The Boeing 737 Family

Boeing designs the 737 starting in 1964 as a short-to-medium range, smaller-capacity member of the Boeing single-aisle jetliner family. It uses the same fuselage cross section, cockpit, and controls technology as the predecessor 707 and 727 aircraft.  The initial seating design (on the 737-100) is for 85 passengers. However, airlines find this aircraft is too small and the first major production version is the lengthened 737-200 with 102 seats in two classes.

Because the 737 is intended to serve secondary airports with less-developed infrastructure (boarding stairs instead of jetways, limited baggage loading and engine servicing equipment, etc.), it is designed with short landing gear to allow the fuselage to sit as low as possible.  The initial engines are small-diameter JT8D low-bypass turbofans, mounted directly under the wings without pylons.

After a somewhat slow sales start, the 737 becomes very popular, eventually becoming the most-produced airliner family in the world (over 10,500 produced).  It supplants virtually all of its early competitors in the smaller jetliner segment (e.g., Douglas DC-9, BAC 1-11, Fokker F28/F50/F100, Sud Caravelle, BAe 146, etc.).

The design is extended to a number of growth versions with different length fuselage stretches.  These include the 737-300, 737-400, and 737-500. The engines selected for the new versions are more powerful CFM-56 high bypass turbofan engines.  To accommodate the larger diameter high-bypass engines while retaining adequate ground clearance, the nacelles are mounted higher and further forward and the nacelles are flattened on the bottom

The biggest change occurs with the 737 Next Generation (737NG) series that features enlarged and redesigned wings, larger fuel tanks for more range, new cockpits, and uprated CFM-56 engines. The 737NG series is first produced in 1996 and includes the 737-600, 737-700, 737-800, and 737-900.

All the new versions are certified by the FAA under the original 737 type certificate, even though the largest 737NG versions of them have nearly three times the original passenger capacity (230 in maximum density), twice the engine power, twice the range, all-digital “glass” cockpits, and serve different market segments than the original 737 design.

Boeing’s largest customer for the 737 family is Southwest Airlines, whose fleet is exclusively made up of 737 variants.  Like a number of Boeing’s other customers, Southwest wants its pilots to be able to fly any 737 version in its fleet with one pilot type certificate and common training.

Origin of the 737 MAX

The Airbus A320 family (A320, A319, A321, and A318) becomes the primary competitor to the 737 family.  First flying in 1987, the A320 is a clean-sheet-of-paper design not tied to previous Airbus aircraft. Because it is not optimized for serving secondary airports, it has a higher stance with plenty of ground clearance to accommodate large diameter engines.  The A320 family sells well.

Airbus introduces the A320 Neo family incorporating new technology ultra-fuel-efficient engines with larger engine diameters.  The A320 configuration accommodates the new engines easily. The first flight is in 2014. With its improved economics, the A320Neo family is very attractive to customers.

In order to avoid losing next generation single-aisle jetliner sales to Airbus, Boeing decides it needs to create a new 737 family with comparable ultra-fuel efficient engines.  This becomes the 737 MAX series. It is closely based on the 737NG family (737-600, 737-700, 737-800, and 737-900).

To be able to install the larger diameter engines on the 737 MAX design, the engine nacelles are moved even further forward and higher than the previous CFM 56 engines.

Selling the 737 MAX Family

Boeing aggressively markets the 737 MAX as being just like the previous 737 variants but much more economical to operate.  It claims essentially no additional training is required for a 737 pilot to transition to flying the 737 MAX. Only an hour or two’s study of instructional material on an iPad is sufficient.  Boeing takes orders for almost 5,000 737 MAX aircraft and sets up to produce about 60 units per month.

737 MAX Flight Characteristics 

Previous 737 models had the center of gravity well forward of the center of lift. In a stall, with neutral control inputs, the plane will nose down and recover on its own.  The natural nose-down force is counteracted by downward lift generated by the horizontal stabilizer. This lift creates drag and increases aircraft fuel burn. It appears that Boeing changed the 737 MAX’s relationship between the center of gravity and center of lift to minimize this trim drag effect and optimize efficiency.

In flight test, the 737 MAX variants are found to have flight characteristics that differ significantly from previous 737s.  This is particularly true at a high angle of attack where body lift from the large engine nacelles mounted ahead of the wings creates a strong nose-up force.  The center of lift shifts forward. The thrust from the low-mounted engines acting below the center of gravity also provides a nose-up force. This latter effect is especially pronounced at high power levels.

