A Technical Overview of the 737 MAX Failures

Note: this is an older post from a previous blog of mine. If you see any linking errors, that’s why!

Image Credit: Bloomberg

This is not a “who did what,” or “what caused the crashes.” This is simply a technical explanation for what happened in the cockpit and leading up to these flights. While I may personally point blame, that is not the point of this post. I simply want to educate on some of the technology used in the 737 MAX series, and how this new tech was involved in the crash.

A brief history of the 737

The 737 started service in 1969, as a short-to-mid-range passenger jet boasting 1500 miles of range. It received 30 orders of the -100 variant, before quickly being outpaced by the nearly one thousand orders of the -200 variant.

What is a variant, you might ask? Think of it this way: You know how cars have model years? For example, the 2019 Ford Fusion is an upgraded version of the 2018 “variant?” It’s similar with planes. However, because they are much larger, and take more time to build, they instead classify variants by an obscure naming scheme that the company decides - much like how there are many video games that go “original,” followed by “2,” followed by “5,” followed by “1.” Suffice it to say the -200 is the “upgraded” form of the -100.

Plane junkies will kill me for that last sentence, because it’s not technically correct, but it’s good enough for now.

Whenever an aircraft model enters service in the USA, it must receive a type rating. What is a type rating? Essentially, it is an official training classification. Certification in a type rating means you can fly all the aircraft with that same type rating - usually specified by manufacturer, and then by model of the aircraft. If you are certified for the 737 “type rating,” it means you can fly any 737 in existence.

And therein lies the problem.

The original 737 was certified under the 737 type rating, from back in 1968. It had a cockpit filled with steam gauges, those little rotary dial things that nobody actually knows how to read anymore.

Image credit: airliners.net

Notice how that looks very different from modern day aircraft. It’s almost like it’s from the ’60s.

The 737 type rating is derived from this original aircraft. Every pilot that flies the 737 today is certified to fly any 737, including the original -100. Fun fact: nobody worth their salt flies anything earlier than a -600 in the USA. There are approximately 20 aircraft of the -500 variant or older in service in the United States.

What is a type, you may ask? A type is literally a “type” of aircraft. A 737 is a type, along with a 747, an A380, or a little Cessna.

Why type ratings are important

When a company purchases an aircraft, they need to have pilots to fly it. In order to fly in the USA, pilots are legally required to be adequately trained on the aircraft, according to the individual aircraft’s certification program. So where do they draw the line between two different aircraft? For starters, you don’t want somebody that just learned to fly those tiny little prop aircraft to be flying a jumbo jet. But at the same time, every single aircraft cannot have its own type rating. Why? Every pilot needs to be trained in the aircraft’s type rating in order to fly it.

Certifying a pilot to fly a type can cost in the realm of tens to hundreds of thousands of dollars. A balance needs to be struck between low cost and ensuring all pilots are properly trained in every aircraft they fly. The creation of type ratings is important because it allows pilots to fly a type “at will.” It means that a pilot who is certified for the 737 that flew with American Airlines can start flying the same type with United, repeating as little training as possible. Not to mention, the simulators the pilots train in cost on the order of tens of millions of dollars apiece.

Granted, it is slightly more complex than this, however, for the purposes of this post, the above description will suffice.

These type ratings are a necessary part of aviation, for two reasons. One: it allows pilots to change companies at will, allowing there to be more competition in the job market for airlines. Two: the cost, as mentioned before. But not only the cost of training - pilots need to be paid while they’re being trained, and a pilot that can’t fly is essentially just someone you pay to exist. Good deal, though, if you can pull it off.

So why does a type rating matter?

Well, let’s look at an example. Say the 737 gets upgraded, as it has been many times before. If the aircraft’s fuselage is made slightly longer, but no other changes are made, does it need a new type? As much as one could say yes, because a “major change” was made to the aircraft, the general consensus among the aviation community is no, mainly because the cost of retraining is hard to justify when nothing changes in what the pilot would actually do in the aircraft.

A type rating changes when switches, buttons, or levers in the cockpit change.

Usually. It’s complicated.

You see, because the 737 has been upgraded so incrementally over time, there was no clear cutoff between when it transitioned from the “old” aircraft to the “new” one. Of course, we can look back and say “the -600 was too far an upgrade for the -500, so let’s give it a new type.” However, the lawyers and airlines don’t like that. New type rating means lots of money to spend, meaning airlines don’t buy the planes, meaning Boeing doesn’t sell their brand new aircraft. And it’s not just selfish reasons to want to upgrade the planes and sell more - for example, when new safety features are added to the aircraft, does that mean it needs a new type rating? But what about all the old aircraft? They don’t have the safety feature - do we really want it to be that expensive to make the fleet safer?

The fun bit is when lawyers get involved. The new 737 variant will get approved to fly under the old type rating, even though it is moderately different. When the next variant gets released, the lawyers tell the FAA:

But the aircraft is so minorly different from the current type rating! It doesn’t need a whole new certification process!

But where did the current type rating come from? The upgrade that made the previous aircraft. And where did that type rating come from…?

Unfortunately, it’s not always cut and dry

As I’ve shown, it’s really not a simple issue to solve. Hindsight is 20/20, but unfortunately, legal matters are pi over triangle. What do I mean? Exactly.

For an exercise in thought, try to think of every perspective involved. If you wanted to go out and buy a new car, you wouldn’t want to have to take another driver’s test just for that car, would you? But then again, knowing how the car functions could make you a safer driver. The government, police, healthcare services, and insurance companies like safe drivers. But if driving safely costs you tens of thousands of dollars extra per car, would drivers buy that car? If nobody buys the car, the company that makes it realizes they can’t make the car require a new driver’s test. But what if they want to give new features to the car?

What tends to cause a “new” type rating to be required is a difference in the aircraft’s procedures. For example, the movement of buttons and switches - if the engine starters move from right in front of the windshield to be over the First Officer’s head, that means a new procedure is needed.

So, in order to share the type rating, the procedures need to be kept identical. And it’s not for purely selfish reasons - if the aircraft requires a new type rating, they literally won’t be able to sell it to airlines, at all, as I’ve already talked about. Also, any pilots that fly the old aircraft would have a hard time transitioning to the new one, so even if the airlines wanted the plane, it’s possible nobody could fly it. However, if no upgrades to any aircraft design were ever made, the rate of accidents would be far higher today than it currently is. Safety in aviation learns through its accidents, and change helps.

One of the main examples of why this gets a little bit funky is the fuel cutoff switches on the throttle quadrant.

Think of a fuel cutoff switch as literally a valve - open it, the engines get fuel. Close it, the engines don’t.

In the older 737s, along with many aircraft in service, it was a physical lever that would be pulled out, moved upwards, and then clicked into place, whereupon it would be hard to remove. This is because it is directly linked to the engine’s fuel feed.

But with newer aircraft, this is computerized for safety.

In the 777 and 787, these are electronic switches, which are essentially the pilot’s manual override. They can tell the engines when to not have fuel, or the pilots can leave it up to the computer - essentially setting it to “open.” Computerizing the process is to prevent fuel from being pumped in while the engine is off, stalled, on fire, etc.

It is also to manage flameouts and adverse starts. If the engine fails to start, it is automatically cooled down for a period of time, then the computer tries to restart the engine again. When the engine is cooling down, it really doesn’t want fuel. If it fails to restart more than a set number of times in a row, the computer will text the maintenance department of the airline, saying the engine has a problem, as well as including a readout of the sensor values.

This greatly increases safety, and is an unquestionably necessary and advantageous improvement on the aircraft.

But remember before how I said it’s a switch?

Yeah. They can’t make it a switch in the 737 without a new type rating. So it stays a lever. But it’s actually a switch. But it moves like a lever. Ish. But it doesn’t lock into place.

This very issue - the fuel cutoffs not locking into place, along with the lack of training on the new system - is suspected to be involved in the Ethiopian Airlines accident.

An open-ended question, harkening back to the discussion before:

At what point should one require new training for an upgraded aircraft?

There is no correct answer. But I encourage readers to try to come up with a solution themselves, and if they believe it could work, feel free to comment below, or send it to the FAA on their official site at faa.gov.

The real issue - the known-faulty Angle of Attack sensors

Let me explain a concept in physics.

There are two kinds of “pitch” values for an aircraft. The first one is the angle of the aircraft’s nose relative to the ground. The “real” pitch value.

The other is Angle of Attack, or AoA. This is the difference between the nose and the relative motion of the air around the aircraft.

For example, if an aircraft is flying at 20 degrees pitch, but is actually moving at an angle of 10°, this would result in a pitch of 20°, but an AoA of 10°.

Image credit: me

Alternatively, you can think of AoA kind of like drifting a car. The car moves “forward,” but is actually pointed to the side. The “straight ahead” for the car is not the same as the direction it is moving in. The difference between the direction of its motion and the direction it is pointing is comparable to the AoA.

To simplify it further, AoA is just the pitch of the air.

Sensor voting

On most aircraft, there are multiple redundant sensors for every possible parameter. There are redundant airspeed sensors (ever wonder what those spiky things coming out of the front of the nose and wings are?), fuel sensors, GPS receivers, the whole package. And with good reason.

What if you’re flying through the air, and suddenly a critical system, like an airspeed sensor, fails? You don’t want to be in a lot of trouble - you want to be safe.

In addition, most large passenger aircraft have redundant flight computers. These are the things that not only calculate the navigation parameters, but also parse the sensor data, and in the case of fly-by-wire systems, actually control the aircraft’s movements.

So when any single part of this system fails, the rest of the pieces all just collectively ignore the failing piece - much like one would ignore their drunk friend during a night out.

What’d you say? You want a taco? Yeah, yeah, alright, let’s get you in the car.

But what about the 737?

Well, long story short, they don’t do multiple AoA sensors. There are two sensors, but there’s a catch. Isn’t there always?

The aircraft has a system called the MCAS (Maneuvering Characteristics Augmentation System) that is designed to override the pilots if necessary to prevent an accident. This system is amazing - its addition to the fleet of aircraft ensures many incidents can never be repeated - a system like this in the ’70s could have saved hundreds of lives in multiple accidents, by preventing stalls, overspeeds, and dozens of other possible incidents.

The MCAS is fed data from a multitude of sensors to determine what it “should do.” Usually, you don’t even notice it’s there. It’s kind of like the collision avoidance systems in newer cars. You don’t ever really see it operating, except for when it saves your life. And then you’re thankful it exists.

One of the sensors this system relies on is the AoA sensor. That’s standard operation - it should have as much data as possible to keep the aircraft as safe as possible.

But the 737 is special. Even though it has two AoA sensors - which is not good to begin with - the MCAS only uses one of them.

The reason why using two sensors is bad to begin with: it doesn’t allow voting. If each of the two sensors gives wildly different data, it is impossible to determine which is correct. While one could guess at the correct sensor, you don’t want the lives of two hundred people to hinge on a guess. Having three sensors allows a majority to overtake the erroring minority, ensuring a constant reliable stream of data. I.e., two sensors saying the same value, with one of them saying something dumb. But what if one of the two remaining sensors fails? Well, then statistics hates you and a whale is about to fall on your plane.

The MCAS system is only wired into one of these two AoA sensors. If it goes wrong? Well, that’s too bad for you - the plane wants to nosedive.
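
As an added illustration (not part of the original post, and not Boeing's code), here is the voting argument above as a small C routine. The function names, the 5° tolerance and the sample readings are all constructed for this example; it shows what one, two and three sensors can each tell you when the first vane fails high.

```c
#include <stddef.h>
#include <stdio.h>

#define AOA_TOLERANCE_DEG 5.0 /* constructed threshold, not a real avionics value */

typedef enum { VOTE_OK, VOTE_DISAGREE, VOTE_UNCHECKED } vote_status;
typedef struct {
    vote_status status;
    double value; /* meaningful unless status is VOTE_DISAGREE */
    int faulty;   /* index of the outvoted sensor, or -1 if none identified */
} vote_result;

static double absd(double x) { return x < 0 ? -x : x; }

static double median3(double a, double b, double c) {
    if ((a <= b && b <= c) || (c <= b && b <= a)) return b;
    if ((b <= a && a <= c) || (c <= a && a <= b)) return a;
    return c;
}

/* n == 1: nothing to compare against, so the reading is passed through.
 * n == 2: a mismatch is detectable, but not which sensor is wrong.
 * n == 3: the median wins and a single outlier is identified and masked. */
vote_result vote_aoa(const double *s, size_t n) {
    vote_result r = { VOTE_DISAGREE, 0.0, -1 };
    if (n == 1) {
        r.status = VOTE_UNCHECKED;
        r.value = s[0];
    } else if (n == 2 && absd(s[0] - s[1]) <= AOA_TOLERANCE_DEG) {
        r.status = VOTE_OK;
        r.value = (s[0] + s[1]) / 2.0;
    } else if (n == 3) {
        double m = median3(s[0], s[1], s[2]);
        int bad = -1, outliers = 0;
        for (int i = 0; i < 3; i++)
            if (absd(s[i] - m) > AOA_TOLERANCE_DEG) { outliers++; bad = i; }
        if (outliers <= 1) { r.status = VOTE_OK; r.value = m; r.faulty = bad; }
    }
    return r;
}

int main(void) {
    const double vane[3] = { 74.5, 4.8, 5.1 }; /* constructed: vane[0] failed high */
    for (size_t n = 1; n <= 3; n++) {
        vote_result r = vote_aoa(vane, n);
        printf("n=%zu status=%d value=%.1f faulty=%d\n", n, (int)r.status, r.value, r.faulty);
    }
    return 0;
}
```

With one input the bad reading is passed straight through, with two the voter can only report a disagreement, and with three it masks sensor 0 and carries on with 5.1°.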

Harkening back to the remarks before about common type rating - the early 737s had no such system. Even current-day 737s don’t. Only the MAX series, which are just being delivered, have this system. Most of the pilots that fly the 737, because they were trained before the addition of MCAS, are unfamiliar enough with its function that it becomes a hindrance. Yes, MCAS can be disabled - but if you don’t know what MCAS does, how do you know where to begin to look to disable it?

Remember how I said they were known faulty?

Yeah. There are maintenance records in Boeing that showed that they broke a lot. Fun fact.

But it gets better

There is a system in place to determine if the two Angle of Attack sensors disagree with each other. Because the internal displays on the 737 are all digital now, it is a small notification to one side of the central display that literally says “AoA disagree.” Why didn’t the pilots originally look at it and notice there is an issue?

The light costs extra.

Seriously.

They didn’t buy the light.

Who’s at fault here?

In all seriousness, it’s a lot of issues that on their own are negligible. There is a specific quantity of pieces on an aircraft that are allowed to be broken while still being legally fit to fly. Maybe that list doesn’t reflect the importance of some systems? Maybe the techniques in the maintenance handbook to repair them were inadequate?

But really, the MAX series was rushed to market. Even before these accidents, the aircraft was visibly rushed through its prototyping stage, along with its flight worthiness checks.

There are a lot of things that could have been done better. No single person, company, or organization could really be blamed. If there is one thing to take away from this - the whole issue is very distinctly muddy.

This post is licensed under CC BY 4.0 by the author.