If I was Paul Krugman, I’d have labelled this column “wonkish”. Or maybe “nerdly”.
This is a little off the beaten path, but it occurred to me that readers might be puzzled by the media discussion surrounding recent disasters involving the Boeing 737-MAX series. Two such aircraft crashing over a span of a few months is almost unheard of, these days. Why these airplanes? Isn’t the 737 one of the oldest and most reliable designs currently in widespread service? Haven’t there been literally thousands of the things flying around for years and years, with nothing alarming to report? Why now, suddenly, is it possible they have a design flaw? And what is this talk about the planes doing things their pilots neither commanded nor were able to stop?
Good questions!
First, yes, the 737 is about as tried and true an aviation design as could possibly exist, quite like the DC-3 was, back in the day. Production began way back in 1967, when I was only 6 (and had my whole life ahead of me, with no way of knowing that it would turn out like this). More than ten thousand have been built, with orders on Boeing’s books for thousands more, and the 737’s presence at any international airport you’re likely to visit is so ubiquitous as to render it almost generic – to just about everybody, this is what a medium range, medium haul airliner looks like. I’m reading here in Wikipedia that at any point during the day, any day of the year, something like 1,250 of these things are going to be airborne all over the world. God only knows how all of this translates into flight hours and air miles, but it’s safe to conclude that if there was something fundamentally wrong with the basic design, we’d have found out about it decades ago.
Modifications have of course been made at regular intervals, but over the decades, the changes to the original have been quite incremental. The object of the exercise is to transport as many large primates as possible over the greatest possible distance, while using the least amount of fuel, and thus the modifications to any civil airliner are apt to be tweaks to the length of the fuselage (more primates!), modification to certain aspects of the aerodynamics of the wings (better lift and airflow characteristics) or a change-out of the engines (better fuel consumption). You might well respond that changes to wings, fuselage and engines are, actually, changes to everything that matters, but the point is that these are generally not revolutionary alterations, when looked at in isolation. At a casual glance, most of the differences that result wouldn’t jump out for most people. For example, the original 737 engines and their cowlings looked like this:
As engine technology improved, the face of the turbofan moved forward and became wider, like so:
The latest MAX versions sport state of the art turbofans, which are far more fuel-efficient – more on these later:
Nothing very radical, at first glance (though those engines are starting to look a little big for their mounts, aren’t they?). Aerodynamically, before the MAX series, the most visually prominent changes have been to the wingtips, which began to sport “winglets”, vertical surfaces designed to corral the messy flow of air around the tips, known as “vortices”, and convert them from something that causes drag into energized flows of air that produce lift:
The snazzy winglets on the MAX series are obviously the product of some highly advanced aerodynamic analysis, and look very cool:
There are plenty of improvements in the cockpits, too, of course. This is what a 737 cockpit used to look like:
This is what’s referred to today as a “steam gauge” instrument layout, full of analog dials, knobs, buttons and displays with moving needles.
This is what the 737 flight deck looks like now:
This would be better, then.
In fact, almost everything is better, either by a little or a lot, while at first glance nothing has been done to alter the most basic aspects of the design. It’s not as if they changed wing sweep angle, or width of fuselage, or lengthened it too much – so what could have changed so significantly for the worse that the planes start crashing?
Well, a couple of things, one aerodynamic, one electronic.
The immediate cause of the crashes seems – stress seems at this point – to do with changes that have occurred invisibly under the skin, in the flight control systems, the mechanical and electronic means by which the pilot, holding a wheel or yoke in the cockpit, tells the aircraft what to do.
When the 737 began life, flight controls had evolved beyond the mere pulleys and cables that were typical of WW II aircraft, but they were still mechanical – that is, the pilot’s control column was actually connected to something physical that moved, which movements determined how the rudders, flaps and so on would behave, via direct mechanical connections. To oversimplify, they were a lot like the power steering systems then coming into common use in automobiles, and used hydraulic pressure to boost the power of the control inputs – they were thus “hydro-mechanical”. This made big planes with big control surfaces much easier to handle, and the stick and rudder work was no longer a tax on the pilot’s physical strength.
