The Boeing 737 MAX Crisis: An Opinionated Guide to the Perplexed

Editors’ note: As indicated in the headline and article, the views expressed in this op-ed are those of the author’s and do not necessarily reflect the views of INFORMS.

How the mighty have fallen. Commercial aviation began in the United States with the flight of the Wright Brothers in 1903. In the ensuing century, U.S. airlines, aircraft makers and regulators were viewed as the embodiment of aviation safety. But things look different after the two recent crashes of new Boeing 737 MAX jets that took 346 lives. The old saying, “If it’s not Boeing, I’m not going,” has been replaced with the hashtag, “If it’s Boeing, I’m not going,” and the U.S. Federal Aviation Administration (FAA) was sharply overruled by safety authorities the world over when it hesitated to ground the MAX after the disasters.

But what reasonably can be said about the current crisis, which will have grounded the whole MAX fleet for six months by the time you read this? Here we consider several key questions and my own brief answers to them, with which not everyone will agree.

Is Boeing really as blameworthy for the crisis as everyone seems to think?

In a word, yes. In my judgment, Boeing has exhibited a shocking combination of incompetence and deceit and caused what is arguably the worst failure of analytic engineering in the 21st century.

Unlike some others, I don’t believe that anyone at Boeing intentionally put profits before safety. But I do believe that a rush to bring the MAX to market and the suppression of information about how the MAX differed from earlier 737s had the predictable effect of compromising safety, with tragic consequences.

As has been widely reported, the MAX included a new maneuvering characteristics augmentation system (MCAS) that automatically deployed when a single angle-of-attack sensor – correctly or not – detected the danger of a stall. MCAS strongly pushed the nose of the plane down, and pilots could not successfully countermand an erroneous activation unless they turned MCAS off. Astoundingly, Boeing told the airlines that bought the MAX virtually nothing about the existence of MCAS, let alone about the procedure to disable it. Pilots at American and Southwest Airlines – two of the world’s safest air carriers – were shocked and embittered that Boeing had previously concealed such vital information. Put bluntly, MCAS was directly responsible for two fatal crashes, Lion Air Flight 610 in Indonesia and Ethiopian Airlines Flight 302.

Why did Boeing initially say nothing about MCAS? It is not that the single sensor almost never gave false alerts; at least 216 such errors have been reported to FAA since 2004 [1]. And the dependence on one sensor violates the principle of redundancy, under which no single failure can cause the loss of the aircraft. Weirdly, Boeing argued that redundancy did exist: the pilots were the backup system that would disable an improperly deployed MCAS. In other words, Boeing depicted pilots who were not even told of the existence of MCAS as the ultimate guarantors of its safety!

Indicative of Boeing’s sloppy development of the MAX is a cockpit light that didn’t work. There were two angle-of-attack sensors on the MAX, one of which did not affect MCAS. Boeing devised a cockpit warning light that would come on if the two sensors gave highly divergent readings. Whether knowing this could help pilots who weren’t told how MCAS works is not clear. In any event, a production error meant that the light that was supposedly a standard feature of the MAX could never come on, except when the airline customer bought some optional equipment. Boeing discovered the error in 2017 but saw no reason even to mention it to the airlines until after the first MAX crash a year later. How does that make sense?

Now Boeing is supposedly fixing the problems with MCAS, though some aspects of the overhaul are puzzling. The deployment of MCAS will no longer be based on a single angle-of-attack sensor; it will instead depend on two of them and, if one detects a dangerous tilt while the other does not, the technology will not deploy. But what if the erroneous sensor is the one that says things are normal? Is the “false negative” rate of the sensors so small that this possibility can be neglected? Given Boeing’s mishandling of false positive rate, its skill in estimating risk parameters cannot be taken for granted. More prudent is the policy followed by Airbus, which generally uses three sensors and goes with the majority when there is disagreement.

Wait. Did Boeing ever conduct a cost-benefit analysis of moving to the three-sensor system? Given that the feature is standard on Airbus planes, it is far from obvious that having three sensors is infeasible or prohibitively expensive. And if the MAX were to suffer yet a third crash because of the performance/nonperformance of MCAS, the consequences would be staggering. What a calamity if Boeing never conducted such an analysis. And how unnerving if it did perform the analysis and quickly concluded that three sensors were too expensive.

What about the role of the FAA?

Here the picture is mixed. It has certainly been established that the FAA exercised only weak oversight over Boeing in the development of the MAX, and that it virtually abdicated a supervisory role with respect to MCAS. Its reluctance to ground the MAX after the second crash in Ethiopia was, in my view, arrogant and indefensible. But more recently it has played a constructive role.

In the first days after the Ethiopian crash, virtually every nation in the world except the United States banned MAX operations within its borders. But the FAA resisted, stating, “. . . we have not been provided data to draw any conclusions or take any actions” (italics mine). It suggested that the rest of the world was reacting emotionally rather than rationally to the disasters and indicated that evidence linking the two crashes was a necessary condition for grounding. Only when satellite data tied MCAS to both disasters did FAA join the worldwide consensus.

