Abstract
Recently, many regulatory documents have been adopted in the field of civil aviation safety, both internationally and nationally. Moreover, there is a continuous improvement in the design of aircraft to increase the level of passenger safety. Often, this improvement can even be attributed to the level of disruptive innovations.
Meanwhile, aviation experts around the world talk about the technical problems of the Boeing 737 MAX, which resulted in the death of 346 people in six months. In the paper, based on the analysis of the Lion Air 610 accident, it is shown that the lack of proper coordination between the efforts of regulators and the actions of aircraft manufacturers can lead to tragic results and an imbalance of the entire integrated safety management system.
Introduction
Improving flight safety in the global air transport system is the fundamental and most important strategic goal of both the International Civil Aviation Organization and all national regulators. Despite some improvement in recent years, the state of flight safety in civil aviation is not always satisfactory (Kuklev, Shapkin Filippov, and Shatrakov, 2019). Nevertheless, as practice shows, despite the availability and constant updating of safety standards, national regulators do not always properly fulfill their responsibilities.
For example, questions to the American aviation regulator arose after the crash of a Boeing 737 MAX 8 in Ethiopia in early March 2019. Earlier, a crash with a plane of a similar type occurred in Indonesia. Shortly thereafter, regulators from all countries suspended the flights of the Boeing 737 MAX 8.
According to experts, the Boeing 737 MAX 8 may have problems with the Maneuvering Characteristics Augmentation System, MCAS. U.S. media reported that during the tests, the FAA provided broad authority to evaluate the safety of Boeing itself, which raises questions about the objectivity of the tests (Keane and German, 2019).
The main issue at the hearing was how closely the regulator checked the new aircraft before permitting its operation in March 2017. In this regard, it seems appropriate to consider the prerequisites and causes of the situation that led to the occurrence of a risk event (plane crash), as well as its implications for further development of safety risks assessment and safety mitigating controls.
Background and Literature Review
The methodology for calculating the risks of negative consequences arising from the operating conditions of aviation equipment (control errors, a manifestation of the human factor, etc.) is based on a physical interpretation of the concept of risk in the form of “Risk ‑ possible danger,” i.e., predicted if possible conditions for the occurrence of a risk event are found (Kuklev, Shapkin, Filippov, and Shatrakov, 2019). Also, it is based on hidden threats depending on the residual risk inherent in the system at the stages of development and production of aviation equipment.
The key issues are the systematization and establishment of the relationship and the nature of phenomena in terms of the following: challenge, threat, danger, security, condition, factors, risks, security level, acceptable and target levels of security and risks, security management, risk management, risk factors, chains of random events.
The basis of the scheme under consideration is the basic principles of risk theory and the procedures for expert analysis and assessment of the negative consequences of danger factors in aviation operations based on risk assessment matrices using the ICAO methodology (Macrae, 2014). At the same time, in the triad of control actions (reactive, proactive, predictive), the main thing is to take proactive measures to change the state of the system before the predicted dangerous event occurs.
Moreover, the methods of expert risk analysis of the occurrence of negative scenarios of events using “risk analysis matrices” are of particular importance. This is the essence and universality of a unified approach to assessing safety through risks (Oster, Strong, and Zorn, 2013). The aviation management safety management system implements the principles of risk calculation and management based on two functional systems (Macrae, 2014; Stolzer and Goglia, 2016):
- The first subsystem implementing the initial procedure “Identification of risks and risk factors.”
- In subsystem No. 2, based on the base of risk factors and identifiable types of risk, it is possible to provide risk management and prevention of negative situations by the recommendations of ICAO, IATA, and other regulatory documents.
The safety management system for aviation activities consists of separate modules. They, in turn, make it possible to fully assess the level of security by identifying the characteristics of adverse single and rare events with a small sample of statistics that can lead to negative situations, take measures to eliminate and prevent them.
