Quick Recap: After the second fatal Boeing 737 Max 8 crash (Lion Air, Then Ethiopian Air), we learned that the Max was not simply a stretch of the 737 NG series, but had major changes to flying characteristics due to more powerful engines mounted up and forward compared to prior models. We also learned that, in order to make it fly as much like the prior models as possible, and resist a tendency for the changed dynamics to push the nose up into a potential stall, Boeing had added the “Maneuvering Characteristics Augmentation System” (MCAS).
Where we got from that information to the viewpoint of “Safety Optional” was the discovery that MCAS relied on a single Angle of Attack (AOA) sensor, even though two were installed (on either side of the nose), and that a warning of disagreement between the sensors (which might imply that MCAS was falsely indicating and acting on a potential stall) was only available if airlines purchased an optional safety information package!
Making matters worse, Boeing exec, Mike Sinnet, reportedly told American’s pilot’s union shortly after the Lion Air crash that “this wouldn’t happen to you because you bought the optional warning system! (Paraphrase) Of course Sinnet cannot recall making that statement, and Boeing said he was not available for comment.
Now we get to the new and interesting stuff. A few days ago, Andy Paztor, writing in the Wall Street Journal, reported that the “AOA Disagree” idiot light (above) which had been a standard feature on the 737 NG (737-600, -700, -800, -900), was non-functional on the 737 Max unless the more advanced AOA disagree warning on the Primary Flight Display (PFD) had been purchased. Neither Southwest, United, nor the FAA were made aware of this lapse until after the Lion Air crash. As a result, flight manuals for the 737 Max issued by airlines which also owned 737 NG aircraft, such as Southwest and United, still contained a reference to the presence of the basic AOA Disagree idiot light, even though it did not work!
Via CNBC, we have Southwest’s statement on the issue:
Upon delivery (prior to the Lion Air event), the AOA Disagree lights were depicted to us by Boeing as operable on all MAX aircraft, regardless of the selection of optional AOA Indicators on the Primary Flight Display (PFD). The manual documentation presented by Boeing at Southwest’s MAX entry into service indicated the AOA Disagree Light functioned on the aircraft, similar to the Lights on our NG series. After the Lion Air event, Boeing notified us that the AOA Disagree Lights were inoperable without the optional AOA Indicators on the MAX aircraft. At that time, Southwest installed the AOA Indicators on the PFD, resulting in the activation of the AOA Disagree lights – both items now serve as an additional crosscheck on all MAX aircraft.
It’s (almost) inconceivable that Boeing intentionally removed a critical safety warning, but we do have to ask:
- Did Boeing’s product managers incorrectly specify that both the idiot light and the PFD graphical warning should be linked together and only activated if purchased?
- Did their software designers and developers mistakenly conflate the optional advanced AOA disagree display with the basic AOA disagree idiot light so that both were enabled/disabled together?
- Did Boeing’s QA department specifically test which features were enabled/disabled with the extra warnings package?
- Did the test flights explore the envelope of the warning system, or “disable” one AOA sensor to exercise MCAS and the warnings?
- Did the FAA inspectors “walk through” the design changes and ask questions?
From last weekend’s WSJ article, you can see reluctance at the FAA to act on a hunch that things weren’t right:
Less than a month after the Lion Air jet went down, one FAA official wrote that AOA-related issues on MAX jetliners “may be masking a larger systems problem that could recreate a Lion Air-type scenario.”
About two weeks later, other internal emails referred to a “hypothetical question” of restricting MAX operations, with one message explicitly stating: “It would be irresponsible to have MAX aircraft operating with the AOA Disagree Warning system inoperative.” The same message alluded to the FAA’s power: “We need to discuss grounding [Southwest’s] MAX fleet until the AOA Warning System is fixed and pilots have been trained” on it and related displays.
The email discussions, previously unreported, were fleeting red flags raised by a small group of front-line FAA inspectors months before the Ethiopian jet nose-dived last month.
Within days, the concerns were dismissed by some involved in the discussions. These people concluded that the alerts provided supplemental pilot aids rather than primary safety information, and therefore no additional training was necessary. Boeing and the FAA continued to publicly vouch for the aircraft’s safety.
Yes, somebody in the FAA actually wrote: “It would be irresponsible to have MAX aircraft operating with the AOA Disagree Warning system inoperative.” YA THINK!?! This is the epitome of regulatory ‘capture’ by the regulated entity. Good Grief!
Testifying before a Senate panel last month, acting FAA chief Daniel Elwell said one important factor is prioritizing what data pilots receive. “Every piece of real estate in a cockpit is precious,” he said. “You put one gauge up there, you are sacrificing another.”
He’s right about real estate, but whilst that could apply to the visual AOA angle disagree graphic intruding on the Primary Flight Display, there’s no way the idiot light should have been disabled.
After WSJ shone the spotlight on the missing alert, Boeing put out a statement this Monday confessing to “an additional software problem.” In a follow-up article in the WSJ, yesterday, we find more details:
Boeing Co. on Monday said certain safety alerts on its 737 MAX jets didn’t operate as airlines would have anticipated because of a previously undisclosed error on its part.
The Monday statement suggests Boeing engineers and management, as well as U.S. air-safety regulators, either missed or overlooked one more software design problem when the model was certified two years ago. Before Monday, neither Boeing nor the Federal Aviation Administration had disclosed that an additional software glitch—rather than an intentional plan by the plane maker—rendered so-called angle of attack alerts inoperable on most MAX aircraft.
[The] statement raises new questions about what Boeing told customers, pilots, regulators and others in the wake of the first MAX crash in October.
One [internal] email distributed to a handful of midlevel FAA officials asked: “Did Boeing foul up on the MAX by not ensuring” the alerts would operate even “if the customer chose not to pay for” associated safety features?
You betcha! Specifications, design, testing, inspection… multiple layers designed to prevent screw-ups from impacting the public broke down here.
So, was safety optional or for sale, or was this a confidence-eroding error? How will Boeing get the public’s trust back?
What do readers think?
