Boeing How Safe is the Boeing 737 Max's MCAS System?

[cyboman]

Engineering skill doesn't equate with good pilot skills.

An engineer analyzing something needs the ability to focus in on one train of thought and follow it to a conclusion without getting distracted.
A pilot can't afford that degree of mental lockup - he has to keep situational awareness .

There are people like "Borderline-OCD-Me" .
I might make a decent Flight Engineer but I know better than to trust myself to maintain that presence of mind requisite for good piloting.
That's why i stayed in maintenance instead of operations .
I was a useful tool that operators could sic on a problem to get it fixed.
Their "Big Picture" grasp always amazed me, just as my knowledge of the instrument system details amazed them. I was the Details guy in that symbiotic relationship..

Eastern 401 is what happens when that "Mental Lockup" takes over a cockpit.You can't take psychology out of the picture.

Not saying an engineer can't make a good pilot, just it's not a given that he will.

old jim

Some good points. You need both the detail oriented and those that see the big picture. Perhaps airline companies also get so huge that like other companies some of the communications between all the different teams can become complex and breaks down. I hope these latest incidents result in both the airlines and the FAA taking a close look at how these things can be improved.

 

[cyboman]

I wonder if the test pilots flew it without the AOA indicators or the AOA mis-compare light. If a pilot doesn't have those, I wonder how long would it take to distinguish between a MCAS problem versus turbulance or other possible problems. I have trouble believing that the test pilots and pilot-vehicle-interface experts would approve of that situation.

This is what I reiterated in a recent post. I didn't realize you basically say it here.

What I'm wondering, is why is a test pilot having more information than they are providing to the actual pilots, at least initially for the first phases of test piloting. It would seem to me, they should recreate the exact scenario of a pilot flying the new plane for the first time. The test pilots should only be privy to what they plan on revealing / training / briefing the actual airline pilots. So they can see how the airliner pilots will interact with the new plane and it's changed systems and aerodynamics.

This appears to not be the case. Which seems nonsensical to me.

 

[jim hardy]

What I'm wondering, is why is a test pilot having more information than they are providing to the actual pilots, at least initially for the first phases of test piloting.

Oh c'mon.
You don't knowingly set a trap for a guy. That's videogame stuff not real life. What would you learn from a dead test pilot?
You ask him to evaluate "Is this thing manageable by the average bear?"

 

[cyboman]

Oh c'mon.
You don't knowingly set a trap for a guy. That's videogame stuff not real life. What would you learn from a dead test pilot?
You ask him to evaluate "Is this thing manageable by the average bear?"

You shouldn't be setting any traps for anyone if you're confident in your engineering. If you don't ask the test pilot to enter the exact same scenarios that you're going to ask your final client, which is an airline pilot, then you're not "testing" what a pilot could encounter.

 

[jim hardy]

I don't think i'd work in one of your test programs.

 

[cyboman]

I don't think i'd work in one of your test programs.

This is the inherent risk involved in test piloting.

 

[cyboman]

I don't think i'd work in one of your test programs.

In effect, this is the definition of a test pilot, they are going to take those risks (before the client or airline pilot has to), to show how a pilot interacts with those new systems and the changed aerodynamics of the craft.

 

[cyboman]

Oh c'mon.
You don't knowingly set a trap for a guy. That's videogame stuff not real life. What would you learn from a dead test pilot?
You ask him to evaluate "Is this thing manageable by the average bear?"

Much has been learned from many "dead" test pilots. It's not a risk free profession. It is a risk high profession. Outside of computer simulation (which didn't exist for a long time) we needed these brave souls to provide real "test" scenarios. And even now with simulation, we still need them, as much as we originally did. Because as much as we trust our simulations, the real deal - actual real flight experiments cannot be replaced by computer simulation.

 

[FactChecker]

Test pilots are not expendable; they are friends. Initial test flights would have everything to make it as safe as possible. There may be later test flights with the configuration as it would be sold. Professional pilot-vehicle-interface experts should work with pilots (many are pilots) to make sure that the final product is safe.

 

[PeterDonis]

What I'm wondering, is why is a test pilot having more information than they are providing to the actual pilots, at least initially for the first phases of test piloting.

