On October 29, 2018, a nearly brand new Boeing B737-8 operated by Indonesia’s Lion Air as Flight JT610 crashed into the sea shortly after takeoff from Jakarta, killing all 189 passengers and crew aboard. On November 7, 2018, the Federal Aviation Administration (FAA) issued an emergency airworthiness directive (AD 2018-23-51) requiring all operators of B737-8 and -9 airplanes to modify their operating procedures. That’s eight days between crash and reaction; light speed given the FAA’s usual snail’s pace when it comes to regulatory action.
One had to know where to look to find this AD (www.faa.gov/aircraft/safety/alerts/) because its issuance was not accompanied by a public announcement or press release from a suddenly energized FAA. Maybe not surprising, as the FAA provided the certification on March 9, 2017, giving the go-ahead for the B737-8 and -9 series to be operated worldwide, and flown by pilots of average skill. Certification is the blessing from on high, the final approval for an airplane to enter full-rate production and to be sold or leased to airlines. Without FAA certification, the design wouldn’t go anywhere. We may presume the FAA’s quietness reflects that of a collective guilty conscience. Maybe, and probably based on past experience, the FAA was too cozy, too trusting, and too casual in granting manufacturer Boeing the critical and much-coveted certification certificate. Certainly Boeing has a lot at stake, with 4,700 orders worldwide for the new MAX family of B737-8/-9 airplanes (about 200 already are operated by U.S. airlines).
Although the Indonesian National Transportation Safety Committee’s investigation is only in its early stages, with a final report issued at least a year hence, it appears that one of the airplane’s three nose-mounted angle of attack (AOA) sensors malfunctioned, based on a preliminary readout from the flight data recorder recovered from the undersea wreckage. These sensors provide critical airplane attitude information, respectively, to the captain’s primary flight display (PFD), the first officer’s PFD, and to a standby instrument (which is used by the flight crew in the event of the failure of the first two PFD’s).
What is clear is that the FAA has pronounced a problem with sensing AOA. According to the Emergency AD, an “unsafe condition” exists based on “analysis performed by the manufacturer” showing that:
“(When) an erroneously high single angle of attack (AOA) sensor input is received by the flight control system, there is a potential for repeated nose-down trim commands of the horizontal stabilizer. We are issuing this AD to address this potential resulting nose-down trim, which could cause the flight crew to have difficulty controlling the airplane, and lead to excessive nose-down attitude, significant altitude loss, and possible impact with terrain.” (Italics added)
A few comments are necessary here:
► The FAA directive basically incorporates wholesale verbiage sent November 6 by Boeing to its B737-8/-9 customers regarding procedures for pilots to follow in the event of an uncommanded nose down maneuver . Boeing’s notice, Flight Crew Operations Manual Bulletin (FCOM) Number TBC-19, was for information purposes. The FAA’s emergency AD makes the action mandatory, but it only applies to U.S. operators. Besides which, if the FAA is simply in the business of copying manufacturers’ bulletins, there is something seriously amiss here regarding regulatory oversight. If Boeing had not issued its FCOM Bulletin, would the FAA have done anything? Surely, FAA bureaucrats can do better than plagiarize.
► Smooth airflow over the top of the wing is necessary for lift. Angle of attack is the measure of the wing’s incidence to the surrounding airflow. If AOA is too high, the airflow separates from the curvature of the wing’s upper surface and becomes turbulent, resulting in a loss of vital lift. The immediate corrective is to drop the nose, reducing AOA and increasing lift. This is done through the tail mounted horizontal stabilizers.
► While the airplane is equipped with three AOA sensors, if a single sensor generates a false reading, the flight control computer will automatically issue repeated commands to drop the nose. If the false readings of AOA persist, the computer will repeatedly issue nose-down commands. Correct readings from the other two AOA sensors will be ignored.
► The airplane experienced repeated instances of incorrect nose-down pitch commands in the two days before the crash. The number of such instances in the worldwide fleet remains unknown.
► Even if the pilot attempts action through the control yoke to hold the correct attitude, the computerized system will override and continue to issue commands to drop the nose. It does this because the faulty AOA sensor transmits readings of an approach to stall situation, which means the cessation of flight-sustaining lift. Dropping the nose is the most expedient means of restoring lift (even if none has been lost — remember, a falsely reading AOA sensor).
