Newly revealed software glitch, deception by Boeing
For more than a year after the 737 MAX had been in service, Boeing kept mum about the fact that two critical safety features were not performing as airlines would have expected. Boeing confirmed that it failed to disclose the error and indicated that both the company and the Federal Aviation Administration (FAA) missed the malfunction when the planes were certified in 2017. Airlines and others did not learn about the problem until after the first of two deadly plane crashes involving the aircraft.
The malfunction involved alerts directed to the cockpit when two Angle of Attack (AOA) sensors disagree and send conflicting data to the Maneuvering Characteristics Augmentation System (MCAS), the new flight control system. Combined with other issues the company hasn’t been completely forthright about, the more information that is uncovered, the more questions are raised about the development and certification of the aircraft.
Alleged software glitch deactivates safety features
Following the two fatal crashes involving the 737 MAX, as discussed in a previous Report, preliminary findings from investigations of the two crashes show alarming similarities, and at the heart of these findings is how the AOA sensors, AOA indicator, AOA disagree light and the MCAS work together in the 737 MAX.
More than a month after the Ethiopian Airlines crash, Boeing was finally pressured into admitting the company and the FAA allegedly missed a glitch in the software that operates the MCAS in connection with the AOA sensors, how the information is communicated – or not – to pilots through the AOA indicator with the disagree light serving as a warning, the Wall Street Journal reported.
In previous versions of the 737, the AOA sensors, indicator and disagree light had been standard. The sensors collect the data and feed it to the indicator, which displays it for the pilots. If the data from the sensors was conflicting, the disagree indicator on the aircraft’s flight deck would light up to warn pilots that the data may be flawed. Pilots and airlines believed these features were also standard on the MAX. While the alerts were incorporated as part of the MAX, the MCAS was a new addition to counter the negative and unintended side effects of the MAX’s redesign. The MAX’s alerts and MCAS, therefore, operated differently. However, to keep a competitive advantage, Boeing refused to inform pilots about the MCAS.
The aircraft manufacturing giant developed the 737 MAX to compete with its rival Airbus’ equivalent aircraft the Airbus A320neo, which was as performing identical to its predecessor, therefore requiring no additional, expensive training for pilots. Boeing adopted this strong selling benefit to compete for the business of especially cost-conscious airlines, misleading regulators to believe the system was the same and declaring that there was no need for pilots to acquire new training before flying the 737 MAX.
Consequently, it designed the MCAS to be concealed and function independently from the autopilot system. If data from the AOA sensor indicated the plane’s nose was pointed too high, the MCAS would automatically adjust the horizontal tail stabilizer and cause the nose to push down.
Boeing intended for the MCAS to only operate when it sensed an imminent stall; however, the system is flawed and, as occurred during the Lion Air and Ethiopian Airline flights, the system engages when it should not. Pilots who were never informed about, much less adequately trained on, the MCAS did not know what was happening to the aircraft or how to overcome the problems caused by a malfunctioning MCAS.
Further complicating dangerous circumstances, alerts that Boeing said were to be a standalone feature that should continue to operate on all 737 MAX aircraft as they had in previous iterations, were not operable. Findings from the investigation of the two crashes revealed that the alerts were not operable on most of the aircraft. Boeing confirmed that a software glitch rendered the alerts inoperable unless airlines upgraded features that were supposed to be standard safety features on all planes. The manufacturer minimized the importance of what it deemed optional features, saying that the alerts were supplemental safety features and were not necessary to safely fly the plane. This led some airlines to delay purchasing the features or forgoing purchasing them altogether.
Boeing has not provided many specific details about the glitch or what initiated the confusion over the once-standard alerts. Yet, former employees have been revealing details that paint a picture of a haphazard development process that yielded a dangerously defective aircraft and sacrificed hundreds of lives in order to maintain a competitive advantage and continue raking in profits.
Bloomberg has reported that among those former employees speaking out about the company are former Boeing engineers. Rick Ludtke was a Boeing engineer who was part of the flight crew operation team. The team managed how pilots interacted with the aircraft’s software and controls, including the alerts and the MCAS. After the MAX was certified, the team was cut by half and Ludtke was laid off. He explained that the constant shuffling of employees along with an internal culture that discouraged reporting things such as malfunctioning aircraft parts has “eroded the company’s ability to successfully design and manage programs.”
What Ludtke reports lines up with the shift in the company’s priorities beginning nearly 20 years ago. The company’s focus shifted to efficiency and profits with a message that shareholders’ interests would come first. After the company’s current Chairman and Chief Executive, Dennis Muilenburg, took the helm in 2015, the focus on efficiency was heightened further. Among other cost-saving steps, Muilenburg implemented a 7% cut in workforce and imposed stricter cost demands on engineers. These steps served only to reinforce the “no tell” culture so that when engineers discovered the malfunctioning AOA disagree light months before the first deadly crash, they did not report it to federal regulators.
