By Andrew Tangel, Andy Pasztor and Mark Maremont
Almost as soon as the wheels of Ethiopian Airlines Flight 302
spun free from the runway March 10, the instruments in front of
Capt. Yared Getachew went haywire.
The digital displays for altitude, airspeed and other basic
information showed dramatically different readings from those in
front of his co-pilot. The controls in Capt. Getachew's hands
started shaking to warn him the plane was climbing too steeply and
was in imminent danger of falling from the sky.
Soon, a cascade of warning tones and colored lights and
mechanical voices filled the cockpit. The pilots spoke in clipped
bursts.
"Command!" Capt. Getachew called out twice, trying to activate
the autopilot. Twice he got a warning horn.
Another powerful automated flight-control system called MCAS
abruptly pushed down the jet's nose. A computerized voice blared:
"Don't sink! Don't sink!"
The pilots wrestled with the controls, desperate to raise the
nose of their Boeing 737 MAX. Three times Capt. Getachew instructed
co-pilot Ahmed Nur Mohammed, "Pull up!"
At the same time, a loud clacking warned the preoccupied pilots
that the plane was flying too fast.
Four minutes into the flight, the pilots finally touched on the
source of their problems, simultaneously calling out "Left alpha
vane!"
Erroneous signals from that malfunctioning sensor tricked the
onboard computers into believing the jetliner's nose was angled too
high, causing MCAS to push it down again and again.
It was too late. Flight 302 nose-dived at nearly the speed of
sound, hitting the ground with such force that an airliner with 157
people aboard was largely reduced to fragments no bigger than a
man's arm.
Five months earlier, Lion Air Flight 610 had plunged into the
Java Sea, killing 189 people, under similar circumstances.
Regulators have focused since the crashes on MCAS, its reliance
on a single sensor and Boeing's decision not to tell pilots about
the new system. At the root of the miscalculations, though, were
Boeing's overly optimistic assumptions about pilot behavior.
In designing the flight controls for the 737 MAX, Boeing assumed
that pilots trained on existing safety procedures should be able to
sift through the jumble of contradictory warnings and take the
proper action 100% of the time within four seconds.
That is about the amount of time that it took you to read this
sentence.
Boeing bet nearly everything on those four ticks of the clock.
The company's belief in its engineering, and its reliance on pilots
to be flawless cogs, enabled Boeing to speed the latest iteration
of its most important airliner to market and ultimately saved money
for its customers.
Now, the aerospace giant is sorting through the consequences:
two crashes, a global grounding of the MAX fleet, frustrated
airlines and the gravest threat to Boeing in its modern
history.
The company is under investigation by federal prosecutors,
securities regulators, aviation authorities and lawmakers. It faces
more than 100 lawsuits from families of the 346 dead. It may have
to further slow or temporarily halt production of the MAX if flight
restrictions last much longer. And its troubles are disrupting
travel for passengers as well as clouding the outlook for airlines,
aerospace suppliers and their tens of thousands of workers.
Interviews with current and former Boeing employees, pilots,
airline officials, federal regulators and documents reviewed by The
Wall Street Journal show that Boeing repeatedly minimized the risks
posed by MCAS, without detailed scrutiny or pushback from U.S.
regulators. Engineers assumed pilots would be able to almost
instantly counteract an MCAS malfunction, like the ones on the two
doomed flights, by executing a long-established emergency procedure
for a similar problem.
The assumptions dovetailed with a vital company goal. To make
the plane as inexpensive as possible for airlines to adopt, Boeing
was intent on persuading regulators that pilots of earlier 737s
should be allowed to start flying the MAX without simulator
training. That training would have been required if there were
substantial safety differences between the models, boosting the
plane's cost to airlines since training cuts into time flying
paying passengers.
"Our marching orders are no training impact on this airplane.
Period," Richard Reed, a former Federal Aviation Administration
engineer, recalled a senior Boeing official telling him during a
meeting in the early years of the MAX's development.
