Boeing How Safe is the Boeing 737 Max's MCAS System?

[FactChecker]

[edit] Let me rephrase: I don't know why hydraulic assist control systems still require significant control force. ... Or perhaps it is a purposely made choice to keep the control wheel force high to keep the direct feedback feel "normal".

On the F-16 (fly by wire), that is exactly correct. The feel on the stick maps to the roll and pitch rates (or g's) desired. In general, the mapping remains unchanged regardless of flight condition. That makes flying the plane much easier.

 

[FactChecker]

It can certainly be said that the Boeing design philosophy contributed to these crashes,

I have worked with some Boeing flight control "worker bees" and found them to be very smart, conscientious and reliable. I trust and respect them. I would guess that the problems (if any) may be with higher-level decision makers. But that is pointless guesswork on my part.

 

[russ_watters]

I have worked with some Boeing flight control "worker bees" and found them to be very smart, conscientious and reliable. I trust and respect them. I would guess that the problems (if any) may be with higher-level decision makers. But that is pointless guesswork on my part.

I don't mean for that to sound like blame; I'm talking broader than just the MCAS issue itself. In essence, my perception is that the Airbus philosophy is that computers fly airplanes and pilots are there to tell the computer where the plane should go. The Boeing philosophy is that pilots fly airplanes and computers help. Both of these philosophies have their pros and cons and both contribute to crashes. These days crashes are so infrequent that it seems to me that most are caused by poor relationships/communication between the pilot, the computer and the plane -- because everything else has become so close to perfect.

 

[atyy]

It seems the Ethiopian Airlines pilots followed the instructions Boeing reiterated after the Lion Air Crash and were still unable to control the plane. How could that be? Could Boeing's instructions have been wrong or inadequate? There's interesting commentary in the April 6 update at http://www.askthepilot.com/ethiopian-737max-crash/.

 

[nsaspook]

It seems the Ethiopian Airlines pilots followed the instructions Boeing reiterated after the Lion Air Crash and were still unable to control the plane. How could that be? Could Boeing's instructions have been wrong or inadequate? There's interesting commentary in the April 6 update at http://www.askthepilot.com/ethiopian-737max-crash/.

https://theaircurrent.com/wp-content/uploads/2019/04/1981-737-roller-coaster-recovery-1240x1903.jpg

 

[atyy]

https://theaircurrent.com/wp-content/uploads/2019/04/1981-737-roller-coaster-recovery-1240x1903.jpg

Is that the current manual or an old one? The Ask the Pilot article says "However, as an obscure phenomenon that no pilot was likely to ever encounter, it was eventually forgotten as the 737 line evolved, to the point where no mention of it appears in the manuals of later variants."

 

[nsaspook]

Is that the current manual or an old one? The Ask the Pilot article says "However, as an obscure phenomenon that no pilot was likely to ever encounter, it was eventually forgotten as the 737 line evolved, to the point where no mention of it appears in the manuals of later variants."

It's from 1982. I've no idea if it's in the current manual but I suspect not.

 

[CWatters]

There's interesting commentary in the April 6 update at http://www.askthepilot.com/ethiopian-737max-crash/.

Quote from that link...

The reason, many now believe, is a design quirk of the 737 — an idiosyncrasy that reveals itself in only the rarest of circumstances, and that few 737 pilots are aware of. When the plane’s stabilizers are acting to push the nose down, and the control column is simultaneously pulled aft, a sort of aerodynamic lockout forms: airflow forces on the stabilizers effectively paralyze them, making them impossible to move manually.

OMG

 

[CWatters]

I was trying to think of a analogy. Best I could come up with is...

You're driving on the freeway and re-engage the cruise control. The car accelerates towards the preset speed. Suddenly a car pulls into your lane forcing you to brake. You slow down a bit but the brake pedal forces required seem very high, you're virtually standing on the pedal but not much is happening. In fact you are unable to depress the brake pedal any further because the controls have locked-out.

This is deemed acceptable by the regulators because..

a) it only happens rarely (eg when the car is accelerating you are trying to brake)
b) drivers are warned about it by an entry in the user manual. The solution is to release the brake pressure and start pumping the hand brake.

If you were a regulator would you find that acceptable?

