In Test of Boeing Jet, Pilots Had 40 Seconds to Fix Errorwww.nytimes.comThey had just moments to override an automated system and avert disaster in simulations of problems with the Lion Air plane that crashed last fall.
During flight simulations recreating the problems with the doomed Lion Air plane, pilots discovered that they had less than 40 seconds to override an automated system on Boeing’s new jets and avert disaster.
The pilots tested a crisis situation similar to what investigators suspect went wrong in the Lion Air crash in Indonesia last fall. In the tests, a single sensor failed, triggering software designed to help prevent a stall.
Once that happened, the pilots had just moments to disengage the system and avoid an unrecoverable nose dive of the Boeing 737 Max, according to two people involved in the testing in recent days. Although the investigations are continuing, the automated system, known as MCAS, is a focus of authorities trying to determine what went wrong in the Lion Air disaster in October and the Ethiopian Airlines crash of the same Boeing model this month.
The software, as originally designed and explained, left little room for error. Those involved in the testing hadn’t fully understood just how powerful the system was until they flew the plane on a 737 Max simulator, according to the two people.
Compounding the flaws, pilots received limited training about the system before the first crash. During the final minutes, the captain of the Lion Air flight flipped through a technical manual trying to figure out what was happening.
In a tacit acknowledgment of the system’s problems, Boeing is expected to propose a software update that would give pilots more control over the system and make it less likely to trigger erroneously, according to three people, who spoke on the condition of anonymity to describe the private meetings.
There are common procedures in place to counteract MCAS, as currently designed. If the system starts pushing the plane’s nose down, pilots can reverse the movement via a switch at their thumb, a typical reaction in that situation. In doing so, they can potentially extend the 40-second window, giving them more time to avoid a crash.
To fully neutralize the system, pilots would need to flip two more switches. That would shut off the electricity to a motor that allows the system to push the plane toward the ground. Then the pilots would need to crank a wheel to correct whatever problems had emerged.
The pilots, in the simulations, followed such procedures to successfully shut off the system and land safely. But they did so with a far better understanding of how it worked and prior knowledge that it would be triggered — benefits that the pilots of the fatal 737 Max crashes did not have.
If pilots don’t act hastily enough, attempts to disable the system can be too late. In the Lion Air crash, pilots used the thumb switch more than two dozen times to try to override the system. The system kept engaging nonetheless, most likely because of bad readings from a sensor, until the plane crashed into the Java Sea, killing all 189 people on board.
John Cox, an aviation safety consultant and a former 737 pilot, said pilots are highly likely to use the thumb switch to extend the 40-second window to several minutes. But that may still not be enough time to diagnose and solve the problem, especially if the pilots, like the Lion Air crew, were not informed of the system.
“There is a limited window to solve this problem, and this crew didn’t even know that this system existed,” he said.
A Boeing spokesman said that existing procedures for flying the 737 Max include how to respond to similar conditions. The spokesman added that Boeing had reinforced those procedures in a bulletin to pilots after the Lion Air crash.
“Our proposed software update incorporates additional limits and safeguards to the system and reduces crew workload,” the spokesman said in a statement.
The new software system was designed to be a safety feature, operating in the background to help avoid a stall. Taking data from a sensor, the system would engage if the nose of the jet was too high. It would then push down the nose of the plane to keep it from stalling.
In the current design, the system engages for 10 seconds at a time, with five-second pauses in between. Under conditions similar to the Lion Air flight, three engagements over just 40 seconds, including pauses, would send the plane into an unrecoverable dive, the two people involved in the testing said.
That conclusion agreed with a separate analysis by the American Airlines pilots’ union, which examined available data about the system, said Michael Michaelis, the union’s top safety official.
One of the people involved in the training said MCAS was surprisingly powerful once tested in the simulator. Another person found the system controllable because it was expected. Before the Lion Air crash, Boeing and regulators agreed that pilots didn’t need to be alerted to the new system, and training was minimal.
At least some of the simulator flights happened on Saturday in Renton, Wash., where the 737 Max is built. Pilots from five airlines — American, United, Southwest, Copa and Fly Dubai — took turns testing how the Max would have responded with the software running as it was originally written, and with the updated version, known as 12.1.
In the simulations running the updated software, MCAS engaged, though less aggressively and persistently, and the pilots were also able to control the planes.
Boeing’s software update would require the system to rely on two sensors, rather than just one, and would not be triggered if the sensors disagreed by a certain amount, according to the three people. Given that the 737 Max has had both sensors already, many pilots and safety officials have questioned why the system was designed to rely on a single sensor, creating, in effect, one point of failure.
The update would also limit the system to engaging just once in most cases. And it would prevent the system from pushing the plane’s nose down more than a pilot could counteract by pulling up on the controls, the three people said.
In conversations with pilots and airline officials over the weekend, Boeing executives didn’t directly address why MCAS was designed with such flaws, one person with direct knowledge of the meetings said. Instead, the company stayed focused on the software update, the person said.
The software changes still require approval by the Federal Aviation Administration. Pilots’ unions have said they are comfortable with the proposed changes but want to review them before making a decision. Pilots will be required to complete a training on the updated system on their iPads.
)
