Date: 2019-06-29
SEATTLE — Early in the development of the 737 MAX, engineers gathered at Boeing’s transonic wind tunnel in Seattle to test the jet’s aerodynamics using a scale model with a wingspan comparable to that of an eagle.
The testing in 2012, with air flow approaching the speed of sound, allowed engineers to analyze how the airplane’s aerodynamics would handle a range of extreme maneuvers. When the data came back, according to an engineer involved in the testing, it was clear there was an issue to address.
Engineers observed a tendency for the plane’s nose to pitch upward during a specific extreme maneuver. After other efforts to fix the problem failed, the solution they arrived at was a piece of software — the Maneuvering Characteristics Augmentation System (MCAS) — that would move a powerful control surface at the tail to push the airplane’s nose down.
This is the story, including previously unreported details, of how Boeing developed MCAS, which played a critical role in two airliners nose-diving out of the sky, killing 346 people in Ethiopia and off the coast of Indonesia.
Extensive interviews with people involved with the program, and a review of proprietary documents, show how Boeing originally designed MCAS as a simple solution with a narrow scope, then altered it late in the plane’s development to expand its power and purpose. Still, a safety analysis led by Boeing concluded there would be little risk in the event of an MCAS failure — in part because of an FAA-approved assumption that pilots would respond to an unexpected activation in a mere three seconds.
The revised design allowed MCAS to trigger on the inputs of a single sensor, instead of two factors considered in the original plan. Boeing engineers considered that lack of redundancy acceptable, according to proprietary information reviewed by The Seattle Times, because they calculated the probability of a “hazardous” MCAS malfunction to be virtually inconceivable.
As Boeing and the FAA advanced the 737 MAX toward production, they limited the scrutiny and testing of the MCAS design. Then they agreed not to inform pilots about MCAS in manuals, even though Boeing’s safety analysis expected pilots to be the primary backstop in the event the system went haywire.
In the wake of the two crashes, despite an outcry from the public and from some pilot and airline industry officials, Boeing has defended the processes behind its MCAS design decisions and refused to accept blame.
The grounding of the MAX has entered its 15th week. Safety officials around the world are scrutinizing the changes to MCAS that Boeing has proposed to ensure such accidents won’t happen again. And they are assessing what training pilots may need on the new system.
“Safety is our top priority,” Boeing said in a statement. “Through the work we are doing now in partnership with our customers and regulators to certify and implement the software update, the 737 MAX will be one of the safest airplanes ever to fly.”
This investigation examines what’s known about the origins and operation of MCAS ahead of the final official accident-investigation reports, expected late this year for Lion Air Flight 610 and next year for Ethiopian Airlines Flight 302.
Wind-tunnel and simulator tests
Though Boeing was locked into a plan to revamp its popular 737 model, the Seattle wind-tunnel tests in 2012 revealed a problem.
During flight tests to certify an airplane, pilots must safely fly an extreme maneuver, a banked spiral called a wind-up turn that brings the plane through a stall. While passengers would likely never experience the maneuver on a normal commercial flight, it could occur if pilots for some reason needed to execute a steep banking turn.
Engineers determined that on the MAX, the force the pilots feel in the control column as they execute this maneuver would not smoothly and continuously increase. Pilots who pull back forcefully on the column — sometimes called the stick — might suddenly feel a slackening of resistance. An FAA rule requires that the plane handle with smoothly changing stick forces.
The lack of smooth feel was caused by the jet’s tendency to pitch up, influenced by shock waves that form over the wing at high speeds and the extra lift surface provided by the pods around the MAX’s engines, which are bigger and farther forward on the wing than on previous 737s.
This was verified in early simulator modeling, with planes tested in scenarios at about 20,000 feet of altitude, according to one of the workers involved.
While the problem was narrow in scope, it proved difficult to cope with. The engineers first tried tweaking the plane’s aerodynamic shape, according to two workers familiar with the testing. They placed vortex generators — small metal vanes on the wings — to help modify the flow of air, trying them in different locations, in different quantities and at different angles. They also explored altering the shape of the wing.
Two people familiar with the discussions said 737 MAX chief test pilot Ray Craig preferred such a physical solution to solve the plane’s aerodynamics. Philosophically, Boeing had long opposed efforts to create automated actions such as a stick-pusher — a device used on some aircraft that without pilot action pushes the control column forward to lower the jet’s nose — that would seize control of a situation from the pilot, according to one of the people.