Because the test pilot's job is not to simulate exactly what a normal pilot would experience. The test pilot's job is to test the airplane and all of its systems, not just under the conditions an ordinary pilot will experience, but out to the limits of the airplane's performance. The test pilot has to know more than an ordinary pilot, because the test pilot is going to do things to the airplane that an ordinary pilot will never do, and he has to understand what the plane is supposed to do during those things.

For example, in order to test MCAS, a test pilot would, I expect, be asked to simulate a failure of the AoA sensor (the test aircraft might have a special switch or button that provides the simulated failure input) and watch what happens. If he doesn't understand how MCAS works, he won't know if what's happening is what's supposed to happen based on how MCAS works. (In one of the online discussions I've seen on this, a test pilot was describing a typical test procedure for certifying stability trim--not specific to MCAS, but any stability trim system--and what he described was, first you introduce the failure, then you wait the prescribed time that the certification rules allow for an ordinary pilot to notice, then you check the instrument indications to see if they meet the certification criteria for identifying a failure, then if they do, you take the specified corrective action and see whether it does what it is supposed to do. There is no way to do this safely if the test pilot doesn't understand how the system works and how it might fail, so he can take the right action if the simulated failure does not lead to the right indications that an ordinary pilot would use to detect the failure.)

Once the test pilot is finished with that job, there will (or should) indeed be a time when non-test pilots, ordinary pilots, will be flying the plane to evaluate how an ordinary pilot experiences the plane. But that won't happen during "the first phases of test piloting". It will happen when that phase of test piloting is done. And the test pilot at that point might well be acting as an instructor for the ordinary pilots.

In short, as others have pointed out, test piloting is not supposed to be game between the test pilot and the engineers, to see whether the test pilot can figure out whether MCAS, or any other system, has failed.

 

[FactChecker]

In effect, this is the definition of a test pilot, they are going to take those risks (before the client or airline pilot has to), to show how a pilot interacts with those new systems and the changed aerodynamics of the craft.

A test pilot will be the first to fly a new, untested system. There are almost always surprises and problems that must be corrected. The flight tests are done in a very systematic, cautious, way so that every facet of prior test flights is understood before the next one is attempted. In fact, the first "flight" of a new airplane is usually just a high-speed taxi down the runway. Even on those tests, ugly surprises happen. A normal pilot of a commercial flight would not be expected to do anything experimental.

 

[Klystron]

Keep in mind that airplane manufacturers provide air frames to a variety of customers with different requirements. The end user specifies the deliverable within a wide range of options. An airline may decide not to install optional systems. A freight carrier might order "737's" without seats much less ancillary equipment such as supplementary oxygen. Certainly flight crew training falls under the purview of the customer to fit their requirements. Airlines also change and configure pilot checklists.

Airline "SA" might purchase every possible safety feature and mandate so many crew hours in full motion flight simulators including failure and inclement weather scenarios. Airline"EA" might not purchase what it considers redundant systems and mandate less simulator training to reduce costs. Airline "IA" might purchase minimalist or no upgrade systems and require minimum individual crew member training on part-task simulators. While the manufacturer strives to deliver safe maintainable aircraft, the end user bears responsibility for daily flying, maintenance, and training decisions.

 

[anorlunda]

Apparently, the engine position of the MAX changed and moved the CG so that the MCAS system was required for preventing a stall.

A TV talking head (sorry no link) says this is a consequence of the 737 (all 737s) having so little ground clearance. The newest most efficient engines have a larger fan diameter. They don't fit under the wing in the old position, so new pylons were designed to move the engines forward and up. That alters pitch torque.

We are voicing many opinions in this tread about how Boeing should design, but are we aware of the totality of the design complications and trade offs? I imagine an engineering report on these issues would require 300 or more pages to explain everything.

 

[gmax137]

Keep in mind that airplane manufacturers provide air frames to a variety of customers with different requirements. The end user specifies the deliverable within a wide range of options.

I think it goes further than this, with certain airlines being such big customers that they can "push" for certain attributes more basic than "options." Things like the new model must "feel" exactly like the previous models (so we don't have to re-qualify all of our pilots), or the height of the doors above the apron must be the same (so we don't have to re-adjust all of our gate equipment). The airline industry is fiercely competitive and every dollar a carrier can drop their ticket price is crucial to their survival.