The company had promised its biggest customer for the MAX,
Southwest Airlines Co., that it would pay it $1 million per plane
ordered if pilots needed to do additional simulator training,
according to Rick Ludtke, a Boeing engineer who worked on the jet's
cockpit systems, and another person who had been involved in the
airplane's development.
A Boeing spokesman said the design and certification of MCAS,
including reliance on pilots as the ultimate safety net, were part
of a methodical six-year effort that followed accepted industry
practices. He also said overall approval of the MAX met "stringent
standards and requirements" set by federal regulators.
"We will continue to learn from the reviews and the lessons from
these accidents to continue improving safety," the spokesman said,
citing the continuing investigations.
In trying to get the MAX flying again, Boeing will now rely on
two sensors, give pilots information it had withheld about the
existence of MCAS and lessen the system's authority. It will also
turn on safety alerts that had only operated in a small number of
the planes and make emergency procedures no longer dependent upon
textbook pilot reactions.
The FAA is reassessing some of its key assumptions. The agency
said certification procedures are "well-established and have
consistently produced safe aircraft designs," but it is rethinking
reliance on average U.S. pilot reaction times as a design benchmark
for planes that are sold in parts of the world with different
experience levels and training standards.
Boeing began developing the MAX in 2011 as bitter rival Airbus
SE began making inroads with its A320neo. Boeing, needing a
fuel-efficient single-aisle airliner to avoid losing market share,
rushed to lock in deals before its board approved building the
jet.
To use less fuel, the design called for larger engines that
would be moved forward and higher than in the previous model. The
changes affected how the plane handled, though. Its nose pitched up
in certain high-altitude conditions, risking a stall, the term for
a sudden loss of force called lift that keeps planes aloft.
Engineers developed MCAS, which stands for Maneuvering
Characteristics Augmentation System, to manage that. The system
operated behind the scenes, pushing down the plane's nose by moving
the horizontal stabilizer on the tail by small increments of 0.6
degree.
Boeing officials were focused on making the MAX fly as similarly
as possible to earlier 737s. The fewer differences, the less likely
the FAA would require pilots to undergo retraining.
Mr. Ludtke, the former Boeing cockpit engineer, said company
managers put pressure on engineers to avoid tweaks in designs that
could result in pilots needing to learn new maneuvers in a
simulator.
At one point around 2013, Boeing officials fretted the FAA would
require simulator training, the person involved with the plane's
development said. But the officials, including chief MAX engineer
Michael Teal, opted not to work with simulator makers to
simultaneously develop a MAX version because they were confident
the plane wouldn't differ much from earlier 737s.
"It was a high-stakes gamble," this person said.
The Boeing spokesman said that as with any new version of an
existing airplane, minimizing differences was a goal for the MAX.
"But this design objective was only that -- an objective -- and was
always subordinate to other requirements, including safety." Boeing
always had a plan to help develop a MAX simulator and didn't delay
it out of concerns the FAA might require pilot training, he
said.
Some Boeing engineers who worked on the MAX said MCAS wasn't
seen as an important part of the flight-control system. They
focused on other functions they deemed to be more critical to
safety, such as an auto-landing system.
In meetings with Boeing officials at an FAA office in the
Seattle area around 2013, the plane maker described the system as
simply a few lines of software code, according to Mr. Reed, the
former FAA engineer who participated in those discussions.
The company outlined how a single sensor that measured the angle
of the plane's nose would trigger MCAS, Mr. Reed recalled, but
argued a failure wasn't likely and the system would kick in only in
extreme conditions.
"Let's quit messing around about the chances of this happening
being rare," Mr. Reed remembered saying. "If it can happen, it's
going to happen."
Boeing assigned MCAS a technical-hazard rating of "major" during
everyday operations, meaning its failure was unlikely to result in
death or the loss of the plane. Multiple sensors aren't required by
the FAA for that designation, on the assumption that the crew could
handle any failure. Boeing said another sensor would have added
unneeded complexity. Other systems on earlier 737s relied on single
sensors, according to former Boeing engineers and others familiar
with the designs.
The Boeing spokesman said a single sensor "satisfied all
certification and safety requirements," and potential additional
training wasn't considered when assessing MCAS hazards.
