On October 28, 2018, thirteen minutes after takeoff, a Boeing 737 Max 8 airliner, operated by Lion Air, an Indonesian company, dove into the Java Sea, off the coast of Indonesia, killing all of the 189 people on board. Several experienced pilots who had flown these planes had expressed concern about them, and stated that they had not been told about certain problems. Even after this tragic event, Boeing was able to persuade the FAA (Federal Aviation Administration) to not prohibit further Max 8 flights. On March 10, 2019, another Max 8 crashed, under similar circumstances, 6 minutes after takeoff from Addis Ababa, Ethiopia, killing the 157 people on board.
The basic problem with the Boeing 737 Max 8 airliner, a twin-engine airplane, involves the engines, which are more efficient and powerful than those used in earlier versions of the plane, but which are also larger and heavier. They had to be mounted in an awkward position that, under certain circumstances, caused the nose of the plane to pitch up enough to cause a stall. Something called a "Maneuvering Characteristics Augmentation System" (MCAS) was developed in order to deal with such situations. Under circumstanced deemed likely to lead to a stall, the MCAS automatically pitches the nose of the plane downward [1]. The resulting dive cannot be stopped by the pilot manually operating the elevator. The MCAS must be turned off. Boeing considered the MCAS part of the flight control system, but elected to not describe it in the flight manual or other training materials for pilots [2].
Suppose statistics indicated that, out of 300,000 takeoffs of airliner X, the likelihood is that 299,999 will be successful, and that one will result in a fatal crash. At first this may seem reasonably safe. But think again! A Boeing 737 Max 8 airliner in normal airline service would likely take off 3 times a day, i.e., roughly 1000 times a year. There are about 350 of these planes in service. That would mean about 350,000 Max 8 take-offs annually. So, if nothing is done to deal effectively with the Max 8 problem, then, under the above assumption, we would expect, on average, a fatal Max 8 crash every year!
Boeing management was undaunted by the 2018 Max 8 crash. They persuaded the FAA to allow the Max 8 to continue flying, and took no major step to avert further crashes. In particular they did not even require Max 8 pilots to be instructed about the peculiarities of the Max 8--particularly the stall problem. Involving thousands of pilots, such training would have been very expensive. Note that there are probably over 50,000 airline pilots in the US, and the Boeing Max 8 is expected to be flown by thousands of them.
Given the consequences of a Max 8 crash, it is shocking that Boeing's management was so negligent about addressing the problem effectively. Even more disturbing is the way the FAA failed to do its job of ensuring that the Max 8 was a safe airplane before allowing it to carry passengers.
Altho the circumstances, including the immediate cause of the crash, were very different, the March 3, 1974 Turkish Airlines McDonnell Douglas DC-10 crash also reflected incompetence of the plane's designers, top management of a leading manufacturer of airliners, and the FAA.
What happened? The cargo hold was separated from the passenger compartment by the floor of the latter. In order to avoid the need for a very strong--and therefore heavy--floor, the cargo hold was pressurized to the same degree as the passenger compartment. For convenience in loading and unloading, and to save space, the cargo compartment doors opened outward. Hence, at about 12,000 feet, the difference between the air pressure inside the plane and the outside was sufficient to exert a large force operating to open the cargo compartment doors. It is critically important that the mechanism for latching these doors be well designed to withstand great force, and that it be obvious if one of these doors is not properly latched. Furthermore, the passenger compartment floor should be generously vented so that that, if either the cargo hold or the passenger compartment is suddenly depressurized--e.g. by a door opening, or a window popping open--the air pressure in the two compartments remains close enough to equal to avoid excessive strain on the cabin floor. These critical requirements were not met by the DC-10 designers.
On March 3, 1974, ten minutes after taking off from Paris, a Turkish Airlines DC-10 crashed, killing the 346 people on board (largest number of people ever killed in the crash of a single airliner). The immediate cause was an outward opening cargo compartment door bursting open when the plane reached an altitude of about 12,000 feet, where the difference between air pressure inside the plane and the low air pressure outside the plane forced open the door. The door latching mechanism was poorly designed; it was easy for baggage handers to mistakenly think the door was properly latched when it wasn't.