Did the FAA’s insistence on “data” reflect careful reasoning or its opposite? It helps to consider two extremes. If a new aircraft type enters service and two planes crash the first day, no one in their right mind would say that “we lack the data to justify grounding.” Yet if thousands of planes of a given type have flown for many years without incident, it would be excessive to ground the plane at the first mysterious crash. As safety authorities the world over rightly recognized, the MAX record was far closer to the low end of this spectrum than the high one. Perhaps these safety authorities were influenced by some other data: As of March 2019, the death risk to passengers who flew the MAX was more than 25 times as high as the worldwide air-passenger death risk from all causes combined over 2008-2017 (approximately 1 in 300,000 versus 1 in 7.9 million).

Actually, it’s not clear why the FAA focused on whether the two crashes were linked. Would it not have been far worse if the Ethiopian MAX crashed for a completely different reason from the Indonesian plane, which would mean that taming MCAS would not have reduced the danger?

The most recent developments, however, reflect more favorably on the FAA. It was an FAA test pilot who discovered a software flaw that could make it harder for MAX pilots to recover from an erroneous MCAS deployment. A remedy for that shortcoming is to be part of the MAX’s repair package. Here the FAA is making a tangible contribution to the ongoing safety overhaul, thereby benefitting MAX users throughout the world.

Also, the FAA has apparently abandoned any thought of approving the resumption of MAX flights before its sister agencies overseas are ready to do so. The FAA was the last to ground the MAX, and it hesitated for reasons that were widely rejected. If it were to be first to “unground” the MAX, there could well be widespread fear that it had once again conducted a defective risk analysis. Waiting for the regulators in Europe and China might cause some grumbling among FAA officials but, in terms of both appearance and substance, it is the right thing to do.

Did the pilots fail to avert disaster because they lacked adequate skill?

Boeing and others have assigned the pilots of the two MAXs that crashed a prominent link in the chain of misfortunes that led to disaster. As best as I can tell, it is far more reasonable to treat these pilots as innocent victims of Boeing’s colossal errors.

Boeing’s defenders/apologists have correctly noted that the night before the Lion Air crash, the same failed sensor caused MCAS to deploy, but the pilots managed to deactivate it. The obvious implication was that skillful pilots could counteract an errant MCAS. But this narrative is misleading, because the earlier pilots first made several unsuccessful attempts to regain control, and only then managed through “a shot in the dark” [2] to disarm MCAS using a procedure that Boeing had recommended for a different problem. That the pilots of Flight 610 did not likewise guess correctly in a startling and incomprehensible situation does not signify incompetence. Before Flight 610 crashed, its pilots fought hard against MCAS, raising the nose two dozen times before the system overpowered them. Given what Boeing had told them about MCAS (i.e., nothing), they didn’t really stand a chance.

After the Lion Air crash, Boeing finally described MCAS and indicated how to turn it off. Yet Ethiopian Airlines Flight 302 crashed because of MCAS four months later. However, far from ignoring Boeing’s advice on how to cancel a false deployment, the pilots managed to turn MCAS off. But they could not arrest the downward movement of the plane. In apparent desperation, they turned some electrical circuits back on, which restarted MCAS. The plane plunged to earth after six minutes aloft, killing all 157 people on board.

Some critics have asserted that the Ethiopian pilots unaccountably failed to slow the plane down after turning MCAS off, making the plane uncontrollable. Other pilots, however, have argued that attempting to do so would have been very dangerous in itself. I myself lack the knowledge to referee this debate, but Captain Chesley Sullenberger – the hero of the Miracle on the Hudson – does not. Testifying before Congress, he strongly rejected the suggestion that the pilots were to blame for the MAX crashes. Similarly, the head of the American Airlines pilots’ union concluded that MCAS “left the pilot with no ability to regain control of the aircraft if it went to the full limit,” as happened on Flight 302. Cynics might say that “these guys are pilots, so of course they will side with the MAX pilots.” I assume, however, that these men epitomize such integrity and expertise that their judgments deserve great weight.

Will passengers hesitate to fly the MAX once it returns to service?

I believe that the answer is essentially no. I think little attention should be paid to surveys suggesting that many travelers will avoid the MAX for years. After a doctor was dragged off a United Airlines flight, surveys indicated a major boycott of United flights; in reality, the boycott was so small as to be statistically undetectable. The DC-10 jet was grounded in 1979 after 273 people died in a horrendous crash in Chicago; six months after the crash, however, there was no empirical evidence of DC-10 avoidance [3]. Furthermore, if passengers started to book away from MAX flights, revenue management systems would raise fares on other flights while lowering those on the MAX, creating a counterpressure to the tendency.

A Final Thought

Boeing is a company with a spectacular history and a capacity to learn from this “teachable moment.” In time, I imagine that its MAX crisis will be viewed as an aberration. The FAA will probably get more inquisitive during aircraft certification and more respectful of the views of its counterparts abroad. Still, this story cannot end with the words “happily ever after.” Not after two horrible tragedies and 346 needless deaths.

References

1. Devine, C. and D. Griffin, 2019, “Boeing Relied on Single Sensor for 737 Max That Had Been Flagged 216 Times to FAA,” CNN Investigates, https://www.cnn.com/2019/04/30/politics/boeing-sensor-737-max-faa/index.html.
2. See Campbell, D., 2019, “The Many Human Errors that Brought Down the Boeing 737 Max,” The Verge (May 2), https://www.theverge.com/2019/5/2/18518176/boeing-737-max-crash-problems-human-error-mcas-faa.
3. Barnett, A. and A.J. Lofaso, 1983, “After the Crash: The Passenger Response to the DC-10 Disaster,” Management Science, Vol. 29, No. 11, pp. 1225-1236.