From the start, safety-assessment documents Boeing provided to
the FAA assumed pilots would be able to handle misfires.
Regulators endorsed that determination, along with the single
sensor. The FAA certification rules under which the MAX was allowed
to fly assume pilots react correctly to certain emergencies 100% of
the time.
As part of its calculus, Boeing decided it didn't need to tell
cockpit crews about MCAS or how it worked. During early design
phases, Boeing referred to the system by name in a draft manual,
parts of which were reviewed by the Journal, and explained
generally what it was supposed to do. Those references disappeared
before it was issued to airlines.
The company reasoned that pilots had trained for years to deal
with a problem known as a runaway stabilizer that also can force
the nose of the plane to dip. The correct response to an MCAS
misfire was identical. Pilots didn't need to know why it was
happening.
Late in the design process, however, Boeing gave MCAS greater
authority. Test pilots for the company and FAA discovered that the
MAX's controls didn't stiffen as needed during certain lower-speed
maneuvers, according to people familiar with the MCAS design. They
suggested MCAS be expanded to work at lower speeds so the MAX could
meet FAA regulations, which require a plane's controls to operate
smoothly, with steadily increasing amounts of pressure as pilots
pull back on the yoke.
To adjust MCAS for lower speeds, engineers quadrupled the amount
the system could repeatedly move the stabilizer, to increments of
2.5 degrees. The changes ended up playing a major role in the Lion
Air and Ethiopian crashes.
After increasing the system's potency, though, Boeing didn't
submit a new safety assessment to the FAA, according to people
familiar with the matter. While a top FAA pilot knew about the
changes, other officials were in the dark and some now say an
updated safety assessment could have provided a chance to find
problems.
The system's evolution and lack of an updated safety assessment
were earlier reported by the Seattle Times. The FAA has said Boeing
wasn't required to update the document.
The assumptions about pilot reaction stayed the same even though
a misfire could now lead to a fatal battle between pilot and
machine.
The Boeing spokesman said engineers determined the changes
didn't affect the overall hazard assessment, saying the company
briefed the FAA and international regulators on MCAS, including its
final configuration, several times.
Those specifics, including the system's expanded authority at
lower speeds, were mentioned in a letter and in a number of Boeing
presentations to FAA officials monitoring the MAX, according to
people briefed on the communications. But senior FAA officials in
Washington weren't told, and many others inside the agency
continued to depend on Boeing's initial descriptions of MCAS.
FAA training experts, unaware MCAS had been made more potent,
ultimately decided the MAX's handling characteristics were close
enough to those of previous 737s that pilots could learn changes in
a few hours on a laptop or tablet. It went into service in
2017.
Southwest Airlines, the jet's first and biggest customer,
followed Boeing's lead and deleted MCAS from the manuals and
emergency procedures it devised for its pilots. Other carriers
didn't mention it, either.
On Oct. 28, 2018, an alarm called a stick shaker went off on a
Lion Air 737 MAX flight from Denpasar, Indonesia, to Jakarta,
causing one of the pilots' controls to vibrate heavily, warning of
an aerodynamic stall.
MCAS pushed down the plane's nose. Faulty data from a
malfunctioning sensor had set off a false-stall alarm and caused
MCAS to misfire.
The puzzled cockpit crew checked a quick reference handbook,
running through other emergency steps before successfully regaining
control of the plane by executing the checklist for a runaway
stabilizer. That turned off MCAS and the crew flew manually for the
rest of the trip.
Indonesian aviation officials said the pilots had difficulty
finding a solution because they had trouble diagnosing the problem.
"It's instinct. Not in the book," said Avirianto, the
Transportation Ministry's director of airworthiness and aircraft
operations, who uses one name, like many Indonesians.
The cockpit crew and mechanics didn't note the severity of the
issue in maintenance logs. The next day, the same aircraft took off
from Jakarta as Lion Air Flight 610 with the faulty sensor.
The flight crew immediately faced the same problem. The nose
repeatedly pushed down. The crew counteracted the system some two
dozen times, using thumb switches on the controls. But the pilots
never ran the full emergency procedure that would have turned off
MCAS.
