Indonesia’s devastating final report blames Boeing 737 MAX design, certification in Lion Air crash

SEATTLE -- The final report by air accident investigators into the Lion Air crash of a 737 MAX in Indonesia that killed 189 people a year ago provides a devastating critique of the design and certification of Boeing’s new flight-control system on the airplane.

It also provides a detailed account of the fatal flight. And it apportions blame to Lion Air’s maintenance work and its pilots, as well as a Florida firm that supplied a component.

"The design and certification of the MCAS (Maneuvering Characteristics Augmentation System) did not adequately consider the likelihood of loss of control of the aircraft," the report states. "A fail-safe design concept and redundant system should have been necessary for the MCAS."

The report found that after Boeing changed the original MCAS design, increasing its authority to move the horizontal tail, or stabilizer, from 0.6 degrees to 2.5 degrees, "the higher limit caused a much greater movement of the stabilizer than was specified in the original safety assessment document."

After that change, as first reported in The Seattle Times in March, the company's Stabilizer System Safety Assessment for the Federal Aviation Administration (FAA) was not updated in time, with the result that the "FAA would not be able to reassess the safety of the design change," the report states.

It also criticizes Boeing's failure to detect a software error that resulted in a warning light on the MAX not working, as well as its failure to provide pilots any information about the flight-control system. Both failures contributed to the crew's inability to understand what was happening, the report said.

"The absence of information about the MCAS in the aircraft manuals and pilot training made it difficult for the flight crew to diagnose problems and apply the corrective procedures."

The report also found that a critical sensor, a secondhand unit repaired and supplied by a Florida company, was faulty, and it found strong indications that the device was not tested during installation by Lion Air maintenance staff.

And though similar faults had occurred on the previous flight of the same airplane, Lion Air's maintenance staff failed to ground the airplane, the report says.

The previous flight "that experienced multiple malfunctions was classified as a serious incident and should have been investigated," the report states.

The report also faulted the two pilots on Lion Air JT610, particularly the first officer, who was unfamiliar with procedures and had shown himself in training to have problems in handling the aircraft. He failed to follow a checklist procedure that could have stopped MCAS from operating.

And the report found the crew failed to coordinate their responses to multiple failures and alerts.

After the captain successfully countered the airplane's nose-down movements more than 20 times, he handed over to the first officer, who was under stress and proved unable to maintain control. Shortly after, the plane nose-dived into the Java Sea, killing all on board.

Missed opportunity to fix the jet

The flight history of the MAX that crashed recorded intermittent technical issues in the days leading up to the accident. This led to the installation of a faulty replacement component that would trigger the cascade of events that brought down the plane.

On Oct. 28, the day before the crash flight, following a series of cockpit warnings about airspeed and altitude, a maintenance engineer installed a new angle of attack sensor.

Though he was supposed to do an installation test to ensure it was correctly calibrated and installed, the maintenance records show no such test, the report found. The engineer did produce several photos of the flight display, which he claimed showed the test had been performed. But investigators could not confirm that the photos were taken in the plane that crashed and clearly suspected they were not.

"The investigation could not determine with any certainty that the AOA sensor installation (was) successful," the report states.

The report also found that 31 pages were missing from the aircraft's October maintenance logs.

The replacement AOA sensor was a secondhand component supplied by a certified aviation repair shop, Xtra Aerospace in Miramar, Florida.

The part was faulty. On the flight directly before the fatal flight, the replacement sensor was off by 21 degrees from the one on the other side of the plane.

The report states that this difference indicates that the sensor "was most likely inadvertently mis-calibrated" during test and calibration in Florida. Xtra Aerospace's procedures did not include an extra check required to validate the calibration.

The report notes that the FAA, which is supposed to oversee quality control at component suppliers, missed this, and concludes that its "oversight was not effective."

On the Oct. 28 flight, the 21-degree angle of attack sensor fault set off the same series of events that would show up again a day later on the accident flight. The captain's stick shaker went off immediately, and the airspeed and altitude warnings appeared.

And after the pilot retracted the flaps, MCAS -- assuming the angle of attack was too high because of the input from that one bad sensor -- activated and began to push the nose of the aircraft down.

Since Boeing hadn't informed airlines or pilots about MCAS, the captain and his first officer didn't understand what was happening. But they were lucky in that a third pilot, another Lion Air first officer, was along for the free ride, sitting in the jump seat in the cockpit. That third set of eyes seems to have been crucial in helping the crew troubleshoot, stay calm and find a way out of the situation.

After discussion among the three of them, the captain flipped a pair of switches that cut off electrical power to the tail. That allowed him to regain control. When he flipped them back and the nose-down movements resumed, he cut off power again.