 

[FactChecker]

We are voicing many opinions in this tread about how Boeing should design, but are we aware of the totality of the design complications and trade offs? I imagine an engineering report on these issues would require 300 or more pages to explain everything.

We do know that important indicators of AOA and AOA mis-compare were available for a price, so I think that the engineering solutions were available. Furthermore, even without 300 pages of analysis, I will go out on a limb and say that a system which would fight the pilot inputs for several minutes should raise some concern.

 

[cyboman]

Test pilots are not expendable; they are friends. Initial test flights would have everything to make it as safe as possible. There may be later test flights with the configuration as it would be sold. Professional pilot-vehicle-interface experts should work with pilots (many are pilots) to make sure that the final product is safe.

My intention wasn't to suggest the test pilots are expendable. Heavens no. I think I may have poorly communicated. It was more refuting that putting pilots in the same scenarios you're asking the client to be in while operating, shouldn't be considered unfair or dangerous. But I now see I'm not seeing the actual test pilot phases accurately. In the first experimental stages, they need to know everything. But perhaps later, in a different stage the craft will be tested under scenarios I've suggested. Where the test pilot (maybe wrong word), pilot is asked to fly the craft with the same knowledge final airline pilots will be equipped with, without any passengers on board (but perhaps the same weight, and potential slight changes in CoG during flight to simulate passenger movement somehow). Maybe some fancy Roombas with weights on them?

 

[cyboman]

Because the test pilot's job is not to simulate exactly what a normal pilot would experience. The test pilot's job is to test the airplane and all of its systems, not just under the conditions an ordinary pilot will experience, but out to the limits of the airplane's performance. The test pilot has to know more than an ordinary pilot, because the test pilot is going to do things to the airplane that an ordinary pilot will never do, and he has to understand what the plane is supposed to do during those things.

For example, in order to test MCAS, a test pilot would, I expect, be asked to simulate a failure of the AoA sensor (the test aircraft might have a special switch or button that provides the simulated failure input) and watch what happens. If he doesn't understand how MCAS works, he won't know if what's happening is what's supposed to happen based on how MCAS works. (In one of the online discussions I've seen on this, a test pilot was describing a typical test procedure for certifying stability trim--not specific to MCAS, but any stability trim system--and what he described was, first you introduce the failure, then you wait the prescribed time that the certification rules allow for an ordinary pilot to notice, then you check the instrument indications to see if they meet the certification criteria for identifying a failure, then if they do, you take the specified corrective action and see whether it does what it is supposed to do. There is no way to do this safely if the test pilot doesn't understand how the system works and how it might fail, so he can take the right action if the simulated failure does not lead to the right indications that an ordinary pilot would use to detect the failure.)

Once the test pilot is finished with that job, there will (or should) indeed be a time when non-test pilots, ordinary pilots, will be flying the plane to evaluate how an ordinary pilot experiences the plane. But that won't happen during "the first phases of test piloting". It will happen when that phase of test piloting is done. And the test pilot at that point might well be acting as an instructor for the ordinary pilots.

In short, as others have pointed out, test piloting is not supposed to be game between the test pilot and the engineers, to see whether the test pilot can figure out whether MCAS, or any other system, has failed.

This is a good explanation thanks. It helped me explain what I meant originally in the previous post I just made.

 

[cyboman]

Keep in mind that airplane manufacturers provide air frames to a variety of customers with different requirements. The end user specifies the deliverable within a wide range of options. An airline may decide not to install optional systems. A freight carrier might order "737's" without seats much less ancillary equipment such as supplementary oxygen. Certainly flight crew training falls under the purview of the customer to fit their requirements. Airlines also change and configure pilot checklists.

Airline "SA" might purchase every possible safety feature and mandate so many crew hours in full motion flight simulators including failure and inclement weather scenarios. Airline"EA" might not purchase what it considers redundant systems and mandate less simulator training to reduce costs. Airline "IA" might purchase minimalist or no upgrade systems and require minimum individual crew member training on part-task simulators. While the manufacturer strives to deliver safe maintainable aircraft, the end user bears responsibility for daily flying, maintenance, and training decisions.