This, in turn, evidently should increase the level of safety (Medicine National Academies of Sciences, Engineering, et al., 2018). Accordingly, a failure in one of the subsystems can lead to the breakdown of the entire aviation safety management system, which happened in the Boeing 737-MAX catastrophe, being a clear sign of the FAA’s internal problems.
Examination of the chronology of events will help to understand the essence of the problem and the reasons for its occurrence. The final report states that on the early morning of October 29, 2018, Lion Air’s 610 flight departed from Jakarta, Indonesia, with 189 people on board (Petchenik, 2019). It was the new 737 MAX 8, which operated only four months, the latest model in the Boeing line of aircraft created back in the 1960s. Take-off and ascent to a height of approximately 1,600 feet (480 meters) were normal (Petchenik, 2019).
After that, as another investigative work reports, the pilots removed the flaps; at this point, the aircraft unexpectedly sank to 900 feet (270 meters) (Langewiesche, 2019). “During radio conversations with air traffic controllers, pilots reported a “problem with the control system” and asked for data on their altitude and speed displayed on the screens of controllers’ radars” (Petchenik, 2019, para 8).
Equipment in the cockpit gave volatile readings; pilots pulled out the flaps and climbed to 5,000 feet (1,500 meters), but after retracting the flaps, the nose of the aircraft sank and it began to lose altitude again (Petchenik, 2019, p. 76). Over the next six to seven minutes, the pilots fought with the aircraft ‑ they tried to maintain the level of the nose, but the automatic flight control system constantly lowered it down (Petchenik, 2019, p. 69). In the end, the plane ‘won’ and crashed into the water at high speed and all those on board died.
The second accident occurred, when Ethiopian Airlines flight 302 crashed six minutes after taking off from Addis Ababa, resulting in 157 people died (Campbell, 2019). The aircraft was also MAX 8, and it was operated only for two months; pilots reported control problems, and satellite observation data showed sharp altitude fluctuations (Campbell, 2019).
Due to the evident similarity with the above-mentioned Lion Air accident, a question was raised: if the same malfunction or a design defect caused both incidents, then there may be other accidents. In a few days, the 737 MAX fleet was suspended from flying on global scales, in many countries (Langewiesche, 2019). The data recovered from the accident on Flight 302 reinforced the suspicion that the two accidents were closely related. On both lethal flights, the new automated MCAS maneuvering correction system was designed to avoid incidents; instead, it sent planes twice at a fatal peak.
The ‘history’ of flight 610 Lion Air accident can be traced by the data extracted from the black box (Lakew, 2019). The graph shown in Figure 1 below was published as part of the preliminary report of the National Transport Safety Committee of Indonesia.
Lakew, analyzing the case, notes that a general idea of the accident ‘deploying’ is provided by the height tracking curve at the bottom of the graph (Lakew, 2019). The initial ascent is interrupted by a sharp descent; then, the further ascent is followed by a long, erratic “rollercoaster ride” (Lakew, 2019).
Finally, there is a dive, a little more than 10 seconds the aircraft descends 5,000 feet. The accident report states that “all these sharp ups and downs were caused by the movements of the horizontal stabilizer ‑ a small wing-like surface at the rear of the fuselage” (Petchenik, 2019, p. 78). The stabilizer controls the pitch angle of the aircraft, i.e., to where the nose is directed. On the Boeing 737, it does this in two ways: the elevator steering trimmer mechanism tilts the entire stabilizer; at the same time, the movement of the pilot control wheel moves the elevator ‑ a movable steering wheel at the rear of the stabilizer (Petchenik, 2019, p. 36-37).
In both cases, moving the back of the surface up causes rising the nose of the aircraft, and opposite; the commands given to the system of elevator trimmer and how they affected the aircraft are presented by three curves based on the flight data in Fig. 1 (Lakew, 2019). The line marked “trim manual” (blue) reflects the actions of pilots, “trim automatic” (orange) shows commands from the electronic systems of the aircraft, and “pitch trim position” (dark blue) shows the tilt of the stabilizer (Lakew, 2019).