According to procedures, the pilot should have turned the plane around and landed as soon as possible. Instead, the crew flew on to their destination.

Upon landing, the captain reported only the issues that had shown up on his flight display: the airspeed and altitude warnings and a light indicating a difference in the feel of the control column. Fatally, he did not report the activation of the stick shaker, the way the stabilizer had pushed the nose down or his use of the cutout switches to resolve the problem, resulting in an "incomplete report."

That omission, the report found, was critical to the maintenance engineer not realizing how serious the state of the plane was. It should have been grounded. But the next morning it would take off on its next flight, with the same pattern of faults, a different crew, and a deadly outcome.

Boeing’s faulty assessment

The report confirms multiple flaws in Boeing's MCAS design as well as a separate problem with a warning light to tell the pilots that the AOA sensors were in disagreement.

Because of a software bug, that light was working only on MAXs where the airline had installed a separate optional feature. Lion Air hadn't bought that option.

The report concludes this contributed to the crew "being denied valid information about abnormal conditions."

However, the main flaw found was in the design of MCAS. The report examined the safety assessment of the system, which it says was entirely delegated to Boeing by the FAA.

"The certification was done by Boeing ... without properly considering the severity of the problem," the report states.

It found that when Boeing engineers assessed possible failure scenarios, they did not consider "multiple erroneous MCAS activations and only considered the activation of the MCAS function for three seconds (up to .81 degrees), not to the maximum authority of 2.5 degrees."

Boeing assumed in its safety assessment that pilots would respond within three seconds to a system malfunction. The report found that on both the previous flight, when the crew recovered control, and on the accident flight, when they did not, it took both crews about 8 seconds to respond.

The report says Boeing reasoned that the cutout switches, while available to the pilots, would not be required and that an MCAS failure could be countered by the pilot pulling back on the control column alone. But events and subsequent tests showed that MCAS could only be stopped by the cutoff switches.

In December 2018, the investigators along with Boeing conducted tests in a simulator configured for the 737 MAX and found that after just two activations of MCAS, absent any counter from the pilot, the control column force became "too heavy" to move.

The report notes that certification of flight controls "must permit initial counteraction of failures without requiring exceptional pilot skill or strength."

Unfortunately, on flight 610, Boeing's flawed system met a crew that lacked exceptional skill.

Crew shortcomings

Beyond the already well-known account of the flight -- that the captain struggled repeatedly against MCAS pushing the nose down but after countering it more than 20 times handed control to the co-pilot who failed to do so -- the final report adds new detail.

The first officer on flight 610, Harvino, a 41-year-old Indonesian who like many Indonesians used only one name, had not been scheduled for the flight, but had been awakened at 4 a.m. with a schedule change.

And the captain, 31-year-old Indian national Bhavye Suneja, told Harvino he had the flu and on the cockpit voice recorder was heard to cough 15 times in an hour during the preflight checks.

The report notes that during training at Lion Air, Harvino had shown unfamiliarity with standard procedures that were supposed to be memorized and had displayed weak aircraft handling skills.

When the stick shaker went off and the various warnings showed on the display, Suneja asked Harvino to perform the Airspeed Unreliable checklist. He had to be asked twice and it took him four full minutes to find it in the Quick Reference Handbook (QRH).

"The First Officer was not familiar with the memory item ... (and) not familiar with the use of the QRH."

The procedure should have allowed him to crosscheck between the airspeeds showing on the captain's side and on his side and determine which was correct. The checklist then says that once that's done, autopilot can be engaged. MCAS is disabled when autopilot is engaged.

Harvino failed to do this.

Meanwhile, the captain, occupied with countering the nose-down movements, didn't understand what was happening. The report speculates that he may have thought there was something wrong with another system, the Speed Trim System, which wouldn't have been nearly as aggressive in its actions. He didn't apply the cutoff switches.

The captain wasn't coordinating with Harvino as he fought MCAS. Then, perhaps because he wanted a break to think about what was wrong or because he was becoming stressed, he "asked the first officer to take over the aircraft control for a while." The report notes that Suneja did not communicate to Harvino exactly what he needed to do.

Harvino quickly lost control and the plane plunged into the sea.

The report concludes with a long series of recommendations for all parties involved, including improved pilot training and maintenance procedures at Lion Air.

Among the recommendations for Boeing:

-- A fail-safe redesign of MCAS.

-- Adequate information about MCAS to be included in pilot manuals and training.

-- Closer scrutiny in future of any system capable of taking over primary flight control actions from the pilot.

-- Design consideration of the effect of all possible flight deck alerts and indications on pilot recognition and response.

-- Larger tolerance in Boeing’s designs to allow operation by a diverse population of pilots.
