How Safe is the Boeing 737 Max's MCAS System?

In summary, the MCAS system was not the cause of the crash and it is possible for the plane to fly without the system if the angle of attack sensor is not working correctly. However, the plane is more likely to stall if the angle of attack sensor is not working correctly and the pilots need to manually fly the plane back to correct pitch attitude.
  • #421
russ_watters said:
Well again, that's not one of the options. The trim needs to be stronger than the pilot otherwise the plane -basically any plane - wouldn't be flyable. Not even a little Cessna. Remember, trim has to be adjusted every time you change your speed or attitude and as you burn fuel. You can be overpowered by *not* adjusting trim, not just by over-adjusting it.

What I mean here is that the scenario of the airbus you gave was an undesirable scenario that you'd rather not be in, where the elevator controls are overpowered by the stab and there is no attitude control.

russ_watters said:
But unfortunately, computerized planes rarely hand the pilot manual control when the plane is fully functional -- they only do it when something fails. And when that happens, a pilot with a lot on his plate might not realize what is going on.

Ya I imagine that's a big issue with these types of failures. I think better HCI and feedback could help as we've suggested.

russ_watters said:
In the case I just linked, XL888, the pilots were given a notification that auto-trim was no longer active and either missed it or misunderstood it. For Ethiopian, I'm not sure if we know yet whether they followed the procedure correctly.

I think a constant feedback of the stab trim on the PFD would be better than a verbal notice or light. It just has so much pitch authority and now we have all these auto systems commanding it.

The preliminary report shows the Ethiopian flight followed procedure correctly for a runaway stab trim. Right before the final dive it looks like they switched the cutouts back to normal. I suggested this was likely a last-ditch effort to regain manual electric control of the trim since the manual wheel wasn't working and the pilot is heard saying that, "It's not enough" after asking the co-pilot to help him pull back on the yoke. The electric trim did work, as would be the case in the NG, but unlike the NG where they could command electric trim without auto trim systems, MCAS was now active again. MCAS did one final AND trim command, effectively making the dive irrecoverable.

It's easy in hindsight to look at the situation and pick out all the things that could have been done better. Without really being in that situation we can't fully understand how much of it was human factors. We'll know more with the final report.

What I will say is that when you look at the graphed data from the FDR, it's pretty shocking how MCAS operates in these failure scenarios. It commands nose down trim for an incredibly long period of time, up to 10 seconds with a 5 second break and has no command limit. And when commanding, any electric trim commands from the yoke are overridden. If you haven't read the report, I'd recommend it. Especially take a look at that FDR graph, it allows you to see the flight from a flight data perspective. You may wish to skip the historical facts, I think it's titled, where it goes through the flight by time-code. I found that rather upsetting.
 
  • #422
nitsuj said:
:oops:Really? am not interested in going along that tangent with you.
Well that's the angle I get from how you seem to defend MCAS but I could be mistaken. You seem to feel like it's an easy fix if the pilots are trained. And you constantly reiterate its activation parameters. I'm not really clear on why. These were well established in this thread hundreds of posts ago.
 
  • #423
nitsuj said:
that's fine, my reply you quoted was to you saying...
My reply was that (AP off) is not "typically normal flight regime..."
AP is off during take off. And climb out. It's also not used 99% of the time for landing. So I don't see AP off as non-normal. It's part of every flight.
 
  • #424
cyboman said:
AP is off during take off. And climb out. It's also not used 99% of the time for landing. So I don't see AP off as non-normal. It's part of every flight.
who said it wasn't ? rhetorical.
 
  • #425
nitsuj said:
who said it wasn't ? rhetorical.
You did I thought. I'm saying AP off is part of a "typically normal flight regime". You seemed to disagree.
 
  • #426
cyboman said:
You did I thought. I'm saying AP off is part of a "typically normal flight regime". You seemed to disagree.
The point isn't the frequency of its use. The point is it's used for a very specific circumstance.

This whole point is to counter the position that the plane is "unstable" and requires mcas to maintain stability.

it's much worse than that.

mcas is to circumvent a new type certificate because that would make the plane difficult to sell.

That's why hundreds of people died, not the least of which many being humanitarians with this latest incident.

YOU seem to make defense of this disgusting scenario by suggesting that mcas is REQUIRED. that mcas must be there and we need to figure how to make it all work.

I am saying cuck mcas and train the pilots to do what the pilots are there to do.
 
  • #427
nitsuj said:
YOU seem to make defense of this disgusting scenario by suggesting that mcas is REQUIRED. that mcas must be there and we need to figure how to make it all work.

If that's what you gather from my posts I know you haven't read this thread in its entirety. Or even understood my recent posts. In any case let's leave it at that. We're not really adding anything to the conversation.
 
  • Like
Likes nitsuj
  • #428
An interesting read, unfortunately it doesn't bode well for Boeing. Much of what we've assumed is fairly accurate, regarding cost cutting, managerial and certification pressures, competition, pushing an old airframe, MCAS in effect a sort of hack pushing an aging platform too far.

Some quotes:

Boeing’s 737 Max: 1960s Design, 1990s Computing Power and Paper Manuals

By 2011, Boeing executives were starting to question whether the 737 design had run its course. The company wanted to create an entirely new single-aisle jet. Then Boeing’s rival Airbus added a new fuel-efficient engine to its line of single-aisle planes, the A320, and Boeing quickly decided to update the jet again.

“We all rolled our eyes. The idea that, ‘Here we go. The 737 again,’” said Mr. Ludtke, the former 737 Max cockpit designer who spent 19 years at Boeing.

“Nobody was quite perhaps willing to say it was unsafe, but we really felt like the limits were being bumped up against,” he added.

Some engineers were frustrated they would have to again spend years updating the same jet, taking care to limit any changes, instead of starting fresh and incorporating significant technological advances, the current and former engineers and pilots said.

When engineers did make changes, it sometimes created knock-on effects for how the plane handled, forcing Boeing to get creative.

The larger size and new location of the engines gave the Max the tendency to tilt up during certain flight maneuvers, potentially to a dangerous angle.

To compensate, Boeing engineers created the automated anti-stall system, called MCAS, that pushed the jet’s nose down if it was lifting too high.

A second electronic system found on other Boeing jets also alerts pilots to unusual or hazardous situations during flight and lays out recommended steps to resolve them.

On 737s, a light typically indicates the problem and pilots have to flip through their paper manuals to find next steps. In the doomed Indonesia flight, as the Lion Air pilots struggled with MCAS for control, the pilots consulted the manual moments before the jet plummeted into the Java Sea, killing all 189 people aboard.

https://www.nytimes.com/2019/04/08/business/boeing-737-max-.html
 
  • Informative
  • Wow
Likes davenn and FactChecker
  • #429
NYTimes - "The larger size and new location of the engines gave the Max the tendency to tilt up during certain flight maneuvers, potentially to a dangerous angle."

It's this part that is misleading and imo an insult to pilots and washes over what is imo the "crux" of the issue. It helps justify mcas, for what appears to be reasonable grounds.

Pilots would not maneuver the plane in such a way as to unnecessarily reach a dangerous AoA, ever.

Ceteris paribus, it is IF they flew the max version (without mcas active) the same as the previous version then it could POTENTIALLY reach dangerous aoa. (ergo flies different to a remarkable enough degree as to require new training new type certificate as per FAA rules)

Trained for the plane or not a pilot would never do such a thing, that's just crazy; the pilot, or even someone who's merely played a flying game lol would push the yoke forward just a bit and or reduce thrust a bit until the plane is at the desired pitch. Then maybe trim it to that and carry on.

A pilot doesn't NEED an automated process to do this maneuver; the FAA does though, in order to give Boeing a pass on this clearly new aircraft.

No justification for mcas beyond Boeing's financial concerns. FAA should be held accountable equally imo.
 
  • #430
nitsuj said:
NYTimes - "The larger size and new location of the engines gave the Max the tendency to tilt up during certain flight maneuvers, potentially to a dangerous angle."

It's this part that is misleading and imo an insult to pilots and washes over what is imo the "crux" of the issue. It helps justify mcas, for what appears to be reasonable grounds.

Pilots would not maneuver the plane in such a way as to unnecessarily reach a dangerous AoA, ever.

Ceteris paribus, it is IF they flew the max version (without mcas active) the same as the previous version then it could POTENTIALLY reach dangerous aoa. (ergo flies different to a remarkable enough degree as to require new training new type certificate as per FAA rules)

Trained for the plane or not a pilot would never do such a thing, that's just crazy; the pilot, or even someone who's merely played a flying game lol would push the yoke forward just a bit and or reduce thrust a bit until the plane is at the desired pitch. Then maybe trim it to that and carry on.

A pilot doesn't NEED an automated process to do this maneuver; the FAA does though, in order to give Boeing a pass on this clearly new aircraft.

No justification for mcas beyond Boeing's financial concerns. FAA should be held accountable equally imo.

What you're not acknowledging is that this fix (MCAS) was to solve fundamental aerodynamic deficiencies created by pushing an aging airframe too far with larger engines. This article shows such a concern was legitimate and expressed from the engineers themselves. It's not solved by simply certifying in a new class with additional training.
 
  • Like
Likes davenn
  • #431
cyboman said:
What you're not acknowledging is that this fix (MCAS) was to solve fundamental aerodynamic deficiencies created by pushing an aging airframe too far with larger engines. This article shows such a concern was legitimate and expressed from the engineers themselves. It's not solved by simply certifying in a new class with additional training.
oh, okay.
 
  • Like
Likes nsaspook
  • #433
anorlunda said:
https://spectrum.ieee.org/aerospace...37-max-disaster-looks-to-a-software-developer

I am impressed by this article. It is a long read, but very informative and insightful IMO.
I worked at a competitor and only on military airplanes, so I can't vouch for the Boeing non-military flight control engineers. IMHO, this article's characterization of the flight control software engineers' knowledge is completely wrong. I think they would have designed, programmed, and tested redundant systems and fault analysis for decades. They live and breathe that. At least that was true of the people I worked with.
 
  • Like
Likes nsaspook
  • #434
  • Like
Likes nitsuj
  • #435
nsaspook said:
"So Boeing produced a dynamically unstable airframe, the 737 Max"

Everything I've read about the 737 Max says this is not true. No, the 737 MAX is not aerodynamically unstable in any part of its flight envelope.

It was certified stable, in the previous vid of that "series" he says and shows this and gives the FAA regulation number.

Of all the various vids I've seen on the incident; his by far are most accurate and well said.

I time stamped the vid below to where Juan explicitly states the 737 max flies "normal" without mcas.

 
  • #436
nitsuj said:
It was certified stable

Yes. I agree that statements that the 737 MAX is "unstable" without MCAS are not justified.

nitsuj said:
Juan explicitly states the 737 max flies "normal" without mcas

"Normal" means the pilot can control the plane. Yes, that's true. But "normal" is not the same as "feels similar enough to previous 737 models to allow pilots that are type certified in the 737 to fly it without additional training". The latter is what MCAS was intended to address.
 
  • Like
Likes russ_watters
  • #437
For reference, here is the portion of the FAA airworthiness standards that addresses "stick force":

https://www.ecfr.gov/cgi-bin/text-idx?node=14:1.0.1.3.11#se14.1.25_1173
 
  • Like
Likes russ_watters
  • #438
  • Like
Likes russ_watters
  • #439
PeterDonis said:
Yes. I agree that statements that the 737 MAX is "unstable" without MCAS are not justified.
"Normal" means the pilot can control the plane. Yes, that's true. But "normal" is not the same as "feels similar enough to previous 737 models to allow pilots that are type certified in the 737 to fly it without additional training". The latter is what MCAS was intended to address.

You're just restating facts; am not sure you're saying anything new or addressing anything specific.

Just being correct is all...I see.
 
  • #440
The Seattle Times is not an engineering journal. However, this new article goes much deeper into the details of the failures and remedies than previous coverage.

https://www.seattletimes.com/business/boeing-aerospace/newly-stringent-faa-tests-spur-a-fundamental-software-redesign-of-737-max-flight-controls/

Shockingly, they attribute the root cause to the KISS principle. Horrors! :oldsurprised::nb) I am a big KISS advocate. However, the completely stated KISS principle should say, "as simple as possible (but no simpler)". The article accuses Boeing of ignoring that parenthetical clause.

The remedies are also more extensive than I expected. It is not a matter of bugs, or patches. They are restructuring the entire architecture. That may be needed and overdue, but doing it under intense schedule pressure is another cause of worry.

I recommend reading the article, the whole article.
 
  • Like
Likes Asymptotic, PeterDonis, berkeman and 1 other person
  • #441
anorlunda said:
Shockingly, they attribute the root cause to the KISS principle.
I'm not sure I would characterize it that way. To have two flight control computers, but totally ignore one, seems like they were snatching defeat from the jaws of victory. It's like someone was not convinced of the need for redundancy, even though it was readily available. Many airplanes with digital flight control computers have three or more computers so that there is a tie-breaker in the case of a disagreement.
 
  • #442
FactChecker said:
Many airplanes with digital flight control computers have three or more computers so that there is a tie-breaker in the case of a disagreement.
Yeah, I wonder how they handle that with just two computers. If there is a disagreement above some threshold, take the mean value and sound an alarm?
 
  • #443
berkeman said:
Yeah, I wonder how they handle that with just two computers. If there is a disagreement above some threshold, take the mean value and sound an alarm?
If one doesn't work right, it can put out such a bad number that a mean value is bad. There may be a "safe" simpler backup calculation that the flight controls can switch to. At the very least, the pilot should be notified. I don't know a better way to handle it. Everything I worked on had more redundancy and there was a tie-breaker computer.
 
  • #444
FactChecker said:
Everything I worked on had more redundancy and there was a tie-breaker computer.
Yeah, I guess that 3rd computer would have been way too heavy for this plane... :oldeyes:
 
  • Haha
Likes FactChecker
  • #445
berkeman said:
Yeah, I wonder how they handle that with just two computers.

The article explains that. In the new architecture, if there is disagreement, there will be no automated action, and the plane goes to fully manual control of the pilot. So the pilot is the tie breaker.

In other fields like nuclear safety, we use 2/3 or even 3/4 voting but there is no option for the computers to shut themselves off and leave it to the operator.

FactChecker said:
I'm not sure I would characterize it that way.
Characterizations are not like facts. We are all entitled to our preferred characterization.

Re the KISS characterization: The KISS argument is that each redundant string should have its own independent set of sensors. A non-KISS solution might be something like 2/3 voting on the sensor readings, then passing the verdict down to the redundant strings of computing steps. That might be better, but we must admit it is also more complex. Carried to the extreme, if there are M parallel strings, and N sequential steps in processing, there could be N sets of (M-1)/M voting; one after every step.

Another strategy is to use diversity in redundant strings to dodge repeated vulnerabilities or bugs. For example, analog in parallel with digital, or contractor A's software in parallel with contractor B's software. Some people like that, but they are not KISS.
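
The redundancy strategies raised in posts #441 to #445 (averaging two channels, dual-channel compare with the pilot as tie-breaker, and 2/3 voting), sketched as an added example that is not part of any post and not taken from any aircraft's software. The disagreement threshold and all readings are constructed for illustration.

```python
from statistics import median

# Hypothetical disagreement threshold in degrees; not a real aircraft value.
DISAGREE_LIMIT_DEG = 5.0


def mean_of_two(a, b):
    """Naive two-channel blend: a single bad input corrupts the output."""
    return (a + b) / 2.0


def dual_compare(a, b, limit=DISAGREE_LIMIT_DEG):
    """Two channels, no tie-breaker computer.

    Returns (value, alert). When the channels disagree by more than
    `limit`, value is None: the automation takes no action, raises an
    alert, and the human operator becomes the tie-breaker.
    """
    if abs(a - b) > limit:
        return None, True
    return mean_of_two(a, b), False


def two_of_three(a, b, c, limit=DISAGREE_LIMIT_DEG):
    """2/3 voting implemented as mid-value select.

    Returns (value, suspects). The median cannot be dragged outside the
    range of the two healthy channels by one arbitrarily wrong channel.
    `suspects` lists the indexes of channels further than `limit` from
    the median. With two or more suspects there is no majority, so the
    voter returns None instead of guessing.
    """
    readings = (a, b, c)
    mid = median(readings)
    suspects = [i for i, r in enumerate(readings) if abs(r - mid) > limit]
    if len(suspects) >= 2:
        return None, suspects
    return mid, suspects


if __name__ == "__main__":
    # Constructed readings: two healthy channels near 5-6 degrees and one
    # channel stuck at an implausible 74 degrees.
    healthy_a, healthy_b, failed = 5.0, 6.0, 74.0

    print("mean of healthy + failed:", mean_of_two(healthy_a, failed))
    print("dual compare, both healthy:", dual_compare(healthy_a, healthy_b))
    print("dual compare, one failed:", dual_compare(healthy_a, failed))
    print("2/3 vote, one failed:", two_of_three(healthy_a, healthy_b, failed))
    print("2/3 vote, no majority:", two_of_three(healthy_a, 40.0, failed))
```

The dual-channel case can detect a fault but cannot say which channel is wrong, which is why it can only disengage; the three-channel voter both masks the fault and identifies the suspect channel.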
 
  • #446
I have 29 years in Aviation Quality Assurance, 19 years with Boeing.

MCAS is a Patch or Band Aid solution to the problem created by moving the larger Max jet Engines forward and up in front of the wing creating inherent Aerodynamic instability in the flight characteristics of the Max. This is because the FAA required 18 inches of ground clearance.

The safe solution that was suggested by the European Union Aviation Safety Agency (EASA) in July 2019 was to make the landing gear taller and then place the new larger Max Engines properly under the wing, thereby eliminating the need for MCAS. Keep in mind the design and engineering has already been accomplished on the 737 Max 10, that has 9.5 inch taller main and front landing gear.

Placing the Max Engines properly under the wing, and restoring flight stability to 737NG levels, will eliminate the need for MCAS. No MCAS, no problems, everybody is happy.

Several Airlines have switched their Max 8 orders to Max 10's for the above reasons.

The Max 7,8,9 versions did NOT pass the Wind Tunnel and Flight Tests. This created a problem that Boeing should have solved as EASA suggested, instead Boeing decided on a Patch or Band Aid solution.

This reminds me of the Baseball comedy where the Owner is trying to discourage her team players by reducing Comfort and Safety. The LA baseball team approached their charter aircraft usually quite new and comfortable, this time an old DC-3 and see the Maintenance Mechanic using DUCT TAPE to "repair" one of the propellers. Everybody in the audience laughed. Little did they know how close to the truth this Joke was! Ref: 1987 Major League with Charlie Sheen as the "Wild Thing" pitcher.

Boeing will resist this Solution because of the short term cost. But in truth, they have the Safety reputation of 5,000 Max Jets costing billions of dollars at stake, as well as Boeing's over 100 year history of quality and safety at stake. I think they have no other choice that would satisfy everyone. What do you think?
 
  • Informative
  • Like
Likes Filip Larsen, Tom.G, Klystron and 3 others
  • #447
@Gatekeeper1958 , I will concede to your expertise in this and to your recommended solution. But IMHO, they have other problems in their design and attitude. MCAS seemed to have no access to the redundant sensors and had too much authority while fighting the pilot inputs. That is a tragedy waiting to happen.
 
  • #448
Gatekeeper1958 said:
What do you think?
Anecdotally, I have heard a number of people say, "I will never fly in one of those things." So, I think you are spot on with the idea that the company itself is at stake.
 
  • #449
gmax137 said:
Anecdotally, I have heard a number of people say, "I will never fly in one of those things." So, I think you are spot on with the idea that the company itself is at stake.
Yes, I think the Boeing Company would be in a very steep dive toward bankruptcy, if they do not consider the long term effects of their tragic mistakes with the 737 Max.

I do not think they are considering the solution suggested by EASA. No, I think they will pursue the MCAS, muscle it through the FAA, and Rebrand the Aircraft with a New Name. Heavily publicised flights with Airline and Boeing executives flying with their wife and children on the Max to boost confidence in the new and improved aircraft. This will only partially succeed, and Boeing will continue its slow spiral downward to destruction. It may take 10 years or more.

However, I truly think they can build a safe Max if they realized the damage that has been done, and the fear in people's hearts at the mere mention of MCAS. It also should be renamed. I will NOT fly a Max by any name that doesn't put the Engines properly on the wings as EASA has suggested. If we could somehow get EASA and China to demand the proper changes before the FAA gives its reluctant "OK" then Boeing would be forced to do "The Right Thing."
 
  • #450
I don't believe Boeing has much control over the process at this point.
The Chinese grounded the MAX well before the FAA did and in the current environment, I'd be astonished if they released the aircraft based on the FAA's decision.
The bulk of the MAX market is in Asia, where China is the largest single market, so China must be satisfied for the MAX to continue. If that requires the EASA retrofit, it will get done.
 
  • Like
Likes Gatekeeper1958
  • #451
I know this thread is about worn out but the link below seems like a good up to date summary of both 737 MAX crashes and the current status of the investigations.

https://www.msn.com/en-us/news/world/what-really-brought-down-the-boeing-737-max/ar-AAHtnDu?li=BBnb7Kz
 
  • Like
Likes anorlunda
  • #452
gleem said:
the link below seems like a good up to date summary of both 737 MAX crashes and the current status of the investigations

As far as factual information goes, yes, the article is a good summary. However, I don't completely agree with the author's conclusion:

Who in a position of authority will say to the public that the airplane is safe?

I would if I were in such a position. What we had in the two downed airplanes was a textbook failure of airmanship. In broad daylight, these pilots couldn’t decipher a variant of a simple runaway trim, and they ended up flying too fast at low altitude, neglecting to throttle back and leading their passengers over an aerodynamic edge into oblivion. They were the deciding factor here — not the MCAS, not the Max. Furthermore, it is certain that thousands of similar crews are at work around the world, enduring as rote pilots and apparently safe, but only so long as conditions are routine. Airbus has gone further than Boeing in acknowledging this reality with its robotic designs, though thereby, unintentionally, steepening the very decline it has tried to address. Boeing is aware of the decline, but until now — even after these two accidents — it has been reluctant to break with its traditional pilot-centric views. That needs to change, and someday it probably will; in the end Boeing will have no choice but to swallow its pride and follow the Airbus lead.

I think the author is right to point out that "rote pilots" are an issue; but I don't think that means the 737 MAX and MCAS are safe. Now that the design of MCAS has been looked at in detail, it has obvious flaws that IMO, in a proper regulatory environment, should have disqualified it before it ever flew with passengers aboard.

I'm also not sure I agree with the author's opinion that the right fix for the "rote pilot" issue is to go the Airbus route and make planes pilot-proof. As the saying goes, "It is impossible to make anything foolproof because fools are so ingenious." Unless one is willing to go even further and make the planes self-flying--no pilots at all, which would of course require a degree of automation and artificial intelligence that doesn't currently exist, though I suspect it will at some point--I don't think treating the pilots as fools is a workable solution. If there are going to be humans in the system, those humans have to meet the system's requirements.
 
  • Like
Likes nsaspook, berkeman and russ_watters
  • #453
Afaik, the MCAS trim control was undocumented to the pilots and the control horn switches that cut out the automatic trim were overridden by the MCAS.
So I think it is wrong to blame the pilots for not responding to a system malfunction that they did not know existed.
It seems clear to me that many of the world's aviation regulators feel very much let down by Boeing and by the FAA, so the return to grace will be difficult for the FAA and arduous for Boeing. I do not know whether the MAX will survive the process. At this point, more than 4 months past the grounding and with no visible progress, I'd take the under.
 
  • #454
etudiant said:
I think it is wrong to blame the pilots for not responding to a system malfunction that they did not know existed.

They didn't know MCAS existed, but they certainly knew that the automatic stability trim system existed; that system has been on every 737 ever made. They also knew that a runaway trim scenario was possible, since that scenario is part of every pilot's training to fly the 737, and that the corrective action for runaway trim is to shut off the automatic stability trim system and trim the plane manually. If that action had been taken by the pilots of the Lion Air and Ethiopian Air flights at the first sign of a problem with trim, those crashes would not have happened. And, as I think was noted a while back in this thread, if you look through the reports that US pilots submit to the FAA regularly on unusual situations they encounter, you will see plenty of reports from pilots who saw unusual behavior of the stability trim system on 737 MAX aircraft and responded by shutting it off and trimming the plane manually for the rest of the flight. Those pilots didn't know about MCAS either (these events happened before either of the crashes), but they knew enough to spot unusual stability trim behavior and take the right corrective action to prevent it from jeopardizing the safety of the flight.

So, as I said, I agree with the author of the article that there is an issue with pilots in other parts of the world not having the same understanding of how to respond to unusual situations that pilots in the US and other developed countries do. I just don't think that means MCAS itself is safe.
 
  • Like
  • Informative
Likes Borg, nsaspook and russ_watters
  • #455
I believe the MCAS operation differed from that of runaway trim in that with MCAS, trim could be restored, but after a six second interval, MCAS would aggressively trim down again. That leaves the pilots in an impossible situation where the plane seems fine and then goes haywire again. Add to that lots of alarms and the stick shaker, accidents seem inevitable.
In subsequent tests, FAA flight crews using the simulator were unable to recover the airplane in a sufficiently high percentage of the runs to cause consternation among the regulators.
 
