Boeing's 'single point failure': Why was there no backup system on 737 Max jet?

Chris Woodyard
Updated

When it comes to safety, modern commercial aircraft are known not only for having backup systems, but in some cases, backups of their backups.

So even as Boeing has taken responsibility for a fatal flaw in a key anti-stalling system in its 737 Max 8, mystery still surrounds why the software was designed to be dependent on a single outside sensor though it was equipped with two, triggering a chain of events that led to the crashes of Lion Air and Ethiopian Airlines jetliners less than five months apart.

Boeing "violated a basic principle of aircraft design by allowing a single point failure to trigger a sequence of events that could result in a loss of control," said Brian Alexander, an attorney for a law firm specializing in aviation accidents, Kreindler & Kreindler in New York, that is contemplating lawsuits on behalf of victims' families in the Ethiopian Airlines crash.

Based on an initial report from crash investigators, Boeing CEO Dennis Muilenburg acknowledged Thursday that erroneous data sent to the system led to the Lion Air crash off Indonesia in October that killed 189 passengers and crew and the Ethiopian Airlines disaster in Africa that took 157 lives on March 10, both in the 737 Max 8. He vowed Boeing would fix the problem.

Others, however, aren't so sure that Boeing can find an adequate repair and say the twin crashes are proof that the plane's problems run deeper than flawed sensors. They say the design itself has created inherent problems that simple fixes won't solve.

"You go to the source of the problem, not the symptom," said consumer advocate Ralph Nader, who lost a niece in the Ethiopian Airlines crash. "An aircraft has to be designed stall-proof, not stall-prone."

For now, all Boeing 737 Max 8 and 9 aircraft around the world have been grounded amid investigations into the source of the problem. Boeing, on the basis of inquiries into the two crashes, has focused on the Maneuvering Characteristics Augmentation System, or MCAS.

The system is supposed to automatically push down the plane's nose when either of two angle-of-attack sensors, one mounted on each side of the fuselage, detects that the plane had pointed upward so steeply that it can stall. MCAS was added because of the possibility the nose can pitch up as a result of the larger, heavier engines that were added to the Max.

But in an unusual move, engineers designed MCAS to initiate when it detected too steep of an ascent from either sensor. The sensors didn't work in tandem.

In a statement to USA TODAY, a Boeing spokesman said the commercial aircraft giant followed established industry "assumptions and processes" in creating the fight control systems.

"Single sources of data are considered acceptable in such cases by our industry, and additional changes to the system were not deemed warranted," spokesman Peter Pedraza said.

The company felt safe in adding MCAS because if there was a malfunction, "a pilot would be able to counteract erroneous system input" using either of two methods, Pedraza said.

One way would be to use switches on the control wheel to adjust the plane's trim, which adjusts control surfaces to make the plane easier to fly, like cruise control in a car. Or the same task can be done manually. Either way, the goal would have been to control the angle of the aircraft.

Crash aftermath: Boeing to slow production of 737 Max as it continues working on software fix

Yet apparently those procedures didn't work for the Lion Air and Ethiopian Airlines crews. In the case of Ethiopian, which encountered problems soon after takeoff from Addis Ababa, pilots tried Boeing's procedures for an MCAS malfunction repeatedly and still couldn't control the plane, Ethiopian Minister of Transport Dagmawit Moges said Thursday.

The single source of data seems unusual given the lengths Boeing has gone to build redundancies into its jetliners.

For the 777, Boeing's twin-aisle intercontinental jet, engineers created triple redundancy for its computers, hydraulics, communications and electrical power. Perhaps the best illustration of the lengths the company was willing to go on backups was found in the plane's primary flight computer. It was built with three microprocessors instead of one, and each came from a different manufacturer: Intel, AMD and Motorola, according to an account by a Boeing engineer.

The decision on how many backups to have isn't easy, said Peter Seiler, an associate professor of aerospace engineering at the University of Minnesota who used to work at Honeywell, a subcontractor for Boeing. It depends on how critical to safety the system is considered, how much it will distract an already-busy flight crew if it fails, and the odds of it failing, among other factors.

"I spent four years working on the 787, and I spent all my time thinking about every possible way things can go wrong," he said.

It may be that Boeing didn't consider MCAS crucial enough to warrant a backup. It was designed, after all, as part of an overall goal of making Max jets fly and feel like the previous 737 version, the Next Generation or NG, and the ones before it.

"If the MCAS fails, the crew loses a little bit of stall protection, but stall protection is primarily the responsibility of the crew," said Clint Balog, a 42-year pilot and an associate professor at Embry-Riddle Aeronautical University.

With the 737 update, Boeing saved time by not having to create an all-new jet. It also could sell the 737 to airlines on the basis that because Max was just an update, pilot training costs would be limited.

Boeing's proposed fix of the problem to the FAA involves requiring that MCAS constantly monitor readings from the two sensors and disengage if they differ widely from each other, and to make standard a cockpit warning light that used to be an option.

"Whenever there is an accident or incident, our industry has a history of going back and challenging the basic assumptions, and when appropriate, making changes," Boeing spokesman Pedraza said. "This process has led to over 50 years of continuous safety improvement."


This article originally appeared on USA TODAY: Boeing's 'single point failure': Why was there no backup system on 737 Max jet?