As was the case for the Boeing planes, discussed above, the airline neglected several warnings about the problem. In 1970 when, during a ground test of the air pressure system in a hangar, a cargo door burst open, and the floor in the passenger compartment collapsed. A second warning, occurring in a real flight with passengers, was even more dramatic. A DC-10 took off from Detroit on June 12, 1972. When it reached about 12,000 feet, a cargo door burst open and the floor of the passenger compartment collapsed severing the controls for the tail engine, rudder and elevators. What saved the day was the foresight of the pilot, Captain Bryce McCormick. While familiarizing himself with the DC-10, McCormick, using a flight simulator, learned how to fly the plane using only the two wing engines and the ailerons (control surfaces on the wings). It was this knowledge that he skillfully employed to land the plane safely. Note that many analysts felt that even Bryce McCormick would not have been able to avoid the crash if the plane had the plane not been so lightly loaded (only 67 people on board--including crew).
Really fixing the problem would not have been all that difficult. Surely after the two events just described the designers of such a complex system as a jet airliner could have designed a foolproof door latching mechanism. Incorporating ample vents and perhaps some blowout panels in the DC-10 cabin floor, would have prevented the floor collapse resulting from the sudden great increase in the pressure difference between the passenger and luggage compartments. It was this collapse, which disabled the cables enabling the pilots to control the rudder, elevators and rear engine, that produced the fatal crash.
After the above described incident, there was a dispute between McDonnell Douglas and Convair, the subcontractor responsible for much of the detailed design of the DC-10 fuselage. Which company would be responsible for "fixing" the defects? This was apparently one of the underlying reasons that several obvious defects were not properly addressed. Another reason was that the FAA did not do its job of ensuring that the airplane was safe.
It is interesting that, on June 27, 1972, about 2 weeks after Bryce McCormick's heroic performance, Daniel Applegate, Director of Product Engineering for Convair, the DC-10 fuselage contractor, wrote a memo predicting that, because no effective action had been take to fix the problems, there would be a disastrous DC-10 crash. This, in fact, occurred about 2 years later). Applegate was not the only Convair or McDonnell Douglas engineer who anticipated such an event, but, like the others, when his warning was ignored by top management, he did nothing. There were no disruptive "whistle blowers" at any level of management of the companies involved, or, for that matter, in the FAA. The only ones who spoke out about the problems were a number pilots [3].
In the case of the DC-10 disaster the McDonnell Douglas Corporation explicitly refused to heed warnings about the danger of cargo doors opening, the cabin floor collapsing, etc., tho the danger was obvious. Prior to the crash, the National Transportation Safety Board recommended, but did not mandate, that the door latching mechanism be redesigned so as to be foolproof, and that the passenger compartment floor be properly vented so as to avoid a collapse that would sever the cables controlling the rudder, elevator, and rear engine. McDonnell Douglas refused to comply [4].
A modern airliner is indeed a very complex machine. Because defects of this machine can have such dire consequences to human lives, it is essential that the greatest care be taken to ensure that the design, construction, and operation of airliners be carried out correctly. Sadly, as illustrated in the cases discussed above, maximizing profit by cutting production and operational expenses, often at the cost of safety (e.g., using cheap door latching devices) is all too common. The problem is compounded by the fact that over 900 companies may be involved in the production of a modern airliner [5]
[1] , "Maneuvering Characteristics Augmentation System--Boeing 737 max", ,
[2] , "Maneuvering Characteristics Augmentation System--Wikipedia. "
[3] Tripti Lahiri, "What happened when one US pilot asked for more training before flying the 737 Max", Quartz, April 4, 2019
[4] Richard Within, "DC-10 Maker Balked At a Safety Analysis", NY Times, March 21, 1974, p. 85.
[5] Douglas MacMillan, Aaron Gregg, "Boeing's 737 Max design contains fingerprints of hundreds of suppliers", The Washington Post, April 5, 2019
Comments are welcomed and can be sent to me at unger(at)cs(dot)columbia(dot)edu
Don't forget to replace (at) with @ and (dot) with the symbol .
Return
to Ends and Means to see other articles that you might find
interesting.
***insert statcounter code***