Without corrective input, at a high angle of attack a 737 MAX will continue to pitch up further, leading to a stall.  As a result, Boeing finds the 737 MAX design does not satisfy Federal Aviation Authority (FAA) airworthiness criteria for stability, particularly Federal Aviation Regulation (FAR) 25-173 [see appendix].  If the angle of attack of the aircraft exceeds 14 degrees, the nose will rise on its own until the aircraft stalls, unless a corrective action is taken.

Creating a Fix for the Stability Problems 

Rather than doing an aerodynamic redesign of the airplane, Boeing decides the quickest and least expensive fix for the flight characteristics of the 737 MAX is to provide a new software system. Called the Maneuver Characteristics Augmentation System (MCAS), it endeavors to make the 737 MAX aircraft behave like previous 737NG versions through flight control software algorithms.

As a priority, MCAS is intended to prevent the aircraft from getting into a hazardous unstable flight regime.  In addition to traditional pilot warning mechanisms (e.g., a “stick shaker” stall warning system), the MCAS will automatically drive the stabilizer trim to force the nose down when sensor data indicate a dangerously high angle of attack.

Characteristics of the initial design of the MCAS software include the following:

• • It electronically manipulates the aircraft horizontal stabilizer trim to increase the lift on the tail to force the nose down
  • It activates automatically when
    • The sensed angle of attack is above a pre-set value
    • The autopilot is off
    • Flaps are up (at low altitude and low airspeeds MCAS is also cued to operate with flaps lowered).
  • MCAS moves the horizontal stabilizer trim upward at 0.27 degrees per second, up to 9.26 seconds at a time
  • Then system pauses for about 5 seconds.  If the sensed angle of attack is still high, the MCAS repeats the process
  • The MCAS is supposed to deactivate when angle of attack is sufficiently reduced or pilots cut out power to the stabilizer trim.

A 737 MAX with the MCAS operates in a manner that can be rather disorienting to pilots accustomed to flying earlier 737 models without the software. A pilot may raise the nose by pulling back on the control yoke but then observe the stabilizer trim wheel moving to trim the nose down opposite to his or her input.  This is a result of the aircraft’s computer calculating that the optimum angle of attack for maximum lift is less than the angle which the pilot is demanding through moving the control yoke.

As long as the angle of attack sensor is providing a high signal, the MCAS will drive the trim repeatedly, overriding pilot input.  Note that the nose-down force provided by the stabilizer trim is stronger than the pilot’s ability to counter it by pulling back on the control yoke to raise the elevators.

Recommended Pilot Responses to MCAS Malfunctions

Like any flight control system, the MCAS can malfunction.  There are a number of hardware and software faults that can cause the system to behave incorrectly.

Boeing’s position has been that pilots should respond to an MCAS malfunction as though it were a case of runaway stabilizer trim.  This is a condition that pilots routinely train for in a simulator. The handbook procedure for this problem is to cut off electrical power to the stabilizer trim motors and trim the stabilizer back manually using a hand crank in the cockpit.

Unfortunately, Boeing’s assumptions about pilots’ ability to respond in such a situation may not be realistic.  Smaller pilots may not have sufficient strength to pull back on the control yoke to recover from the dive caused by the MCAS.  And when the airspeed is high, aerodynamic forces on the horizontal stabilizer may make it too difficult for pilots to manually trim the horizontal stabilizer with the hand crank.  In particular, if they are simultaneously holding strong force on the control yokes they may not have a free hand to rotate the trim crank.

When the MCAS is acting to prevent a stall, the cockpit is full of audible and visual alarms that can be highly distracting.  And the time available to understand the situation, diagnose the fault, and take the necessary corrective actions can be very short before a fatal dive angle and descent rate occurs, particularly at low altitude.

Corner Cutting

At the time the 737 MAX program is being developed, Boeing management is obsessively focused on driving down costs in every area in order to maximize shareholder value.  Top management compensation is tied to increases in the company share price, providing strong incentives.

Boeing does not follow generally-accepted design practice when it incorporates the MCAS into a safety-critical flight control system for the 737 MAX.  Airbus aircraft have four angle of attack sensors, with comparison among sets of three in order to use the data from the two sensors that most closely agree. Although newer Boeing jetliner designs (e.g. the 777 and 787) use three, only two angle of attack sensors are provided for the 737 MAX.  The MCAS only reads data from one of the sensors on a given flight, and then switches to the sensor on the other side of the fuselage on the next flight. If the MCAS gets a reading of a high angle of attack from the one sensor it is using, it will command nose-down stabilizer trim.

However, it is well known that angle of attack sensor malfunctions are relatively common.  A number of things can cause problems, including icing, careless aircraft washing, damage from contact with a jetway, bird strikes, and maintenance errors.