A higher position on the chart indicates a command to raise the nose. This is where the struggle between humans and machine is evident. Thus, the cause of the incorrect behavior of the automatic pitch balancing system was identified namely in the MCAS of the new system of the 737 MAX model series.
The design miscalculation is the basis for the accident. During the development and further certification of the system, designers did not properly study the probability of losing control of the aircraft and did not put any fuse in the MCAS in case of failure. Recent changes in aircraft systems were not even reflected in the safety assessment that Boeing provided to the FAA. As a result, the federal agency could not fully analyze the operation of the MCAS system.
Only after the crash of the Boeing-737 MAX of the Indonesian Airline Lion Air on October 29, 2018, the FAA learned that the system, bypassing the pilot, could shift the stabilizer not by 0.6 degrees, as in the report, but by as much as 2.5; moreover, it can do it several times (Shepardson and Johnson, 2019).
In addition, it turned out that it relied on the data of one angle of attack sensor, which on the crashed plane was faulty. None of the engineers knew about the new limits, but the most critical thing is that many pilots learned about the existence of MCAS only after the first crash.
The Case of Boeing 737-MAX from the Standpoint of Safety Risks Assessment and Safety Mitigating Controls
Today, many aviation administrations in the world, together with carriers, are developing new ways to manage safety in air transport. The principles of exposure to existing risks are being introduced not only in the financial activities of aircraft operators but also in production units.
The most promising areas are the development and implementation of risk management programs in the safety management system. In this regard, existing methods for the quantitative assessment of flight safety receive a new stage of development. At present, the levels of flight safety and airworthiness are determined by the statistics of events (aircraft accidents, incidents, failures, malfunctions, etc.). This approach gives a clear picture of the level of safety at the enterprise when comparing it with the previous period.
A modern approach to solving the problem of improving flight safety involves the development of a safety management system for each airline, and the basis of the system is the safety risk management process. At the same time, however, the concept of indicators of an acceptable safety level is interpreted differently, depending on the available/applied methods for their assessment and the ways of implementation in the flight safety system.
At present, preset safety levels and safety indicators are determined not functionally and often with distorted pronounced models describing their contextual contents, as well as ways to integrate them into the airline’s safety management system (Musa and Wu, 2017). Thus, the inadmissibility of giving safety risks assessment and safety mitigating controls to airlines or aircraft manufacturers is obvious.
The process of transferring responsibility for aircraft to manufacturers has been in the United States for many years. Thus, they hoped to reduce the number of bureaucratic procedures while coordinating the design of new models. However, in the end, namely, this allowed manufacturers to challenge safety regulatory claims. The culmination of the process was the permission for Boeing from FAA to ignore in 2014 several requirements for the onboard crew warning system (§25.1322, Boeing 737 Max certification documents).
In turn, Boeing had a good reason not to focus on the features of the new aircraft. One of the key marketing benefits of the Boeing-737 MAX is the quick retraining of pilots of the previous-generation Boeing-737 NG, saving airlines millions of dollars in retraining. It essentially boils down to an hour-long familiarization on the tablet screen, even without flying on an airplane simulator.
Namely, for this (and speeding up certification) Boeing went to break its long tradition ‑ to maintain full control of the pilot over the aircraft. One of the tasks of MCAS was to make the Boeing-737 MAX behave like a Boeing-737 NG, despite the engines being significantly large and very advanced (Keane and German, 2019). According to experts, the following critical flaws were present in a report written by the Boeing developers (Campbell, 2019):
- Four times underestimated possible angle of deviation of the aircraft stabilizer to dive by the MCAS system;
- It was not indicated that the system can be reactivated after each pilot reaction. This did not allow assessing the real risk of the aircraft entering a dive;
- The threat of malfunctioning of the system below the “catastrophic” level. However, even with a “dangerous” threat level, the MCAS system did not have to rely on data from a single sensor.
