Incident 3: Crashes with Maneuvering Characteristics Augmentation System (MCAS)

Description: A Boeing 737 crashed into the sea, killing 189 people, after faulty sensor data caused an automated maneuvering system to repeatedly push the plane's nose downward.
Alleged: Boeing developed and deployed an AI system, which harmed Airplane Passengers and Airplane Crew.

Suggested citation format

Olsson, Catherine. (2018-10-27) Incident Number 3. in McGregor, S. (ed.) Artificial Intelligence Incident Database. Responsible AI Collaborative.

Incident Stats

Incident ID: 3
Report Count: 19
Incident Date: 2018-10-27
Editors: Sean McGregor

Incidents Reports

Possible faulty equipment that led to the crash of Lion Air Flight 610 was the same sort of sensing gear that contributed to the crash of an Air New Zealand A320 off Perpignan 10 years ago.

A failure of air flow monitoring pitot tubes on board the Lion Air Boeing 737 has been cited as a possible contributor to yesterday's crash off Indonesia which killed 189 people.

A report in the New York Times says the erratic flight path before the high speed plunge indicated a problem with the pressure sensitive instruments near the nose of the plane.

"The erratic flight path makes us suspect a problem with the pitot-static system," said Gerry Soejatman, an Indonesian aviation expert.

Data from the flight indicated an "erratic climb and ground speed problem", leading him to suspect a problem with the instruments had also been an issue then.

Several plane crashes have been blamed on blockages or other problems with pitot tubes which resulted in erroneous speed or altitude readings, the Times reported.

In November 2008 an Airbus A320 that had been leased by Air New Zealand to a European carrier crashed, killing two German pilots and five New Zealanders on board.

The plane had been on a routine test flight, prior to being handed back to Air New Zealand by XL Airways Germany, a charter company that had been leasing it for the previous two years.

An inquiry found that the crash was triggered by a test that was conducted at low speed and low altitude, throwing the plane into a stall from which it failed to recover.

The ill-fated manoeuvre arose especially from makeshift preparations for the exercise and poor coordination between the German and New Zealand crew on board, the Bureau d'Enquetes et d'Analyses (BEA) said after a 22-month inquiry.

But compounding their mistake was a malfunction in two out of three external probes that feed the A320's complex computerised flight system with vital data about air flow.

The plane had been repainted and rinsed by a French maintenance company three days before the test, the investigation found. Water entered these so-called angle of attack (AOA) sensors, causing them to freeze and thus skewing the avionics.

A year later, in 2009, a Rio-to-Paris Air France flight disappeared over the Atlantic with the loss of all 228 people on board. An inquiry found that the plane flew into a thunderstorm, which froze the crucial speed sensors, resulting in the pilots flying blind and leading to a mid-air stall.

Today a passenger who was on the ill-fated Lion Air aircraft a day before the crash outlined concerns about the plane.

Indonesian actress and TV presenter Conchita Caroline said her flight from Bali to Jakarta struck problems.

As the plane readied for takeoff, an engine seemed to die several times, the air conditioning was faulty and the floor beneath her felt hot to touch.

Lion Air's chief executive Edward Surat said yesterday there was a report of a technical issue from that flight but that had been resolved "according to procedure" before Flight 610 took off.

Following the crash Boeing's stock price fell by almost 7 per cent. Lion Air is an important customer for its 737s.

Possible fault in Lion Air plane similar to a cause of Air New Zealand Airbus A320 France crash

(Bloomberg) — The Lion Air jet that crashed into the Java Sea off Indonesia earlier this week had experienced problems with the sensors used to calculate altitude and speed on its previous flight, an issue that could help explain why the plane dove into the water.

Pilots on the nearly new Boeing Co. 737 Max 8 reported the issue after flying from Denpasar to Jakarta the night before the accident, Lion Air spokesman Danang Mandala Prihantoro said Wednesday. The instruments were checked by maintenance workers overnight and the plane was cleared to fly, Prihantoro said.

While it will be days or weeks before definitive information emerges in the crash shortly after takeoff with 189 people aboard, discrepancies in speed and altitude readings can cause confusion in the cockpit and have led to accidents in the past, including the 2009 crash of an Air France plane in the Atlantic Ocean.

Flight-tracking data before the two-month old Lion Air jet crashed showed the plane was varying its altitude and speed, a possible indication that the pilots weren’t getting accurate information from the aircraft’s air-pressure sensors.

Erroneous sensors could be an explanation for the flight track data, said John Cox, president of Safety Operating Systems and a former airline pilot. But Cox and others cautioned that it’s too soon to say what happened on the Lion Air flight and some of the flight data — such as speeds that weren’t extreme and none of the highly abrupt maneuvers that preceded the Air France jet’s loss of control — may suggest some other cause.

Indonesia’s National Search and Rescue Agency has picked up signals from so-called pingers on the Flight JT610’s crash-proof flight recorders.

“We have located the area where we strongly believe the plane’s black box is located. The large parts of the aircraft should be nearby,” National Military Chief Hadi Tjahjanto said.

Inspections of the 737 Max 8 aircraft operated by Lion Air and Garuda Indonesia since the accident found no technical issues, according to a statement by the country’s Transport Ministry. A review of maintenance documents found no additional issues were reported on the airspeed and altimeter system in the past 3 months.

Investigators from around the world, including a team from Boeing, are onsite poring over evidence. For now, the planemaker has told 737 Max operators that it doesn’t recommend they take any action at this time.

Even with modern GPS tracking, planes need to calculate their precise speed through the air. To determine airspeed — which can vary substantially compared to the speed over the ground due to winds — aircraft rely on Pitot tubes which measure the air rushing into them.

By comparing that pressure against the ambient air pressure — which is obtained by what are known as static ports — aircraft can determine airspeed.

If either of the pressure sensors is blocked, it can cause erroneous readings. In the case of the Air France flight, investigators concluded that a high-altitude ice storm clogged the Pitot tubes.

Jetliners are equipped with three separate airspeed sensor systems as backups. If one goes bad, pilots are trained to check the other readings and disregard the one that’s incorrect.

United Technologies Corp. is a supplier of the systems to the 737 Max, according to Airframer.com, a website that tracks suppliers of aircraft components. A company representative said she wasn’t immediately able to confirm whether its equipment was on the Lion Air plane.

Lion Air and investigators haven’t provided details about the issue on the previous flight Sunday night. Data provided by flight tracking company FlightRadar24 showed that the jet took off and reached an altitude of 5,550 feet (1,692 meters), then dropped to 4,625 feet, an unusual altitude loss at a time when aircraft normally climb steadily.

The plane then resumed its climb, but never exceeded 28,000 feet. Jetliners usually don’t fly below 30,000 feet because cruising at the lower altitudes is less fuel efficient. However, planes with partially malfunctioning altitude sensors aren’t allowed above 28,000 feet.

“Every aircraft that we have will go through transit, pre-flight and post-flight checks,” said Lion Air’s Prihantoro. “We are conducting inspection and maintenance if needed on every aircraft.”

Air France

Indonesia’s National Transportation Safety Committee, which is leading the investigation, has interviewed pilots from the previous flight, Ony Soerjo Wibowo, an investigator, told a news conference on Tuesday.

In the Air France accident, investigators concluded that the Pitot tubes had become clogged with ice and all three of the plane’s speed indicators failed at different times, according to the final report of France’s Office of Investigation and Analysis.

The routine flight from Rio de Janeiro to Paris was interrupted with a cacophony of alarms and confusing informatio

Lion Air Jet Had Airspeed Sensor Failure on Previous Flight

ZHUHAI, China, Nov 7 (Reuters) - Boeing Co said on Wednesday it had issued a bulletin to airlines reminding pilots how to handle circumstances where there was erroneous data from “angle of attack” sensors, in the wake of the Lion Air crash in Indonesia last week.

The manufacturer said in a statement that the Indonesian National Transportation Safety Committee had indicated that the Boeing 737 MAX jet involved in the crash, which killed all 189 people on board, had experienced erroneous input from one of the sensors.

The angle of attack probe measures the attitude of the plane relative to the air flow and provides crucial data for flight controls. An angle that is too high can throw the aircraft into an aerodynamic stall.

The Boeing statement did not say whether its advice was specific to the 737 MAX or included other aircraft models. (Reporting by Tim Hepher in Zhuhai, China; Writing by Jamie Freed; Editing by Muralikumar Anantharaman)

Boeing issues bulletin for pilots after Lion Air sensor data error

Lion Air plane had angle of attack sensor replaced prior to crash; Boeing issues safety reminder

A crucial sensor that is the subject of a Boeing safety bulletin was replaced on a Lion Air jet the day before it plunged into the Java Sea and possibly worsened other problems with the plane, Indonesian investigators have revealed.

Key points:

- Boeing issues safety bulletin reminding pilots how to handle erroneous data from key sensor
- The angle of attack sensors were replaced on the plane's second-to-last flight
- Chairman of Indonesia's NTSC says airspeed indicator malfunctions were intertwined with the sensor issue

Indonesia's National Transportation Safety Committee (NTSC) said it had agreed with Boeing on procedures that the airplane manufacturer should distribute globally on how flight crews can deal with "angle of attack" sensor problems following the October 29 crash that killed all 189 people on board.

Experts say the angle of attack is a crucial parameter that helps the aircraft's computers understand whether its nose is too high relative to the current of air.

The sensor keeps track of the angle of the aircraft nose relative to oncoming air to prevent the plane from stalling and diving.

But a Boeing statement said a safety bulletin, sent to airlines this week, directs flight crews to existing guidelines on how they should respond to erroneous "angle of attack" data.

It was not immediately clear whether Boeing was planning to update the guidelines, though comments from Indonesian officials indicate they expect so.

Airspeed indicator malfunction and sensor issue linked

Transport safety committee chairman Soerjanto Tjahjono said airspeed indicator malfunctions on the jet's last four flights, which were revealed by an analysis of the flight data recorder, were intertwined with the sensor issue.

"The point is that after the AOA [sensor] is replaced the problem is not solved, but the problem might even increase. Is this fatal? NTSC wants to explore this," he said.

Lion Air's first two attempts to address the airspeed indicator problem did not work, and for the Boeing 737 MAX 8 plane's second-to-last flight on October 28, the angle of attack sensors were replaced, Mr Tjahjono said.

On that flight, from Bali to Jakarta, the pilot's and co-pilot's sensors disagreed.

The two-month-old plane went into a sudden dive minutes after take-off, which the pilots were able to recover from. They decided to fly on to Jakarta at a lower-than-normal altitude.

Indonesian investigators said their flight procedure recommendations to Boeing were based on how the flight crew responded to problems on the Bali to Jakarta flight.

"The draft of what will be conveyed by Boeing this morning has been presented to us," air accident investigator Nurcahyo Utomo said.

"There are some things that we ask for explanation and some that we ask to be removed, and there has been an agreement between NTSC and Boeing to release a new procedure to all Boeing 737 MAX users in the world."

Indonesia's search and rescue agency extended the search effort on Wednesday for a second time, saying it would continue until Sunday.

Body parts are still being recovered and searchers continue to hunt for the cockpit voice recorder.

The plane hit the water at very high speed just 13 minutes after take-off from Jakarta. Its flight crew had requested permission to return to the airport several minutes after taking off.

The Lion Air crash is the worst airline disaster in Indonesia since 1997, when 234 people died on a Garuda flight near Medan.

In December 2014, an AirAsia flight from Surabaya to Singapore plunged into the sea, killing all 162 on board.

Lion Air is one of Indonesia's youngest airlines but has grown rapidly, flying to dozens of domestic and international destinations. It has been expanding aggressively in South-East Asia, a fast-growing region of more than 600 million people.

AP/Reuters

Lion Air plane had angle of attack sensor replaced prior to crash; Boeing issues safety reminder

A Boeing Co. warning to 737 Max operators around the globe provides the first clues about how bad data from an airflow sensor might have contributed to the deadly crash of an Indonesian airliner last week.

The bulletin and statements by Indonesian investigators suggest that the pilots on the Lion Air 737 Max 8 were battling the plane as its computers commanded a steep dive during its final moments of flight.

Boeing cautioned that the so-called angle-of-attack sensor can provide false readings in limited circumstances — such as when a plane’s autopilot is switched off — that cause the 737 Max to pitch nose downward. The sensor malfunction can essentially trick the plane into pointing its nose down to gain the speed it thinks it needs to keep flying.

The Boeing directive doesn’t call for operators to conduct new inspections or take other action. It merely stressed that pilots should follow procedures in the flight manual when encountering erroneous data. Following the protocol should be routine for pilots, though may be more challenging in the heat of the moment when equipment is malfunctioning and alarms are sounding.

American aviation regulators followed by issuing an emergency order Wednesday requiring that airlines follow Boeing’s instructions and add information to pilot manuals showing how to diagnose the problem and respond. Carriers will have three days to update their manuals under the order, issued by the Federal Aviation Administration, according to an emailed statement.

The FAA said the problem “could cause the flight crew to have difficulty controlling the airplane, and lead to excessive nose-down attitude, significant altitude loss, and possible impact with terrain.”

The sensor on the Lion Air jet had been replaced the day before after it failed on a previous trip, the Indonesia National Transportation Safety Committee said in a briefing Wednesday. The malfunction can cause the plane’s computers to erroneously detect a mid-flight stall in airflow, causing the aircraft to abruptly dive to regain the speed it needs to keep flying.

On a previous flight from Bali to Jakarta, the angle-of-attack sensor feeding the captain’s flight displays registered a 20-degree difference from the device on the copilot’s side of the cockpit, the committee said. Pilots on that flight were able to compensate.

An angle-of-attack sensor that had been removed before that previous flight has been brought to the investigators and will be examined in the U.S., the Indonesian officials said.

It’s still possible the FAA may order Boeing to redesign the equipment or software as investigators piece together details of the Oct. 29 crash, which killed 189 people. The agency said it “will take further appropriate actions depending on the results of the investigation.”

Fresh Questions

The new information about Lion Air Flight 610 raises multiple questions investigators will want to examine on the pilots’ actions, how flight crews were trained and whether the maintenance performed on the system was adequate, said Roger Cox, a former NTSB investigator.

“I would definitely be looking at the man-machine interface and how pilots respond,” said Cox, a former airline pilot who flew earlier versions of the 737 and specialized at the NTSB in cockpit actions.

One of the puzzling things about the accident is that the plane was flying in clear skies during daylight, so pilots should have been able to handle the problems they faced with airspeed and erroneous sensors, Cox said. However, in rare instances, accidents have been caused by what investigators call a “startle factor.”

“If you don’t take the appropriate action because you’re surprised, you can make a serious error,” he said.

The pilots union at Southwest Airlines Co., the biggest customer of the 737 Max, hasn’t received any reports from its members of problems with faulty sensor readings, said Jon Weaks, president of the Southwest Airlines Pilots Association.

The airline confirmed that it hasn’t experienced any of the sensor troubles and said its 26 Max remain operational and no schedule disruption is expected.

United Technologies Corp. supplies the angle-of-attack sensors and indicator for the 737 Max, according to Airframers.net. The company didn’t respond to requests for comment. Honeywell International Inc. provides the air data inertial reference unit.

The Lion Air jetliner plunged into the Java Sea minutes after takeoff from Jakarta airport, nosing downward so suddenly that it may have hit speeds of 600 miles an hour before slamming into the water.

Moments earlier, the pilots radioed a request to return to Jakarta, but never turned back toward the airport, according to Indonesia’s safety commission and flight-tracking data. The agency said the pilots were dealing with an erroneous airspeed indication.

Boeing, which is headquartered in Chicago, said it is cooperating fully and providing technical assistance as the investigation continues. Boeing’s shares rose 1.5 percent to $372.02 at

New Clues to Lion Air 737 Max Crash Revealed in Boeing, FAA Warnings

A crucial sensor was replaced on a Lion Air jet the day before it plunged into the Java Sea, and that sensor replacement may have exacerbated other problems with the plane, Indonesian investigators said on Wednesday.

That sensor, known as the “angle of attack” sensor, keeps track of the angle of the aircraft nose to help prevent the plane from stalling and diving.

Earlier this week, Indonesian officials hinted that airspeed indicators played a role in the deadly October 29 crash that killed all 189 people on board.

The jet’s airspeed indicator malfunctioned on its last four flights, and that problem was related to the sensor issue, said Soerjanto Tjahjono, chairperson of Indonesia’s National Transportation Safety Committee, on Wednesday.

Lion Air’s first two attempts to address the airspeed indicator problem didn’t work, and for the Boeing 737 MAX 8 plane’s second-to-last flight on October 28, the angle of attack sensors were replaced, Tjahjono said.

On the October 28 flight, from Bali to Jakarta, the pilot’s and co-pilot’s sensors disagreed. The 2-month-old plane went into a sudden dive minutes after takeoff, which the pilots were able to recover from. They decided to fly on to Jakarta at a lower-than-normal altitude.

The next day, during the deadly crash, the plane hit the water at very high speed just 13 minutes after takeoff from Jakarta. Its flight crew had requested permission to return to the airport several minutes after taking off.

“The point is that after the AOA (sensor) is replaced, the problem is not solved but the problem might even increase. Is this fatal? NTSC (National Transportation Safety Committee) wants to explore this,” he said.

Even if an angle of attack sensor on a jet is faulty, there’s generally a backup system in place for the critical component, and pilots are trained to handle a plane safely if those sensors fail, airline safety experts said.

There are audio signals and physical warnings that can alert the pilot to malfunctioning equipment or other dangers, said Todd Curtis, director of the Airsafe.com Foundation.

“They should have been completely engaged in what was going on inside that cockpit, and any kind of warning that came up, they would have been wise to pay attention to it,” Curtis said.

Investigators are likely focused on how a single sensor’s failure resulted in a faulty command that didn’t take into account information from a second sensor, said John Cox, CEO of Safety Operating Systems.

“We don’t know what the crew knew and didn’t know yet,” Cox said. “We will.”

A new procedure release

Boeing, which manufactured the Lion Air plane, issues safety-related bulletins, and had previously circulated instructions about what flight crews should do if sensors fail.

Indonesia’s National Transportation Safety Committee said it had agreed with Boeing on procedures that the airplane manufacturer should distribute globally on how flight crews can deal with “angle of attack” sensor problems.

But a Boeing statement said a safety bulletin, sent to airlines on Tuesday, directs flight crews to existing guidelines on how they should respond to erroneous “angle of attack” data. It wasn’t immediately clear if it plans an update, though comments from Indonesian officials indicate they expect one.

Indonesian investigators said their flight procedure recommendations to Boeing were based on how the flight crew responded to problems on the Bali-to-Jakarta flight.

“The draft of what will be conveyed by Boeing this morning has been presented to us,” said air accident investigator Nurcahyo Utomo.

“There are some things that we ask for explanation and some that we ask to be removed, and there has been an agreement between the NTSC and Boeing to release a new procedure to all Boeing 737 MAX users in the world,” he said.

Indonesia’s search and rescue agency on Wednesday extended the search effort for a second time, saying it will continue until Sunday. Body parts are still being recovered and searchers continue to hunt for the cockpit voice recorder.

The Lion Air crash is the worst airline disaster in Indonesia since 1997, when 234 people died on a Garuda flight near Medan. In December 2014, an AirAsia flight from Surabaya to Singapore plunged into the sea, killing all 162 on board.

Lion Air is one of Indonesia’s youngest airlines but has grown rapidly, flying to dozens of domestic and international destinations. It has been expanding aggressively in Southeast Asia, a fast-growing region of more than 600 million people.

News24

Lion Air Plane Crash: Crucial 'Angle Of Attack' Sensor Replaced Before Crash

The FAA has issued an emergency directive to anyone flying the Boeing 737 MAX, the type of plane that crashed in the Lion Air Flight JH 610 incident, related to the faulty sensors that reportedly fed bad information to the pilots. Meanwhile, investigators have reported that the plane received a replacement angle-of-attack sensor (a system that measures whether the plane's nose is too high relative to the current of air) the day before the deadly crash.

As Bloomberg reported earlier this week, Boeing issued a bulletin to 737 MAX operators warning them that faulty inputs from airflow sensors could have contributed to the Lion Air crash. The Boeing statement gave few details, saying that “the investigation is ongoing.” The FAA's directive backs up that bulletin by giving anyone who flies the 737 MAX three days, starting Wednesday, to revise their airplane flight manual for that model.

The FAA said it was taking the action to “address possible erroneous angle of attack inputs” that could put the plane in a sudden dive. The FAA said airline operators need to revise the manual “to give crew Horizontal stabilizer trim procedures to follow under certain conditions.” In the U.S., the order affects American, Southwest, and United, which together operate 45 MAX jets.

Here's the official statement:

“Boeing has released a Flight Crew Operations Manual Bulletin regarding the potential for erroneous angle of attack input on 737 Max aircraft. The FAA plans to mandate the Flight Crew Operations Manual Bulletin by issuing an Airworthiness Directive (AD). The FAA continues to work closely with Boeing, and as a part of the investigative team on the Indonesia Lion Air accident, will take further appropriate actions depending on the results of the investigation. The FAA has alerted affected domestic carriers and foreign airworthiness authorities who oversee air carriers that use the 737 MAX of the agency’s forthcoming action.”

The new revelation—that the doomed 737 received a new sensor after a flight on October 28, the day before the deadly crash—adds to the growing evidence of a serious problem with the sensors and flight data being fed to the crew of Lion Air 610. Data downloaded from the flight data recorder, which was recovered by divers searching the underwater crash site, have revealed a series of glitches in three flights prior to the crash that gave flawed airspeed and other information to the cockpit.

If AOA sensors fail, it can cause the plane’s computers to incorrectly show the plane is heading into an aerodynamic stall—which, in turn, can put the jet into a sudden dive to restore airspeed.

“It’s too early to tell if the sensors caused the accident,” said John Goglia, an aviation safety expert and former member of the National Transportation Safety Board. He said that sensor equipment has become more automated with each new generation of aircraft, and that, in turn, introduces a new risk.

“This could be a training issue,” he said. “The automation keeps marching forward and this is most advanced model that Boeing has built.” It’s still unclear whether the issue is one of an actual flaw, or a procedure that wasn’t correctly followed.

Lion Air Flight JH 160 Crash Sensor Replacement

(CNN) Problems were reported on a Lion Air jet that crashed into the sea off Jakarta even after technicians replaced a sensor on board the aircraft, investigators said.

Indonesian authorities confirmed Wednesday that the angle of attack (AOA) sensor was replaced after a flight from Manado, in North Sulawesi to Denpasar, Bali on October 28. The Boeing 737 MAX 8 then made another flight to Jakarta that same day, and the pilots reported further problems.

All 189 people on board Flight 610 died when the new Boeing 737 MAX 8 crashed into the sea on October 29, 13 minutes after taking off from Jakarta on a short flight to Pangkal Pinang on the Indonesian island of Bangka.

Investigators said the jet experienced problems on its last four flights -- including, crucially, the flight that crashed, according to Soerjanto Tjahjono, the head of the National Transportation Safety Committee (KNKT).

Boeing released an operational bulletin on Wednesday, warning all airlines about how to address any erroneous readings related to the AOA sensor. The Federal Aviation Administration (FAA) later issued its own directive that advised pilots about how to respond to similar problems.

Search for voice recorder

Almost two weeks after the crash, authorities are still searching for the plane's cockpit voice recorder (CVR), which is believed to be buried under deep mud. If found, it should reveal what happened in the cockpit in the final seconds of the flight.

Investigators are already examining the flight data recorder that was pulled off the sea bed, some 30 meters under water, on November 1.

Lion Air: Sensor was replaced day before crash but problems persisted

[Updated: Nov. 13]

The FAA issued an emergency airworthiness directive Wednesday to airlines operating the new Boeing 737 MAX, calling on them to better instruct pilots on how to deal with a potential faulty reading from a key gauge, an angle of attack sensor, that's supposed to help keep planes from falling out of the sky. The directive follows the discovery that the sensor was malfunctioning on a Lion Air 737 MAX that plunged into the sea off Indonesia on Oct. 29, killing all 189 aboard.

The accident and the FAA warning, which comes after Boeing issued a similar bulletin, may be less an indication that there’s anything wrong with the new version of Boeing’s top-selling plane than a sign of how increasingly automated flight systems are eroding pilot skills, says Keith Mackey, a Florida-based safety consultant who’s a former airline pilot and accident investigator.

To put it simply, says Mackey, the FAA’s directive tells pilots to turn off the plane's autopilot system, and if necessary the pitch trim system too, and fly the plane yourself.

“It’s unfortunate that they even have to write something like this,” says Mackey. “It should be understood.”

The angle of attack sensor is a vane on the wing that gauges airflow to determine if the wing is generating enough lift. That airflow can be disrupted if the plane slows down or goes into too steep a climb, putting the plane in danger of stalling. In that situation the 737 MAX has a pitch trim system that automatically pushes the nose down to prevent a stall. The FAA's and Boeing's bulletins explain to pilots how to disengage the system in the event that a faulty reading from the angle of attack sensor leads it to push the nose down.

Shortly after takeoff from Jakarta, the Lion Air plane’s pilots requested to return to the airport, but they never turned back, plunging into the water at high speed.

Based on the evidence available, says Mackey, the pilots may not have disengaged the autopilot or the trim system, which given the faulty angle of attack reading, may have lowered the nose and dived the plane into the water.

“The pilot should have recognized that I’m getting an erroneous indication on my airspeed,” he says. “It’s a nice day, you can look out the window and see that the airplane isn’t flying nose high.”

He sees the accident as indicative of two problems: the increasing use of autopilot is giving pilots less flight time to maintain basic skills, and a lower level of experience and training among pilots in the developing world.

Many airlines will require pilots shortly after takeoff to engage the autopilot, which in modern jets essentially manages the direction, speed and altitude of a plane based on instructions programmed by the pilot. Planes can also auto land at airports that have the necessary equipment.

“You get a lot of takeoffs and landings but no one gets much flying practice,” says Mackey. “They’re getting to be good computer programmers, they know which buttons to push and when to push them. When something begins to fail it becomes a puzzlement.”

The 737 MAX is the only Boeing plane in which the angle of attack sensor triggers automated movements of the jet's tail, the aviation safety consultant John Cox told the Seattle Times.

Boeing appears not to have informed pilots and airlines that a new automated trim system had been introduced in the MAX, failing to add mention of it to the flight crew operations manual or to include it in training for pilots, Aviation Week and the Wall Street Journal reported Nov. 13.

"If [it] was not covered in the MAX training, that is an error," says Mackey, but "a pilot proficient in hand flying the airplane should have recognized an automation failure issue quickly and reverted to hand flying the airplane to an uneventful landing, with or without the training."

In developing countries with small military and private aviation sectors, airlines tend to rely on Western schools for pilot training, putting many pilots at the controls of large aircraft with fewer flight hours, he says.

Those same factors limit the pool of trained mechanics. With air travel taking off in Asia, that can lead to systematic maintenance issues at growing airlines, says Mackey.

The Lion Air plane’s angle of attack sensor had registered incorrect airspeed readings on the four flights prior to the one that crashed, according to the Indonesia National Transportation Safety Committee, and the sensor had been replaced the day before.

Mackey says it’s a red flag that the issue went unaddressed for so long.

Boeing has a lot riding on the 737 MAX: It has more than 4,500 orders on the books and has delivered 219. Lion Air was the launch customer for the 737 MAX 8, the variant of the plane that crashed, and the MAX 9.

Boeing's bulletin states that the angle of attack sensor can trigger the 737 MAX's automatic pitch trim system to push the nose down for as long as 10 seconds. If pilots manually pull the nose back up, the system can reengage

Crash Of Lion Air 737 MAX Raises Questions About Autopilot And Pilot Skills

Indonesia's National Transportation Safety Committee said on Wednesday that a crucial sensor had been replaced on a Lion Air jet the day before it plunged into the Java Sea, killing all 189 people on board.

That sensor, known as the "angle of attack" (AOA) sensor, keeps track of the angle of the aircraft nose to help prevent the plane from stalling and diving.

Experts say the sensor is a crucial parameter that helps the aircraft's computers understand whether its nose is too high relative to the current of air. If the sensor fails to send correct information, it can confuse both the aircraft's computer and its pilots, throwing an aircraft into an aerodynamic stall and making it fall.

Earlier this week, Indonesian officials hinted that airspeed indicators played a role in the Lion Air crash. One of the black boxes showed that the airspeed indicator on the jet malfunctioned on its last four flights, and that problem was related to the sensor issue, said Soerjanto Tjahjono, chairman of Indonesia's National Transportation Safety Committee, on Wednesday.

Lion Air's first two attempts to address the airspeed indicator problem didn't work, and the AOA sensors were not replaced until the Boeing 737 MAX 8 plane's second-to-last flight on October 28, said Tjahjono.

On the October 28 flight, from Bali to Jakarta, the pilot's and copilot's sensors disagreed. The 2-month-old plane went into a sudden dive minutes after takeoff, which the pilots were able to recover from. They decided to fly to Jakarta at a lower-than-normal altitude.

The next day, during the deadly crash, the plane hit the water at very high speed just 13 minutes after takeoff from Jakarta. Its flight crew had requested permission to return to the airport several minutes after taking off.

"The point is that after the AOA sensor is replaced, the problem is not solved but the problem might even increase. Is this fatal? NTSC (National Transportation Safety Committee) wants to explore this," he said.

Warnings must not be ignored

Airline safety experts said aircraft usually have a backup system that responds to sensor faults, and pilots are trained to handle a plane safely if those sensors fail.

There are audio signals and physical warnings that can alert the pilot to malfunctioning equipment or other dangers, said Todd Curtis, director of the Airsafe.com Foundation.

"They should have been completely engaged in what was going on inside that cockpit, and any kind of warning that came up, they would have been wise to pay attention to it," Curtis said.

Investigators are likely focused on how a single sensor's failure resulted in a faulty command that didn't take into account information from a second sensor, said John Cox, CEO of Safety Operating Systems.

"We don't know what the crew knew and didn't know yet," Cox said, adding "We will."

The Boeing 737 MAX has three such AOA sensors, Reuters reported, quoting an informed source.

FAA says sensor problem detected in 246 Boeing 737 MAX airplanes worldwide

The US Federal Aviation Administration (FAA) on Wednesday issued an emergency airworthiness directive on 246 Boeing 737 Max airplanes worldwide, of which 45 airplanes in the US are operated by Southwest Air Co, United Airlines and American Airlines Group Inc.

It warned airlines that erroneous input from an AOA sensor could cause "repeated nose-down trim commands of the horizontal stabilizer." If this condition is not addressed, it could lead the flight crew to have difficulty controlling the airplane.

"We are issuing this airworthiness directive because we evaluated all the relevant information and determined the unsafe condition is likely to exist or develop in other products of the same type design," said the FAA.

The directive dictates that operators "revise the airplane flight manual to give the flight crew horizontal stabilizer trim procedures to follow under some conditions."

The Boeing 737 Max is the US aircraft maker's latest version of the jet and has been in service for just over a year. The Lion Air crash was the first involving the new jet.

(With inputs from AP)

Indonesian officials: Problems with sensor found on crashed Lion Air jet

During the three weeks before Lion Air Flight 610 plunged into waters off Indonesia, Southwest Airlines Co. replaced two malfunctioning flight-control sensors of the same type that has been publicly implicated in the crash, according to a summary of Southwest maintenance records reviewed by The Wall Street Journal.

Both U.S. maintenance issues involved a Boeing Co. 737 MAX 8, the same model that crashed last month in Indonesia. The sensors measure whether the jetliner is angled above or below level flight. Those sensors, or related hardware, needed repairs in the Southwest instances, according to the summary document. The document also indicates Southwest pilots reported they couldn’t engage automated throttle settings, similar to cruise control on a car.

A Southwest spokeswoman said the sensors didn’t fail and were removed as a precautionary measure as part of a troubleshooting process. She said at least one was repaired.

Investigators have confirmed the same type of sensor failed on the Lion Air flight, but they haven’t determined precisely what happened between that failure and the crash.

Since the accident, which killed 189 people, Boeing has warned airlines about the potential for erroneous data from what are called “angle-of-attack” sensors. “We have not experienced a sensor failure or flight issue as described in Boeing’s bulletin,” the Southwest spokeswoman said.

The Southwest incidents didn’t result in emergencies and no one was hurt. They prompted what appear to be routine reports by mechanics checking out problems with the sensors.

An expanded version of this report appears on WSJ.com.

Southwest replaced flight-control sensors of the kind implicated in Lion Air crash

Data from the fatal Oct. 29 flight that killed 189 people, and from the prior day's flight of the same jet, raises questions about three factors that seem to have contributed to the crash.

A key instrument reading on Lion Air flight JT610 was faulty even as the pilots taxied out for takeoff. As soon as the Boeing 737 MAX was airborne, the captain’s control column began to shake as a stall warning.

And from the moment they retracted the wing flaps at about 3,000 feet, the two pilots struggled — in a 10-minute tug of war — against a new anti-stall flight-control system that relentlessly pushed the jet’s nose down 26 times before they lost control.

Though the pilots responded to each nose-down movement by pulling the nose up again, mysteriously they didn’t do what the pilots on the previous day’s flight had done: simply switched off that flight-control system.

The detail is revealed in the data from the so-called “black box” flight recorder (it’s actually orange in color) from the fatal Oct. 29 flight that killed 189 people and the prior day’s flight of the same jet, presented last Thursday to the Indonesian Parliament by the country’s National Transportation Safety Committee (NTSC).

This data is the major basis for the preliminary crash-investigation report that was made public Wednesday in Indonesia, Tuesday evening in Seattle.

The flight-recorder data is presented as a series of line graphs that give a clear picture of what was going on with the aircraft systems as the plane taxied on the ground, took off and flew for just 11 minutes.

The data points to three factors that seem to have contributed to the disaster:

A potential design flaw in Boeing’s new anti-stall addition to the MAX’s flight-control system and a lack of communication to airlines about the system.

The baffling failure of the Lion Air pilots to recognize what was happening and execute a standard procedure to shut off the faulty system.

And a Lion Air maintenance shortfall that allowed the plane to fly repeatedly without fixing the key sensor that was feeding false information to the flight computer on previous flights.

Anti-stall system triggered

Peter Lemme, a former Boeing flight-controls engineer who is now an avionics and satellite-communications consultant, analyzed the graphs minute by minute.

He said the data shows Boeing’s new system — called MCAS (Maneuvering Characteristics Augmentation System) — “was triggered persistently” as soon as the wing flaps retracted.

The data confirms that a sensor that measures the plane’s angle of attack, the angle between the wings and the air flow, was feeding a faulty reading to the flight computer. The two angle-of-attack sensors on either side of the jet’s nose differed by about 20 degrees in their measurements even during the ground taxi phase when the plane’s pitch was level. One of those readings was clearly completely wrong.

On any given flight, the flight computer takes data from only one of the angle-of-attack (AOA) sensors, apparently for simplicity of design. In this case, the computer interpreted the AOA reading as much too high an angle, suggesting an imminent stall that required MCAS to kick in and save the airplane.

When the MCAS system pushed the nose down, the captain repeatedly pulled it back up, probably by using thumb switches on the control column. But each time, the MCAS system, as designed, kicked in to swivel the horizontal tail and push the nose back down again.

The data shows that after this cycle repeated 21 times, the captain ceded control to the first officer and MCAS then pushed the nose down twice more, this time without a pilot response.

After a few more cycles of this struggle, with the horizontal tail now close to the limit of its movement, the captain resumed control and pulled back on the control column with high force.

It was too late. The plane dived into the sea at more than 500 miles per hour.

Previous crew handled similar situation

Remarkably, the corresponding black-box-data charts from the same plane’s flight the previous day show that the pilots on that earlier flight encountered more or less exactly the same situation.

Again the AOA sensors were out of sync from the start. Again, the captain’s control column began shaking, a stall warning, at the moment of takeoff. Again, MCAS kicked in to push the nose down as soon as the flaps retracted.

Initially that crew reacted like the pilots of JT610, but after a dozen cycles of the nose going down and pushing it back up, they turned off MCAS using two standard cutoff switches on the control pedestal “within minutes of experiencing the automatic nose down” movements, according to the NTSC preliminary investigation report.

There were no further uncommanded nose-down movements. For the rest of the flight, they controlled the jet’s pitch manually and everything was normal. The jet continued to its destination and landed safely.

Because the cockpit voice recorder has not yet been recovered from the sea bed, it’s a myste

Pilots struggled against Boeing’s 737 MAX control system on doomed Lion Air flight
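
The single-sensor behaviour described in the report above, with two vanes reading about 20 degrees apart from taxi onward, can be sketched in Python. This is an added example, not Boeing's code and not taken from any of the reports: it compares a trigger that reads one angle-of-attack input with one that cross-checks both vanes and latches a fault on persistent disagreement. The thresholds, the one-sample-per-second rate and the three traces are constructed assumptions.

```python
"""Added illustration only: thresholds, sample rate and traces are constructed,
and none of this is the aircraft's actual control law."""
from dataclasses import dataclass
from typing import Dict, List, Optional

STALL_AOA_DEG = 14.0     # assumed AOA above which nose-down trim is commanded
MAX_DISAGREE_DEG = 5.5   # assumed plausibility limit between left and right vanes
PERSIST_SAMPLES = 3      # consecutive disagreeing samples before a fault is latched


@dataclass(frozen=True)
class Sample:
    t: int             # seconds since start of trace (one sample per second)
    left_aoa: float    # degrees; the only input the single-sensor trigger reads
    right_aoa: float   # degrees; the second vane
    flaps_up: bool     # per the report, activation began once the flaps retracted


def single_sensor_trigger(s: Sample) -> bool:
    """Command nose-down trim from one AOA input, with no cross-check."""
    return s.flaps_up and s.left_aoa > STALL_AOA_DEG


class CrossCheckedTrigger:
    """Acts only when both vanes agree; latches a fault on persistent disagreement."""

    def __init__(self) -> None:
        self._streak = 0
        self.fault_latched_at: Optional[int] = None

    def update(self, s: Sample) -> bool:
        disagree = abs(s.left_aoa - s.right_aoa) > MAX_DISAGREE_DEG
        self._streak = self._streak + 1 if disagree else 0
        if self._streak >= PERSIST_SAMPLES and self.fault_latched_at is None:
            self.fault_latched_at = s.t
        if disagree or self.fault_latched_at is not None:
            return False  # fail passive: no automatic trim on untrusted data
        return s.flaps_up and min(s.left_aoa, s.right_aoa) > STALL_AOA_DEG


def make_trace(left: List[float], right: List[float], flaps_up_from: int) -> List[Sample]:
    """Build a trace from per-second left/right readings."""
    return [Sample(t, l, r, t >= flaps_up_from)
            for t, (l, r) in enumerate(zip(left, right))]


def compare(trace: List[Sample]) -> Dict[str, Optional[int]]:
    """Count samples on which each design commands nose-down trim."""
    monitor = CrossCheckedTrigger()
    single = sum(single_sensor_trigger(s) for s in trace)
    checked = sum(monitor.update(s) for s in trace)
    return {"single_sensor": single, "cross_checked": checked,
            "fault_latched_at": monitor.fault_latched_at}


# Constructed traces: 10 s of taxi at 0 degrees, then climb; flaps up from t=15.
TRUE_CLIMB = [0.0] * 10 + [5.0] * 20
# Left vane biased +20 degrees for the whole trace, as in the report's taxi data.
FAULTY_VANE = make_trace([a + 20.0 for a in TRUE_CLIMB], TRUE_CLIMB, 15)

# Both vanes healthy and the aircraft really does reach a high AOA for 5 s.
TRUE_HIGH = [0.0] * 10 + [5.0] * 10 + [16.0] * 5 + [5.0] * 5
GENUINE_HIGH_AOA = make_trace(TRUE_HIGH, TRUE_HIGH, 15)

# Healthy vanes with a single-sample glitch on the left input at t=17.
_spiked = list(TRUE_HIGH)
_spiked[17] += 20.0
ONE_SAMPLE_SPIKE = make_trace(_spiked, TRUE_HIGH, 15)

if __name__ == "__main__":
    for name, trace in [("faulty vane", FAULTY_VANE),
                        ("genuine high AOA", GENUINE_HIGH_AOA),
                        ("one-sample spike", ONE_SAMPLE_SPIKE)]:
        print(f"{name:18s} {compare(trace)}")
```

On the constructed faulty-vane trace the cross-checked design latches the fault during taxi and never commands trim, while it still acts on the trace where both vanes report a genuinely high angle.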

Investigators have yet to recover the cockpit voice recorder, which could provide further insight into the steps taken by the pilots and whether they followed the correct procedures.

Despite Boeing’s insistence that the proper procedures were in the handbook, also called the emergency checklist, pilots have said since the accident that Boeing had not been clear about one potentially vital difference between the system on the new 737s and the older models. In the older versions, pilots could help address the problem of the nose being forced down improperly — a situation known as “runaway stabilizer trim” — by pulling back on the control column in front of them, the pilots say.

In the latest 737 generation, called the Max, that measure does not work, they said, citing information they have received since the crash. The pilots on Lion Air Flight 610 appear to have forcefully pulled back on their control columns to no avail, before the final dive, according to the information from the flight data recorder.

Capt. Dennis Tajer, spokesman for the American Airlines pilot union and a 737 pilot, said he could not comment on any aspect of the investigation. But, he said, “in the previous model of the 737, pulling back on the control column, Boeing says will stop a stabilizer runaway.”

Information provided to American Airlines from Boeing since the crash, Captain Tajer said, “specifically says that pulling back on the control column in the Max will not stop the runaway if M.C.A.S. is triggered. That is an important difference to know.”

Boeing said in its statement on Tuesday that the existing procedures covered the latest 737 model.

Bulletins from Boeing and the Federal Aviation Administration of the United States since the crash indicate that pilots could overcome an incorrectly activated M.C.A.S. with a series of steps. First, they would have had to activate switches on the outside of the control columns in front of both the pilot and co-pilot. Those switches are for electrically controlling the trim — the angle of the stabilizers on the plane’s tail. The pilot of Flight 610 appears to have done that repeatedly to bring the nose up, but the M.C.A.S. reactivated each time, as it was designed to do, forcing the nose back down, and the pilot had to repeat the process again and again.

In Indonesia Lion Air Crash, Black Box Data Reveal Pilots’ Struggle to Regain Control

[JAKARTA] A malfunctioning sensor at the centre of the investigation into the Oct 29 crash of a Lion Air jetliner into the Java Sea wasn't repaired before the fatal flight even though it had failed on the plane's previous trip, according to a preliminary investigative report.

A mechanic worked on other sensors and equipment during a night shift before the early morning departure, but not on the so-called angle-of-attack vane, according to Indonesia's National Transportation Safety Committee. Portions of the committee's report were viewed by Bloomberg News before a scheduled release on Wednesday.

The report doesn't offer a cause for the accident but provides the most detailed look so far into the chaotic minutes before the crash and into the steps that were taken to address malfunctions that occurred on the plane the previous night. On both flights, pilots reported that they had difficulty figuring out basic information such as speed and altitude.

The pilots on Flight 610, which plunged into the Java Sea more than 11 minutes after it took off from Jakarta, appeared not to understand what was happening to them as they radioed air traffic controllers asking for their altitude and speed. They said they had an unspecified "flight control problem," according to the report. Lion Air spokesman Danang Prihantoro didn't answer calls seeking comments when tried on his mobile phone on Wednesday.

Everyone aboard died in the crash, although there are conflicting counts for the death toll. A weight and balance calculation lists 188 people - two pilots, five flight attendants and 181 passengers. Another listing known as a voyage report lists an extra flight attendant for a total of 189 people.

The Boeing Co 737 Max 8's angle-of-attack sensor, which measures how high or low the plane's nose was pointed relative to the oncoming air, had malfunctioned on the previous flight as well as in the minutes before the crash, according to the report. The sensor erroneously concluded the nose was pointed too high and the aircraft was in danger of losing lift, prompting a stall warning in the cockpit and triggering safety software that attempted to put them into a dive.

The two sets of pilots reacted differently to the multiple error messages and malfunctions. On the previous flight, the pilots were able to shut off the motor that was trying to push down the nose relatively soon after taking off.

For reasons that haven't been explained, the pilots on Flight 610 didn't take that step - which is part of a long-standing emergency procedure. The plane's crash-proof cockpit recorder hasn't been recovered, so investigators don't have much insight into what they were thinking as they responded to the emergency.

Boeing declined to comment on the preliminary report. It is working as a technical adviser to the Indonesian investigation.

"We will analyze any additional information as it becomes available," the aircraft maker said in a statement on Tuesday. "We are taking every measure to fully understand all aspects of this accident, working closely with the investigation team and the relevant government authorities."

Earlier this month the manufacturer issued a bulletin to operators of the Max reminding them that such a cascade of failures could be addressed by an existing emergency procedure. The manufacturer has said it's confident in the safety of the latest version of its 737 model.

EARLIER FLIGHT

On the Oct 28 flight that landed safely in Jakarta, the captain told investigators that he scanned cockpit instruments and determined that the copilot's readings matched a third standby system and were accurate. He turned over control of the plane to the copilot.

By contrast, the captain on the flight that crashed radioed a controller about a minute before the plane disappeared from radar to say that all of the plane's altitude gauges were different and they couldn't determine how high they were.

Investigators will focus on how the airline performed maintenance on the plane.

The captain on the Oct 28 flight reported problems with speed and altitude readings and with a system called Feel Differential Pressure, which controls the force pilots need to push or pull the control column that raises and lowers the nose, according to the report. There was no indication that the angle of attack sensor was malfunctioning.

An angle of attack sensor had been replaced and tested just before the Oct 28 flight. According to flight data from the plane, the sensor on the left was reading about 20 degrees differently from the one on the right.

On both flights, a device known as a stick shaker - a warning that the wings are about to lose lift, which vibrates the control column

Faulty Lion Air sensor wasn’t fixed before crash, preliminary report finds

JAKARTA, Indonesia – A malfunctioning sensor and an automated response from the aircraft’s software stymied pilots’ efforts to control a doomed Indonesian flight that went careening into the sea last month, according to a preliminary investigative report released Wednesday.

The report, which stops short of determining the cause of the crash or analyzing findings, chronicles the chaotic moments on the Lion Air flight before it crashed into the waters off the coast of Java last month, killing all 189 passengers and crew on board.

It details how sensors and other equipment were checked and fixed before the aircraft’s final flight, but not the “angle of attack” sensor. That measures where the nose is pointing and was showing erroneous readings throughout the short time the plane was airborne.

With the sensor insisting the nose was too high, an automatic feature kicked in, sending the plane plummeting as the pilots wrestled to regain control. Unable to trust their readings, the pilots resorted to asking air traffic control about their speed and altitude.

Lion Air Flight 610 plunged into the Java Sea on Oct. 29 just after taking off from the Indonesian capital, Jakarta, killing the eight crew members and 181 passengers on board, including a child and two infants.

The crash appears to have been caused by a mix of brand new technology and cockpit confusion as the pilots fought to gain altitude after an early-morning takeoff from Jakarta. The flight crew – at an altitude of just 5,000 feet – had very little time to resolve the issue before the plane crashed into the sea at a reported 450 miles per hour.

Though the report contains no conclusion assigning blame, its descriptions of automated systems overtaking the aircraft – leaving pilots both confused and powerless – pose questions for Boeing and Lion Air about whether the cockpit crew was prepared for this scenario. After the Lion Air crash, pilots in the United States accused Boeing of withholding safety information on its new 737 model.

The aircraft’s pilots asked to return to Jakarta just two minutes after takeoff, reporting a “flight-control problem” but not specifying what it was.

Black-box data released by Indonesian investigators showed that the pilots were pulling back on the control column, attempting to raise the plane’s nose, with almost 100 pounds of pressure before they crashed.

The Indonesian National Transportation Safety Committee, which produced the report, also said that Lion Air, a Jakarta-based low-cost airline, should improve its “safety culture.”

No engineer briefed the pilots of the crashed plane on the multiple problems the aircraft experienced on previous flights, and it was up to him to review the maintenance logs.

The report, however, contains no conclusion on who was at fault.

“When it comes to faulting, I don’t know. Our job isn’t to find faults,” National Transportation Safety Committee investigator Nurcahyo Utomo said at a news conference Wednesday.

The aircraft was the most recent incarnation of the venerable Boeing 737, a plane that first flew in 1967 and has gone through multiple iterations before it emerged as the 737 Max.

The 737 Max was equipped with more-powerful engines that are mounted farther forward on the wing, requiring that additional software be added to the autopilot to provide more control.

That software, which has been described as several lines of coding, was identified in the Boeing manual as the maneuvering characteristics augmentation system, or MCAS.

When the sensors transmitted faulty data to the cockpit of Flight 610, the new MCAS system sensed a stall – that point at which planes do not have enough airspeed to create lift – and sought to correct for it by repeatedly pointing the nose of the aircraft down.

A feature in previous 737 models that allowed pilots to manually override an “electric trimming” process, which automatically budges the nose downward to prevent a stall, does not work in Boeing’s 737 Max 8 planes, Boeing explained in a Nov. 7 bulletin.

That same week, the Federal Aviation Administration issued an emergency notice to all airlines that fly the 737 Max, warning them that erroneous sensor inputs “could cause the flight crew to have difficulty controlling the airplane,” leading to “possible impact with terrain.”

The deviation probably was caused by what is called a “runaway stabilizer.” Stabilizers are essentially those small wings on either side at the tail end of the plane. They each have flaps – called elevators – that help control the elevation of the plane.

In case of a runaway stabilizer, pilots are instructed in the cockpit checklist to hold the control column firmly, disengaging the autopilot that, in this case, contained the MCAS program. Next, they are told, disengage the auto throttle and manually fly the plane.

“This corner of the performance charts is called the ‘coffin corner,’ ” said Mary Schiavo, an aviati

Report: Lion Air pilots unable to correct for faulty sensor

National Transportation Safety Committee investigator Nurcahyo Utomo holds a model of an airplane during a press conference on the committee's preliminary findings on their investigation on the crash of Lion Air flight 610, in Jakarta, Indonesia, Wednesday, Nov. 28, 2018. Black box data collected from their crashed Boeing 737 MAX 8 show Lion Air pilots struggled to maintain control as the aircraft's automatic safety system repeatedly pushed the plane's nose down, according to a preliminary investigation into last month's disaster. (AP Photo/Achmad Ibrahim)

JAKARTA, Indonesia (AP) — Pilots fought against an automated system that pitched a Boeing jetliner’s nose down repeatedly because of a faulty sensor until they finally lost control and plunged into the Java Sea last month, Indonesian investigators said Wednesday.

At a news conference, safety officials said they were still struggling to understand why the plane crashed, killing all 189 people on board.

The National Transportation Safety Commission’s Nurcahyo Utomo said investigators were trying to figure out from interviews with engineers why they certified that the Boeing 737 MAX 8 was airworthy and whether they had followed required maintenance procedures. Pilots of previous flights had reported problems with control systems on the brand-new jet.

The board issued a preliminary report that stopped short of placing blame for the crash — the investigation is continuing — but it provided new details about the pilots’ struggle to fly the highly automated jet and Lion Air’s inability to fix problems with sensors on the plane.

Sensors that measure speed were flushed and checked, and an electrical plug was cleaned before the fatal flight. Mechanics, however, did not check sensors that measure whether the nose of the plane is pointing up or down.

An “angle of attack” sensor gave faulty readings throughout the short flight, triggering a system that automatically pointed the plane’s nose down more than two dozen times, with pilots responding by manually fighting to correct the pitch. Pilots even asked air traffic controllers to tell them how fast and high they were flying.

The malfunctions and warnings from the plane’s control system appeared to overwhelm the pilots almost as soon as the jet became airborne, said another investigator, Ony Suryo Wibowo.

“The problem is if multiple malfunctions occur all at once, which one should be prioritized?” Wibowo said.

In a statement following release of the report, U.S.-based Boeing declared that the MAX, its newest plane, is safe. The manufacturer played up the possibility of pilot error.

Boeing noted that the crew of the plane’s previous flight one day earlier had responded correctly to the automatic nose-down pitch and flew the plane manually. They also ran safety checklists. The preliminary report does not say whether pilots on the deadly flight took those steps, Boeing pointed out.

Boeing has said that the procedure to correct an automatic nose-down pitch is in the plane’s operating manual and pilots should have known about it.

Several experts said, however, that Boeing likely will have to consider changes in the new anti-stall system, perhaps developing an algorithm to disregard sensor readings that appear off-base.

The report offered new details on persistent problems with sensors on the Lion Air jet and the airline’s efforts to fix them.

John Cox, a safety consultant and former airline pilot, said Lion Air should have taken the troubled plane on a maintenance test flight.

“I don’t think the airplane was ready for passenger service because they had not validated that they had fixed the problem,” he said.

Searchers have not yet recovered the plane’s cockpit voice recorder, which could tell investigators what the pilots were doing — or failing to do — to regain control of the plane during the brief, erratic flight.

The report by Indonesia’s safety commission did not draw conclusions about why the crew lost control of the plane, but it repeated earlier recommendations that pilots be better versed in emergency procedures and aware of past aircraft problems. They recommended that Lion Air, a fast-growing low-cost airline based in Jakarta, ensure that pilots follow proper procedures “to improve the safety culture.”

Mary Schiavo, a former inspector general of the U.S. Department of Transportation, said the preliminary report offered a road map of final recommendations that are likely to emerge from the investigation.

“They will be looking for more precise reporting of problems (by pilots), and certainly a better maintenance response,” she said.

Peter Lemme, an expert in aviation and satellite communications and a former Boeing engineer who wrote an analysis of the data on his blog, compared the scene in the cockpit to “a deadly game of tag” in which the plane pointed down, the pilots countered by manually aiming the nose higher, only for the sequence to repeat about five seconds later.

That happened 26 times during the 11-mi

Report faults safety failures, defects in Lion Air crash

JAKARTA, Indonesia (AP) — Pilots fought against an automated system that pitched a Boeing jetliner’s nose down repeatedly because of a faulty sensor until they finally lost control and plunged into the Java Sea last month, Indonesian investigators said Wednesday.

At a news conference, safety officials said they were still struggling to understand why the plane crashed, killing all 189 people on board.

The National Transportation Safety Commission’s Nurcahyo Utomo said investigators were trying to figure out from interviews with engineers why they certified that the Boeing 737 MAX 8 was airworthy and whether they had followed required maintenance procedures. Pilots of previous flights had reported problems with control systems on the brand-new jet.

The board issued a preliminary report that stopped short of declaring a probable cause of the crash — the investigation is continuing — but it provided new details about the pilots’ struggle to fly the highly automated jet and Lion Air’s inability to fix problems with sensors on the plane.

Sensors that measure speed were flushed and checked, and an electrical plug was cleaned before the fatal flight. Mechanics, however, did not check a sensor that measures whether the nose of the plane is pointing up or down.

That “angle of attack” sensor gave faulty readings throughout the short flight, triggering a system that automatically pointed the plane’s nose down more than two dozen times, with pilots responding by manually fighting to correct the pitch. Pilots even asked air traffic controllers to tell them how fast and high they were flying.

The malfunctions and warnings from the plane’s control system appeared to overwhelm the pilots almost as soon as the jet became airborne, said another investigator, Ony Suryo Wibowo.

“The problem is if multiple malfunctions occur all at once, which one should be prioritized?” Wibowo said.

In a statement following release of the report, U.S.-based Boeing declared that the MAX, its newest plane, is safe. The manufacturer played up the possibility of pilot error.

Boeing noted that the crew of the plane’s previous flight one day earlier had responded correctly to the automatic nose-down pitch and flew the plane manually. They also ran safety checklists. The preliminary report does not say whether pilots on the deadly flight took those steps, Boeing pointed out.

Boeing has said that the procedure to correct an automatic nose-down pitch is in the plane’s operating manual and pilots should have known about it.

Searchers have not yet recovered the plane’s cockpit voice recorder, which could tell investigators what the pilots were doing — or failing to do — to regain control of the plane during the brief, erratic flight.

The report by Indonesia’s safety commission repeated earlier recommendations made just after the disaster that pilots be better versed in emergency procedures and aware of past aircraft problems. They recommended that Lion Air, a fast-growing low-cost airline based in Jakarta, ensure that pilots follow proper procedures “to improve the safety culture.”

Mary Schiavo, a former inspector general of the U.S. Department of Transportation, said the preliminary report offered a road map of final recommendations that are likely to emerge from the investigation.

“They will be looking for more precise reporting of problems (by pilots), and certainly a better maintenance response,” she said.

Peter Lemme, an expert in aviation and satellite communications and a former Boeing engineer who wrote an analysis of the data on his blog, compared the scene in the cockpit to “a deadly game of tag” in which the plane pointed down, the pilots countered by manually aiming the nose higher, only for the sequence to repeat about five seconds later.

That happened 26 times during the 11-minute flight, but pilots failed to recognize what was happening and follow the known procedure for countering incorrect activation of the automated safety system, Lemme told The Associated Press.

Lemme said he was troubled that there weren’t easy checks to see if sensor information was correct, that the crew of the fatal flight apparently wasn’t warned about the problems on previous flights and that the Lion Air jet wasn’t fully repaired after those flights.

“Had they fixed the airplane, we would not have had the accident,” he said. “Every accident is a combination of events, so there is disappointment all around here,” he said.

The U.S. National Transportation Safety Board and Boeing experts are helping the Indonesian investigators.

Boeing has a great deal at stake in defending its plane.

More than 200 MAX jets have been delivered to airlines around the world. Pilots at American Airlines and Southwest Airlines complained this month that they had not been given all information about the new automated anti-stall safety system on the MAX.

Boeing shares fell 14 percent in the last three weeks through Tuesday, as investigators focused on t

Report Faults Safety Failures, Defects in Lion Air Crash

Why did the 737 Max plunge into the sea in Indonesia, killing all 189 on board? Pilots must know about every change on the jets they fly: Our view

Indonesians recover a plastic box containing the data recorder of Lion Air Flight 610 on Nov. 1, 2018. (Photo: Pradita Utama, epa-EFE)

“Know your airplane, fly your airplane” is a bedrock principle for pilots.

But pilots can’t know their airplane if the maker fails to disclose a new emergency feature in its flight operations manual, as happened with the Boeing 737 Max.

On Oct. 29, the feature, known by the acronym MCAS, relentlessly pushed down the nose of Indonesia’s Lion Air Flight 610 more than 20 times before the jet plunged into the Java Sea, killing all 189 on board.

Pilots struggled against the new system, which is designed to prevent a stall by automatically pushing the nose down. Tragically, on Flight 610 it was apparently triggered by a sensor delivering a false reading. There was no stall.

The 737 Max, Boeing's newest version of the workhorse 737 series, is flown by airlines around the world, including American, Southwest and United. Hundreds more are on order. Since the Lion Air crash, American and Southwest pilots have complained about Boeing’s failure to communicate.


“The key to any emergency is identifying the system that is betraying you or failed,” says Dennis Tajer, a veteran 737 captain and spokesman for the Allied Pilots Association, which represents pilots at American.

“We did not know about the system” until after the Lion Air crash. It was not on previous versions of the 737. Jon Weaks, a Southwest captain and president of Southwest Airlines Pilots Association, put it simply: “We should have known the system existed.”

With all the safety built into today’s jetliners, it typically takes a cascading series of events to bring down a plane. Based on a preliminary report released last week by Indonesian authorities and questions raised by safety experts, the final flight of Lion Air 610 is a textbook example of multiple failures.

Investigators will need to get to the bottom of several issues involving:

►Boeing. A potential design or manufacturing flaw might have allowed a single sensor, with an erroneous reading, to trigger MCAS — which stands for Maneuvering Characteristics Augmentation System — and the nose-down movements. Two sensors on the jet were measuring what’s known as angle of attack, “one giving you an accurate reading, one inaccurate,” says former National Transportation Safety Board Chair Mark Rosenker. “The problem was the inaccurate one appeared to take over.” He questioned why a single malfunctioning sensor could create a situation potentially leading to a catastrophic failure. The answer might be that it shouldn't.

Within days of the crash, Boeing issued a bulletin telling 737 Max pilots to deal with erroneous sensor data and nose-down movements by turning off the automatic system, in accordance with “existing procedures.” A Federal Aviation Administration directive followed, warning that erroneous readings could cause “difficulty controlling the airplane” and “possible impact with terrain.”

►Lion Air. The day before the crash, Lion Air maintenance replaced the sensor on the same plane. But pilots got erroneous readings on that flight and experienced a nearly identical problem to the one on Flight 610. Was the sensor installed properly by company crews? Based on the serious problems on Oct. 28, should the plane have been grounded before the fatal flight?

►Flight 610 pilots. On the Oct. 28 flight, pilots initially reacted to the nose-down movements the same way as pilots on Flight 610 the next day. When that didn’t work, they used two switches to cut off the system — a standard emergency procedure. It is baffling that the pilots on Flight 610 failed to do the same thing. Perhaps faced by an inaccurate reading from a faulty sensor and a system they likely knew nothing about, they were confused in the emergency. Perhaps they were not well-trained. For now, that remains a mystery.

The causes of the crash will be determined by Indonesian authorities and the U.S. National Transportation Safety Board, which has an interest in keeping American fleets safe.

Boeing issued a statement asserting, “We are confident in the safety of the 737 MAX.” A company spokesman added that the “function performed by MCAS is referenced” in the flight manual, and “existing procedures” to deal with it are documented. The chairman of the United Airlines branch of the Airline Pilots Association echoed that statement, breaking with two other unions and his own union leadership.

Backup systems, what the industry calls redundancy, are designed to keep planes in the air if one component fails. The ultimate safety backups are the pilots — who deserve to know about every change on the aircraft they fly.

USA TODAY's editorial opinions are decided by its Editorial Board, separate from the news staff. Most editorials are coupl

What we've got here is a failure to communicate

Present-day air travel is one of the safest modes of travel. Statistics from the US Department of Transportation show that in 2007 and 2016 there were 11 fatalities per trillion miles of commercial air travel. This is in stark contrast to the 7,864 fatalities per trillion miles of travel on the highway (you can check the statistics here: fatalities and miles of travel per mode of transport). Incremental improvements to air travel are a marvel of technical innovation. However, when an aircraft accident does occur, we are forced to take notice due to the magnitude of a single event.

Air travel today is at a level of technical maturity that when a plane crashes by accident (i.e., not due to man-made causes like terrorism or misfiring of missiles), then it is surprisingly due not to pilot error or physical equipment failure but rather because of a computer error. That is, an aircraft accident is caused by a software bug.

Everyone today is intimately familiar with software bugs. Microsoft blue screen of death and the use of ctrl-alt-delete have been burned into our experiences. Even in better designed operating systems that we find in smartphones, it is not uncommon to force a reboot. This is so much less common that we often have to look up the procedure, but it does happen nevertheless.

Software is notoriously difficult to make bug free. It is the nature of the beast. This is because, to build bug-free software systems, we need to explicitly list all the scenarios that can go wrong and how, and then test our software for those conditions. Unfortunately, that list tends to be unbounded if our designs don’t restrict the scope of a software’s applicability. In short, software developers are able to manage the unbounded complexity by narrowing the scope of applicability. That is why even the most sophisticated “artificial intelligent” applications work well in the most narrow of areas. It is very easy to get frustrated by the limitations of voice assistants like Alexa. That’s because AI technology has not reached the level of maturity that is required for open-ended general conversation. In short, bug-free depends fundamentally on a narrow scope of application and extensive testing within this narrow scope.

As we build more sophisticated software that has higher degrees of complexity, we need to understand the scope of an application and an ever-increasing scope demands more on the testing of these systems. Thus to understand this complexity better, we need to understand the kinds of automation we are building.

As I mentioned earlier, the USDOT shows that there were over 37,000 fatalities in highway accidents in 2017 alone. Thus it makes logical sense to understand how automation affects the safety of road vehicles. The Society of Automation Engineering (SAE) has an international standard which defines six levels of driving automation (SAE J3016). This is a useful framework for classifying the levels of automation in domains outside that of cars. A broader prescription is as follows:

Level 0 (Manual Process)

The absence of any automation.

Level 1 (Attended Process)

Users are aware of the initiation and completion of the performance of each automated task. The user may undo a task in the event of incorrect execution. Users, however, are responsible for the correct sequencing of tasks.

Level 2 (Attended Multiple Processes)

Users are aware of the initiation and completion of a composite of tasks. The user, however, is not responsible for the correct sequencing of tasks. An example will be the booking of a hotel, car, and flight. The exact ordering of the booking may not be a concern of the user. However, failure of the performance of this task may require more extensive manual remedial actions. An unfortunate example of a failed remedial action is the re-accommodation of United Airlines’ paying customer.

Level 3 (Unattended Process)

Users are only notified in exceptional situations and are required to do the work in these conditions. An example of this is in systems that continuously monitor the security of a network. Practitioners take action depending on the severity of an event.

Level 4 (Intelligent Process)

Users are responsible for defining the end goals of automation, however, all aspects of the process execution, as well as the handling of in-flight exceptional conditions, are handled by the automation. The automation is capable of performing appropriate compensating action in events of in-flight failure. The user however is still responsible for identifying the specific context in which automation can be safely applied to.

Level 5 (Fully Automated Process)

This is a final and future state where human involvement is no longer required in the processes. This, of course, may not be the final level because it does not assume that the process is capable of optimizing itself to make improvements.

Level 6 (Self Optimizing Process)

This is automation that requires no human involvement and is also capable of improving itself over time. This level goes beyond the SAE requirements but may be required in certain high-performance competitive environments such as Robocar races and stock trading.

The automobiles of today have extremely sophisticated software that controls many parts of the functioning of the system. This software works at many levels and at each level the risks are different. Some software works at such an extremely narrow scope that we are unaware that it is operating. So for example, a car’s fuel injection system is, in fact, fully automated. We can say this about many of the functions of a car that deal with its engine performance. So for example, many car enthusiasts buy programmers and chips that provide after-market tweaks on a car’s performance characteristics. Failure of any of these kinds of systems can still be fatal. SAE’s standards described above however apply to driving automation and not engine automation. There is a stark difference between automation that affects steering and automation that maintains the smooth running of engines.

Automation such as traction control or car stabilization does affect steering. These are engaged in exceptional narrow conditions to ensure greater passenger safety. Controlled behavior is injected in a situation so that a driver can gain better control of a vehicle that he otherwise could not have done so himself. In this context, a driver is actually momentarily not controlling the car.

There have been many cases of planes falling from the skies due to software bugs. My earliest memory of this kind of a catastrophe is Lauda Air Flight 004 in May 1991. This is when one of the engines’ reverse thrusters engaged in mid-flight, forcing the plane to spiral out of control and crash. There was no official conclusion as to the cause, however, the aviation writer Macarthur Job said that “had that Boeing 767 been of an earlier version of the type, fitted with engines that were controlled mechanically rather than electronically, then that accident could not have happened.”

More recently, there is the case of Air France 447 in 2009. The official conclusion was that there was a “temporary inconsistency between the measured speeds, likely as a result of the obstruction of the pitot tubes by ice crystals, causing autopilot disconnection and reconfiguration.” The verdict was that the human pilots were eventually part of the fault due to their inability to react appropriately to the anomalous situation. To say this differently, the pilots received incorrect information from the instrumentation and thus took inappropriate action to stabilize the plane.

There are other cases of computer-caused failures. For Qantas Flight 72, it was determined that the CPU of the air data inertial reference unit (ADIRU) corrupted the angle of attack (AOA) data. There is also Malaysia Air 124, which plunged 200 feet in midflight. The instrumentation displayed that the plane was “going too fast and too slow simultaneously”.

In general, it is the responsibility of the pilots to properly perform compensating actions in the case of equipment failure (known as alternate law). The point though is that computer error due to equipment failure should be no different from regular equipment error and it is the responsibility of the pilots to take appropriate measures. Typically, on equipment error, the autopilot is disengaged and the plane is to be flown manually. This is Level 3 (unattended process) automation where the scope when automation is in play is explicit. In Level 3, a pilot is made aware of an exceptional condition and takes manual control of the plane.

In Level 4 (intelligent process), a pilot must be able to recognize the exceptional condition and is able to specify when automation is applicable. Today, we have self-driving cars that are deployed in narrow applications. We have cars that can self-park and we have cars that can drive in good weather conditions on the highway. These are Level 4 automation where it is up to the judgment of the driver to engage the automation. Autopilots in planes are Level 4 automation and are engaged in contexts of low complexity.

Then there is the case of Boeing’s 737 Max 8’s MCAS. This I will argue is a Level 5 automation, this is a fully automated process wherein it is expected to function in all scenarios. Like electronics that control engine performance, fully automated processes aren’t generally problematic, however, when you involve driving (or steering for planes) then it opens up the question of the maturity of this level of automation.

Airbus has what is called ‘Alpha Protection’:

“Alpha protection” software is built into every Airbus aircraft to prevent the aircraft from exceeding its performance limits in angle of attack, and kicks in automatically when those limits are reached.

From the definition, Alpha protection is automation that is always measuring, however, it isn’t always active. It is like a speed limiter that exists in cars today, it is constantly measuring, but is activated only when measurements exceed thresholds. However, what happens when the measurements are incorrect due to faulty sensors? One could argue that this might have been what happened to Air France 447. That is, the automation became active when the pilots did not expect it. Faulty sensors are always problematic, but faulty sensors that can trigger automated behavior can be extremely dangerous.

The Boeing 737 Max 8 has a system known as Maneuvering Characteristics Augmentation System (MCAS). The business motivation behind MCAS is itself quite revealing. Apparently, it is analogous to a software patch that attempts to fix a physical flaw of the aircraft. The Boeing 737 aircraft, introduced in 1968, is an extremely mature and reliable aircraft. The 737 is the best selling aircraft in the world, selling over 10,000 aircraft since its inception. It has been favored by many short-haul budget airlines that have risen in the past decade. Its main competitor is the Airbus A320, where over 8,000 planes have been delivered since its inception in 1988.

In 2008, a joint American-French company CFM launched a more fuel and cost-efficient engine known as the Leap engine. Airbus fitted their new planes (Airbus A320neo) with this new engine. The reason behind the economy of the Leap engine is due to its much larger air intake diameter.

To be competitive, the Max 8 was also retrofitted with this new engine. However, unlike the A320neo, there was not enough ground clearance for the Leap engine. To compensate for this problem, Boeing reduced the distance between the engine and the underside of the wing. This, however, had the effect of changing the center of mass of the plane. The Max 8 now had the dynamic tendency of raising its nose and as a consequence increasing the risk of a stall.

To paper over this tendency, Boeing developed MCAS. The purpose of MCAS is that it is software dedicated to compensating for this flaw:

Boeing engineers, in turn, came up with another makeshift solution. They developed a software that would work in the background. As soon as the nose of the aircraft pointed upward too steeply, the system would automatically activate the tailplane and bring the aircraft back to a safe cruising plane. The pilots wouldn’t even notice the software’s intervention — at least that was the idea.

Employing software to paper over a plane’s natural instability is not new. Many of the more advanced fighter jets are designed to be unstable to ensure greater maneuverability. The fighter pilots are also trained to anticipate the peculiar flight characteristics of their planes. In contrast, there have been many complaints that pilots of the Max 8 were not properly informed of the existence of the MCAS system:

“There are 1,400 pages and only one mention of the infamous Maneuvering Characteristics Augmentation System (MCAS) … in the abbreviations sections. But the manual does not include an explanation of what it is…”

Perhaps Boeing determined that information about this system wasn’t worth attention by pilots. After all, the intention of the MCAS system was to make the 737 Max 8 give the same “feel” as the previous model, the 737 NG. This is what we call in software circles virtualization. That is, this is software that renders a virtual machine on the pilot’s user interface to the plane so it feels and acts like another kind of plane (i.e. one that is structurally balanced).

There is a “law” in software development known as “The Law of Leaky Abstractions” which states “All non-trivial abstractions, to some degree, are leaky.” MCAS is perhaps a leaky abstraction, that is, it tries to create a virtual abstraction of a legacy 737 NG without Leap engines, to hide an unbalanced airplane. Surely, nothing can leak with this kind of abstraction? It is one thing to abstract away virtual machinery and it’s entirely another thing to attempt to abstract away physical reality. However, in both cases, something will eventually leak through.

So how does the MCAS behave when its abstractions begin to leak? Here is what is reported by pilots of the plane:

“On both the NG and the MAX, when you have a runaway trim stab this can be stopped temporarily by pulling the control column in the opposite direction. But when the MCAS is activated because of a high angle of attack, this can only be stopped by cutting the electrical trim motor.”

How a pilot responds to an abstraction leak can be very different from that of the real thing it is trying to abstract. With faulty sensors, one can turn this off and use one’s understanding of the situation and the plane to make good decisions. However, when one’s understanding of the nature of the plane is virtual and not real, then you just can’t revert to reality. Reality is outside of the pilot’s comprehension and thus a cause of improper decision making. A virtual trashcan works like a regular trash can in that you can still recover the documents you place in the trash before it is emptied. Reality however is very different than the virtual world, many times there is no undo function!

Then there’s this leaky abstraction when the plane itself has exhibited its own intentions:

But the EFS never acts by itself, so we were astounded when we heard what the real reason was. (…) However, in some cases — as happened on Flight 610 — the MCAS moves by itself.

and this:

MCAS is activated without pilot input and only operates in manual, flaps up flight.

This is because a virtual abstraction of a real plane is the same as Level 5 automation! If MCAS is turned off, the pilots will find themselves to be flying an entirely different plane. When you abstract away interaction with reality, you cannot avoid introducing a process that mediates between a pilot’s action and the actual actions of the plane. The behavior of the real plane will depend on the environment that it is in. The behavior of a virtual plane will depend on just the working sensors that are available to render the virtual simulation. Level 5 automation requires a kind of intelligence that is aware of what sensors are faulty and furthermore is able to navigate a problem with partial and unobserved information. The smarts to enable this kind of Artificial Intelligence is simply not available in our current state of technological development.

In short, Boeing has decided to implement technology that is simply too ambitious. Not all software has the same level of complexity. This is not an issue of insufficient testing to uncover logical flaws in the software. This is not an issue of robustly handling sensor and equipment failure. This is an issue of attempting to implement an overly ambitious and thus a dangerous solution.

Air travel is extremely reliable, but introducing software patches as a means to virtualize physical behavior can lead to unintended consequences. The reason that we still fly planes with pilots in them is that we expect pilots to be able to solve unexpected situations that automation cannot handle. MCAS-like virtualization handcuffs pilots from differentiating between the real and the simulated. I would thus recommend to regulators that in the future, MCAS-like virtualization should be treated and tested very differently from other automation. It should be treated as Level 5 automation with a more exhaustive level of scrutiny.

AI Safety, Leaking Abstractions and Boeing’s 737 Max 8
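The failure mode the reports above describe, automation that acts whenever one sensor crosses a threshold, next to a trigger that cross-checks two sensors and disregards readings that appear off-base. This is an added example, not part of any report on this page and not any manufacturer's logic; the thresholds, the sensor traces and all function names are constructed for illustration.

```python
"""Threshold-triggered automation: single-sensor trigger vs. cross-checked trigger.

Every threshold and reading here is constructed for illustration. None of it
comes from an aircraft, a manufacturer, or the incident report.
"""
from dataclasses import dataclass

TRIGGER_DEG = 14.0       # hypothetical angle above which the automation acts
MAX_DISAGREE_DEG = 5.0   # hypothetical tolerance between the two sensors

# Constructed trace: the true angle stays well below the trigger, but sensor A
# carries a constant +20 degree error while sensor B reads correctly.
TRUE_ANGLE = [3.0, 4.0, 5.0, 4.5, 3.5, 4.0]
FAULTY_TRACE = [(t + 20.0, t) for t in TRUE_ANGLE]

# Constructed trace: both sensors agree and the angle really does exceed the
# trigger, in two separate episodes.
GENUINE_TRACE = [(5.0, 5.2), (15.0, 14.6), (16.0, 15.8), (9.0, 9.1), (15.5, 15.2)]


def single_sensor_activations(samples):
    """Count interventions when sensor A alone decides, sample after sample."""
    return sum(1 for a, _b in samples if a > TRIGGER_DEG)


@dataclass
class CrossCheckedTrigger:
    """Acts only when both sensors agree, and only once per exceedance episode."""
    activations: int = 0
    alerts: int = 0
    inhibited: bool = False
    in_episode: bool = False

    def step(self, a, b):
        """Process one pair of readings; return True if the automation acts."""
        if self.inhibited:
            return False
        if abs(a - b) > MAX_DISAGREE_DEG:
            # The automation cannot tell which sensor is wrong, so it does not
            # guess: it latches off and raises an alert for the operator.
            self.inhibited = True
            self.alerts += 1
            return False
        exceeded = min(a, b) > TRIGGER_DEG
        # Act on the rising edge only, so one episode yields one intervention
        # instead of a repeated command on every sample.
        fire = exceeded and not self.in_episode
        self.in_episode = exceeded
        if fire:
            self.activations += 1
        return fire


def run_cross_checked(samples):
    """Feed a trace through the cross-checked trigger.

    Returns (activations, alerts, inhibited).
    """
    trigger = CrossCheckedTrigger()
    for a, b in samples:
        trigger.step(a, b)
    return trigger.activations, trigger.alerts, trigger.inhibited


if __name__ == "__main__":
    for name, trace in (("faulty sensor A", FAULTY_TRACE),
                        ("genuine exceedance", GENUINE_TRACE)):
        acts, alerts, inhibited = run_cross_checked(trace)
        print(f"{name}: single-sensor activations="
              f"{single_sensor_activations(trace)}, "
              f"cross-checked activations={acts}, alerts={alerts}, "
              f"inhibited={inhibited}")
```

On the faulty trace the single-sensor trigger intervenes on every sample although the true angle never approaches the threshold, while the cross-checked trigger never intervenes and surfaces the disagreement to the operator.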
