The two tragic crashes of Boeing’s best-selling 737 Max planes increasingly look to be caused in part by a malfunctioning automated system—and the pilots’ lack of training around how to deal with it—that was designed to keep the aircraft from stalling out. The final reports aren’t in yet, but the similarities between the crashes in Indonesia and Ethiopia that together killed 346 people, and the log of complaints from other pilots about the system, all point to trouble with the Maneuvering Characteristics Augmentation System, or MCAS.
In short, a combination of an unfamiliar, potentially faulty automation system and a crew that was not adequately informed in how to operate or override that system probably led to both crashes, according to preliminary findings. One thing that’s striking about this is that it’s precisely the hazardous scenario that a top aviation safety forecasting group has warned of for over a decade.
In 2004, the Future Aviation Safety Team (FAST), a group first convened in 1999 by a consortium of international flight regulators and co-chaired by Brian E. Smith of NASA Ames Research Center, published a report on “Increasing Reliance on Flight Deck Automation”—a trend that was already underway. According to FAST, the report had “two main conclusions”:
a) that there will be problems with maintaining “hands-on” currency due to future advances in flight deck automation and
b) that stress and fatigue will increase rapidly when the flight crew does not understand what flight deck automation is asking the aircraft to do.
The report termed this “automation surprise,” and it accurately describes what appears to have happened to the pilots attempting to overcome the MCAS system to keep their Boeing Max planes from going down. (‘Automation surprise’ is such a potent and useful term, it’s one that can be applied to how we get confounded and overwhelmed by unfamiliar automated systems more generally.)
Essentially, because the new 737 Max 8 planes have engines that sit further forward on the wing than previous models, they’re prone to stalling easily if pilots tilted the nose too high—so the MCAS automatically kicks in to lower the nose. In the Indonesia crash, battling an MCAS that was responding to erroneous sensor data, the pilot fought to keep the nose up, manually pushing it up 21 times only to have the computer system push it back down after every correction—MCAS, it seems, ultimately downed the plane into the Java Sea. So far, the flight data from the Ethiopia crash indicates a similar pattern.
Now, it is possible to override the MCAS autopilot system, but Boeing apparently did not disclose how the new automation worked to pilots, in what seems to be an effort to maintain the same “type rating” of plane—even as it withheld information about the hazards it posed—which helped the company avoid numerous hours of costly pilot training.
So in both Indonesia and Ethiopia—and on flights that pilots logged complaints about that problem but did not crash—pilots were subjected to automation surprise. The unfamiliar system kicked in, erroneously, in the case of the Lion Air flight in Indonesia, and they did not have the tools or knowledge to override it in time.
For 20 years, FAST has worked on identifying dozens of Areas of Change (AoCs) in the aviation field, which range from “New cockpit and cabin surveillance and recording systems” to “Global organizational models” to “New hypersonic aircraft” to our “Reliance on automation supporting a complex air transportation system,” and researching them deeply to understand how they stand to impact passenger and pilot safety.
In the case of the 50-page “Increasing Reliance on Flight Deck Automation” study, according to FAST, the “information came from a pilot survey among more than 190 respondents, with a mean of 10,000 flying hours and 20 years in the business.”
The top five hazards FAST identified with emerging autonomous flight systems were:
- Flight crew spending excessive time in a monitoring role potentially compromising their ability to intervene when necessary
- Failure of the flight crew to remain aware of automation mode and aircraft energy state
- Unfamiliar modes of aircraft automation may result in a perfectly normal flying aircraft suddenly taking on characteristics that the pilot has seldom or never previously encountered
- Latent flaws in the displays or primary flight control system may go undetected, because not enough human-in-the-loop testing is performed
- Pilots may not be adequately trained to understand the philosophy of the automation design when the functionality is being automatically degraded in particular situations for reasons know only to the software
Each of the hazards I bolded above—i.e., all but the first—all seem to have befallen the two Boeing MAX flights that ended in devastating crashes.
FAST continued to study the automation AoC as it evolved, and in 2016, in a report called “Aviation Safety Concerns for the Future,” the authors wrote that “Although the increasing reliance on flight deck automation has been a major factor in the current favorable safety record of western commercial aviation, the misuse/misunderstanding of automation has been implicated in certain high-profile accidents.”
They looked back on at least five flights where crashes were attributable to automation surprise, like Air France Flight 447, where confusion over both an automated control stick and a computer system that intervened with misinformation at a crucial moment contributed to a dramatic crash that killed all 228 passengers onboard the Airbus A330-200 plane. (Interestingly, at the time of that crash, Boeing was publicly resistant to employing too much automation. While Airbus used control sticks that pilots could quickly program and release—leaving them in what can appear to copilots to be a neutral position, which is one of the sources of confusion in the 447 crash—Boeing still used easily identifiable “old-fashioned” levers that resembled their mechanical forebears, and declined to embrace “auto-throttling” in its cockpits as Airbus did.
“In each of the accidents listed in Table II automation surprises led the crews away from appropriate action,” the FAST report explains. “It is yet unclear whether revised training - e.g., upset recovery training, new procedures or design changes can prevent the occurrence of such cases in the future, because we do not fully understand human decision making in unusual situations,” before calling for further research into behavior around automated systems.
As FAST points out, automated systems have improved safety in a great number of ways, and have likely prevented a good many accidents—but that’s no excuse for ignoring the hazards that arise by bringing new automated systems onboard. Especially hazards that were explicitly pointed out by aviation safety groups with a large public footprint over a decade ago. Yet this keeps happening—Boeing’s Max planes are merely the latest and perhaps particularly egregious example.
Ultimately, 346 people have lost their lives apparently due, in part, to automation surprise. But if Boeing had done its homework, and hadn’t cut corners to keep costs down, there’s a good chance there would have been no such shock. And maybe, no fatalities.
I’ve reached out to the FAA for comment on whether they’re aware of the FAST report and its recommendations and will update if I hear back. Thanks to Hugh MacMillan for the tip.