Modern airliners are replacing these decidedly analog control systems with what are known as “digital fly-by-wire” systems, which operate much differently. A “fly-by-wire” system is named for the way it provides for a functional connection between what the pilot does in the cockpit, and the surfaces of the plane that control how it flies. There are no more mechanical linkages. Instead there are thin wires, with electrically-powered “actuators” at the business ends that move the flaps, rudders etc. As the pilot manipulates the stick, electric signals are sent down the wires to the actuators, and while the systems are designed to make it feel as if the aircraft is being controlled in the usual way, through devices that provide “artificial feel” to the stick – for example by making the stick a little harder to pull when the pilot is demanding more strenuous maneuvers – the pilot is, in effect, phoning it in. His stick isn’t connected to anything but a black box. He could just as well be pushing buttons, except this would be a horrible “human-machine interface” that wouldn’t work very accurately or efficiently.
Early fly-by-wire systems had several advantages over the prior kit, being much lighter, less prone to mechanical failure, and more responsive, the movement of control surfaces being more “crisp” and rapid. They were still, however, analog devices. It was electrical voltages, not streams of ones and zeroes, that were carrying the signals.
The first analog fly-by-wire systems were being deployed in military aircraft back in the mid-1960s, but the real change came with digital fly-by-wire systems, which – again to oversimplify – put a computer in the loop. In these systems, when the pilot moves the stick, this sends a signal to the computer, and the computer then turns that signal into commands that it further transmits to the actuators that move the control surfaces. In these systems the pilot, in a sense, is not flying the airplane at all – she’s telling the computer how she wants it to fly the machine.
Why do this? The initial impetus came from military aircraft designers. I’ll try to make a long story short here, as I can sense you’re already dozing off, but one of the biggest design challenges confronting the manufacturers of fighter aircraft is the fundamental tension between stability and agility. Any safe airplane should be inherently stable – it should tend to remain straight and level, and keep doing what it’s doing, without requiring constant work at the pilot’s end. On the other hand, to be agile – to be able to suddenly depart level flight and turn, bank, roll, and so on in the wink of an eye – it would be better if an aircraft was inherently unstable. It should, to be anthropomorphic, want to stop flying straight and level, and ideally it should want that very badly.
Digital fly-by-wire allows the designers to eat their cake and have it too. You can begin with an aircraft that’s designed to be very unstable, which would be very hard for a pilot using the old control systems to even keep in the air. The plane thus has a natural tendency to be a sort of flying bucking bronco. This would be ludicrously dangerous, except in the digital system the computer, which tells the plane what to do on behalf of the pilot, also works behind the scenes, without the pilot’s input, to keep the aircraft in stable flight until the pilot wants to do something that draws upon the deep well of available inherent instability. As the pilot sits there, perhaps doing nothing at all, the computer is ordering literally thousands of little control movements per minute, keeping the aircraft in what seems to the human operator like normal, effortless, steady flight. When, however, the pilot orders a sudden maneuver, the computers exploit the aircraft’s inherent instability, and very rapid, very radical departures from level flight are possible.
The first modern fighter to use digital fly-by-wire was the F-16, which gained the nickname “electric jet” when it first entered service. The F-16 was very nice to fly, all sedate and easy to handle, until the pilot ordered, say, a sudden banking turn, at which point the fighter could snap into a 9-G bat-turn so fast that it could literally knock the pilot unconscious. One second it’s a Sunday drive, and the next a force equal to nine times normal gravity is forcing the blood out of your brain and down towards your feet. Dealing with the sudden onset of high-G has been a crucial facet of pilot training ever since, and G-induced loss of consciousness, the dreaded “GLOC”, remains a serious threat.
The ability of the computers to keep a plane in level flight without pilot input, no matter how unstable it was, was also crucial to getting the F-117, the first stealth “fighter” of Desert Storm fame, into the sky. The F-117 was actually no fighter at all – it was a small bomber. It didn’t have a prayer of coming out on top in any sort of dogfight, and was designed to avoid such things, as well as the threat of anti-aircraft weapons, by being hard to detect on radar. Why fight your way in, when you can be sneaky about it and come and go unseen? The problem was, with the computer design power then available, the only method they could use to create an aircraft that scattered and dissipated incoming radar signals was to render the plane into a faceted shape that looked quite like a cut gem. All the flat, faceted surfaces were pointing off in different directions, and thus a radar pulse that hit the F-117 was deflected all over the sky, rather than bouncing back to the radar that sent it.