After 11 minutes in the air, the crew lost control, and the
plane crashed into the sea.
Several days after the crash, Kevin Greene, the FAA's chief
engineering test pilot for the MAX, told about a dozen agency
officials on a conference call that MCAS was suspected of having
played a role in the accident, according to a person familiar with
the agency's response.
"What's MCAS?" one FAA official asked, according to people
familiar with the call. The FAA declined to make Mr. Greene
available for comment.
Agency officials were surprised to learn documents on file at
its Seattle-area office failed to mention how the souped-up version
of MCAS worked, according to people familiar with the matter. Those
papers described MCAS as having one-fourth the control it now had
and made no mention that it fired repeatedly.
Around the same time, an internal FAA assessment determined the
brawnier MCAS posed an unreasonably high safety risk, one that
could result in a similar malfunction on another MAX within
months.
Boeing decided for the first time to detail MCAS's function in a
bulletin to airlines. The manufacturer and the FAA also reminded
pilots of the emergency procedure. This was supposed to buy Boeing
time to work on a permanent solution: a software fix that would
include comparing data from both onboard sensors.
Despite the confusion that enveloped the Lion Air cockpit, FAA
leaders still backed Boeing's reliance on swift, unerring pilot
response, according to an FAA official who was part of the
deliberations. The company and the FAA assured the public the MAX
was meanwhile safe to fly.
In the weeks after the crash, outside pilots, FAA officials and
U.S. safety investigators were brought in to help Boeing engineers
recheck their assumptions about pilot response, people familiar
with the matter said.
Simulator tests revealed that an MCAS misfiring produced more
alarms than pilots would see with a typical runaway stabilizer, the
person familiar with the FAA response said.
What surprised FAA officials, this person said, was a
demonstration that showed what happened if pilots failed to take
action as expected under Boeing's design assumptions -- more than
two MCAS misfires could push the plane's nose down so much that it
became uncontrollable and likely to end in catastrophe.
"It made us realize that this was pretty serious," the person
said.
Still, the pilots in those simulator sessions responded as
expected, people familiar with the results said, executing Boeing's
emergency procedure properly and in time.
"Nobody...walked away saying, 'There's a mistake here,'" one of
the people familiar with the MCAS design said. Still, the tests
left company officials with the feeling: "OK, we see that that is
confusing, and somehow we got two flight crews who responded
differently than we would have expected."
The FAA agreed no urgent changes were required. The MAX fleet
kept flying without restrictions or additional pilot training.
Historically, Boeing's engineering philosophy has put aviators
at the center of every new design -- ensuring pilots could override
computer commands -- while simultaneously embracing automation to
reap the safety benefits. The year before the Lion Air crash was
the safest world-wide in the history of commercial air travel. U.S.
airlines suffered a single passenger fatality over roughly a
decade.
From 747 jumbo jets in the 1970s through the latest wide-body
777 and 787 models, the concept thrived. Boeing prided itself on
building airliners that allowed crews to overcome almost any
automated function without having to take extra steps to disable
underlying systems. Even as automation helped pilots cope with
problems from engine failures on takeoff to excessive speed during
landings, they retained ultimate control.
Since the late 1990s, though, U.S. accident investigators have
recognized that real-world reactions by pilots don't always measure
up to FAA expectations.
"No consideration is...given to imperfect human performance,"
Benjamin Berman, a former National Transportation Safety Board
staffer who investigated the 1994 crash of a USAir 737 near the
Pittsburgh airport, argued in a 2003 paper.
FAA rules typically assume "the human will intervene reliably
every time," Mr. Berman added, calling it "an unrealistic
assumption for human performance."
In 1996, an FAA study of a subset of experienced propeller-plane
pilots found that only one out of 26 reacted to a similar
stabilizer emergency within four seconds.
A 2008 study for the FAA, one of the most recent, found
commercial pilots in simulator tests sometimes became confused when
confronted with unfamiliar failures and reiterated that
certification standards were unrealistic.