The accidents became an occasion for lawmakers to point out flaws in the current regulatory system, which gave manufacturers too much freedom. In this case, even if there are strong doubts regarding security, FAA officials should conduct an investigation or inspection to substantiate their opinion (which could potentially take a long time). Only then can they regain control of what is happening. However, airline managers intercepted the regulatory functions of the regulator.
Results
In addition to self-eliminating the FAA from regulatory intervention, in this case, it should be noted that Boeing itself gained one of the biggest victories in lobbying ‑ thanks to the aircraft manufacturer, a law was passed that effectively suspended the US government from approving new aircraft projects. In fairness, it must be said that the FAA explicitly stated that the current legislative regulation does not contribute to security (Keane and German, 2019, para 4).
The FAA also expressed concern that the new rules are turning it into fiction, as it can only intervene after “the plane crashes and people die” (Timmons and Frost, 2019) ‑ characteristically, that is exactly what turned out be.
The fact that the transfer of control to aircraft manufacturers will make them more competitive compared to foreign companies, primarily the French Airbus, Boeing, and its industry organizations have been talking about since 2014. According to industry lobbyists, the FAA allegedly arbitrarily interpreted the rules, slowing the development process (Timmons and Frost, 2019).
To solve this problem, representatives of aviation manufacturers urged lawmakers to introduce a delegation system similar to the European one ‑ , for example, checking of insignificant elements of European aircraft, such as bathrooms and seats, can be outsourced (Taneja, 2017). This shortens the certification process and benefits Airbus and other competing Boeing companies.
However, the freedom granted led to a feeling of complete own rightness, impunity, and negligence. In the situation with MCAS, as noted above, the Boeing developers acted very unconventionally ‑ they did not inform anyone about this new product. Before the Indonesian disaster, neither the pilots, nor the technical services, nor the airline leaders knew about this program.
Not only that, the system is designed so that the program was hard to detect: MCAS turned on silently when the computer seemed to comprehend that the nose pulled up too hard, worked for several seconds, directing the plane to the ground, and then went back into sleep mode until the next critical, according to the computer, mode.
Discussion
Most experts agree that the Boeing corporation, perhaps seeking to win a competitive race with Airbus, has relied on the modernization of the Boeing 737, which first took off in 1967. The plane was very successful, which made it possible to modernize it many times. However, improvements and an increase in the size of the aircraft led to the fact that the original model with its excellent flight characteristics and a well-thought-out control system began to be equipped with new wings, more powerful engines, lengthening the fuselage to accommodate more passengers.
All this led to the fact that the new aircraft was less stable, and to keep it in the air, increasingly more “crutches” were needed. One of them was the MCAS electronic system, which should take the nose of the aircraft down if it is raised to a dangerous angle, behind which the stall begins. In this regard, experts have a question: is there too much electronics in the control of modern aircraft, because of which they turned into “flying laptops.”
According to statistics, up to 85 percent of air crashes are due to the human factor (Stolzer and Goglia, 2016). However, technology also fails, because, in its development, there is also a human factor influence. In particular, in modern aircraft, Fly-by-wire technology is increasingly being used. Such systems first appeared on the Airbus A320 in the late 1980s (Kisesa, 2016).
Its essence is simple: instead of mechanical control methods (cables, hydraulic lines, transmitting power amplifiers), electric drives controlled by a computer and connected simply by wire are used, from where the name of the technology comes from. The advantages are obvious: the aircraft becomes much easier, cheaper, and more reliable, including in terms of protection from the human factor. The more aircraft systems that are controlled exclusively by a computer, the more things an autopilot can do (Wilson and Binnema, 2014).
For example, it is not only controlling the direction, speed, and altitude of the flight, but also at the right time, releasing the flaps at the right angle, then the landing gear, activating automatic braking, that is, ultimately completing a fully automatic landing without the participation of the pilot. It will be enough to remotely download the parameters to the computer route and desired approach pattern.
However, by analogy, one should recall the cases of accidents, including fatalities, in which Tesla unmanned vehicles fell, deprived of the option of “manual” control of the driver. In the event of any emergency, the onboard computer operates according to the algorithms laid down in it, which, however, cannot provide for all possible combinations of factors in each emergency, due to which the actions of the autopilot may turn out to be erroneous.