Great, but if your aircraft is designed according to the laws of radar wave propagation, rather than aerodynamics, it becomes a bit of a basket case in the flying department. All those flat facets created an unholy mess in the airflow, and in early tests the plane was nicknamed the “Wobbly Goblin” for its tendency to do quite violent things when you least expected them; it was said that the prototypes did “everything but flip over on their backs when you taxied down the runway”. In earlier times this would have been a fatal flaw, but with digital fly-by-wire, the computers could be programmed, after much trial and error, with “flight control laws” that provided for stable flight, even as the Wobbly Goblins fought like hell to flip over and crash. Once perfected, the fly-by-wire system’s use of the computer as intermediary between pilot and aircraft allowed the electronics to do all the heavy lifting involved in just keeping the damned thing in the air, apparently placid, while the pilot then layered his own commands on top. In between doing what the pilot wanted, the computers were labouring furiously, tirelessly, and continuously to keep the plane from departing controlled flight.
The computer algorithms in fly-by-wire systems are called “control laws” for a reason. They are, quite literally, the law. The flight control systems are designed these days to take note of what the pilot has ordered, but to overrule him if he’s asking for something stupid. An F-16 jockey might yank his stick in such a way that he’d throw the plane into a spin, or stall it out, or over-stress the airframe, if the computer simply relayed his commands. But the computer won’t do it. It will allow the pilot the next-best safe maneuver. For example, the F-16 is limited to flying such that its angle of flight differs from its direction of flight – the “angle of attack”, familiar to any kid who’s played in a car by thrusting her hand out the window and into the airstream – to 26 degrees. That’s a “hard limit”. The pilot can yank and push as hard as he likes, but the plane won’t exceed 26 degrees AOA. Other control laws stop the plane from exceeding its 9-G stress limit – again, the pilot can order a turn that would rip the plane’s wings off, except the plane will flat-out refuse to do it. You can have 9 Gs, buster. No more.
In some planes, particularly Russian fighters, the pilots can override the fly-by-wire limiters if they choose. In others, like most Western designs, the planes are more paternalistic. They know what’s best. You can’t override them. Sorry, sonny, that’s just not safe. You’ll put your eye out, kid. Some pilots over the years have bridled at this. They’ve given control laws that can’t be over-ruled by human operators a derisive nickname: “fascist software”.
The benefits of such fascist software to aircraft safety are obvious, and this is what makes digital fly-by-wire systems an attractive option for airliners, which have no need for inherent instability or banking into 9-G turns. Human brains being prone to error as they are, it’s simply much safer when the computers know best. They won’t permit the inevitable human errors to matter. If the pilots do something silly, the flight control system will refuse to go along, and do something safe instead. There is no doubt whatever that this is a sound way of doing things, but sometimes there are unintended consequences. Sometimes, very nearly never, but sometimes, the computer gets it wrong.
For example, fascist software was to blame when this very expensive F-22 prototype did this – advance to the one minute mark:
Some quirk in the algorithms interpreted the current flight state improperly, and the computer decided it had to do something about it fast, ordering the plane to use its huge tail surfaces to paddle through the air like a deranged duck. KABOOM. (The pilot was unharmed). Still a few bugs to iron out at that point.
It’s not always flaws in the software, but bad information, that causes the problem. A few years ago this hugely, nay grotesquely expensive B-2 stealth bomber crashed on takeoff, fighting the pilots all the way, because one of the little probes that gauge airflow – one of the “air-data sensors” – got clogged with water rammed into it by heavy rain, and sent the computers erroneous information about airspeed and angle of attack. Given what they were being told, the computers reacted appropriately, it’s just that they were being told the wrong things. The pilots were up front yanking and straining, but the system knew best, and ignored what the fallible meat computers were telling it to do until you got this:
Pity, that. There were only 21 B-2s built, each of which cost about 900 million 1997 dollars, you know, with all the spare parts thrown in, plus the genuine Corinthian leather seats and the quad cupholders – 2.1 billion each, if you pro-rate the entire research and development program cost on a per-airframe basis. Still – KABOOM. The control laws don’t care how expensive the plane is. (The pilots were again OK).
