine that you need to twist the stalk of your turn signal and then pull the handbrake. Not impossible, but the kind of thing you want to know in advance when it comes to a system that could easily kill you if it malfunctioned.

Jim B said...

I do not care how many fuzzed explanations are presented.

(1) People died.
(2) Reputations and product trust are damaged.
(3) Changes were made that confused already trained pilots into losing control.

Were the pilots able to disconnect the autopilot? If they could then they are at fault. If not, then other considerations come into play.

An autopilot is one very useful item but very dangerous when malfunctioning.

D Naumann said...

Jim B. I may be wrong but I don't think the autopilot was involved. The MCAS system is an anti-stall system that is active all the time, whether hand flying or with the autopilot engaged. I would guess that when the MCAS system activates, the autopilot, if engaged, would be automatically disengaged. Maybe someone with 737MAX training could clarify.

Anonymous said...

Yet another system designed by a committee far removed from the realities of the cockpit. Agile process and hugging the intended customer it is not. Can't wait for the Tesla effect to invade aviation.

Jim B said...

D Naumann,

Thanks for pointing that fact out.

Here's a bit more info that I had not initially read:



So if you think about it, it is possible a bird or service ladder could have hit/bent the AOA sensor blade, iced up, or other failure and pushed the aircraft into the sea.

No way to disconnect it? then the aircraft and its occupants are doomed because the pilots are not in ultimate control when they must be at all times.

The article says manual movement of the trim will disconnect MCAS. Same is true with a KAP-140 (in autopilot) to my experience. That is assuming the trim activation / disconnect circuit is actually working and may not be, at any time.

In that case the main fuse/breaker is your last resort, and you must already be trained/ready to use that option.