Sunday, October 17, 2021

There’s No Good Answer to the 737 MAX Disaster

A grand jury faults one executive’s serious error of omission, but the larger mystery is unsolved.

The Wall Street Journal 
By Holman W. Jenkins, Jr.
Appeared in the October 16, 2021, print edition.

With the indictment of a former Boeing employee in the two 737 MAX crashes that killed 346, have we finally got to the bottom of a colossal industrial screwup? No. As persuasive as the indictment might be, it doesn’t try to persuade that the crashes were caused by Mark Forkner, who served as chief technical pilot for the 737 MAX.

The allegation: Mr. Forkner at first inadvertently misled federal aircraft certifiers about the function of a new software system in the MAX known as MCAS, or Maneuvering Characteristics Augmentation System. A year later, on belatedly discovering that Boeing engineers had altered the system, he failed to inform the Federal Aviation Administration as the plane approached certification despite many opportunities to do so.

Mr. Forkner understood, as his emails at the time showed, that on this question turned tens of millions of dollars in additional training expense for airlines that would have cut into what Boeing could charge for the planes. Though the indictment doesn’t say so, the FAA likely would have required more training, which in turn might have helped pilots in the Lion Air crash in Indonesia in October 2018, and a similar disaster involving Ethiopian Airlines a few months later, to cope with the system’s unexpected misbehavior.

If the government can’t say (and it can’t) that this really would have prevented either crash, I find it easy to suggest what might have: in the course of designing the required training, it’s hard to believe Boeing wouldn’t have discovered MCAS’s nasty potential and simply fixed it.

Even with the new indictment in hand, as boggling as ever is how engineers at Boeing could have significantly changed MCAS without a cascade of high-priority emails raining down through the organization, calling forth an effort to examine and understand the implications for every conceivable failure scenario, including the failure of pitch indicators vulnerably located on the plane’s exterior.

Mr. Forkner, who was expected to appear in court on Friday, was instrumental in negotiating for the plane’s certification with the FAA. He worked closely with the customers who would have to operate it. Yet he didn’t learn about the change until he stumbled on it during a simulator session.

MCAS had been designed to counter the tendency of the plane’s nose to rise in a maneuver that would never be experienced in normal operations, a high-speed, ever-tightening turn that would cause pandemonium in the passenger cabin if it were tried during a commercial flight. Mr. Forkner discovered only in the simulator, and then by contacting a Boeing engineer, that the system had been belatedly altered to intervene even during low-speed maneuvers.

Nothing in the indictment suggests that, in a flash of insight, he realized how badly things might go if MCAS, in response to a faulty pitch reading, began persistently trying to push the nose toward the ground after takeoff. Neither does the indictment explain why Boeing’s routine processes didn’t uncover this risk, which should never have depended on Mr. Forkner.

Mr. Forkner’s failure was a failure to blow a perfunctory whistle, and surely something would have happened had he alerted the FAA, though we can’t know what. The FAA’s job is not to design the plane or substitute for Boeing in understanding all the implications of every design choice.

Perhaps getting us closer to the real problem, Mr. Forkner, in one of his MCAS-related emails, refers to a system “designed by clowns, who in turn are supervised by monkeys.” Zoologically, he’s off-base. Engineers at Boeing presumably were acting in good faith when they changed MCAS for whatever narrow reason motivated them. The mystery is why the organization let the change flow through without examining every likely and unlikely effect, especially because Boeing had every reason to know the MAX would be flown by pilots in every corner of the globe who are not always splendidly trained or highly experienced or working for world-class carriers.

Wafting through this story is a certain vague intimation. Some in Boeing saw their products as an agglomeration of systems whose saving grace was their built-in redundancy, on top of which was the final redundancy of an alert and skilled crew. But this still doesn’t explain the process failures that left MCAS’s risks undiscovered. In all the reporting and all the official investigations so far, nobody has yet given a good explanation of how this happened.

10 comments:

  1. Failures that led to the crash of two 737 MAX aircraft. I would start with the forced merger by the government of a failed company called McDonnell Douglas into Boeing. Then the inexplicable series of decisions that placed the executives of the failed company MD in charge of the combined Boeing/MD entity. Then the decision of this executive team to reengineer a 60-year-old airframe that had already been extended multiple times and powered up multiple times with not just stronger but physically much larger engines that required moving the engines, making an always-present instability a massive instability during thrust, then putting marketing in front of engineering again by simply electronically papering over the instability with MCAS, then not telling anyone it had an instability.

    It is notable to me that since the acquisition of McDonnell Douglas, Boeing has had a troubled 787 program, a failed 737 MAX program, and a failed Starliner program. Compare this to the home-run success of the 777 pre-merger.

    Replies
    1. Operating with critical sensors requires a minimum of three, comparing the difference between them, dropping malfunctioning sensors that fail the comparison and controlling to the consensus of the remaining sensors.

      If investigations could get the full story, they would have found the emails where a middle-level manager overruled the design engineering team and caused the single-sensor implementation. The second AOA sensor option available at add-on cost is a clue as to why the baseline design used just one.

      Engineering compromised by "cost control" edicts is an industry wide trend, not just a Boeing merger and headquarters location problem.

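The voting scheme described in the reply above (three sensors, cross-compare, drop the ones that fail the comparison, control to the consensus of the rest) as an added Python example. This is not code from the page, from Boeing or from any real flight-control system; the sensor names, the agreement tolerance, the intervention threshold and the readings are all constructed for illustration. It also shows the contrast with a single-sensor design, which has nothing to compare its one input against.

```python
"""Triple-redundant sensor voting versus a single-sensor design.

Added example, not from the page. Sensor names, tolerance, threshold and
readings are constructed values chosen to make the contrast visible.
"""
from statistics import median

# Maximum disagreement (degrees) tolerated between one sensor and the group
# median before that sensor is treated as faulty. Constructed value.
AGREEMENT_TOLERANCE_DEG = 2.0

# Hypothetical angle-of-attack threshold above which an automatic nose-down
# intervention would be commanded. Constructed value, not a real parameter.
INTERVENE_ABOVE_DEG = 15.0


def vote(readings, tolerance=AGREEMENT_TOLERANCE_DEG):
    """Return (consensus_value, rejected_sensor_names) for {name: reading}.

    With three or more inputs the median is a robust reference: a single
    runaway sensor cannot drag it. Sensors that disagree with the median by
    more than `tolerance` are dropped and the consensus is the mean of the
    survivors. If fewer than two sensors remain, no trustworthy value exists
    and None is returned so the caller can refuse to act automatically.
    """
    if len(readings) < 3:
        # Fewer than three inputs cannot out-vote a liar; refuse to decide.
        return None, sorted(readings)
    ref = median(readings.values())
    rejected = sorted(n for n, v in readings.items() if abs(v - ref) > tolerance)
    survivors = [v for n, v in readings.items() if n not in rejected]
    if len(survivors) < 2:
        return None, rejected
    return sum(survivors) / len(survivors), rejected


def would_intervene_single(reading_deg):
    """Single-sensor design: one input, no cross-check, acts on whatever it sees."""
    return reading_deg > INTERVENE_ABOVE_DEG


def would_intervene_voted(readings, tolerance=AGREEMENT_TOLERANCE_DEG):
    """Voted design: act only on a consensus that survived the comparison."""
    consensus, _rejected = vote(readings, tolerance)
    if consensus is None:
        return False  # no trusted value: take no automatic action
    return consensus > INTERVENE_ABOVE_DEG


# Constructed sample: one probe returns a runaway value while two agree.
SAMPLE = {"left": 74.5, "right": 3.2, "standby": 3.0}

if __name__ == "__main__":
    print("single sensor acting on the left probe alone:",
          would_intervene_single(SAMPLE["left"]))
    print("three-sensor vote:", vote(SAMPLE))
    print("voted design intervenes:", would_intervene_voted(SAMPLE))
```

The design choice worth noticing is the `None` path: when the sensors cannot out-vote each other, the safe behaviour is to withhold the automatic action and hand the decision to the crew, rather than to pick one reading and trust it.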
    2. How did you come to the conclusion that you "...would start with the forced merger by the government of a failed company called McDonnell Douglas into Boeing." What forced merger? This isn't China. That merger was a windfall for both companies at almost $50 billion in revenue at the time. It was a counter to the rise of Airbus. Also, while orders for MD's civilian aircraft division were drying up, Boeing had no meaningful military offerings, so the merger was very smart, playing to the strengths of both entities. Boeing's recent issues have been difficult, but corporate culture must change, and the ouster of CEO Muilenburg was a good place to start. Maybe some pruning of upper management will bring things back to order.

  2. If you are talking about generic system failures, it's probably about the engineers feeling constrained in their checking procedures by the takeover of Boeing by accountants. If you are wondering about what went wrong here: it was the instructions to overly rely on computers to make flying the aircraft easier and more accessible to airlines without extensive pilot training (the airlines with the crashes being examples: young pilots with young airlines, taught to always believe the computers).

  3. Watch the PBS program Frontline, 2021 season, Episode 18, "Boeing's Fatal Flaw". The emails from Mark Forkner align with Boeing's corporate greed culture. Shocking.

  4. "Nothing in the indictment suggests that, in a flash of insight, he realized how badly things might go if MCAS, in response to a faulty airspeed reading ..."

    That is incorrect. The faulty data came from the left Angle of Attack probe.

    Left unmentioned: the crews of both mishaps mishandled the aircraft (particularly the second). Three things were required to not crash: control airspeed, Autopilot/Auto-throttles off, Primary Trim system power off.

    Those three steps together take a matter of five seconds, and are matters of basic airmanship and systems knowledge.

    Replies
    1. I had the same impression from everything I read, particularly the two accident reports (another Lion Air crew did actually manage it prior as a runaway trim), but rarely had anyone stating it as this clearly.
      Nevertheless, implementing a single-point-of-failure system without teaching the pilots is criminal; bean counters love numbers and money more than people.
      So in the end it is just as with so many other accidents that the holes in the cheese all lined up, with the very first one deliberately punched in at some office at the manufacturer, and the last line of defense, a well trained crew, was not - and could not be - well enough trained.

    2. That is correct. I noticed that early on. Non-Western nations are not up to standards with the rest of the West on training for basic stick and rudder airmanship. They rely heavily on automation to get around and less so on the old fashioned protruding control surface moving tools sitting in front of them not being used. Western nation pilots never crashed one. Of course saying that is politically incorrect, or if you watch CNN incessantly for your only news outlet, it's "racist."

  5. Boeing was a great company when run by engineers rather than bean counters. This is just another example. The whole reason for the MCAS system was that Boeing didn't want to spend the money to design a new plane, which is what was really needed. So they tried to make some patches to an old design. Even so, they should have done enough checking to find single points of failure, and software glitches. So maybe this fellow was guilty, but lots of other people at Boeing, including at the top, share the responsibility. I am by the way a STEM professor, so I try to drill these lessons into my students.

    Replies
    1. The WSJ had a number of great articles on Boeing's problems; unfortunately Mr. Jenkins's musings are not among them. MCAS was, as he noted, originally designed to deal with a rare event and was therefore not designed as a critical fail-safe device.

      Later Boeing discovered that the placement of new engines made the airplane unstable in certain aspects. An expedient decision was made to extend MCAS to this situation as well, one far more common than its original domain of operation. MCAS had now become a critical component, but couldn't be redesigned to increase reliability without significant time.

      Pressure to meet corporate objectives overrode concerns about reliability, and engineers and managers could talk themselves into believing other backups would be sufficient. The Challenger disaster was likewise founded on these dynamics.

      While the technical pilot failed in his duty, he is but a scapegoat with senior Boeing management getting a pass.