Which brings us back to the tried and true 737, and the possible problems with the MAX series. These planes employ flight computers that can take over the aircraft – the MAX design is not fully fly-by-wire, but a hybrid, with fly-by-wire controls for a few of the primary flight control surfaces. For our purposes, what matters is not the mechanics of how it’s done, but the operating principle, which is computer override when flight safety is interpreted to require it. It seems that at certain points in the “flight envelope”, the computers are ordering things that they’ve decided are necessary, but which may in fact be fatal. This could be a problem with the control laws, or the processing of information from the air-data sensors, or something else – the investigation is in its early days. However, the occurrence of two crashes so close together points to something more serious than a fluke such as, for example, a clogged or broken air data sensor. Is there something else – something the flight control system is meant to deal with, but for some reason can’t? What could that be, in such a proven design? If humans using the old analog systems had no problem with the 737, why on Earth should the computers be flummoxed? A simple programming gaffe? Or something else?
Something else, apparently. As further details have emerged, a protracted and ongoing series of incremental changes to the aerodynamics, one that can be detected by looking carefully at juxtaposed images of the 737 as it has progressed through generations of improvements, is now being cited as crucial to understanding what’s going on. It has to do with the engines.
When it began life, the 737 had slender engines mounted directly beneath the low-slung wings. This is the prototype:
The engines look to be located almost perfectly to promote stability, with the weight distributed right where the plane is producing the most lift off the wings – thus the center of gravity and the center of lift are aligned, and this creates a docile, well-balanced flying machine that tends to fly level.
Later generations have been designed to capitalize on improved engine technology, using powerplants that are more powerful, more fuel-efficient, less prone to noxious emissions, and even quieter. Great strides have been made, but with the effect, for various reasons, that the engines have become progressively larger, particularly in diameter, as the “fan stage”, the disc that mounts the blades at the front of the engine, has grown in size. This is a 737-500, a mid-life version typical of those produced from 1984 to 2000:
Look at the engines now. They’ve grown too large to mount directly under the 737’s low-mounted wings – there wouldn’t be enough clearance for them on the ground. So, the engines are pushed forward, and mounted a little higher. The weight, therefore, is beginning to creep forward of the center of lift, something that was probably addressed by other changes – perhaps moving some fuel tanks a little further aft (just a thought – I have no idea).
The latest 737 MAX airframes mount ultra-modern turbofans that greatly increase fuel efficiency, the most crucial factor in aircraft profitability, and one that pits Boeing in fierce competition with rival Airbus. These are the”LEAP” series of engines – LEAP stands for Leading Edge Aircraft Propulsion – produced by CFM, a joint venture between General Electric and French multinational Safran. LEAP engines are touted by GE as bringing “double-digit improvements in fuel efficiency, emissions and noise, with the legendary reliability and low cost of ownership of its predecessor”, the CFM-56. Fuel consumption is claimed to be reduced by as much as 15% of the predecessor engines, a huge advantage, and one immediately seized by Airbus, who have been busy installing LEAP propulsion on its 320 series, the most direct competitors to the 737 in the global marketplace. Boeing was compelled to install the engines on its new 737 series aircraft if it wanted to stay competitive.
LEAP engines are quite large – bigger than anything mounted before on a 737. This image of an Airbus 321 mounting the new powerplants gives some illustration:
Here it is on the 737 MAX:
Compare the above with the prior generation of engines:
Look how high, and far forward, the engines are in the middle picture above. I don’t have the credentials to know for sure, but this certainly looks to be pushing the weight of the engines about as far in front of the center of lift as one dares on a civilian airliner. If any such redistribution of weight is too large to be counteracted by shifting other things around inside, and assuming nothing is done to the wings, tail, etc., you end up creating just the sort of weight vs. lift distribution that fighter aircraft designers use to deliberately create the inherent instability of the fly-by-wire generation of fighters. While the degree of inherent instability will, of course, be nowhere near what’s built into something like an F-16, it’s possibly still enough, other things being equal, to sometimes make the plane dangerously unstable at higher angles of attack, like those that can be reached at takeoff.
