The problem for everybody is the two airlines involved: Lion Air and Ethiopian Airlines.
Lion Air has a pathetic safety and maintenance record and in the past has occasionally been banned from operating any aircraft whatsoever into and over Europe and elsewhere.
Ethiopian Airlines fares slightly better than Lion Air but is, nevertheless, not known as an exemplary carrier. I, for instance, would hesitate to fly with them, even before the crash.
The point is that, if these accidents happened with top-of-the line carriers such as Lufthansa or SWISS, there would've been very little concern about the standard of operations of the airlines involved, and the accidents would've pointed unequivocally to problems with the plane itself.
As it is, the Lion Air crash should not have happened. There were known issues with defective instruments even before the plane started its takeoff run. The 737 has standard and very simple procedures in place for the pilots to follow in the case of stabiliser runaway, which they inexplicably failed to execute. All they had to do was to flip a switch; this would certainly have saved the plane.
This does not necessarily absolve the plane, but at the very least the fact remains that sloppy maintenance and insufficient pilot skill contributed substantially and perhaps totally to the plane coming down.
For the Ethiopian Airlines crash not enough data is yet available. On the face of it, it seems to be similar to the Lion Air crash, although there is still a probability that it was due to an entirely different set of circumstances. In which case it is just an unfortunate coincidence that two aeroplanes of the same type crashed within such a short space of time. Otherwise, if the root causes are the same, the Ethiopian plane would once again have been fine with sufficiently skilled pilots.
So is the physical design of the plane fatally flawed? (That is probably the most urgent concern of the Boeing executives right now). I don't think so.
But I believe that there is a flaw in the system design:
The MAX 8 has larger engines than any of the 737 versions before. The 737 is famously close to the ground, and finding the space to fit its engines under the wings was always a problem. So what they did with the larger engines was to move the engines forward of the wing, and up. This changed the handling characteristics of the airframe and introduced a tendency for the airframe to pitch up at low speeds when a lot of power is applied to the engines, which could initiate a stall. To compensate for this, and to make the handling of the plane feel like that of all previous 737s, Boeing introduced a system that would adjust the stabiliser (horizontal tail section) to pitch the nose of the plane down when the angle between the wing and the airflow over the wing becomes too large (i.e. a stall is imminent). This is supposed to be transparent: the pilot should not notice that it is happening, just as the driver of a car does not notice its power steering. Boeing called this system MCAS, and it is currently the focus of everybody concerned with the situation.
I personally do not believe that the MCAS and the design changes that made MCAS necessary are, in principle, flawed. What I believe IS flawed is that:
In the past, the instrumentation that provided angle-of-attack data (the angle between the wing and the airflow incident on the wing) did so for information purposes only. Therefore, however useful it may have been, there is no historical data on how accurate these measurements actually are, and on the inherent reliability of these instruments.
But with MCAS, this data is suddenly being used as input into a control system. This is a totally different ballgame. Furthermore, the Boeing engineers used the input of only one angle-of-attack sensor, even though more are available. So it looks as if the engineers simply assumed that the sensors are accurate and reliable (this is an easy thing to do: these things have been in service forever, and nobody ever complained about them, so the tendency is to think of them as a mature technology) and designed an entire and crucial control paradigm on that assumption.
So, I feel that MCAS and its associated changes are fine, and that MCAS in itself is performing as it should, but that it is being fed bad data - that is, it does the right things but with the wrong data. Since the data it receives is crucial, it is also crucial to ensure that it gets good data. I would hazard a guess that there are many controls that the design engineers could/can implement to ensure this. For one thing, I'd run a program to establish if the current angle-of-attack sensors are capable of performing with the accuracy and reliability required to output signals that are used to drive a control system. Once that is established, one should look at using the inputs of all the angle-of-attack sensors available, rather than just one - some aeroplanes have 4. (I think that when a finger eventually points to the worst design decision made for this airplane, it would be the decision to use only one sensor). I would look at the calibration procedures performed on these sensors, both during routine maintenance and when they are replaced. I would also have the system do a calibration check on its angle-of-attack sensors during startup, by comparing the input of every sensor against all the others. (E.g. for the Lion Air crash, the difference between the left and right angle-of-attack sensors was 20°, which is enormous. If the system just checked this difference to begin with, it would've flagged a critical fault and the takeoff would've been aborted).
In the end, it may come down to a situation where a system that was previously a nice-to-have informational system suddenly becomes a critical control system, while everybody, together with the support infrastructure around that system, still treats it conceptually as a nice-to-have without appreciating or even being aware of the consequences. There is a HUGE difference between how systems oversee the prevention of trivial failures and the prevention of potentially lethal failures in equipment. It is this transition which I think is the principal thing that Boeing got wrong.
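As an added illustration of the sensor cross-check proposed two paragraphs up (this is example code written for this page, not Boeing's code and not a description of how MCAS is actually implemented), the block below contrasts a control input taken from a single angle-of-attack vane with one that is only accepted when enough redundant vanes agree. The disagreement tolerance, the stall-warning angle, the minimum number of agreeing sensors and every sample reading are assumptions chosen for the example; the 20° split in the constructed "Lion Air-like" readings mirrors the figure quoted above, but the individual values are invented.

```python
"""Cross-checking redundant angle-of-attack (AoA) vanes before letting them
drive a control surface.  Illustrative example for this discussion; not
Boeing code and not how MCAS actually works.  All thresholds, sensor counts
and readings below are assumptions made for the example."""

from dataclasses import dataclass
from statistics import median
from typing import List, Optional

# Assumed engineering values.  A real programme would derive these from the
# measured accuracy of the vanes, which is exactly what the text says is missing.
MAX_DISAGREEMENT_DEG = 5.0    # largest spread two healthy vanes may show
STALL_WARNING_AOA_DEG = 14.0  # AoA above which nose-down trim would be commanded
MIN_AGREEING_SENSORS = 2      # never drive trim from one uncorroborated vane


@dataclass
class AoaDecision:
    valid: bool                 # may this value be used as a control input?
    aoa_deg: Optional[float]    # consolidated AoA, or None when rejected
    fault: Optional[str]        # human-readable reason for rejection


def single_sensor_design(left_deg: float, right_deg: float) -> AoaDecision:
    """The design criticised in the text: trust the left vane, ignore the right."""
    return AoaDecision(valid=True, aoa_deg=left_deg, fault=None)


def cross_checked_design(readings: List[float]) -> AoaDecision:
    """Accept an AoA value only when at least MIN_AGREEING_SENSORS vanes lie
    within the tolerance of the group median; otherwise refuse to provide a
    control input and report which vanes disagreed.  Works for 2, 3 or 4 vanes:
    with two, any disagreement is unresolvable and both are rejected; with
    three or more, an outlier is voted out and the remaining vanes are used."""
    if len(readings) < MIN_AGREEING_SENSORS:
        return AoaDecision(False, None, "insufficient AoA sensors available")
    reference = median(readings)
    # Two values each within half the tolerance of the reference are within
    # the full tolerance of each other, so the agreeing set is self-consistent.
    tolerance = MAX_DISAGREEMENT_DEG / 2
    agreeing = [r for r in readings if abs(r - reference) <= tolerance]
    rejected = [r for r in readings if abs(r - reference) > tolerance]
    if len(agreeing) < MIN_AGREEING_SENSORS:
        spread = max(readings) - min(readings)
        return AoaDecision(
            False, None,
            f"AoA disagree: spread {spread:.1f} deg exceeds "
            f"{MAX_DISAGREEMENT_DEG:.1f} deg; rejected {rejected}")
    return AoaDecision(True, median(agreeing), None)


def should_trim_nose_down(decision: AoaDecision) -> bool:
    """Command nose-down trim only from a value that passed the cross-check."""
    return decision.valid and decision.aoa_deg > STALL_WARNING_AOA_DEG


def preflight_check(readings: List[float]) -> bool:
    """Startup self-test: on the ground every vane should read about the same.
    Returns False (abort the takeoff) when the vanes already disagree."""
    return cross_checked_design(readings).valid


if __name__ == "__main__":
    # Constructed readings: a 20 deg split between left and right vanes, the
    # aircraft itself at a benign 1 deg AoA.
    left, right = 21.0, 1.0
    naive = single_sensor_design(left, right)
    print("single vane:", naive, "-> trim nose down:", should_trim_nose_down(naive))
    checked = cross_checked_design([left, right])
    print("cross-checked:", checked, "-> trim nose down:", should_trim_nose_down(checked))
    print("preflight passes:", preflight_check([left, right]))
    # Four vanes with one bad one: the outlier is voted out, the rest are used.
    print("four vanes, one bad:", cross_checked_design([2.0, 1.8, 21.0, 2.3]))
```

With the constructed 21°/1° pair, the single-vane path happily commands nose-down trim on a perfectly flying aircraft, while the cross-checked path reports the 20° disagreement, withholds any control input, and fails the preflight self-test. With four vanes and one outlier, the outlier is excluded and the consolidated value comes from the three that agree; with only two vanes there is no way to tell which is wrong, so both are rejected, which is the fail-safe choice for an input that drives a control surface.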