Boeing How Safe is the Boeing 737 Max's MCAS System?

AI Thread Summary
The discussion centers on concerns regarding the Boeing 737 Max's Maneuvering Characteristics Augmentation System (MCAS) and its potential flaws, particularly its ability to execute a nose-down maneuver at any altitude. Participants express confusion over the system's operation, noting that MCAS is designed to assist pilots by adjusting trim rather than overriding their control. There are significant concerns about the system's reliance on angle of attack sensors, with suggestions that a third sensor could improve fault detection. The idea of implementing a minimum altitude threshold for MCAS activation is debated, with some arguing it could prevent dangerous situations during critical phases of flight. Overall, the conversation highlights the need for better safety measures and clearer pilot control in automated systems.
  • #501
Well sure they could have done this and that and would have been fine, to be honest I think it's a kind of stupid policy to take an instrument read out which is critical for safety on said plane and to make it as an additional package that one has the choice to buy separately.
Almost resembles these "top shop" TV ads where they say "Buy a car, call now" and then with much smaller words at the bottom of the screen it says "engine and wheels come separately"
 
  • #502
MCAS, MCAS, MCAS...The flight instability with the 737 Max is structural. The problem was caused when Boeing placed the Larger CFM LEAP Engines forward and up in front of the Wings where they should NOT be. This caused the Max to fail the required FAA Flight Tests. What Boeing should have done is use taller main Landing Gear to be able to fit the larger Max Engines PROPERLY under the wing in a similar position as on the 737NG (Next Generation) Aircraft. The 737NG do not have, and do not need MCAS.

Boeing will then obtain near 737NG levels of flight stability, pass the FAA flight tests. The 737 Max 10 have 9.5 inch taller landing gear, and have more than enough room to Properly place the engines under the wing and maintain the 17 inches ground clearance required by the FAA. The Max 7, 8, and 9 Aircraft could be re-equipped with the new, taller landing gear.

This Reengineering Solution only requires the Taller Landing Gear, and new engine hangers, thereby utilizing more than 98% of the existing hardware of the Max. I believe flight testing the new Reengineered Max could be accomplished in 6-12 months.

One reason I favor this solution is the mere mention of MCAS brings a feeling of fear, and mistrust, even nausea by the flying public. The Reengineered Max could also be renamed to something like 737 Eagle, something Majestic, and Safe. If you have ever seen an American Bald Eagle flying, it is certainly something magnificent to behold. I have seen several other articles by Aviation Engineers suggesting this solution. I personally will not fly a Max by any name unless the engines are placed properly on the wings. Dennis E Sullens, 29 years Aviation Quality Assurance, 19 years with Boeing, Retired.
 
  • #503
MCAS, MCAS, MCAS References below:

FOOTNOTE 01. Aviation Engineers Criticize Engine Placement.

https://samchui.com/2019/07/10/easa-identifies-737-max-autopilot-fault

EASA IDENTIFIES 737 MAX AUTOPILOT FAULT.
by AARON HILSZ-LOTHIAN, JULY 10, 2019

"Past and present engineers within the aviation industry have flagged the aircraft as unsafe to fly because it is not a software problem, it is a structural problem that required the MCAS system in the first place."

"A redesign of the engine position on the aircraft would cost a ridiculous amount of money and would likely render the grounded aircraft useless [I think a safe reengineered Max will sell and make billions of dollars]. Flight testing and new production methods would have to be conducted, leaving the idea in the scrap bin." [But there is still time for the Max 10, and may cost Billions more, and more deaths if MCAS' short cut is pursued. The question that should be asked is: "What if MCAS can NOT safely solve the inherent Flight Instability in the Max? What if placing the larger Max Engines PROPERLY under the wing is the only safe solution, regardless of cost?"]

"Despite this the idea to add or redesign hardware hasn’t been completely disregarded as EASA director Patrick Ky said, retrofitting additional hardware relating to the angle of attack sensors was still an option."

FLAGNOTE 01 (Continued).

FORMER BOEING OFFICIAL REFUSES TO TURN OVER 737 MAX DOCUMENTS
By AARON HILSZ-LOTHIAN, SEPTEMBER 9, 2019

https://samchui.com/2019/09/09/form...-to-turn-over-737-max-documents/#.XXqBj1NlA0M

"A former Boeing official has refused to turn over crucial 737 MAX development documentation, after he cited the Fifth Amendment."

"According to The Seattle Times, Mark Forkner, Boeing’s chief technical pilot on the 737 MAX program, refused to turn over documents requested by the U.S. Department of Justice as part of their investigation."

"During his time at Boeing, it is said that he was often anxious about deadlines and management pressure, during the development of the 737 MAX, resulting in frequent visits to peers for help."

"Adding to the curiosity within the investigation, Forkner was behind the suggestion of not informing customers of the Maneuvering Characteristics Augmentation System (MCAS)."

"MCAS was designed in a last minute attempt to overcome a handling characteristic, this saw the nose pitch up as a result of the forward and high mounted CFM LEAP engines."

"A flawed design, the system would take angle of attack data, from a single sensor, and adjust the horizontal stabiliser to point the nose down if a stall was imminent."

"It is this system that is believed to be the cause of the crashes of Ethiopian Airlines Flight 302 and Lion Air Flight 610, both resulting in 346 lives gone."

"Worsening the situation, the zero mention of MCAS was paired with an agreement to train pilots digitally through a one hour differences course."

FLAGNOTE 01 (Continued).

Software Won’t Fix Boeing’s ‘Faulty’ Airframe
By George Leopold, 03.27.19

https://www.eetimes.com/document.asp?piddl_msgid=383631&piddl_msgposted=yes&doc_id=1334482&page_number=2

The saga of Boeing’s 737 MAX serves as a case study in engineering incompetence, and in engineering ethics – or the lack thereof.

New details have emerged about the competitive pressures placed on Boeing 737 engineers as the aircraft manufacturer scrambled to fend off defections by major U.S. airlines to rival Airbus. The European consortium was challenging Boeing’s flagship product with its upgraded A320neo. According to reports, U.S. carriers like American Airlines were preparing to switch to the longer-range Airbus model.

Boeing responded with what it claimed was an upgraded version of its workhorse 737 equipped with a larger CFM LEAP engine providing longer range and greater fuel efficiency. The larger engines required Boeing engineers to place them far ahead of the wing leading edge to achieve [FAA required 17 inches] ground clearance.

That design decision meant the 737 MAX would tend to pitch up while accelerating or when the aircraft experienced a high angle of attack – the angle between the wing and the direction of flight. The proposed solution to the pitch-up problem—and a means of achieving flightworthiness certification—was a software system called MCAS.

Critics assert the engine placement effectively made the 737 MAX series a fundamentally different aircraft with different handling characteristics requiring new operational software and pilot training. The re-certification process Boeing sought to avoid for competitive reasons would have been lengthy and expensive.

Among Boeing’s critics is Gregory Travis, a veteran software engineer and experienced, instrument-rated pilot who has flown aircraft simulators as large as the Boeing 757. Travis posted a damning critique of the 737 MAX fiasco last week that concluded: “It is likely that MCAS, originally added in the spirit of increasing safety, has now killed more people than it could have ever saved. It doesn’t need to be ‘fixed’ with more complexity, more software. It needs to be removed, altogether.” (Travis is sharing his evaluation as a Google Doc, located here.)

Travis is unequivocal in his assessment of the Boeing 737 MAX. “It’s a faulty airframe. You’ve got to fix the airframe [and] you can’t fix the airframe without moving the engines” back and away from their current position.

Ultimately, Travis also bemoans what he calls “cultural laziness” within the software development community that is creeping into mission-critical systems like flight computers. “By laziness, I mean that less and less thought is being given to getting a design correct, and simple – up-front,” he wrote. “What needs to happen, I think, is for liability to accrue where it is generated.”

Incompetent or Unethical?

Whether the cautionary tale of Boeing 737 MAX is a question of ethical engineering – doing things right the first time, making damned sure mission-critical systems work with five nines (99.999 percent) or higher reliability with built-in redundancy – remains an open question.

“IT MAY JUST BE ENGINEERING INCOMPETENCE,” TRAVIS CONCLUDES.

That, or economic and competitive pressures that led Boeing to effectively conceal the existence of MCAS as a way to avoid a lengthy recertification process for the 737 MAX, a process requiring extensive pilot retraining on expensive new simulators. All would have raised the unit cost of each aircraft by millions of dollars, Travis noted, thereby reducing Boeing’s chances of competing with the Airbus 320neo.

The Boeing 737 MAX tragedies also recall the engineering decisions that led to the shuttle Challenger disaster in 1986 and the Apollo 1 fire in 1967. Boeing’s haste in responding to the Airbus challenge reminds Travis and others of the group-think curse called “Go Fever” during Project Apollo that eventually killed the crew of Apollo 1 during a launchpad simulation. In that case, crew safety was sacrificed in the name of schedule.

Boeing’s engineering decisions while hastily developing the 737 MAX have ultimately resulted in the deaths of [346] people.

Travis expects one of two possible outcomes for Boeing. “I see a scenario where they don’t sell any more of these planes.” More likely, he continues, is an announcement in coming days [Posted 27 March 2019] that the aircraft maker is fixing the MCAS software to handle inputs from multiple angle of attack sensors.[FN 01 and FN 04].

Either way, Travis concludes, “Software [now] stands between man and machine.”

— George Leopold is the former executive editor of EE Times and the author of Calculated Risk: The Supersonic Life and Times of Gus Grissom (Purdue University Press, Updated, 2018).

FOOTNOTE 02. 737 Max 10 Landing Gear are 9.5 inches taller.

https://www.flightglobal.com/news/a...details-737-max-10-landing-gear-design-451546

FLAGNOTE 03: Virgin Airlines switches Max 8 to Max 10's.

https://www.google.com/url?sa=t&sou...FjAAegQIAxAB&usg=AOvVaw14wQobQHnwCduWhCVBskKx

FLAGNOTE 04. EASA 737 MAX REQUIRED IMPROVEMENTS FOR CERTIFICATION:

https://www.google.com/url?sa=t&sou...Vaw0luTe1ErtWK6xb9xdNly3m&cshid=1567041030325

FLAGNOTE 05. US FAA Regulations for Anti Stall and Flight Stability of Commercial Aircraft against 737 Max.

"The LEAP engine nacelles are larger and had to be mounted [if main landing gear is not taller as the B-Max 10] slightly higher and further forward from the previous NG CFM56-7 engines to give the necessary [17 inch] ground clearance. This new location and larger size of nacelle cause the vortex flow off the nacelle body to produce lift at high AoA [Angle of Attack]. As the nacelle is ahead of the C of G [Center of Gravity], this lift causes a slight [?] pitch-up effect (ie a reducing stick force) which could lead the pilot to inadvertently pull the yoke further aft than intended bringing the aircraft closer towards the stall. This abnormal nose-up pitching is not allowable under 14CFR §25.203(a) "Stall characteristics".

Several aerodynamic solutions were introduced such as revising the leading edge stall strip and modifying the leading edge vortilons but they were insufficient to pass regulation. MCAS was therefore introduced to give an automatic nose down stabilizer input during elevated AoA [Angle of Attack] when flaps are up. [Dennis E Sullens: According to "Aviation Best Practices" and many Aviation Engineers (FN01), at this point of failing the Wind Tunnel and Flight Testing, Boeing should have made BOTH main and front Landing Gear taller and then place Larger Max Engines PROPERLY under the wing, thereby bringing the Max to near 737NG levels of flight stability, passing the FAA Flight Stability requirements, and thereby eliminating the need for MCAS. No MCAS, no Problems. Everybody is happy.]"

14CFR §25.203 Stall characteristics.

"(a) It must be possible to produce and to correct roll and yaw by unreversed use of the aileron and rudder controls, up to the time the airplane is stalled. No abnormal nose-up pitching may occur. The longitudinal control force must be positive up to and throughout the stall. In addition, it must be possible to promptly prevent stalling and to recover from a stall by normal use of the controls."

http://www.b737.org.uk/mcas.htm

FLAGNOTE 06. Flight Crashes Resulting In Deaths, Aircraft Company and Model Compared.

http://www.airsafe.com/events/models/rate_mod.htm

Boeing's Troubled Tanker Has Its Wings Clipped Again

One of the company's flagship military programs suffers a fresh setback.


Lou Whiteman
(TMFeldoubleu)
Sep 14, 2019 at 4:32PM


https://www.google.com/amp/s/www.fo...oubled-tanker-has-its-wings-clipped-agai.aspx

"In a worst-case scenario, cargo pallets rolling free in the cargo hold could be a danger to crew and could unbalance the aircraft, making it hard to control. It is not yet clear if the issue was limited to one defective latch, or there's a systemic problem that will lead to a comprehensive redesign and retrofit." End of Article.

[Dennis E Sullens: if "comprehensive redesign and retrofit" is appropriate for a 767 cargo latch when the problem is "systemic" then even more so justified with the systemic 737 Max Flight Instability (due to improper engine placement), don't you think?]
 
  • #504
Gatekeeper1958 said:
Engines forward and up in front of the Wings where they should NOT be

Plenty of other aircraft, including other Boeing aircraft (the 757 and 767, for example), have engines placed forward on the wings in a similar way. So to simply say that engines should not be there is too strong a claim.

Gatekeeper1958 said:
This caused the Max to fail the required FAA Flight Tests.

What tests did it fail?
 
  • #505
https://www.seattletimes.com/business/boeing-aerospace/boeing-pushed-faa-to-arelax-737-max-certification-requirements-for-crew-alerts/

Recent article on Boeing write-offs, somewhere near $9 Billion, so far. I'm sure it will cost them more down the road and in lost orders.
 
  • #506
Answer to PeterDonis' questions:

1.) The 757 and 767 did NOT have the Engines forward of the Center of Gravity.

2.) What FAA tests did the Max fail? FLAGNOTE 04.) Of the Reference section above in: 14CFR §25.203 Stall characteristics. See above for details.

Please read entire Reference Section. There are weblinks to the various Articles supporting the Reengineering solution that myself and others in the Aviation Industry suggest.
 
  • #507
Gatekeeper1958 said:
The 757 and 767 did NOT have the Engines forward of the Center of Gravity.

I didn't say they were. I said they were forward on the wing, which they are, as a simple look at a photograph will tell you. You said:

Gatekeeper1958 said:
Engines forward and up in front of the Wings where they should NOT be

If what you meant was "engines forward of the center of gravity where they should NOT be", then that's what you should have said.

Also, from your earlier post:

Gatekeeper1958 said:
That design decision meant the 737 MAX would tend to pitch up while accelerating or when the aircraft experienced a high angle of attack

The 757 and 767 have this same behavior. But they had it when they were first designed, so their original designs took it into account, and so did their original type certifications from the FAA. That's a huge difference between them and the 737 MAX.

Gatekeeper1958 said:
FLAGNOTE 04.) Of the Reference section above in: 14CFR §25.203 Stall characteristics.

I see nothing in that link that references that 14CFR section or talks about the 737 MAX failing it.

Gatekeeper1958 said:
There are weblinks to the various Articles supporting the Reengineering solution that myself and others in the Aviation Industry suggest.

Just to be clear, I am not in any way disputing that there are better solutions than the one Boeing chose.
 
  • #508
Reply to PeterDonis' questions:
The 757 and 767 Engines are not above the wings, and forward of the Center of Gravity, as is the case with the Max Aircraft. Yes, I could have been more clear. The conclusion that I made that the Max Engines are improperly placed causing Flight Instability, and Stall during FAA required maneuvers is heavily substantiated by the referenced Articles and Aviation Engineers.

PeterDonis said:
"I see nothing in that link that references that 14CFR section or talks about the 737 MAX failing it."
Gatekeeper 1958, Dennis E Sullens said in
FLAGNOTE 05. US FAA Regulations for Anti Stall and Flight Stability of Commercial Aircraft against 737 Max.

"The LEAP engine nacelles are larger and had to be mounted [if main landing gear is not taller as the B-Max 10] slightly higher and further forward from the previous NG CFM56-7 engines to give the necessary [17 inch] ground clearance. This new location and larger size of nacelle cause the vortex flow off the nacelle body to produce lift at high AoA [Angle of Attack]. As the nacelle is ahead of the C of G [Center of Gravity], this lift causes a slight [?] pitch-up effect (ie a reducing stick force) which could lead the pilot to inadvertently pull the yoke further aft than intended bringing the aircraft closer towards the stall. This abnormal nose-up pitching is not allowable under 14CFR §25.203(a) "Stall characteristics"

Several aerodynamic solutions were introduced such as revising the leading edge stall strip and modifying the leading edge vortilons but they were insufficient to pass regulation. MCAS was therefore introduced to give an automatic nose down stabilizer input during elevated AoA [Angle of Attack] when flaps are up. [Dennis E Sullens: According to "Aviation Best Practices" and many Aviation Engineers (FN01), at this point of failing the Wind Tunnel and Flight Testing, Boeing should have made BOTH main and front Landing Gear taller and then place Larger Max Engines PROPERLY under the wing, thereby bringing the Max to near 737NG levels of flight stability, passing the FAA Flight Stability requirements, and thereby eliminating the need for MCAS. No MCAS, no Problems. Everybody is happy.]"

14CFR §25.203 Stall characteristics.

"(a) It must be possible to produce and to correct roll and yaw by unreversed use of the aileron and rudder controls, up to the time the airplane is stalled. No abnormal nose-up pitching may occur. The longitudinal control force must be positive up to and throughout the stall. In addition, it must be possible to promptly prevent stalling and to recover from a stall by normal use of the controls."

PeterDonis said: "The 757 and 767 have this same behavior."
Gatekeeper1958, Dennis E Sullens Reply: All engines below the wing tend to pitch up upon Maximum Thrust. Your point about the 767 and 757 having the "same behavior" is not applicable to the 737 Max for the following reasons:
1.) The 767 and 757 passed the FAA flight tests, the Max failed.
2.) After failing the FAA Flight Tests, the Max needed MCAS (if Engines were not repositioned), the 767 and 757 do not need MCAS.
3.) The 767 and 757 have their engine placement very close to the Center of Gravity. The Max's do NOT.
4.) The 767 and 757 are some of the safest Aircraft ever made. The Max is one of the most dangerous. For example, the 737NG have a 0.06 chance of crashing per 1,000,000 hours of flight. The 737 Max has a 3.08 per million hours of flight, about 50 times worse. The 767 crash rate is 0.28 per Million hours, and the 757 is 0.22 per Million hours. So they have Engines forward of the wing, but not up and in front of the wing, and not forward of the Center of Gravity. Big differences, and not really the "same behavior."
 
  • #509
@Gatekeeper1958 -- Please use the Quote/Reply feature when quoting other users. Click-drag across the text you want to quote, and click the "Reply" popup. That pastes that text into the Edit window inside a Quote Box with the other user's username and a link to the post that you are quoting. That makes it much easier to read your replies that have quotes in them.

Like this:
Gatekeeper1958 said:
Gatekeeper 1958, Dennis E Sullens said in
FLAGNOTE 05. US FAA Regulations for Anti Stall and Flight Stability of Commercial Aircraft against 737 Max.

Thank you. :smile:
 
  • #510
Gatekeeper1958 said:
FLAGNOTE 05

Ok. You said FLAGNOTE 04 before, so that's where I looked.

Gatekeeper1958 said:
The 767 and 757 passed the FAA flight tests, the Max failed

Yes, because the 767 and 757 were designed from the start with the engines mounted forward on the wing, but the 737 was not, and so moving the engines forward on the 737 MAX changed its behavior. If the 737 had been designed from the start with engines forward on the wing, proper account of that would have been taken from the start, like it was with the 767 and 757.

Gatekeeper1958 said:
The 767 and 757 have their engine placement very close to the Center of Gravity. The Max's do NOT.

Is there an available reference online that shows where the CG is on these aircraft? I have not been able to find one.
 
  • #511
PeterDonis said:
Is there an available reference online that shows where the CG is on these aircraft? I have not been able to find one.
Why is it necessary? The mere fact that the 767 and 757 passed the FAA required Wind Tunnel and Flight Testing, and the lack of MCAS, and the decades of safe flying all point to a well designed aircraft, where the Max is not. Back in the 1980's this was common knowledge to Boeing employees like myself, and I could have called the Engineering Dept. to get the information you requested. But for now, I am now retired, and do not feel the need to relearn what to me appears obvious. I am sure you can research, and acquire a weblink if you are still in doubt. If you can get a photo of the side of the Aircraft, the Center of Gravity is approximately in the middle. Best wishes, Dennis E Sullens.
 
  • #512
Gatekeeper1958 said:
Why is it necessary? The mere fact...
It seems to me a simple "no I don't have access to that anymore" would have sufficed...
 
  • #513
Gatekeeper1958 said:
Why is it necessary?

Because we like to have references here.

Gatekeeper1958 said:
I am sure you can research, and acquire a weblink if you are still in doubt.

I've already tried that. If I had found something on the web I wouldn't have needed to ask the question.

Gatekeeper1958 said:
If you can get a photo of the side of the Aircraft, the Center of Gravity is approximately in the middle.

Yes, but that "approximately" doesn't help much if I'm trying to assess a statement like this:

Gatekeeper1958 said:
The 767 and 757 have their engine placement very close to the Center of Gravity. The Max's do NOT.

Side views of the 737 max and 767, in particular, look very similar.
 
  • #514
PeterDonis said:
Side views of the 737 max and 767, in particular, look very similar.
The photo of the side view of the 767-300 shows the Engine maybe 6 inches ahead of the forward edge of the Wing to Body join. The 737 Max 10 is closer to 2 feet ahead of the forward edge of the Wing to Body join. See photos.
IMG_20191101_165244.jpg
IMG_20191101_165042.jpg
IMG_20191101_170455.jpg
 
  • #515
Gatekeeper1958 said:
The photo of the side view of the 767-300 shows the Engine maybe 6 inches ahead of the forward edge of the Wing to Body join. The 737 Max 10 is closer to 2 feet ahead of the forward edge of the Wing to Body join.

Ok, thanks, this makes the issue much clearer.
 
  • #516
I think for some this may be a bit emotional to admit that Boeing (which is the largest airplane manufacturer of the US) has made such apparent errors but it seems and everything points that they indeed have. Engineers make bad choices too, the question is when and why, if something that is unknown to our scientific knowledge affects a design then at least we can say "no one knew" but sadly here as well as elsewhere it's the role of money. Pressure from shareholders and as we see not always competition is a good thing in a free market economy.
Competition is good when there are many many smaller parties at play, but for large, high revenue companies where there are only say few players in the field like in aerospace such competition can lead to bribery, relaxing of standards etc.
Normally rules and regulation take care of this, the question is why Boeing was able to slip through these?
 
  • #517
artis said:
I think for some this may be a bit emotional to admit that Boeing (which is the largest airplane manufacturer of the US) has made such apparent errors but it seems and everything points that they indeed have.
I agree with everything Artis said. Not just the above quote. When Alan Alda playing a US Senator in the 2004 movie "The Aviator" asked Howard Hughes if hiring Prostitutes, and paying for Fancy Hotel rooms and dinners for US military officials could be considered "a bribe," Leonardo DiCaprio playing Hughes answered "Yes."

Later, in real life when US Senator McCain asked the CFO of Boeing the same question about bribing Airforce officials in regards to the 767 Tanker contract worth billions of dollars, the CFO (who served prison time) almost could not believe the question being asked, because he was not the only one. It is simply, the Music Stopped, and there were no more chairs for him to sit on. In other words, it was his turn. Boeing paid the 500 million dollar Government fine with the bonus monies it had promised to the Union workers like me, with the US promise of no further Dept. of Justice prosecutions. The CEO resigned with no prison time, and no indightments. This is all because the Aircraft industry is so corrupt. I won't give further details, needless to say, Artis is correct, and I agree with his comments above. There are many Articles on the subject. I list just one below by "The Herald."

https://www.heraldnet.com/news/boeing-has-a-tense-past-with-mccain/
 
  • #518
Gatekeeper1958 said:
The CEO resigned with no prison time, and no indightments.
"... no prison time, and no indictments." Spelling correction.
 
  • #519
When we speak of automation and uncommanded actions, we must not use narrow definitions. All autopilots are automation. All take uncommanded actions (duh, that's their purpose.) Using broad definitions, we can say that they are all AI, no matter how old fashioned.

My boat could steer itself using uncommanded actions with this non-electronic wind-powered automation system. It had no redundant sensors, no redundant actuators. My backup was to steer manually 24x7xWeeks until port. If I couldn't do that, the results could be fatal to all on board.
1572913093233.png


Some might say that this self-steering is not comparable to MCAS because MCAS is digital and has software. My reply to that is, "baloney."
 
  • #520
anorlunda said:
All autopilots are automation. All take uncommanded actions (duh, that's their purpose.)
The difference between Auto Pilot and MCAS is the Human Pilot engages the Auto Pilot, where MCAS engages without consent of the Human Pilot or Co-Pilot. MCAS is supposed to work in the background. Now that Boeing has "Watered Down" MCAS so that it will NOT engage if the two Angle of Attack sensors do not agree, will cause future Crashes and loss of life due to the Max's tendency to stall during certain required manoeuvers by the FAA. Or when the MCAS only activates one time, when more times are needed. So MCAS won't kill them, but the Max's inherent Flight Instability and tendency to Stall, will kill people if Boeing continues with this very bad Software Solution.

What Boeing should do is solve the "Root Cause" of the Flight Instability by placing the Larger CFM Leap Engines under the wing, near the Center of Gravity similar to the 737NG. The 737NG do not have, and do not need MCAS. This can be done using the 9.5 inch taller main Landing Gear of the Max 10 on the smaller Max 7, 8, and 9 aircraft. The taller landing gear will provide more than enough room for the FAA required 17 inches of ground clearance. Then the Max's will pass the FAA required manoeuvers without MCAS.

No MCAS. No problems. Everybody is happy.
 
  • #521
anorlunda said:
All autopilots are automation. All take uncommanded actions (duh, that's their purpose.)

Yes, agreed.

anorlunda said:
My boat could steer itself using uncommanded actions with this non-electronic wind-powered automation system. It had no redundant sensors, no redundant actuators. My backup was to steer manually 24x7xWeeks until port. If I couldn't do that, the results could be fatal to all on board.

Yes, and if you were trying to sell commercial travel by boat to paying customers, you would find yourself either having to add more automated redundancy to the system or having to keep enough backup humans on board to ensure that someone who was sufficiently awake and functional was always on watch to respond to problems. Or most likely both.

anorlunda said:
Some might say that this self-steering is not comparable to MCAS because MCAS is digital and has software.

I agree with you, your self-steering system is a perfectly good automated system. (Older Navy ships had similarly non-digital non-computer control systems for things like boilers.) The difference between it and MCAS is just the safety requirements, not any inherent distinction between digital/software and non-digital/non-software automated systems.
 
  • #522
Gatekeeper1958 said:
The difference between Auto Pilot and MCAS is the Human Pilot engages the Auto Pilot, where MCAS engages without consent of the Human Pilot or Co-Pilot.

The stability trim system in previous 737 models also engages without consent of the human flight crew. So while both that and MCAS are different in that respect from the autopilot, I don't think that's the crucial factor. I think the crucial factor is that MCAS was implemented badly (and, as you say, was only implemented at all because of a serious change in the flight characteristics of the plane due to the new engines, which could have been avoided by making other design changes from the start such as the longer landing gear--whereas the previous stability trim system, as far as I can tell, is dealing with flight characteristics that pretty much every plane has).
 
  • #523
PeterDonis said:
The stability trim system in previous 737 models also engages without consent of the human flight crew.
Yes, this is true about the "Stability Trim" system working in the background on the 737NG, and also "Rudder Stability" during heavy Cross-Wind also works in the background.

The bottom line is that the 737NG's are among the safest Aircraft in the world with a crash rate of 0.06 per million hours of Flight Time, compared to the Max's 3.08 per million hours of Flight Time, about 50 times greater chance of death, than the NG's.

If another Max crashes because of a Faulty Angle of Attack sensor did not agree, disengaging the MCAS, and the Max goes into a Stall unprotected. This could be dissaterous for Boeing.

No, the MCAS was a bad idea from the very start. Boeing needs to reposition the Engines. Then there will be no need for MCAS, and the Max's should enjoy a safe Crash status, just as the Next Generation 737 have. This is the only Happy Ending that I can figure out. But the Lawmakers, Boeing, FAA, are not talking about this Engine repositioning solution to the problem. Only Patrick Ky of EASA talked about this idea briefly in July.

I am very worried we will have more Max crashes, more blood on the hands of Boeing and the Regulators. Boeing will become the "Sony" of the Aviation Industry only assembling the aircraft, and putting their label on it, with very little "Value Added." And the Max will become the "Corvair" of the Aviation Industry. Remember Ralf Nader's book: "Corvair, Unsafe at any Speed." This might be what the future holds for the 737 Max.

The News Articles I listed above [MCAS, MCAS,MCAS References] have the Weblinks to the statistics I mentioned here in this comment.
 
  • #524
PeterDonis said:
Yes, and if you were trying to sell commercial travel by boat to paying customers, you would find yourself either having to add more automated redundancy to the system or having to keep enough backup humans on board to ensure that someone who was sufficiently awake and functional was always on watch to respond to problems. Or most likely both.
I think that is a bit overstated. The vessel itself meets all applicable USCG requirements as is. To carry passengers commercially requires a Captain's license but no additional equipment for the boat.

Worldwide, even big cruise ships require seagoing tows to get back to port several times per year. What does that tell us about multiple layers of backup/redundancy?

Regulators can and do impose layer after layer of detailed engineered safety systems on airplanes and nuclear power plants. All of them are anti-KISS by definition. I wish we had agreed upon methods to conclusively prove whether they add to safety or subtract from it.

In the case of automobiles, we have a much larger statistical base. That makes it practical to conclusively prove that features like seat belts or airbags really do save lives. But in other fields with sparse statistical data, the benefits of adding complexity for engineered safeguards must be taken on faith. We can argue that they are more effective than a Saint Christopher medal, but we can't prove it.

More redundant sensors plus systems to resolve disagreements? Sure; why not? Anti-KISS. Who cares about KISS? If you want to argue KISS, you must carry the burden of proof.

Forgive my rant. I wish we could apply the same rigor to safety engineering that we do to physics. If we had rigor, we wouldn't need threads with 500+ posts full of opinions (including this post 😉 )
 
  • #525
Gatekeeper1958 said:
1.) The 767 and 757 passed the FAA flight tests, the Max failed.
2.) After failing the FAA Flight Tests, the Max needed MCAS (if Engines were not repositioned), the 767 and 757 do not need MCAS.
Gatekeeper1958 said:
Now that Boeing has "Watered Down" MCAS so that it will NOT engage if the two Angle of Attack sensors do not agree, will cause future Crashes and loss of life due to the Max's tendency to stall during certain required maneuvers by the FAA.
Yeah, I really want to see your sources for this too. I don't know if you are being sloppy again, but you are saying that the Max was designed, built and flown without MCAS, then it failed a certification test (for internal testing or official), then it was redesigned to include MCAS. This is something I've never heard and it would be incredible and newsworthy if true. Among other things it would mean that Boeing engineers were incapable of predicting how the geometry change would affect flight characteristics. It also implies the Max should not be certifiable - and I don't see anyone of note suggesting that.

Further, you seem to be saying the Max will stall on its own, without pilot input. But my understanding of the behavior of the Max is that it never requires forward pressure on the yoke to avoid stall but rather just doesn't have a progressively increasing backpressure (without MCAS). This means it will not stall on its own; if you let go of the yoke the nose will drop. But the PILOT may inadvertently cause a stall by holding a constant backpressure and not expecting the nose to keep rising.

From your post #503:
this lift causes a slight [?] pitch-up effect (ie a reducing stick force) which could lead the pilot to inadvertently pull the yoke further aft than intended bringing the aircraft closer towards the stall. [emphasis added]

I've never seen a source describe clearly and precisely how the uncorrected Max behaves and how it feels to the pilot. Most news sources use imprecise language.
 
  • #526
russ_watters said:
I've never seen a source describe clearly and precisely how the uncorrected Max behaves and how it feels to the pilot. Most news sources use imprecise language.
There have been articles on the web about the Angle of Attack sensors disagreeing with each other, as is the case in both the Oct 2018 crash in Ethiopia, and the March 2019 Lion Air crash. Also pilots' reports where there were uncommanded runaway Stabiliser with "Near to a Crash" where the US Pilots reported the incidents to the FAA.

So the tendency to Stall, and the tendency of the Angle of Attack sensors to fail is evident by my reckoning. This means that in the future an MCAS unprotected Max could Stall, Crash, and kill more people. All this because Boeing is not solving the Root Cause of the problem, which is the placement of the larger Leap Engines too far forward of Center of Gravity. There was an excellent video on YouTube made by Boeing on the development of the Max, that has since been deleted.

I share Russ Watters' concern, I have written to CNBC, NPR, CNN and other news organizations, I have written to the FAA, Patrick Ky of EASA, Canada, Brazil and other Civil Aviation Authorities. I have written to US Texas Sen. Cruz, and others on the Senate Committee that questioned Boeing. I have written to Muilenburg and others at Boeing to try to WAKE THEM UP to the reality that Boeing now had Taller main Landing Gear and all they need to do is make new Engine Hangers to place the Engines near the Center of Gravity as on the 737NG Aircraft, and not need MCAS. Then the pilots could share the same type certificate.

The larger Leap Engines have 10% more thrust so the Pilots will have to point the nose down a little to compensate. Back in the 1980's when Airlines switched to the new more powerful CFM Engines for the first time, the Pilots had to compensate by pushing the nose down during full thrust. And these 1980's Pilots had no problems, and needed no MCAS.

Russ Watters, your question is a good one, and would have been answered by the now deleted Boeing YouTube video. I hope they don't delete the September 2018 video showing the 9.5 inch taller Max 10 Landing Gear.

Back in the late 1990's a flight test of a 737 ended with the collapse of the front Landing Gear, causing tremendous damage to the front under belly of the fuselage. There was a very stunning video of the crash (no fire, no injuries) that went viral all throughout the Boeing Company. I was working in the Fabrication Division in Auburn, Washington about 20 miles South of Renton, Wa Boeing Airfield where the Crash took place. The computers were able to download the video, but it was too big to save to a 1.44 MB floppy disc, and USB drives were in their infancy, and not available. The file size was too big to email. So the download to our local computer was the only option. Within one hour of the Crash Boeing's Technical people had traced every location that the Video had been downloaded, and erased the video. No one could find the Video on the Boeing "Intranet." There was no mention of the accident on the News. It was as if it had never happened. The 737 was quietly repaired of its extensive damage, and the Customer this Aircraft was delivered to, was never informed. It was truly Spooky.

To my memory, and putting together the pieces of information listed in my "MCAS MCAS MCAS References" above, the "uncorrected Max" has a tendency to stall at low speeds, and high AoA, such as Take Off at an Airport. Also, the Uncorrected Max can stall when banking steeply to the left or right. Both of these maneuvers are required by FAA and the Uncorrected Max failed them both. The best solution being the use of taller landing gear, and repositioning the Engines closer to the Center of Gravity. The Deadly Software Solution being proposed will not resolve Boeing's Bad Airframe.

FN01: "Past and present engineers within the aviation industry have flagged the aircraft as unsafe to fly..."

"MCAS was designed in a last minute attempt to overcome a handling characteristic, this saw the nose pitch up as a result of the forward and high mounted CFM LEAP engines."

"A flawed design, the system would take angle of attack data, from a single sensor, and adjust the horizontal stabiliser to point the nose down if a stall was imminent."

"That design decision meant the 737 MAX would tend to pitch up while accelerating or when the aircraft experienced a high angle of attack – the angle between the wing and the direction of flight. The proposed solution to the pitch-up problem—and a means of achieving flight worthiness certification—was a software system called MCAS."

"Travis is unequivocal in his assessment of the Boeing 737 MAX. “It’s a faulty airframe. You’ve got to fix the airframe [and] you can’t fix the airframe without moving the engines” back and away from their current position."

FN05: "The LEAP engine nacelles are larger and had to be mounted [if main landing gear is not taller as the B-Max 10] slightly higher and further forward from the previous NG CFM56-7 engines to give the necessary [17 inch] ground clearance. This new location and larger size of nacelle cause the vortex flow off the nacelle body to produce lift at high AoA [Angle of Attack]. As the nacelle is ahead of the C of G [Center of Gravity], this lift causes a slight [?] pitch-up effect (ie a reducing stick force) which could lead the pilot to inadvertently pull the yoke further aft than intended bringing the aircraft closer towards the stall. This abnormal nose-up pitching is not allowable under 14CFR §25.203(a) "Stall characteristics".

14CFR §25.203 Stall characteristics.

"(a) It must be possible to produce and to correct roll and yaw by unreversed use of the aileron and rudder controls, up to the time the airplane is stalled. No abnormal nose-up pitching may occur. The longitudinal control force must be positive up to and throughout the stall. In addition, it must be possible to promptly prevent stalling and to recover from a stall by normal use of the controls."

MCAS, MCAS, MCAS References below:

FOOTNOTE 01. Aviation Engineers Criticize Engine Placement.

https://samchui.com/2019/07/10/easa-identifies-737-max-autopilot-fault

EASA IDENTIFIES 737 MAX AUTOPILOT FAULT.
by AARON HILSZ-LOTHIAN, JULY 10, 2019

"Past and present engineers within the aviation industry have flagged the aircraft as unsafe to fly because it is not a software problem, it is a structural problem that required the MCAS system in the first place."

"A redesign of the engine position on the aircraft would cost a ridiculous amount of money and would likely render the grounded aircraft useless [I think a safe reengineered Max will sell and make billions of dollars]. Flight testing and new production methods would have to be conducted, leaving the idea in the scrap bin." [But there is still time for the Max 10, and may cost Billions more, and more deaths if MCAS' short cut is pursued. The question that should be asked is: "What if MCAS can NOT safely solve the inherent Flight Instability in the Max? What if placing the larger Max Engines PROPERLY under the wing is the only safe solution, regardless of cost?"]

"Despite this the idea to add or redesign hardware hasn’t been completely disregarded as EASA director Patrick Ky said, retrofitting additional hardware relating to the angle of attack sensors was still an option."

FOOTNOTE 01 (Continued).

FORMER BOEING OFFICIAL REFUSES TO TURN OVER 737 MAX DOCUMENTS
By AARON HILSZ-LOTHIAN, SEPTEMBER 9, 2019

https://samchui.com/2019/09/09/form...-to-turn-over-737-max-documents/#.XXqBj1NlA0M

"A former Boeing official has refused to turn over crucial 737 MAX development documentation, after he cited the Fifth Amendment."

"According to The Seattle Times, Mark Forkner, Boeing’s chief technical pilot on the 737 MAX program, refused to turn over documents requested by the U.S. Department of Justice as part of their investigation."

"During his time at Boeing, it is said that he was often anxious about deadlines and management pressure, during the development of the 737 MAX, resulting in frequent visits to peers for help."

"Adding to the curiosity within the investigation, Forkner was behind the suggestion of not informing customers of the Maneuvering Characteristics Augmentation System (MCAS)."

"MCAS was designed in a last minute attempt to overcome a handling characteristic, this saw the nose pitch up as a result of the forward and high mounted CFM LEAP engines."

"A flawed design, the system would take angle of attack data, from a single sensor, and adjust the horizontal stabiliser to point the nose down if a stall was imminent."

"It is this system that is believed to be the cause of the crashes of Ethiopian Airlines Flight 302 and Lion Air Flight 610, both resulting in 346 lives gone."

"Worsening the situation, the zero mention of MCAS was paired with an agreement to train pilots digitally through a one hour differences course."

FOOTNOTE 01 (Continued).

Software Won’t Fix Boeing’s ‘Faulty’ Airframe
By George Leopold, 03.27.19

https://www.eetimes.com/document.asp?piddl_msgid=383631&piddl_msgposted=yes&doc_id=1334482&page_number=2

The saga of Boeing’s 737 MAX serves as a case study in engineering incompetence, and in engineering ethics – or the lack thereof.

New details have emerged about the competitive pressures placed on Boeing 737 engineers as the aircraft manufacturer scrambled to fend off defections by major U.S. airlines to rival Airbus. The European consortium was challenging Boeing’s flagship product with its upgraded A320neo. According to reports, U.S. carriers like American Airlines were preparing to switch to the longer-range Airbus mode.

Boeing responded with what it claimed was an upgraded version of its workhorse 737 equipped with a larger CFM LEAP engine providing longer range and greater fuel efficiency. The larger engines required Boeing engineers to place them far ahead of the wing leading edge to achieve [FAA required 17 inches] ground clearance.

That design decision meant the 737 MAX would tend to pitch up while accelerating or when the aircraft experienced a high angle of attack – the angle between the wing and the direction of flight. The proposed solution to the pitch-up problem—and a means of achieving flight worthiness certification—was a software system called MCAS.

Critics assert the engine placement effectively made the 737 MAX series a fundamentally different aircraft with different handling characteristics requiring new operational software and pilot training. The re-certification process Boeing sought to avoid for competitive reasons would have been lengthy and expensive.

Among Boeing’s critics is Gregory Travis, a veteran software engineer and experienced, instrument-rated pilot who has flown aircraft simulators as large as the Boeing 757. Travis posted a damning critique of the 737 MAX fiasco last week that concluded: “It is likely that MCAS, originally added in the spirit of increasing safety, has now killed more people than it could have ever saved. It doesn’t need to be ‘fixed’ with more complexity, more software. It needs to be removed, altogether.” (Travis is sharing his evaluation as a Google Doc, located here.)

Travis is unequivocal in his assessment of the Boeing 737 MAX. “It’s a faulty airframe. You’ve got to fix the airframe [and] you can’t fix the airframe without moving the engines” back and away from their current position.

Ultimately, Travis also bemoans what he calls “cultural laziness” within the software development community that is creeping into mission-critical systems like flight computers. “By laziness, I mean that less and less thought is being given to getting a design correct, and simple – up-front,” he wrote. “What needs to happen, I think, is for liability to accrue where it is generated.”

Incompetent or Unethical?

Whether the cautionary tale of Boeing 737 MAX is a question of ethical engineering – doing things right the first time, making damned sure mission-critical systems work with five nines (99.999 percent) or higher reliability with built-in redundancy – remains an open question.

“IT MAY JUST BE ENGINEERING INCOMPETENCE,” TRAVIS CONCLUDES.

That, or economic and competitive pressures that led Boeing to effectively conceal the existence of MCAS as a way to avoid a lengthy recertification process for the 737 MAX, a process requiring extensive pilot retraining on expensive new simulators. All would have raised the unit cost of each aircraft by millions of dollars, Travis noted, thereby reducing Boeing’s chances of competing with the Airbus 320neo.

The Boeing 737 MAX tragedies also recall the engineering decisions that led to the shuttle Challenger disaster in 1986 and the Apollo 1 fire in 1967. Boeing’s haste in responding to the Airbus challenge reminds Travis and others of the group-think curse called “Go Fever” during Project Apollo that eventually killed the crew of Apollo 1 during a launchpad simulation. In that case, crew safety was sacrificed in the name of schedule.

Boeing’s engineering decisions while hastily developing the 737 MAX have ultimately resulted in the deaths of [346] people.

Travis expects one of two possible outcomes for Boeing. “I see a scenario where they don’t sell any more of these planes.” More likely, he continues, is an announcement in coming days [Posted 27 March 2019] that the aircraft maker is fixing the MCAS software to handle inputs from multiple angle of attack sensors. [FN 01 and FN 04].

Either way, Travis concludes, “Software [now] stands between man and machine.”

— George Leopold is the former executive editor of EE Times and the author of Calculated Risk: The Supersonic Life and Times of Gus Grissom (Purdue University Press, Updated, 2018).

FOOTNOTE 02. 737 Max 10 Landing Gear are 9.5 inches taller.

https://www.flightglobal.com/news/a...details-737-max-10-landing-gear-design-451546

FOOTNOTE 03: Virgin Airlines switches Max 8 to Max 10's.

https://www.google.com/url?sa=t&sou...FjAAegQIAxAB&usg=AOvVaw14wQobQHnwCduWhCVBskKx

FOOTNOTE 04. EASA 737 MAX REQUIRED IMPROVEMENTS FOR CERTIFICATION:

https://www.google.com/url?sa=t&sou...Vaw0luTe1ErtWK6xb9xdNly3m&cshid=1567041030325

FOOTNOTE 05. US FAA Regulations for Anti Stall and Flight Stability of Commercial Aircraft against 737 Max.

"The LEAP engine nacelles are larger and had to be mounted [if main landing gear is not taller as the B-Max 10] slightly higher and further forward from the previous NG CFM56-7 engines to give the necessary [17 inch] ground clearance. This new location and larger size of nacelle cause the vortex flow off the nacelle body to produce lift at high AoA [Angle of Attack]. As the nacelle is ahead of the C of G [Center of Gravity], this lift causes a slight [?] pitch-up effect (ie a reducing stick force) which could lead the pilot to inadvertently pull the yoke further aft than intended bringing the aircraft closer towards the stall. This abnormal nose-up pitching is not allowable under 14CFR §25.203(a) "Stall characteristics".

Several aerodynamic solutions were introduced such as revising the leading edge stall strip and modifying the leading edge vortilons but they were insufficient to pass regulation. MCAS was therefore introduced to give an automatic nose down stabilizer input during elevated AoA [Angle of Attack] when flaps are up. [Dennis E Sullens: According to "Aviation Best Practices" and many Aviation Engineers (FN01), at this point of failing the Wind Tunnel and Flight Testing, Boeing should have made BOTH main and front Landing Gear taller and then place Larger Max Engines PROPERLY under the wing, thereby bringing the Max to near 737NG levels of flight stability, passing the FAA Flight Stability requirements, and thereby eliminating the need for MCAS. No MCAS, no Problems. Everybody is happy.]"

14CFR §25.203 Stall characteristics.

"(a) It must be possible to produce and to correct roll and yaw by unreversed use of the aileron and rudder controls, up to the time the airplane is stalled. No abnormal nose-up pitching may occur. The longitudinal control force must be positive up to and throughout the stall. In addition, it must be possible to promptly prevent stalling and to recover from a stall by normal use of the controls."

http://www.b737.org.uk/mcas.htm

FOOTNOTE 06. Flight Crashes Resulting In Deaths, Aircraft Company and Model Compared.

http://www.airsafe.com/events/models/rate_mod.htm

Boeing's Troubled Tanker Has Its Wings Clipped Again

One of the company's flagship military programs suffers a fresh setback.

Lou Whiteman
(TMFeldoubleu)
Sep 14, 2019 at 4:32PM

https://www.google.com/amp/s/www.fo...oubled-tanker-has-its-wings-clipped-agai.aspx

"In a worst-case scenario, cargo pallets rolling free in the cargo hold could be a danger to crew and could unbalance the aircraft, making it hard to control. It is not yet clear if the issue was limited to one defective latch, or there's a systemic problem that will lead to a comprehensive redesign and retrofit." End of Article.

[Dennis E Sullens: if "comprehensive redesign and retrofit" is appropriate for a 767 cargo latch when the problem is "systemic" then even more so justified with the systemic 737 Max Flight Instability (due to improper engine placement), don't you think?]
 
  • #527
anorlunda said:
The vessel itself meets all applicable USCG requirements as is. To carry passengers commercially requires a Captain's license but no additional equipment for the boat.

And still one human operator is OK? Even though, as you said, failure could be fatal to everyone on board?

Also, how big is the boat and how many passengers could it actually carry?

anorlunda said:
Worldwide, even big cruise ships require seagoing tows to get back to port several time per year. What does that tell us about multiple layers of backup/redundancy?

How many such incidents involve fatalities to passengers?

anorlunda said:
I wish we had agreed upon methods to conclusively prove whether they add to safety or subtract from it.

In the case of automobiles, we have a much larger statistical base.

I think the statistical base for commercial air travel is more than large enough. My understanding is that commercial air travel has been getting safer and safer, and that differences in safety records between, say, the US and Europe vs. other areas of the world can be attributed to the stricter requirements for things like regular maintenance inspections, flight crew rest time, and many other regulations.
 
  • #528
Gatekeeper1958 said:
There have been articles on the web about the Angle of Attack sensors disagreeing with each other
I'm talking about the normal behavior of the plane without MCAS operating.
So the tendency to Stall... is evident by my reckoning.
NOTHING you have provided documents a "tendency to stall" and YOU REALLY NEED TO.

You can't just keep making this claim and leaving it unsubstantiated. It's a critical point for your position. A plane that stalls without the pilot's input would be a really big problem.
 
  • #529
PeterDonis said:
I think the statistical base for commercial air travel is more than large enough. My understanding is that commercial air travel has been getting safer and safer, and that differences in safety records between, say, the US and Europe vs. other areas of the world can be attributed to the stricter requirements for things like regular maintenance inspections, flight crew rest time, and many other regulations.
While I hesitate to get back into this because of some previous unfinished discussion of mine...

The issue isn't proving airplanes are safe, it is that airplanes are so safe that it is difficult to identify the next failure mode. These days it is common for an issue to manifest once and only once - causing one crash, and then being addressed. That's not something statistics can deal with. The issue of MCAS causing two crashes relatively early makes it a rare statistically significant problem.
 
  • #530
I don't see any reason to go on for pages after pages about some statistics etc., this has nothing to do with statistics. Planes as well as many other technologies have increased in safety steadily much like automobiles etc., but this is beside the point here, the point here is not that Boeing or any other modern company couldn't make a good and safe plane, in fact the previous 737 models were safe and were flown by multiple companies for decades, everyone from Russia to Africa to US was flying them.

The reason why this is bad is even worse, it's an inherent flaw that we humans possess and it's called greed and lack of care for consequences for our actions, it starts from a simple car mechanic having a lax attitude at work and so someone's wheel came off on the highway (real story, bolts were left loose) and it ends with big companies pushing their earnings and sacrificing on critical safety standards.

@russ_watters, do I think Boeing engineers did not see (read dumb enough to not see) that this design will have problems, no I don't.
Do I think they were told to fix it as it is and just make it fly as fast as possible? Yes I do.

I think we can say that this "feeling" of the yoke that changed with the new engines and their bad position can be compared to a car and the accelerator/gas pedal, if you push a pedal say to some position what you expect is the car starts to accelerate and after some time it reaches a steady speed and stops accelerating and stays there,
now in Boeing's case it would look like this, you push the accelerator pedal slightly and hope for a slightly increased speed but what you get is a constant speed increase that tends to keep on going until something "breaks", would you want to have a car that performs that way? I doubt.
The only difference here is that in the case of the plane instead of increased speed the plane just increased its nose angle (AOA) to the point where it can cause stall.

Pardon me saying this, but the irony here is that instead of fixing this flaw, they really "fixed it" with an add-on that just made everything worse by being made unreliable.
I mean safety backups should by definition be more reliable than the systems they are used to safeguard. Here the safety backup MCAS was even more unreliable than the stall condition in the first place. This must be some sort of a dark humor.
 
  • #531
russ_watters said:
The issue isn't proving airplanes are safe, it is that airplanes are so safe that it is difficult to identify the next failure mode.

Yes, agreed, but we know that because we have lots of statistical and historical data showing that airplanes are in fact that safe, and that the reason they're that safe is that there has been dedicated effort over decades to analyze every incident, identify systemic failure modes, and put requirements in place that prevent that systemic failure mode from happening again. The reason we are now at the point where it is common for incidents to be manifestations of one-time events that are not usable evidence of a new systemic failure mode is that all of those efforts did in fact make an enormous difference.
 
  • #532
PeterDonis said:
And still one human operator is OK?
... It would be too much off-topic to recite all the regulations here. Here is a sample for one class of vessel. Of course there are other classes too.

CHARTER VESSEL REGULATIONS AND INSPECTION GUIDELINES

Notable is that the only redundancy required is "Vessels under 16ft require alternate propulsion (oar, paddle)"

The only non-captain crew requirement is "Sufficient number of operators for two watches (if voyage over 12 hours)"

Neither an engine, nor a radio is required.

I thank my lucky stars that marine regulations are not as thick as the FARs or the NUREGs. But we have 20,000 years of experience with boating. By comparison, it is very mature.

PeterDonis said:
I think the statistical base for commercial air travel is more than large enough.
I don't agree with respect to individual safety features. The number of designs of airplanes is large, the number of safety features is large, the number of fatal crashes is low. That is not sufficient to attribute number of lives saved to each safety feature. Think of redundant AOA sensor as a particular feature. But in the case of cars, it is large enough, to give specific numbers for seat belts or airbags.
 
  • #533
russ_watters said:
I've never seen a source describe clearly and precisely how the uncorrected Max behaves and how it feels to the pilot.
I believe I found - a disquieting - reason why I've had such difficulty. Here is a review of the certification process of the 737 Max:
https://www.faa.gov/news/media/attachments/Final_JATR_Submittal_to_FAA_Oct_2019.pdf
Page 38:
Recommendation R3.4: The FAA should review the natural (bare airframe) stalling characteristics of the B737 MAX to determine if unsafe characteristics exist. If unsafe characteristics exist, the design of the speed trim system (STS)/MCAS/elevator feel shift (EFS) should be reviewed for acceptability.

o Observation O3.4-A: The original implementation of MCAS was driven primarily by its ability to provide the B737 MAX with FAA-compliant flight characteristics at high speed. An unaugmented design would have been at risk of not meeting 14 CFR part 25 maneuvering characteristics requirements due to aerodynamics.

o Observation O3.4-B: Extension of MCAS to the low-speed and 1g environment during the flight program was due to unacceptable stall characteristics with STS only. The possibility of a pitch-up tendency during approach to stall was identified for the flaps-up configuration prior to the implementation of MCAS.

o Finding F3.4-A: The acceptability of the natural stalling characteristics of the aircraft should form the basis for the design and certification of augmentation functions such as EFS and STS (including MCAS) that are used in support of meeting 14 CFR part 25, subpart B requirements.
[emphasis added]
To me, what this is saying is that the natural stalling characteristics of the 737 Max have not been adequately vetted. In other words, the reason I can't find an answer is that the answer doesn't exist in the public domain. This doesn't say that the Max could fail without MCAS though, just that its function and the logic behind it need to be properly vetted. And that if the unaugmented behavior is unacceptable, the augmented behavior needs to be reviewed to ensure it is an acceptable solution. But conversely, I suppose, if the unaugmented behavior is acceptable, that just means MCAS isn't required for certification, but is just a nice to have.
 
  • #534
Here's one of the better general discussions of stability, from Boeing, evidently written before the 737 Max was designed:
The trend in the design of modern airplanes is to have less static longitudinal stability--frequently referred to as relaxed static stability (RSS)--to capture the benefit of improved fuel efficiency. Simply stated, some airplanes are now designed to be aerodynamically efficient, and stability is augmented electronically so that stick force gradients will meet certification requirements. Many methods exist for augmenting stability. For example, the Boeing 777 and MD-11 use flight control computers that adjust the elevator actuator positions to give the appearance of more longitudinal stability than the airplane actually has. In other words, computers absorb the extra workload caused by flying with RSS.

Augmented stability provides better cruise performance with no increase in workload and no adverse effects from flying at an aft CG. This technology also allows for a smaller tail size, which further reduces drag and weight. However, FAR Part 25 requires that handling qualities remain adequate for continued safe flight and landing following an augmentation system failure. Therefore, a practical limit exists for how far aft the CG can go.
https://www.boeing.com/commercial/aeromagazine/aero_02/textonly/fo01txt.html
 
  • #535
PeterDonis said:
I'm not saying the system should never take uncommanded actions. I'm saying that to have a system that can take uncommanded actions, particular ones that could be unrecoverable if wrong, the system needs to be able to detect when it could be wrong and shut itself down and warn the flight crew. For sensors, that means having multiple sensors and checking them against each other. For computers, it means having multiple computers and checking their output against each other. (Note that Airbus fly by wire aircraft already do the latter.)
After further review, I will say that I still find your definition of "uncommanded action" to be oddly narrow, but that ultimately it doesn't matter because I agree in today's world we have the computing power to relatively easily provide robust/fault tolerant control systems.
 
  • #536
russ_watters said:
I will say that I still find your definition of "uncommanded action" to be oddly narrow

"Uncommanded action" might not be the right term for what I meant. And we're not talking about binary hard and fast categories; there is a continuous range of, roughly speaking, how much a particular system does without human intervention vs. how much it does in direct response to human actions. And there are different dimensions along which these things can vary.

The intuitive idea I was trying to get across is that an automated system doing something that a human would see was obviously stupid in the same situation (like pitching the nose sharply down when the plane is just flying straight and level, as happened with Qantas flight 72, or like continuing to dial in nose down trim, to the point where it overwhelmed the pilot's control authority, when the plane is nowhere near a stall, as happened with these MCAS incidents) is a failure.
 
  • #537
OK, I get the idea: design a plane that all by itself as a piece of hardware is close to unsafe because you can save costs and get better fuel economy that way, then go the extra mile to reach safety via modern computers and processing power. I sense a problem here. Yes, computers are very reliable these days but they can also go bad as any piece of hardware/software can, and what then? You have a plane that can't fly unless "MacGyver" is the pilot and Buddha is his co-pilot being as calm as a rock.

And by this example I haven't even mentioned yet what happens if the computer designed to augment the otherwise badly flying plane gets bad software or is made to rely upon a single input sensor that goes bad, much like the 737 MAX case.
 
  • #538
PeterDonis said:
"Uncommanded action" might not be the right term for what I meant. And we're not talking about binary hard and fast categories; there is a continuous range of, roughly speaking, how much a particular system does without human intervention vs. how much it does in direct response to human actions. And there are different dimensions along which these things can vary.

The intuitive idea I was trying to get across is that an automated system doing something that a human would see was obviously stupid in the same situation (like pitching the nose sharply down when the plane is just flying straight and level, as happened with Qantas flight 72, or like continuing to dial in nose down trim, to the point where it overwhelmed the pilot's control authority, when the plane is nowhere near a stall, as happened with these MCAS incidents) is a failure.
Well, sure, I think it's pretty basic that a system that is behaving in a way not intended by the designers or operators is malfunctioning/failing.

You may also be trying to distinguish different levels of risk in the failure, which is definitely part of the design equation. MCAS was explicitly judged to be less risky in case of failure than it should have been. Badly written software or not, the one sensor-one computer architecture was insufficiently robust for the criticality and power (severity of failure) of the system.
 
  • #539
I object to the consensus in this thread that it is a "no brainer" decision to use redundant sensors. That may be true, but it is not necessarily true. It requires some actual data and probabilistic calculations.

Earlier in this thread (too many posts, can't find it) I learned that Boeing's scheme was to have two independent strings of logic for MCAS. I picture it as below, two strings with N steps each (N=4 pictured). On the left are sensor inputs, and on the right are actuator outputs. The post said that Boeing pilots manually choose the A or B string on alternate days. Switching between A and B during flight was not mentioned.

The two strings are fully independent. There is no single point failure that can cause both strings to fail at the same time.

1573050587363.png

Now picture a case where we have redundant sensors. We add a logic step X1 that compares sensors A1 and B1, and decides what value to send downstream, and perhaps decides on other actions like alarms, or shutdown. I call that voting logic.

1573051065882.png


With X1, we have added protection against single failure of A1 or B1, but we introduce a new common mode failure X1 that could make both strings fail simultaneously. We also add to the transistor count, or lines of code, adding complexity. Is this safer? One can not say without assigning numbers to all possible failure modes.

This practice can be extended to all N steps (see below), giving maximal protection to single failures, but adding N new exposures to common mode failures, and further adding complexity.
1573051254772.png


In nuclear safety systems we use three strings with 2 of 3 majority voting logic. We also use 4 strings, allowing one string to be out of service while the remaining 3 strings can maintain 2 of 3 functionality.

My point is this: choosing the safest strategy is not a "no brainer" decision. It requires numerical computations. But in this thread, poster after poster asserts knowing the "best" practice sans any calculations or reference to specific topologies.
 
  • #540
anorlunda said:
I object to the consensus in this thread that it is a "no brainer" decision to use redundant sensors. That may be true, but it is not necessarily true. It requires some actual data and probabilistic calculations.
Let me try to clarify my position a bit:

-I think it is a no-brainer that they underestimated certain risks. Two crashes over a small number of flight hours and additional simulations reproducing the issue make this mathematically clear in my opinion.

-In my opinion, multiple sensors would significantly and sufficiently reduce the risk. Evidently that's the path chosen by Boeing. But you are right that we are not equipped to do the FMEA, so we can't calculate that answer (also IMO FMEA is less quantitative than it outwardly appears). So I wouldn't call the solution a no-brainer.

I did say before that if the software on the existing system were better written it probably would never cause a crash and at the end of the day that's the mark of safety.

Also, I think reactions to one-off crashes are often done in part for public relations reasons: you fix a problem because it caused a crash, not necessarily because you think it will cause another one.

The general public wrongly believes that perfect safety is a requirement and any/all possible safety features should be included regardless of cost. The Ford Pinto (for example) wasn't a disaster because Ford calculated a safety feature's cost vs the value of human life: it was a disaster (primarily) because they did the calculation wrong.
 
  • #541
russ_watters said:
The Ford Pinto
Boy that takes me back. In the late 1970's I drove a Pinto... with Firestone 500 tires o_O.

Following up on @anorlunda 's post and the nuclear biz, we do a lot of work with fault-trees and "probabilistic risk assessment" - PRA. This isn't used so much to actually drive design of the plants (most of which were designed & built before the advent of the PRA approach). The PRA is used nowadays to provide "insights" into what is important and what isn't so important. So it can support decisions on surveillance frequencies (i.e., spend more time testing the important stuff; don't wear equipment out by testing it), and determining severity of nonconformance/noncompliance issues.

I was told, the nuclear PRA work and approaches started out following similar approaches developed in the aviation industry. So I have a hard time squaring that with the idea that the airplanes have unidentified single point vulnerabilities.
 
  • #542
anorlunda said:
Earlier in this thread (too many posts, can't find it) I learned that Boeing's scheme was to have two independent strings of logic for MCAS.

Yes, but as I understand it, only one of them is actually affecting the operation of the plane at any given time, so only its failure rate is relevant for assessing flight safety.

anorlunda said:
With X1, we have added protection against single failure of A1 or B1, but we introduce a new common mode failure X1 that could make both strings fail simultaneously.

But if only one string is actually affecting the plane's operation, the only failure probability that is relevant is the failure probability at that string's final output. So the relevant question is not whether introducing the new failure mode at X1 increases or decreases the overall probability of at least one of the A or B strings failing; the relevant question is whether introducing the new failure mode at X1 increases or decreases the probability of failure of the string, A or B, that is actually affecting the plane's operation. And one would expect that it is very likely to decrease the probability of that one string failing, because the reduction in failure probability from comparing outputs A1 and B1 is likely to be much greater than the increase in failure probability from the chance of the comparison at X1 having an error.
 
  • #543
russ_watters said:
MCAS was explicitly judged to be less risky in case of failure than it should have been. Badly written software or not, the one sensor-one computer architecture was insufficiently robust for the criticality and power (severity of failure) of the system.

Yes, agreed.
 
  • #544
PeterDonis said:
Yes, but as I understand it, only one of them is actually affecting the operation of the plane at any given time, so only its failure rate is relevant for assessing flight safety.
That was my understanding too from earlier in this thread. That exactly matches the first graphic posted in #539. That scheme is arguably the one with the highest probability of having at least one string functional.

So my wager is that the original design engineers argued for fully independent strings, with no contaminating cross connections. But somehow, switchover from A string to B string when needed never appeared in the operating procedures. Without a switchover, what is the point of a second string in the first place? Spare parts? I am unaware of any other case where they carry spare parts on board the aircraft without the possibility of using those spares during a flight.

Nevertheless, we should strive for the same discipline we use in SR, GR and QM. None of us should be making factual assertions about a conclusion that must be calculated.
 
  • #545
anorlunda said:
That exactly matches the first graphic posted in #539. That scheme is arguably the one with the highest probability of having at least one string functional.

Not if including the crossover X1 decreases the overall probability of failure, by incorporating input from both AoA sensors (if we assume that nodes A1 and B1 are the two sensors) in order to detect sensor failure or unreliability, and that improvement outweighs the impact of adding the additional failure mode associated with X1 itself making an error.

anorlunda said:
switchover from A string to B string

How would the system decide to make such a switchover without doing some kind of comparison between the two?

Also, to be clear, the kind of redundant sensor configuration I was thinking of would not switch over from one string to the other; it would just compare the two sensors, and if they didn't agree within some tolerance, the automated system would simply be disabled, and the flight crew would see some kind of warning in the cockpit telling them the system was disabled. (The "AoA agree" cockpit indicator that is in the additional package that US carriers like Southwest paid for would be a similar cockpit indicator, if it were actually connected to an automatic function that disabled MCAS when the AoA sensors did not agree.) One could imagine more complicated algorithms to detect sensor failure or unreliability, but you are correct that more complexity means more possibilities for failure, so such algorithms would have to be evaluated on that basis.
 
  • #546
PeterDonis said:
that improvement outweighs the impact of adding the additional failure mode associated with X1 itself making an error.
Sorry Peter, but that's an assertion of fact that needs a citation.

PeterDonis said:
One could imagine more complicated algorithms to detect sensor failure or unreliability, but you are correct that more complexity means more possibilities for failure, so such algorithms would have to be evaluated on that basis.
That's inconsistent. You are saying more complicated algorithms (like my 3rd graphic) have to be evaluated but that your preferred scheme (like my 2nd graphic) does not need evaluation.
 
  • #547
anorlunda said:
that's an assertion of fact that needs a citation.

I said "if". I agree we don't know for sure whether and in what cases it would be true; we would have to actually collect real world data. I was only saying that I don't agree with your statement that "arguably" the configuration with the highest probability of having at least one string functional is the one with no crossovers at all. I was giving an argument for a different expectation that I think is more likely: that there are ways to add crossover nodes that, while they do introduce new failure modes, decrease the overall probability of failure by allowing comparison of multiple items as an error check.

anorlunda said:
You are saying more complicated algorithms (like my 3rd graphic) have to be evaluated but that your preferred scheme (like my 2nd graphic) does not need evaluation.

I was not saying that simpler algorithms don't need evaluation. What I was saying is that in evaluating any algorithm, the complexity of the algorithm will be a factor since more complexity means more possibilities for error.
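The trade-off argued in posts #539 to #547, worked numerically as an added example (it is not part of the thread and is not Boeing's or any poster's analysis). Every probability is a constructed placeholder, and the beta-factor common-cause model and the assumption that wrong sensors agree with each other are modelling assumptions chosen here.

```python
"""Added illustration: per-flight hazard of three sensor topologies.
All numbers are constructed placeholders, not real failure data."""
from math import comb


def p_at_least(k, n, p_s, beta=0.0):
    """P(at least k of n sensors give a wrong reading).

    Beta-factor model (an assumption): a fraction `beta` of sensor failures
    is common cause and hits every sensor at once; the rest are independent
    with probability q per sensor.
    """
    p_cc = beta * p_s
    q = (1.0 - beta) * p_s
    tail = sum(comb(n, i) * q**i * (1.0 - q) ** (n - i) for i in range(k, n + 1))
    return p_cc + (1.0 - p_cc) * tail


def hazard(n, k, p_s, p_x, beta=0.0):
    """P(a wrong value reaches the actuator).

    That happens if the comparison/voting node X fails (p_x) or if k or more
    sensors are wrong. Conservative assumption: wrong sensors agree with each
    other, so X cannot tell them from good ones.
    """
    return 1.0 - (1.0 - p_x) * (1.0 - p_at_least(k, n, p_s, beta))


def breakeven_p_x(n, k, p_s, beta=0.0):
    """Largest p_x at which adding node X is no worse than one bare sensor."""
    single = p_at_least(1, 1, p_s, beta)
    voted = p_at_least(k, n, p_s, beta)
    return (single - voted) / (1.0 - voted)


def compare(p_s, p_x, beta=0.0):
    """Hazard and nuisance-disable probability for each topology."""
    exactly_one_of_two = p_at_least(1, 2, p_s, beta) - p_at_least(2, 2, p_s, beta)
    return {
        # One sensor drives the function, nothing cross-checks it.
        "single string": {"hazard": hazard(1, 1, p_s, 0.0, beta), "disabled": 0.0},
        # X1 compares two sensors and shuts the function off on disagreement.
        "2 sensors, disable on disagree": {
            "hazard": hazard(2, 2, p_s, p_x, beta),
            "disabled": exactly_one_of_two,
        },
        # 2-of-3 majority vote: a single bad sensor is outvoted.
        "3 sensors, 2oo3 vote": {"hazard": hazard(3, 2, p_s, p_x, beta), "disabled": 0.0},
    }


if __name__ == "__main__":
    P_SENSOR = 1e-3  # constructed: per-flight chance one sensor reads wrong
    for p_x, beta in [(1e-5, 0.0), (2e-3, 0.0), (1e-5, 0.1)]:
        print(f"p_x={p_x:g} beta={beta:g} "
              f"break-even p_x={breakeven_p_x(2, 2, P_SENSOR, beta):.3g}")
        for name, r in compare(P_SENSOR, p_x, beta).items():
            print(f"  {name:32s} hazard={r['hazard']:.3g} disabled={r['disabled']:.3g}")
```

With these placeholder inputs the comparator helps only while its own failure probability stays below the break-even value, and a 10% common-cause fraction removes most of the benefit of the second sensor.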
 
  • #548
After having read the House Committee Report(s) concerning the circumstances surrounding the crash of two Boeing 737 Max Airliners. Along with the destruction of both airliners, was a horrendous loss of human life. This House Report is one of many Federal Government reports (FAA, NTSB, etc.) directed at both cause and failure of parts and systems etc. through their investigation phase.

During my research into the demise of both airliners, I found everything from the opinions of the general public, to memos and reports written by company employees. One such report was written by both company test pilots. Both had experienced problems with the MCAS system, and both reported the problems to the company. The problem is, the information the company received fell on deaf ears. No attempt had been made to correct the MCAS system issues.
I was most concerned about the conflict between engineering and management, over whether or not to re-engine a fifty year old design, that had been through four cycles of modification change. The discussion between 737 Max project engineering and project management was this, all appeared to oppose a re-engine attempt, on a fifty year old design. On the other hand, both the board members and top level management approved going ahead with a fifty year old design. The opposition were all for a new "Clean Sheet" design. As a pilot and retired research and development engineer for P&W, I would also have opposed using a fifty year old design.

The fact that Boeing had decided to replace the CFM 56-7, used on their previous Boeing 737NG, for the CFM Leap 1B, really got my attention. To begin with, the CFM Leap 1B is much larger diagonally. There are thrust and weight differences, but the diameter is the problem. They were given orders in spite of their opposition. The installation crews had lots of difficulty fitting the larger engine. To install the engine, the engine must be moved forward and upward on their pylons. Engineering was well aware of the fact, such an installation would directly affect the weight and balance factor, which would alter the flight characteristics of the airliner. Knowing this should have caused the company to alter their plans. MCAS is nothing more than a fix to get by. I can assure you, I will not be one of the passengers on a 737 Max no matter what they call it. If an airplane is within weight and balance standards, the thumb adjustments on the yoke should be enough. All of this highly advanced technology tends to create issues that can be deadly. A light touch on the controls of my aircraft is more than enough.
One thing I would suggest, is 100 or so hours of aerobatic training. My training saved my life some years ago, when a pilot nearly struck my airplane in flight. I rolled over inverted as the other pilot nearly collided with me. I was upright in a flash, and happy to be alive, while the other fella was in my airspace.
 
  • #549
Anderson-Paul said:
MCAS is nothing more than a fix to get by.
First I 100% agree with your opinions of Boeing management (FAA too, IMO). But my understanding is that the "fix to get by" was to avoid pilot training, and perhaps a new type rating, to deal with stall recovery characteristics that were significantly different from the previous versions. This appears to me to be essentially an exercise in putting poorly designed, tested, and approved software in the flight control systems to make planes easier to sell. For example, a flight control system that essentially overrides untrained pilots based on a single AOA sensor. Honestly, I wouldn't be upset if someone went to jail, but that won't happen since the FAA said it was ok to do, and since no one had sole responsibility for such a stupid decision.

However, with modified (i.e. limited) SW, a redundant AOA system, and newly required type-specific pilot training, I don't agree that this airplane is unsafe. In fact, because of the scrutiny this design has been subjected to, I actually have more confidence. My guess is that at the first master caution light 90% of pilots will be going to the stab trim cut-out switches (ok, just kidding). If I was to choose an airplane to be scared of, I might go with a 787 built in S. Carolina, they seem to have some QA issues there.

Also, while I know that you know more than I about flying, I am not convinced that aerobatic training in a small aircraft is very applicable to large transport aircraft. I would like to hear from someone that has experience with both, like any of the numerous commercial pilots that learn in military fighters. My understanding is that big planes maneuver more slowly.
 
  • #550
Military airplanes have flight controls with some abilities that a pilot can not match. They can react faster. They also have some safety features to make sure that pilots (even some excellent ones) do not crash. There have been examples where the chase plane of an experimental plane followed the experimental plane right into the ground because the chase pilot was so busy watching the experimental plane that he did not notice where he was going. Those were expert pilots. There is also an Automatic Ground Collision Avoidance System (AGCAS) on the F-16, F-22, and F-35 that has saved lives.
 