There are many accidents where "pilots theoretically should have
been able to save the day, but they took the wrong action, or no
action," said Tony Lambregts, a retired FAA engineer who studied
the interaction between people and machines.
Boeing compounded the problem with the MAX, he said, by
initially not notifying pilots MCAS existed. "The pilots were
hopelessly unprepared to deal with that," Mr. Lambregts said. "They
hadn't been adequately instructed and trained for it."
One thing Boeing failed to account for, pilots and some FAA
officials said, is that there are different methods for
straightening up a jetliner whose nose is pointed too far down.
Some pilots use switches on the controls in different ways, and
many may instinctively pull back on the yoke to bring the nose
up.
In earlier 737s, pulling back on the yoke also turned off a
different automated flight-control system and allowed the pilots to
manually fly. Boeing didn't tell pilots that the MAX was different:
When they pulled back on the controls, the nose could rise, but it
didn't shut off MCAS, which could keep misfiring, pushing the nose
down. MCAS's design required the change, according to people
familiar with the matter.
As details of the Lion Air crash trickled out, pilots pressed
Boeing about why they had been kept in the dark.
In late November, Boeing officials, including Mike Sinnett, the
vice president for product strategy, Craig Bomben, a senior pilot,
Allan Smolinski, sales director for the Americas, and John Moloney,
director of transportation policy, visited American Airlines' pilot
union in Fort Worth, Texas.
The pilots wanted to know why Boeing had excluded MCAS from
their manuals, except for a mention in the glossary, when they were
expected to be the ultimate, non-automated backstop for the
system.
"We are the human element," Capt. Mike Michaelis, then-chairman
of the union's safety committee, told them, according to a
recording.
Mr. Sinnett asked the pilots why they needed to know whether
MCAS or another problem was pushing down the plane's nose.
"We struggle with this," Mr. Sinnett said. "If there are three
or four or five things that could cause a runaway stabilizer, why
do you need to know which one it is before you operate the
procedure?"
"This particular one is masked by so many other distractions,"
one pilot responded. "I think it's very unique."
With no mention of MCAS, or the ways it could fail, in the
manual, many pilots might have a difficult time coming up with the
correct response in an emergency.
Four months after the meeting, Ethiopian Airlines Flight 302
would prove the point in deadly fashion.
In warning airlines about MCAS after the Lion Air crash, Boeing
and the FAA made note of the alerts that could help diagnose a
malfunction, including one alert that was a feature on earlier 737
models, called the "AOA Disagree."
It was supposed to tell pilots when the MAX's two
"angle-of-attack" sensors showed different readings. Even though
MCAS used data from only one, other onboard systems could compare
both and warn pilots.
"Please be informed that if there are any other associated
message like AOA DISAGREE or there is an airspeed difference the
runaway stabilizer checklist must be done first before proceeding
to the other checklists," Capt. Theodros Asfaw Tilahun, a
management pilot for Ethiopian Airlines, emailed colleagues on Nov.
8, shortly after the Lion Air crash.
Trouble was, that alert feature wasn't activated on MAX jets
operated by Ethiopian and many other airlines. A contractor had
made mistakes in software meant to activate them, but Boeing had
told only certain airlines.
Boeing, which maintains the alerts aren't critical safety items,
instead billed them as part of an optional package. The Boeing
spokesman said Ethiopian didn't purchase it, noting that one of the
plane maker's bulletins, after the Lion Air crash, indicated the
alerts would only work with that package. The airline didn't
respond to requests for comment.
Among the recipients of the email about the nonexistent alert
was Mr. Getachew, the captain who wrestled with a misfiring MCAS on
March 10. During that desperate struggle, the crew turned off MCAS,
only to later switch it back on.
About five minutes after takeoff, the doomed 737 MAX slammed
into the brown earth of a farm near Bishoftu, Ethiopia, at more
than 550 miles an hour.
--Alison Sider, Robert Wall, Daniel Michaels, Ben Otto and
Gabriele Steinhauser contributed to this article
(END) Dow Jones Newswires
August 16, 2019 10:58 ET (14:58 GMT)
Copyright (c) 2019 Dow Jones & Company, Inc.