At the same time, if on the roads, it is a risk to the life and health of one or several people, in civil aviation, hundreds of human lives are “at stake,” which are increasingly dependent on the algorithms and program codes of electronic aircraft automatic control systems.
Conclusion and Further Implications
Despite all the regulatory “ups and downs,” the consideration of the case of the Lion Air 610 air crash involving the Boeing 737-MAX clearly shows that the pilots became very dependent on autopilots and other computerized flight control systems. Abuse of on-board automation can lead to a loss in the ability of pilots to quickly respond to emergencies in which an aircraft can get. In addition, improper operation of automation itself can lead to emergencies.
At the same time, the systems of modern aircraft cannot accurately predict the danger and make the right decision for the given situation. In other words, excessive reliance on automation threatens the aircraft and its passengers.
Pilots became dependent on automation, and this dependence was supported both by themselves to alleviate stress during the flight, and by airlines in an attempt to reduce the number of deviations. Regulators also made their contribution by tightening requirements for flight safety parameters.
However, many aviation crashes of our time are somehow connected with the fact that the pilots could not recognize a situation in which the automatics were behaving incorrectly ‑ in particular, in the recent Boeing 737MAX crashes, in which the MCAS system, without a command from the failed angle of attack sensor, shifted the stabilizer driving a liner into a dive.
Thus, large-scale studies and consultations with the participation of representatives of airlines, regulators (including international ones such as ICAO), as well as the largest players in the aircraft industry, are urgently needed to be held to discuss the current situation in the field of flight safety and find measures to eliminate existing critical consequences.
Reference List
Campbell, D. (2019) ‘Redline: the many human errors that brought down the Boing 737 Max,’ The Verge, 2019.
Keane, S. and German, K. (2019) ‘Report on 737 Max 8 crash blames Boeing design, Lion Air staff,’ CNet News, 2019. Web.
Kisesa, H. (2016) Aeronautical information management ‑ establishment, professionalism & challenges. Surbiton: Grosvenor House Publishing Limited.
Kuklev, E. A., Shapkin V. S., Filippov, V. L., and Shatrakov, Y. G. (2019) Aviation system risks and safety. New York: Springer.
Lakew, S. T. (2019). A reasonable explanation for both Boeing 737 Max 8 recent accidents. Oxford: Oxford University Press.
Langewiesche, W. (2019) ‘What really brought down the Boeing 737 Max?’ New York Times, 2019.
Macrae, C. (2014) Close calls: managing risk and resilience in airline flight safety. London: Palgrave Macmillan.
Medicine National Academies of Sciences, Engineering et al. (2018) In-time aviation safety management: challenges and research for an evolving aviation system. Washington, D.C.: National Academies Press.
Musa, S. M. and Wu, Z. (2017). Aeronautical telecommunications network: advances, challenges, and modeling. Boca Raton: CRC Press.
Oster, C. V., Strong, J., and Zorn, K. (2013) ‘Analyzing aviation safety: problems, challenges, opportunities,’ Research in Transportation Economics, 43, pp. 148-164.
Petchenik, I. (2019) ‘Indonesian investigators release final Lion Air 610 crash report,’ Flightradar24, 2019.
Shepardson, D. and Johnson, E. M. (2019) ‘U.S. regulator cites new flaw on grounded Boeing 737 MAX,’ Reuters, 2019.
Stolzer, A.J. and Goglia, J. J. (2016) Safety management systems in aviation. Abingdon: Routledge.
Taneja, N. K. (2017). 21st century airlines: connecting the dots. Abingdon: Routledge.
Timmons, H. and Frost, N. (2019) ‘How money and influence flows between the US government and Boeing,’ Quartz, 2019.
Wilson, D. and Binnema, G. (2014) Managing risk: best practices for pilots. Newcastle: Aviation Supplies & Academics.