I think it goes further than this, with certain airlines being such big customers that they can "push" for certain attributes more basic than "options." Things like the new model must "feel" exactly like the previous models (so we don't have to re-qualify all of our pilots), or the height of the doors above the apron must be the same (so we don't have to re-adjust all of our gate equipment). The airline industry is fiercely competitive and every dollar a carrier can drop their ticket price is crucial to their survival.

Alas, the plot grows ever thicker.

 

[cyboman]

Latest version of the "STAS Display":

I don't think this is necessary on every airliner. I suppose it also depends on where the existing trim angle feedback is. I think this display would be beneficial in the Max because there is a new system, MCAS and other autonomous systems commanding the trim. So in an emergency scenario, it could be beneficial for the pilot to be able to know that information about the stab without directing their attention away from the primary flight display and the cockpit window.

 

[cyboman]

I don't think i'd work in one of your test programs.

I'd like to apologize Jim. You're right, test pilots need to know everything about the changes to the craft, which is critical to the experimental maneuvering they will be commanding the aircraft. I didn't understand the definition and primary role of a test pilot, and such my statements were speculative and not accurate.

 

[Astronuc]

A TV talking head (sorry no link) says this is a consequence of the 737 (all 737s) having so little ground clearance.

I read a discussion of this issue and various media organizations have published about it. The one I read highlighted the evolution of the 737 and the addition of the CFM International LEAP engine, which is larger than previous generations.

So while all 737s are certified as a single aeroplane type, the changes have been massive.
Most recently, the big push has been to reduce fuel consumption. For both economic and environmental reasons, this led to the latest 737 MAX 8 models – along with the competitor Airbus A320 Neo – being fitted with new, larger and more efficient CFM Leap engines. These must be mounted higher and further forward than previously, creating a handling problem that wasn’t unique to this aeroplane, but had to be addressed.

Ref: http://theconversation.com/boeing-7...-crashes-an-expert-explains-the-issues-113833
Similarly:

https://www.businessinsider.com/boeing-737-max-design-pushed-to-limit-2019-3 (too much advertising)

The Wall Street Journal has published an article:
U.S. Federal Investigators Probe Boeing 737 MAX Development Choices
Probes to focus on stall-prevention system and examine whether any shortcuts compromised safety

https://www.vox.com/policy-and-poli...37-max-8-investigation-ethiopian-airlines-faa

 

[CWatters]

Sorry if this has been mentioned already.

https://www.smh.com.au/world/north-...ml?ref=rss&utm_medium=rss&utm_source=rss_feed
Selected quotes..

Regulators knew before crashes 737 MAX trim control could be confusing

The undated EASA certification document, available online, was issued in February 2016, an agency spokesman said. It specifically noted that at speeds greater than 230 knots (425 km/h) with flaps retracted, pilots might have to use the wheel in the cockpit's centre console rather than an electric thumb switch on the control yoke.

The source said that training materials before the crash did not say the wheel could be required under those conditions but that Boeing advised the airline about it after the crash.

In the EASA document, the regulator said simulations showed the electric thumb switches could not keep the 737 MAX properly trimmed under certain conditions...

"It would be very unusual to use the trim wheel in flight. I have only used manual trim once in the simulator," said a 737 pilot. "It is not physically easy to make large trim changes to correct, say, an MCAS input. You - or more than likely the other pilot - have to flip out a little handle and wind, much like a boat winch."

So imagine you are both pulling hard trying to recover from a runaway nose down trim. Your colleague is yelling that the stick forces are too high for him to pull back on his own. One of you needs to stop pulling and hand crank the trim wheel instead. Ok so they can do both at once but I still have a problem with the "trim" being more powerful than "control".

 

[russ_watters]

I "liked" most of your post, but...

...I still have a problem with the "trim" being more powerful than "control".

While I understand the sentiment with regard to MCAS or other runaway trim scenarios (with or without MCAS, it happens sometimes), as a general statement this is off base or even backwards.

For a plane with a fixed stabilizer and elevator, the purpose of trim is to reduce control input force by providing some of the force directly to the elevator so the pilot doesn't have to. Without trim adjustment, such airplanes would not be flyable for very long -- not even a Cessna 172. The required control force is just too much for too long.