► If two of the three AOA sensors are providing correct readings, the computer apparently ignores them, paying myopic attention to the one faulty input.
► At this juncture, it should be noted that the FAA preaches the gospel of redundancy — multiple load paths in structure, a doctrine that could just as easily apply in the design of avionics by reconciling the measures from three AOA sensors to establish a given reading. In this case, the software could ignore the one false reading of AOA and go with the two other readouts that are in agreement. Result, no mysterious (to the pilots) nose-down pitch.
► This airplane was approved by the FAA for routine flight duty on the basis of redundancy, when in truth there appears to be nil redundancy in measuring AOA. One wrong reading overwhelms two correct readings. One would assume the software would poll all three AOA sensors and throw out the deviant reading, always opting for the majority view.
► For the pilots, instead of “difficulty” maintaining desired control, an extremely difficult and subtle situation occurs — the pilots are dealing with a computer that has inexplicably lost its mind.
► Impact with “terrain” is the final insult to injury here, a thinly-veiled diversion of attention from Flight JT610s impact with the water (let the record reflect that two-thirds of the world’s surface is covered with water). The “analysis” performed by Boeing occurred after Flight JT610’s fatal impact with water, and was not some routine high level review conducted recently at leisure.
The second part of the emergency AD calls on operators to promptly modify their B737-8 and -9 flight manuals to feature the following verbiage:
Disengage autopilot and control airplane pitch attitude with control column and main electric trim as required. If relaxing the [control] column causes trim to move, set stabilized trim switches to CUTOUT. If runaway continues, hold the stabilized trim wheel against rotation and trim the airplane manually.
Note: The 737-8/-9 uses a flight control computer command of pitch trim to improve longitudinal handling characteristics. In the event of erroneous Angle of Attack (AOA) input, the pitch trim system can trim the stabilized nose down in increments lasting up to 10 seconds.
In the event of an uncommanded nose down stabilizer trim … [ensure] that the STAB TRIM CUTOUT switches … stay in the CUTOUT position for the remainder of the flight.”
Again, some salient comments:
► “Runaway” stabilizer means the trim tabs on the horizontal stabilizer at the tail of the airplane could move to the full up or full down position. If uncorrected, the airplane could climb or dive. “Runaway” means the airplane is out of control absent timely pilot intervention.
► The trim wheel is located on the center console between the two pilots. CUTOUT may be insufficient and the wheel must be forcibly and physically restrained by the pilots This is the expedient blessed by the FAA for a recently certificated and high technology airplane.
► “Improving” handling characteristics may be a misnomer; the whole idea is to forestall the wings from stalling.
► The computerized trim system will command nose down in “increments” lasting up to 10 seconds; in aviation, 10 seconds can often spell the difference between life and death. Note that “increments” suggest repeated attempts to drop the nose, each lasting as long as 10 seconds. Since we are dealing with a single rogue AOA sensor, continued bad lone readings seem likely to provoke multiple 10 second bouts of inappropriate stabilize trim (unless the pilots are forcibly restraining the trim wheel, assuming they have correctly divined the problem associated with the trim wheel’s movement in the first place). The accident pilots, Captain Bhavye Suneja and First Officer Harvino, did not have the benefit of the post-crash guidance issued by Boeing.
In the emergency AD, operators were given three days to incorporate the new runaway stabilizer information in their airplane flight manuals. So let’s see, the FAA apparently was blithely unaware of the hazard throughout the months of certification trials, testing and whatnot but, caught by surprise, operators are enjoined to comply immediately.
No mention that pilots must have assimilated this new guidance in the same time frame. No mention of how much time is allowed for carriers to add the new guidance to their simulator training for pilots.
Not a word about an FAA-conducted review of the (apparently) non-voting software which allows one of three inputs of AOA to dominate, even if its readings are wrong. Such a review, and resulting software changes, seem to be of primary urgency. So much for the safety inherent to redundancy the FAA extols. It is supremely ironic that software lodged in the flight control computer intended to enhance safety may have led to nose-down pitch commands that contributed centrally to this fatal crash. How this software was approved gets back to the procedures — or lack thereof — by which the FAA certified the new B737 MAX family of highly computerized airplanes.