The saga of Boeing’s 737 MAX serves as a case study in engineering incompetence, and in engineering ethics – or the lack thereof.
New details have emerged about the competitive pressures placed on Boeing 737 engineers as the aircraft manufacturer scrambled to fend off defections by major U.S. airlines to rival Airbus. The European consortium was challenging Boeing’s flagship product with its upgraded A320neo. According to reports, U.S. carriers like American Airlines were preparing to switch to the longer-range Airbus model.
Boeing responded with what it claimed was an upgraded version of its workhorse 737 equipped with a larger CFM LEAP engine providing longer range and greater fuel efficiency. The larger engines required Boeing engineers to place them far ahead of the wing leading edge to achieve ground clearance.
In order to accommodate the newer, larger engines, Boeing elected to move them farther forward on the wing. This change in design also changed the aerodynamics of the craft. To compensate, Boeing added a single sensor and a software fix: MCAS. (Source: Boeing)
That design decision meant the 737 MAX would tend to pitch up while accelerating or when the aircraft experienced a high angle of attack – the angle between the wing and the direction of flight. The proposed solution to the pitch-up problem—and a means of achieving flightworthiness certification—was a software system called MCAS.
Critics assert the engine placement effectively made the 737 MAX series a fundamentally different aircraft with different handling characteristics requiring new operational software and pilot training. The re-certification process Boeing sought to avoid for competitive reasons would have been lengthy and expensive.
In essence, these critics say, Boeing’s response to the challenge posed by Airbus was bumping passenger safety to a middle seat in economy class while financial considerations were upgraded to First Class. Boeing denies this.
Among Boeing’s critics is Gregory Travis, a veteran software engineer and experienced, instrument-rated pilot who has flown aircraft simulators as large as the Boeing 757. Travis posted a damning critique of the 737 MAX fiasco last week that concluded: “It is likely that MCAS, originally added in the spirit of increasing safety, has now killed more people than it could have ever saved. It doesn’t need to be ‘fixed’ with more complexity, more software. It needs to be removed, altogether.” (Travis is sharing his evaluation as a Google Doc, located here.)
Boeing 737 Max: Is Automation at Fault?
In an interview, Travis said, “the most baffling thing to me is how this possibly could have happened” to a commercial aircraft with a long history of safety and reliability and built by a company with a sterling reputation for hardware engineering.
Travis is unequivocal in his assessment of the Boeing 737 MAX. “It’s a faulty airframe. You’ve got to fix the airframe [and] you can’t fix the airframe without moving the engines” back and away from their current position.
The root problem with the engine-forward design is “once this thing pitches up, it wants to keep pitching up,” said Travis. “That’s a big no-no,” he continued, because pitch-up on an aircraft increases angle of attack.
Thus MCAS was born, implemented in the 737 MAX flight computer software. MCAS was designed to correct for what turned out to be a deadly design flaw by pitching the nose down based on data from a single angle-of-attack sensor. Travis insists that the pilots of the two fatal 737 MAX flights could not have overridden the system no matter how hard they pulled on the yoke. The only way the system could be overridden was by hitting a circuit breaker that should have been prominently displayed among the 737 MAX controls.
Boeing has attached larger engines to a frame that has not changed in size. With this latest version, the new engines barely clear the runway on takeoff. (Source: Boeing)
Boeing offered the single angle-of-attack sensor as standard equipment, and charged extra for a second along with a “disagree” indicator that would allow 737 MAX pilots to “cross-check” a faulty sensor. Citing those decisions, another observer noted: “Who would design a system with a single point of failure?”
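The single-point-of-failure argument above can be made concrete with a short added illustration, which is not Boeing's code and not taken from Travis's analysis: it compares a controller that trusts one angle-of-attack reading with one that cross-checks two and inhibits itself on disagreement. All thresholds, function names and sample readings are hypothetical values constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical values chosen for illustration only; none come from the page. */
#define AOA_TRIGGER_DEG   14.0    /* angle above which automation acts   */
#define AOA_DISAGREE_DEG   5.5    /* largest tolerated split between sensors */
#define AOA_MIN_DEG      (-30.0)  /* plausible physical range            */
#define AOA_MAX_DEG       40.0

typedef enum { CMD_NONE, CMD_NOSE_DOWN, CMD_INHIBIT_DISAGREE } trim_cmd;

/* A NaN reading fails both comparisons, so it is rejected as implausible. */
static bool plausible(double aoa_deg) {
    return aoa_deg >= AOA_MIN_DEG && aoa_deg <= AOA_MAX_DEG;
}

/* Single-sensor design: one reading is trusted unconditionally. */
trim_cmd decide_single(double aoa_left) {
    return aoa_left > AOA_TRIGGER_DEG ? CMD_NOSE_DOWN : CMD_NONE;
}

/* Cross-checked design: act only when both sensors are plausible and agree;
 * otherwise fail safe by inhibiting automation and flagging the disagreement. */
trim_cmd decide_cross_checked(double aoa_left, double aoa_right) {
    if (!plausible(aoa_left) || !plausible(aoa_right))
        return CMD_INHIBIT_DISAGREE;
    double diff = aoa_left > aoa_right ? aoa_left - aoa_right
                                       : aoa_right - aoa_left;
    if (diff > AOA_DISAGREE_DEG)
        return CMD_INHIBIT_DISAGREE;
    /* Use the lower reading so one sensor drifting high cannot trigger alone. */
    double aoa = aoa_left < aoa_right ? aoa_left : aoa_right;
    return aoa > AOA_TRIGGER_DEG ? CMD_NOSE_DOWN : CMD_NONE;
}

int main(void) {
    /* Constructed sample readings: {left, right} in degrees. */
    const double samples[][2] = {
        {  3.0,  3.4 },   /* normal flight                  */
        { 16.0, 15.2 },   /* genuine high angle of attack   */
        { 22.5,  3.1 },   /* left sensor has failed high    */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("L=%5.1f R=%5.1f single=%d cross=%d\n",
               samples[i][0], samples[i][1],
               decide_single(samples[i][0]),
               decide_cross_checked(samples[i][0], samples[i][1]));
    return 0;
}
```

On the third sample the single-sensor path commands nose-down from the failed reading alone, while the cross-checked path refuses to act and reports the disagreement.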
EE Times provided Boeing a PDF-format copy of Travis’s analysis of the 737 MAX design and his conclusion that the manufacturer proposed to solve an airframe problem with MCAS as a less expensive way to achieve federal certification.
A Boeing spokesman declined to comment, citing the ongoing investigations into the Lion Air and Ethiopian Airlines crashes. We were referred instead to Boeing’s few public statements about the 737 MAX crashes.
Ultimately, Travis also bemoans what he calls “cultural laziness” within the software development community that is creeping into mission-critical systems like flight computers. “By laziness, I mean that less and less thought is being given to getting a design correct, and simple – up-front,” he wrote. “What needs to happen, I think, is for liability to accrue where it is generated.”
Incompetent or Unethical?
Whether the cautionary tale of Boeing 737 MAX is a question of ethical engineering – doing things right the first time, making damned sure mission-critical systems work with five nines (99.999 percent) or higher reliability with built-in redundancy – remains an open question.
“It may just be engineering incompetence,” Travis concludes.
That, or economic and competitive pressures that led Boeing to effectively conceal the existence of MCAS as a way to avoid a lengthy recertification process for the 737 MAX, a process requiring extensive pilot retraining on expensive new simulators. All would have raised the unit cost of each aircraft by millions of dollars, Travis noted, thereby reducing Boeing’s chances of competing with the Airbus A320neo.
The Boeing 737 MAX tragedies also recall the engineering decisions that led to the shuttle Challenger disaster in 1986 and the Apollo 1 fire in 1967. Boeing’s haste in responding to the Airbus challenge reminds Travis and others of the group-think curse called “Go Fever” during Project Apollo that eventually killed the crew of Apollo 1 during a launchpad simulation. In that case, crew safety was sacrificed in the name of schedule.
Boeing’s engineering decisions while hastily developing the 737 MAX have ultimately resulted in the deaths of 347 people.
Travis expects one of two possible outcomes for Boeing. “I see a scenario where they don’t sell any more of these planes.” More likely, he continues, is an announcement in coming days that the aircraft maker is fixing the MCAS software to handle inputs from multiple angle of attack sensors.
Either way, Travis concludes, “Software [now] stands between man and machine.”