by Stephen Bryen
A version of this article appeared in Asia Times.
The discovery of foreign object debris (FOD) in the fuel tanks of two thirds of the recently manufactured MAX jets in storage has appalled Boeing’s top leadership. Boeing has had issues with FOD for some time, not just on the 737 Max. FOD has shown up in air refueling tankers recently delivered to the U.S. Air Force and on other commercial jets. The concern of Boeing’s CEO, while somewhat laudatory, comes rather late in the day for sure.
But FOD is not the only problem with the 737 or more generally with Boeing.
In fact, Boeing faces two problems: one is engineering and the other is manufacturing. Both raise deep concerns about Boeing aircraft and both need urgent attention. So far the Federal Aviation Administration (FAA) has approach Boeing’s issues with blinders on, trying to only address one problem, and that one only partially. The FAA needs to do a much better job and it had best begin by demanding a complete re-inspection of Boeing aircraft delivered to customers, not just the 737 Max’s.
The MCAS Saga
MCAS is the Maneuvering Characteristics Augmentation System Boeing grafted onto the 737 Max design when it was forced to relocate the new plane’s bigger engines, changing the aircraft’s center of gravity. Without MCAS, Boeing engineers understood the plane would pitch up on take off and go critical, possibly causing a stall (when the airplane does not have enough lift) and a subsequent crash.
There is nothing particularly special about the need for MCAS. Modern airplanes, both commercial and military today use “fly by wire” systems to control elevators, rudders and ailerons –that is the flight controls. Fly by wire (originally analog but today fully digital) run the aircraft and make it far easier for the pilot to control the plane. It also allowed military jets to optimize certain flight performance characteristic that, without a fully digital fly by wire system these planes would not fly at all. Fly by wire uses the planes sensors, gyros and flight computers to do its work.
Boeing needed MCAS to add a feature to the 737 Max fly by wire system to prevent stalls during take off procedures. But it took a shortcut: it linked the MCAS to a single sensor, the angle of attack sensor. There are two angle of attack sensors on the Boeing: one on the pilot’s side, the other on the co-pilot’s side of the aircraft. But the original MCAS took input only from one sensor and did not allow the pilot to change to the other if the sensor inputs appeared wrong or data output was erratic. (The choice of input sensor is varied from one sensor to the other for each flight.) We know for sure that erratic sensor outputs doomed the two fatal 737 Max crashes because it left the pilots fighting the control system and losing the battle. Boeing claims it has fixed all this by “permitting” the pilots to switch to the “correct” sensor and also by limiting the MCAS to only one flight control correction, instead of multiple and repetitive corrections causing a death spiral that the pilots could not correct.
All of these changes by Boeing sound good, but they still raise serious doubts. The FAA seems be be not asking important questions. These questions are, among others: why didn’t MCAS take input from other sensors to arrive at a flight solution, such as from the plane’s artificial horizon, airspeed indicator, altitude data and other computer solutions on the flight profile? And what happens if the problem is not the sensor, but the wiring that connects the sensor to the flight computer and thence to the flight software and MCAS? It is known by now that the MCAS solution was a rush job and some whistle blowers from the company claim that MCAS was not properly designed or tested. Nor were pilots properly trained, or simulators able to replicate the MCAS gone haywire. The training and simulator issue is being addressed, but not the wiring or the weakness in the actual design, or why the sensors and algorithms ignore other possible inputs.
Also MCAS is not being altitude limited –that is, it can trigger off at any time in the plane’s climb out. Yet when the plane is still very low to the ground, MCAS could forces its nose down. In such cases pilots might not have time to react and correct the attitude of the aircraft. This potential issues remains.
Before Lion Air Flight 610 crashed the pilots on a previous flight reported an erratic angle of attack sensor, or so they thought. While the sensor tested good, maintenance replaced it anyway. What happened next was the crash. The crash has been analyzed and investigated, but the conclusion overlooks a key point: these sensors don’t typically fail; the presumably faulty sensor in any case was replaced with a new one, yet it is credited with giving readings that led to the crash. While mentioned, the idea of faulty wiring or poor connectivity was not really addressed. Could it be that the angle of attack sensor was giving false readings because of loose connections spiking the results that went into the flight computer, meaning that the sensor itself was good but the hook up was bad, or was getting cross information from other data traversing the wiring or processed by the computer? The answer is we do not know the answer and it does not seem to be part of either the investigation or the proposed fix to the problem, meaning that the threat is not necessarily being entirely eliminated.
The MCAS saga leads directly to the issue of the plane’s manufacturing and, more importantly quality control. The fact that two thirds of the recently manufactured 737 Max aircraft had FOD in their fuel tanks, and this applies to other planes manufactured in other Boeing factories, suggests that management and oversight and quality control are completely broken down. While Boeing no doubt tests different plane components on test stands, there are many problems that need visual inspection and careful checking, or problems that only show up in real use under use and stress. Keep in mind that the planes that crashed were both virtually new, but they were put into service and disaster struck because the testing protocols were inadequate. No one has suggested longer flight testing is needed before aircraft are delivered to the customer and go right to the commercial flight line.
On February 15, 1996 in a launch of an Intelsat satellite on board a Chinese Long March 3B rocket took off, turned sideways, flew over the Xichang Satellite Launch Center fence and crashed into a nearby village (causing fatalities and damages). This Long March rocket launch was an important event supported by Loral Space Systems, which made the satellite, and involving the US government, concerned that the technology of the satellite might leak to China. In the crash aftermath it was determined that the launch failed because of a cold solder joint in one of the rocket gyros, something that bench testing never revealed.
For such reasons, testing and quality control has to be rigorous and can’t be left to testing methods that rely solely on technical measurements. Human visual inspection may have revealed the cold solder joint in the gyro; similarly, visual inspection might have quickly seen the FOD in Boeing-built fuel tanks. How many disasters were averted since Boeing finally checked planes that not only were completed in the factory, but had already been flown to storage yards? And if the Max’s already delivered to customers are reinspected, the chances are extremely good they too will be saturated with FOD.
Why would anybody fly on these aircraft without thorough re-inspection, even if it means the aircraft have to be torn down. Companies that have already had Max’s delivered would be well advised to get going on a total re-inspection program, but not a single owner has yet announced they are doing so, and the lethargic FAA has not issued any Airworthiness Directives or Orders demanding a re-inspection before the planes can be deemed airworthy.
Boeing has to radically improve the quality of its inspections at the assembly line, and significantly change how it goes about determining that an airplane part or segment is air worthy. If the FAA were actually doing its job, it would review Boeing’s quality control system and make sure it is adequate to the task. There is no indication that the FAA is doing it, despite Boeing’s rather late in the day “alarm,” and as noted here, the FAA is yet to demand re-inspection of these aircraft.