So trim force has to be more powerful than control force so the pilot can use it to eliminate of all of the control force.

 

[FactChecker]

So trim force has to be more powerful than control force so the pilot can use it to eliminate of all of the control force.

I would assume that trim is needed to reduce stick force in relatively straight and level flight. I don't think that it would need enough control authority for extreme maneuvers. It may need more during a strong crosswind that lasts a long time, but I can't imagine it needing a large amount of pitch authority that this system apparently had.

 

[CWatters]

Yes I understand that trim is used to eliminate stick forces. I flew gliders for several years.

I guess what I'm saying is why do you need to be able to eliminate control forces over such a large range of control throw? When under normal circumstances do they need to trim so nose down that the pilots can't recover due to high stick forces?

 

[russ_watters]

I would assume that trim is needed to reduce stick force in relatively straight and level flight. I don't think that it would need enough control authority for extreme maneuvers.

I guess what I'm saying is why do you need to be able to eliminate control forces over such a large range of control throw? When under normal circumstances do they need to trim so nose down that the pilots can't recover due to high stick forces?

Cruise: The higher the speed, the more nose down trim is needed. Flaps: flaps down creates a pitch-up moment, requiring nose down trim.

Or looking at it from the other way, because there is no universal neutral point:

Trim for takeoff is significant nose up, otherwise it would take a huge amount of force to pull a plane up off the runway, and crashes on takeoff would be a much bigger risk.

The same amount of deflection requires more force at higher speed, so it might seem like a lot of force when it is meant to be used in a situation where the force is lower but the deflection is higher. The MCAS or any runaway nose down trim situation causes a deteriorating situation:

When you nose down, the plane speeds up, requiring more force to keep the nose down. In runaway down trim it's the opposite; the nose goes down, you pull it back up, but the plane is accelerating so the force you need to apply is steadily rising, making it harder and harder to keep the nose up. A setting that requires 30lb of force to stay level at 200kts requires 120lb at 400kts.

Perhaps we've gotten to a point with technology (or did 60 years ago?) that elevators shouldn't be used anymore. I'm not totally clear on what their upside is vs an all moving stabilizer.

 

[CWatters]

As I said much earlier in the thread I believe most jets have a combination of all moving tailplane and elevator (with trim moving the AMT and the pilot moving the elevator).

 

[FactChecker]

Trim for takeoff is significant nose up, otherwise it would take a huge amount of force to pull a plane up off the runway, and crashes on takeoff would be a much bigger risk.

I have never worked on a commercial airplane, but I believe that the actual mechanism on a modern large plane would have hydraulic or electric power

 

[russ_watters]

As I said much earlier in the thread I believe most jets have a combination of all moving tailplane and elevator (with trim moving the AMT and the pilot moving the elevator).

Hmm, the wiki on stabilators confirms that. I guess I misread that the difference between Airbusses and Boeings was that Airbusses used all moving stabilators for control and tabs (elevators) for trim.

 

[russ_watters]

I have never worked on a commercial airplane, but I believe that the actual mechanism on a modern large plane would have hydraulic or electric power

Sure, but while that can - if the designers choose - completely eliminate the need for pilot input force it doesn't eliminate the control surface force and trim is still needed. The pros and cons of the design choices are interesting but I'm not sure if they are relevant: a plane like the 737 that isn't fly-by-wire requires force to move the control wheel. The wiki article says that progressive force - inherent stability - is required by law. I'm not sure the extent of that, since obviously on a full fly by wire the only progressive force is a spring attached to the joystick.

Like I said, maybe we're at the point where this issue should be eliminated.

[edit] Let me rephrase: I don't know why hydraulic assist control systems still require significant control force. Perhaps because the control wheel is still mechanically linked to the control surfaces, control wheel force can only be proportional to control surface force. Or perhaps it is a purposely made choice to keep the control wheel force high to keep the direct feedback feel "normal".

Airliners crash very infrequently these days. It can certainly be said that the Boeing design philosophy contributed to these crashes, but it can also be said about the Airbus design philosophy. Neither is perfect.