Ah, but other things aren’t equal. The new 737 has some elements of a digital fly-by-wire control system that can be programmed to redress the issue, and maintain safe, stable flight – the Maneuvering Characteristics Augmentation System (MCAS), which imposed control laws that were designed to counteract any instability that might occur. In the 737’s case, the new design might tend to go “nose up”, and point skyward at an angle that could cause the plane to stall, if nothing was done to prevent it. The MCAS would prevent it. And that’s where the problem seems to be.
The suspicion is that the MCAS is mistakenly ordering a sudden downward movement of the nose, the textbook countermeasure to a pending stall. The pilots in these planes are able to disengage the computers and take over, but they may not have the time, the presence of mind, or the proper training to do so. This is from Vox, on what investigators think happened to the Lion Air 737 MAX that crashed a few months back in Indonesia:
The Boeing 737 Max 8 model of the Ethiopian Airlines flight is the same model of the Indonesian airline Lion Air Flight 610 that crashed in October, killing all 189 people on board. In November, investigators determined in an initial probe that pilots were engaged in what CNN described as a “futile tug-of-war with the plane’s automatic systems” minutes before the crash. A sensor erroneously reported that the plane was stalling and erroneously sent the plane nose down, and pilots couldn’t override it. Investigators also concluded that the plane was “no longer airworthy” when the crash occurred.
https://www.vox.com/2019/3/12/18262359/boeing-737-max-controversy-faa-trump
A futile tug of war with the plane’s automatic systems. That is, a losing battle with the fascist software. That’s how a design with a safety record like that boasted by the 737, with decades of operation and perhaps billions of incident-free air miles under its belt – but changed enough that it now relies on computers to keep it on the straight and narrow – can suddenly start ploughing itself into the ground.
If something as inherently unstable as a modern fighter can be made safe by computerized flight control systems, there was every reason to expect that the latest 737 could be kept within stable flight parameters. I doubt the plane is aerodynamically compromised to the point that it can’t be made to behave properly, not if the Wobbly Goblin could be made docile with the technology available 40 years ago. The fix may be as easy as downloading a software patch, just as you would on your home computer. This is what Boeing is now proposing as the solution.
Whether the public is happy to fly on a plane that’s even a bit like an F-117, and wouldn’t be safe but for the computers working hard to iron out the unfortunate flight characteristics, is another question.
Woe to Boeing, if it turns out that they rushed the jets into production before they’d done sufficient testing, or worse, knew of the issues and accepted that there were aerodynamic glitches that weren’t yet perfectly addressed in the flight control system, but figured the plane was safe enough for now and that they could fix that up later. Never mind the morality of taking such a risk; this is the kind of callous corporate decision that kills trust in a manufacturer’s whole product line, and puts a company in a position to be sued into oblivion. Boeing has a great deal on the line here.
Make no mistake: computers that take over when human error is evidenced by flight data instruments make aircraft much, much safer. This is incontrovertible. But nothing is 100% safe, and in the air, as everywhere else these days, we find ourselves at the mercy of electronic brains that mean well, but can still screw up, however rarely. Sometimes it may be a previously undetected flaw in the software. Sometimes it may be a random glitch in a five dollar part that screws up the air data sensors. Sometimes, it may even be because the manufacturer decided to accept the risk – which might be, but hopefully isn’t, what Boeing did with the latest 737. That doesn’t mean planes aren’t getting safer. It just means that nothing can be fully immunized against certain minimum, irreducible risks, some of them inherent in the limits of all technology, some of them arising from the rare but terrible failings of human nature.
Something to keep in mind, and to keep in perspective, as we transition to self-driving automobiles.
Update: Not looking good for Boeing:
https://www.cnn.com/2019/05/15/us/boeing-737-max-audio-meeting-with-pilots/index.html
the needlefish 