But the aerodynamic solutions didn’t produce enough effect, the two people said, and so the engineers turned to MCAS.
It was simple in concept but powerful in effect, quickly solving the issue.
In the midst of a wind-up turn, the software would automatically swivel up the leading edge of the plane’s entire horizontal tail, known as the horizontal stabilizer, so that the air flow would push the tail up and correspondingly push the nose down.
As the pilot pulled on the control column, this uncommanded movement in the background would counter the jet’s tendency to pitch up and smooth out the feel of the column throughout the maneuver.
An engineer recalled Craig testing MCAS for the first time in the simulator.
“Yeah! This is great,” Craig gushed after seeing how MCAS responded, according to the engineer. (Craig left Boeing before the operation of MCAS was revised.)
This original version of MCAS, according to two people familiar with the details, was activated only if two distinct sensors indicated such an extreme maneuver: a high angle of attack and a high G-force.
Angle of attack is the angle between the wing and the oncoming air flow. G-force is the plane’s acceleration in the vertical direction.
How much MCAS moved the tail when activated was a function of the angle of attack and the jet’s speed, said one of the people familiar with the MCAS design who, like many of the sources in this story, asked for anonymity because of the sensitivity of ongoing investigations.
The fix didn’t stir much controversy.
Another Boeing plane, the KC-46 Air Force tanker, has a software-driven system that similarly moves the stabilizer in a wind-up turn and even has the same MCAS name, though the design is very different.
Boeing’s failure analysis
When Boeing was ready to certify the 737 MAX, it laid out its plan for MCAS in documents for the FAA.
Under the proposal, MCAS would trigger in narrow circumstances. It was designed “to address potentially unacceptable nose-up pitching moment at high angles of attack at high airspeeds,” Boeing told the FAA in a proprietary System Safety Assessment reviewed by The Times.
In a separate presentation made for foreign safety regulators that was reviewed by The Times, Boeing described MCAS as providing “a nose down command to oppose the pitch up. Command is limited to 0.6 degrees from trimmed position.”
Two people involved in the initial design plans for MCAS said the goal was to limit the system’s effect, giving it as little authority as possible. That 0.6-degree limit was embedded in the company’s system safety review for the FAA.
The Boeing submission also included an analysis that calculated the effect of possible MCAS failures, with each scenario characterized as either a minor, a major or a hazardous failure — increasingly severe categories that determine how much redundancy must be built in to prevent the event.
Virtually all equipment on any commercial airplane, including the various sensors, is reliable enough to meet the “major failure” requirement, which is that the probability of a failure must be less than 1 in 100,000.
A “major failure” is not expected to produce any serious injuries and is defined more as something that would increase the cockpit crew’s workload. Such systems are therefore typically allowed to rely on a single input sensor.
Boeing analyzed what would happen if, in normal flight mode, MCAS triggered inadvertently up to its maximum authority and moved the horizontal stabilizer the maximum 0.6 degrees.
It also calculated what would happen on a normal flight if somehow the system kept running for three seconds at its standard rate of 0.27 degrees per second, producing 0.81 degrees of movement, thus exceeding the supposed maximum authority.
Why three seconds? That’s the period of time that FAA guidance says it should take a pilot to recognize what’s happening and begin to counter it.
Boeing assessed both of these failure modes as “major.” Finally, the analysis looked at the inadvertent operation of MCAS during a wind-up turn, which was assessed as “hazardous,” defined in a cold actuarial analysis as an event causing serious or fatal injuries to a small number of people, but short of losing the plane (that’s called “catastrophic”).
Hazardous events typically demand more than one sensor — except when they are outside normal flight conditions and unlikely to be encountered, such as a wind-up turn.
According to a document reviewed by The Seattle Times, Boeing’s safety analysis calculated this hazardous MCAS failure to be almost inconceivable: Given the improbability of an airliner experiencing a wind-up turn, compounded by the unlikelihood of MCAS failing while it happened, Boeing came up with a probability for this failure of about once every 223 trillion hours of flight. In its first year in service, the MAX fleet logged 118,000 flight hours.
So even though this original version of MCAS required two factors — angle of attack and G-force — to activate, Boeing’s analysis indicated that just one sensor would be acceptable in all circumstances