In addition to using only one angle of attack sensor at a time, Boeing does not follow generally-accepted design practice by providing redundant electrical and signal buses with fail-safe design approaches.  This results in several different single-points-of-failure paths in the 737 MAX flight control system.

Boeing makes several cockpit safety features, such as an angle of attack display, extra-cost options with a high price.  As a result, many budget airlines do not order these options. Although a warning light indicating disagreement between the two angle of attack sensors is standard, it does not function if the angle of attack display isn’t installed. The non-functionality of this warning light is not documented.

Recently, it is reported that rather than using experienced in-house experts, Boeing outsourced much of the development and testing of 737 MAX software to temporary-hire software developers paid as low as $9 an hour by Indian contractors HCL Technologies and Cyient.

Boeing’s Lack of Transparency

Boeing obscures the existence of the MCAS flight control system as a fix to the aircraft flight characteristics problems.  It doesn’t have it reviewed by the FAA during the 737 MAX certification process, doesn’t communicate about it to the airline customer technical representatives, doesn’t document it in the flight manuals for the pilots, doesn’t incorporate it in any training materials, and doesn’t represent it in any 737 simulators for pilot training.  Until the first crash of a 737 MAX in late 2018, no one outside Boeing even knows of the existence of the MCAS or the design of the systems feeding data to the MCAS.

Certification of the 737 MAX

The FAA takes a hands-off approach on certifying the 737 MAX and trusts Boeing to effectively self-certify the new aircraft.  The type certificate from the original 737 design, nearly 50 years old, is used for the new variants. This policy is partly because the FAA certification department is drastically under-staffed due to many years of budget cutbacks.  Other nations accept the FAA certification of the 737 MAX and do not independently evaluate the aircraft’s design and airworthiness.

Accidents and the Grounding of All 737 MAXs

Two fatal crashes of 737 MAX aircraft occur in 5 months.  The crashes, traceable to flight control problems unable to be overcome by the pilots, expose the existence of the MCAS.  All 737 MAX aircraft worldwide are grounded until the aircraft can be determined to be safe. Airlines operating nearly 400 737 MAX aircraft scramble to replace the lost capacity with other aircraft.  They are forced to cancel many scheduled flights, and incur significant financial losses.

Investigations to determine the full details of the causes of the two crashes are underway, but will take a significant time to reach definitive conclusions. While the operation of the MCAS is clearly a factor, there are indications that a number of other aspects of the design may be involved in the overall failure chains.

Passenger confidence in the 737 MAX series evaporates.  People indicate they are unwilling to fly on a 737 MAX, at least until the aircraft is positively demonstrated to be safe.  Aircrews also express apprehension about the airplane.

Airlines begin cancelling their orders if they are able.  However, their contracts with Boeing make this very difficult.

Boeing continues to produce over 40 unmodified existing 737 MAX aircraft every month while no customers take delivery.  Boeing has difficulty finding places to store all the airplanes coming off the production line. Employee parking lots are filled with 737 MAXs.

Boeing management asserts in public testimony that the company has done nothing wrong.  The 737 MAX design is safe, Boeing’s design and certification processes for the airplane were sound, and that the pilots in the two crashes should have been able to overcome the problems even though they had no knowledge of the existence and operation of the MCAS.

Boeing tries to show that pilots should have been able to deal with the problems in the two crashes by reproducing the conditions in simulators.  However, the pilots in the simulator trials appear to have known what to expect, rather than being taken completely by surprise, so a successful recovery in a simulator may not be a realistic confirmation of the system safety.  There are doubts that the simulator trials are realistic in other respects as well.

Lawsuits against Boeing begin piling up, with many different plaintiffs filing suit.  Boeing’s stock price declines.

At the same time as the 737 MAX crisis, news comes out about serious manufacturing defects in other Boeing jetliners currently being produced.  These defects include tools, even ladders being left inside structural compartments after being closed up. The defects also include damage to electrical power and signal cabling that can cause shorts and defective data.  The U.S. Air Force refuses to accept additional Boeing KC-45 tanker aircraft (modified 767s) because of these production quality control defects. Boeing 787 Dreamliners are also reported to have serious manufacturing quality control problems.

A separate defect independent of the MCAS software is discovered in the 737 MAX flight control system. A microprocessor can get overwhelmed by the volume of data to be handled and cause significant delays in processing.

Although the investigation of the detailed causes of the crashes is far from being completed, Boeing is desperate to get the 737 MAX back into service as soon as possible.  Boeing engineers work on modifications to the MCAS software. However, no changes are made to the physical systems (sensors, signal and power buses, etc.). There is no guarantee that changes to the MCAS algorithms are sufficient to make the airplane safe.