After admitting yet another oversight, Boeing has promised that the alerts would be made standard on all 737 MAX jets at no additional charge. All the while, Muilenburg continues minimizing the alerts’ importance saying that they “provide secondary or supplemental information, not critical safety data pilots must rely on to fly.”
Rejected alternatives to increase safety
Additionally, Boeing also admitted to using data from only one AOA sensor in the MAX version of the 737 while previous versions of the aircraft used data from two AOA sensors. Experts and industry stakeholders question Boeing’s reasoning for relying on a sole AOA sensor, especially after the FAA had flagged it 216 times for failing, requiring maintenance or needing to be replaced, according to Business Insider. Approximately one-fifth of the incidents involved Boeing aircraft so the company was well aware of the sensor’s tendency to malfunction. Using only one sensor is shocking to many in an industry that is wedded to redundancy to maintain safety.
A former Boeing flight engineer, Peter Lemme, told CNN that “[fr]om the beginning [the airplane’s system] should have been a fail-safe design, which would have relied on two inputs to make sure that you weren’t sensitive to one failure.” Boeing, however, continues to defend its design, explaining that “single sources of data are considered acceptable in such cases by our industry.”
This wasn’t the first time the airline experienced a single-source failure in its aircraft, Bloomberg reported. Ten years ago, faulty readings from a single altimeter forced a Boeing 737-800 to reduce the throttle, causing it to idle prematurely. Correct readings from the plane’s second altimeter made no difference because the automatic throttle was connected to the faulty altimeter. The malfunction caused the Turkish Airlines plane bound for Amsterdam to crash. Nine people were killed, 120 people were injured, and Boeing was prompted to change the throttle system so that it no longer relied only on a single altimeter reading.
Finally, less than a month following the Lion Air crash, the FAA became aware of the AOA sensor problem and that it may be a bigger problem than anyone had realized. One FAA official raised concerns that the problems related to the AOA sensor, “may be masking a larger systems problem that could recreate a Lion Air-type scenario.” Weeks later, the Wall Street Journal reported, “other internal emails referred to a ‘hypothetical question’ of restricting MAX operations.” One message specifically discussed how irresponsible it would be to allow the MAX to continue flying with an inoperable AOA disagree indicator and urged discussing grounding the aircraft until the defect was fixed and pilots were trained on the related displays.
The use of a single sensor will be part of the investigation conducted by the House Transportation and Infrastructure Committee. The committee’s chair, Representative Peter DeFazio (D-Oregon) announced an investigation into the Boeing 737 MAX design and certification process. It is in addition to other ongoing investigations including a criminal probe by the Department of Justice (DOJ) and Department of Transportation’s Office of Inspector General (OIG).
Further, Boeing’s own test pilots have revealed that their advice and guidance regarding the MAX’s development were significantly limited toward the end of the development, according to the Wall Street Journal. The test pilots are elite, full-time pilots who test systems on new aircraft before the designs and cockpit procedures are finalized. The pilots reported that they were often locked out of key discussions and did not receive detailed briefings about the aircraft’s MCAS. They weren’t even aware that the system was reliant on only a single AOA sensor. The pilots stopped short of saying that their involvement would have improved the final design of the MCAS but explained that their being excluded was a departure from Boeing’s longstanding practice of seeking their input to ensure the plane and its many parts and systems were safe.
Although Boeing executives deny receiving warnings about keeping pilots out of the conversation and actively involved in the MAX development, one senior pilot disagrees. He said he warned a Boeing executive that by leaving pilots out of the process “[s]omething is going to get by, and it’s not going to be pretty.”
The details surrounding the MAX, its defective design and the certification process will continue to unfold for some time. While consumers and families of those who perished in the two fatal MAX crashes wait for more answers, evidence continues to mount that shows Boeing callously disregarded consumer safety and human life as it worked to maintain its competitive advantage with the MAX.
Mike Andrews, a lawyer in the firm’s Personal Injury and Products Liability section, focuses much of his practice on aviation accident litigation. He has represented people seriously injured in aviation crashes, and the families of those killed in both civilian and military airplane crashes and helicopter crashes. Mike will represent the family of an Ethiopian Airlines crash victim, and is investigating both deadly Boeing crashes on behalf of families. He also has written a book on the subject to assist other aviation lawyers, “Aviation Litigation & Accident Investigation.” The book offers an overview to the practitioner about the complexities of aviation crash investigation and litigation.
This story appears in the June issue of The Jere Beasley Report. For more like it, or to subscribe, visit the Report online.