Boeing has long embraced the power of redundancy to protect its jets and their passengers from a range of potential disruptions, from electrical faults to lightning strikes.
The company typically uses two or even three separate components as fail-safes for crucial tasks to reduce the possibility of a disastrous failure.
Its most advanced planes, for example, have three flight computers that function independently, with each computer containing three different processors manufactured by different companies.
So even some of the people who have worked on Boeing’s new 737 MAX aircraft were baffled to learn that the company had designed an automated safety system that abandoned the principles of component redundancy, ultimately entrusting the automated decision-making to just one sensor — a type of sensor that was known to fail.
Boeing’s rival, Airbus, typically has depended on three such sensors.
“A single point of failure is an absolute no-no,” said one former Boeing engineer who worked on the MAX, who requested anonymity to speak frankly about the program in an interview with the Seattle Times.
“That is just a huge system engineering oversight. To just have missed it, I can’t imagine how.”
Boeing’s design made the flight crew the fail-safe backup to the safety system known as the Maneuvering Characteristics Augmentation System, or MCAS.
The Times has interviewed eight people in recent days who were involved in developing the MAX, which remains grounded around the globe in the wake of two crashes that killed a total of 346 people.
A faulty reading from an angle-of-attack sensor, or AOA — used to assess whether the plane is angled up so much that it is at risk of stalling — is now suspected in the October crash of a 737 MAX in Indonesia, with data suggesting that MCAS pushed the aircraft’s nose toward Earth to avoid a stall that wasn’t happening.
Investigators have said another crash in Ethiopia this month has parallels to the first.
Boeing has been working to rejigger its MAX software in recent months, and that includes a plan to have MCAS consider input from both of the plane’s angle-of-attack sensors, according to officials familiar with the new design.
“Our proposed software update incorporates additional limits and safeguards to the system and reduces crew workload,” Boeing said in a statement.
But one problem with two-point redundancies is that if one sensor goes haywire, the plane may not be able to automatically determine which of the two readings is correct, so Boeing has indicated that the MCAS safety system will not function when the sensors record substantial disagreement.
Some observers, including the former Boeing engineer, think the safest option would be for Boeing to have a third sensor to help ferret out an erroneous reading, much like the three-sensor systems on the airplanes at rival Airbus.
Adding that option, however, could require a physical retrofit of the MAX.
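The two-versus-three sensor trade-off described above, written out as an added worked example (this is illustrative code added here, not part of the original article and not Boeing's or Airbus's flight software): with two channels a disagreement can be detected but not isolated, so the only safe automatic response is to inhibit the function and leave the decision to the crew; with three channels a mid-value select also isolates the faulty channel and the function can keep operating. The disagreement threshold and all readings are constructed values for the example.

```python
"""Sensor-redundancy voting: dual-channel inhibit versus triple-channel
mid-value select.

Illustrative code only. It is not Boeing's or Airbus's software; the
threshold and every sensor value used here are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed tolerance: two angle-of-attack readings (degrees) that differ by
# more than this are treated as "substantial disagreement".
DISAGREEMENT_THRESHOLD_DEG = 5.0


@dataclass(frozen=True)
class VoteResult:
    value: Optional[float]   # reading handed to the automation, or None if inhibited
    valid: bool              # whether the automation may act on `value`
    reason: str              # explanation for logs and maintenance records


def two_sensor_vote(a: float, b: float,
                    threshold: float = DISAGREEMENT_THRESHOLD_DEG) -> VoteResult:
    """Dual-redundant compare.

    With only two readings a fault can be detected (the channels disagree)
    but not isolated (which one is wrong?), so the function is inhibited and
    the crew becomes the fallback.
    """
    spread = abs(a - b)
    if spread > threshold:
        return VoteResult(None, False,
                          f"sensors disagree by {spread:.1f} deg; function inhibited")
    # Readings agree: average them to smooth ordinary sensor noise.
    return VoteResult((a + b) / 2.0, True, "sensors agree")


def three_sensor_vote(readings: Sequence[float],
                      threshold: float = DISAGREEMENT_THRESHOLD_DEG) -> VoteResult:
    """Triple-redundant mid-value select.

    With three readings a single erroneous channel can be both detected and
    isolated: the median is never the lone outlier, so the function continues
    on the median while the deviating channel is flagged.
    """
    if len(readings) != 3:
        raise ValueError("three_sensor_vote expects exactly three readings")
    median = sorted(readings)[1]
    outliers = [i for i, r in enumerate(readings) if abs(r - median) > threshold]
    if not outliers:
        return VoteResult(median, True, "all three sensors agree")
    if len(outliers) == 1:
        return VoteResult(median, True,
                          f"sensor {outliers[0]} rejected as outlier; continuing on median")
    # Two channels deviate from the median: there is no majority, so inhibit.
    return VoteResult(None, False, "no two sensors agree; function inhibited")


if __name__ == "__main__":
    # Constructed scenario: one of the channels fails high to 70 degrees.
    print(two_sensor_vote(5.0, 70.0))          # inhibited: cannot tell which is wrong
    print(three_sensor_vote([5.0, 5.4, 70.0]))  # continues on 5.4, flags channel 2
```

The three-channel voter also covers the case the article does not spell out: if two channels deviate from the median there is no majority, and the voter inhibits just as the two-channel compare does.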
Andrew Kornecki, a former professor at Embry-Riddle Aeronautical University who has studied redundancy systems in Airbus and Boeing planes, said operating the automated system with one or two sensors would be fine if all the pilots were sufficiently trained in how to assess and handle the plane in the event of a problem.
But, he said, if he were designing the system from scratch, he would emphasize the training while also building the plane with three sensors.
“As they say, belt and suspenders,” Kornecki said.