Problems with Boeing’s Proposed Solution

Boeing proposes the fix for the 737 MAX is a software change to the MCAS so that it will only push down one time and not repeatedly.

This does not correct the multiple single-point-of-failure cases: depending on a single angle of attack sensor, a single data bus, and a single electrical circuit connecting the angle of attack information into the flight control computer.

This also does not correct the fact that MCAS does not take into account other data that show the aircraft is not in danger of stalling.  The flight data recorders from both crashes indicate that the other systems were showing that the nose attitude was down (not up), the trim was full nose down, the altitude, airspeed, power, and ground proximity warning all provided contrary indications to a stall situation and were opposite to what MCAS was designed to prevent.  A proper implementation of the MCAS would involve a complete integration with other flight data systems to provide backup, redundancy, and corroboration, so the MCAS cannot act alone or contrary to the majority of other indications.

Furthermore, MCAS bypasses pilot display of the situation and pilot control as primary, contrary to all good transport aircraft design practice.

There is a strong likelihood that damaged wiring may have caused the faulty inputs to the MCAS function.  On one of the aircraft that crashed, the angle of attack sensor produced faulty readings on flights the previous day.  Before the fatal flight, it was replaced with a brand new unit, indicating that the sensor itself was unlikely to be the source of the problems.  Boeing’s proposed fix does nothing to correct the possibility of damaged wiring from manufacturing quality control defects.

In one of the 737 MAX crashes, it appears that the powered stabilizer trim may have re-engaged itself after the pilots acted to disengage it.  This is not being addressed in Boeing’s proposed MCAS software fix.

The proposed fix does not have a means to disable the MCAS software functions altogether.  MCAS will continue to operate, regardless of pilot actions.

Boeing is not proposing to provide new training for 737 MAX pilots as part of the fix.  In particular, 737 flight simulators are not being upgraded to accurately represent the MCAS functionality and possible failures.

Importantly, Boeing is trying to avoid a full FAA (and other nation airworthiness agency) certification review of the modified aircraft, because this could delay returning the 737 MAX aircraft to service for a substantial period.

Pilot Views

Chesley "Sully" Sullenberger, the pilot for the “Miracle on the Hudson” water landing of an Airbus airliner in 2009, told the House Transportation Committee during a hearing on the 737 MAX that it is critical that pilots not be faced with "inadvertent traps."  He said "We must make sure that everyone who occupies a pilot seat is fully armed with the information, knowledge, training, skill and judgment to be able to be the absolute master of the aircraft and all its component systems and of the situations simultaneously and continuously throughout the flight."  Boeing’s attempt to avoid specific training for the 737 MAX and its specific characteristics is viewed very negatively by pilots.

Conclusions

Boeing has been driven by economic incentives into producing a product with deficiencies, seriously harming its reputation as a trusted supplier of safe aircraft.  By selling the 737 MAX as not requiring detailed certification review and needing no significant pilot training for the new characteristics of the aircraft, Boeing has failed in its responsibilities to be honest with regulatory authorities, airline customers, aircrews, and the flying public.  It is not clear at the present time (July 2019) when appropriate corrective actions can be completed to make the 737 MAX aircraft safe to return to regular airline service, even as large numbers of unmodified aircraft continue to roll off the production lines.

Appendix: Federal Aviation Regulation Airworthiness Criteria

• Sec. 25.173 — Static longitudinal stability.

Under the conditions specified in §25.175, the characteristics of the elevator control forces (including friction) must be as follows:

(a) A pull must be required to obtain and maintain speeds below the specified trim speed, and a push must be required to obtain and maintain speeds above the specified trim speed. This must be shown at any speed that can be obtained except speeds higher than the landing gear or wing flap operating limit speeds or VFC/MFC, whichever is appropriate, or lower than the minimum speed for steady unstalled flight.

(b) The airspeed must return to within 10 percent of the original trim speed for the climb, approach, and landing conditions specified in §25.175 (a), (c), and (d), and must return to within 7.5 percent of the original trim speed for the cruising condition specified in §25.175(b), when the control force is slowly released from any speed within the range specified in paragraph (a) of this section.

(c) The average gradient of the stable slope of the stick force versus speed curve may not be less than 1 pound for each 6 knots.

(d) Within the free return speed range specified in paragraph (b) of this section, it is permissible for the airplane, without control forces, to stabilize on speeds above or below the desired trim speeds if exceptional attention on the part of the pilot is not required to return to and maintain the desired trim speed and altitude.

[Amendment 25–7, 30 FR 13117, Oct. 15, 1965]

• 25.601 General.

The airplane may not have design features or details that experience has shown to be hazardous or unreliable. The suitability of each questionable design detail and part must be established by tests.