 

[FactChecker]

Quote from that link
When the plane’s stabilizers are acting to push the nose down, and the control column is simultaneously pulled aft, a sort of aerodynamic lockout forms: airflow forces on the stabilizers effectively paralyze them, making them impossible to move manually. OMG

That sounds like the aerodynamic hinge moment is so large one way that the actuators do not have enough power to move stabilizers the other way. I thought that only happened at very great speeds, but the low altitude and dense air might cause that in a steep, fast, dive.

In those airplanes, does "manually" mean that there is no hydraulic assistance?

 

[cyboman]

Hello, just catching up on the latest replies. It's interesting to see the latest information coming out of the crashes. I think what we hypothesized early was fairly accurate. The memory items were not adequate to regain control of the aircraft. And as suggested, there is a software issue.

I can't help but think back to the beginning of this discussion where we discuss the need for a master cut out that essentially let's the pilot command absolute manual control of the airplane. Or direct law. This is exactly how we see the cruise control systems work in cars. It's interesting because with the tesla and the growing automation in these cars, we're seeing these same paradigms shift, so that the automated systems get more and more authority. Perhaps in 90% of use cases this isn't problematic and in fact beneficial statistically, but it's the other 10% when Murphy's law comes into play. Alas, often the impetus in engineering is to run before we can walk consistently and accurately. I think we're in this place with automation and AI.

It's always useful to step way way back when you're deep into a complex problem.

When we look at how MCAS operates on the trim, it seems to me it is over-stepping the bounds of what an automated system should control.

With autopilot, we have a computer working with essentially the yoke and throttle and commanding them to maintain altitude and heading etc... The limits to that system and how to circumvent it are very well understood by pilots. It's a tool for them that they control.

But with MCAS we're employing an automated system that is essentially, working "behind the scenes" to try to create a scenario or desired flight characteristics that is expected by the pilot. This is a big paradigm shift the way I see it. This is not like autopilot or the speed trim system. The pilot is not aware in the general situational sense, that any autonomous system is engaged and the ways to disengage this system are fundamentally different than autopilot. This override scenario is metaphorically akin to doing a sort of "airplane system emergency surgery" to disengage a fundamental system integral to how the plane flies as expected.

I think when they sketched up MCAS they didn't really have the objective, stepped back, forest for the trees approach to understand how this system is very different than anything they've implemented (taking the Boeing model of flight controls in account). It's really not like the speed trim system.

I think they might of thought of MCAS as augmenting the speed trim system. And so from that perspective, the MCAS is just the speed trim system going farther and farther down the direction of increased automation authority.

Anyway, wanted to add my thoughts. Really engrossing discussion here on aerodynamics, HCI and system design.

 

[cyboman]

So trim force has to be more powerful than control force so the pilot can use it to eliminate of all of the control force.

You're right. So the issue is that we have an automated system controlling that trim, and thus has tremendous pitch authority. And the communication and feedback to the pilot of that system, as well as how easily that system can be circumvented is problematic.

 

[cyboman]

In those airplanes, does "manually" mean that there is no hydraulic assistance?

No I don't think that's the case for Boeing aircraft in these scenarios. These planes are so big that hydraulic augmentation is fundamental to controlling the aircraft. Such that there is a redundant hydraulic system. A and B. If both systems fail the pilot is still linked in mechanically, such that the pilot would still be connected to the control surfaces. But that is not a very good scenario at all and the control forces would be unmanageable for anything but minor attitude adjustments.

Further, when you say "manual control", that would be a scenario for the pilot where they are in control of the airplane without the intervention of any autonomous systems and yes, it would be hydraulically assisted.

 

[nitsuj]

Hello, just catching up on the latest replies. It's interesting to see the latest information coming out of the crashes. I think what we hypothesized early was fairly accurate. The memory items were not adequate to regain control of the aircraft. And as suggested, there is a software issue.

I can't help but think back to the beginning of this discussion where we discuss the need for a master cut out that essentially let's the pilot command absolute manual control of the airplane. Or direct law. This is exactly how we see the cruise control systems work in cars. It's interesting because with the tesla and the growing automation in these cars, we're seeing these same paradigms shift, so that the automated systems get more and more authority. Perhaps in 90% of use cases this isn't problematic and in fact beneficial statistically, but it's the other 10% when Murphy's law comes into play. Alas, often the impetus in engineering is to run before we can walk consistently and accurately. I think we're in this place with automation and AI.

It's always useful to step way way back when you're deep into a complex problem.

When we look at how MCAS operates on the trim, it seems to me it is over-stepping the bounds of what an automated system should control.

With autopilot, we have a computer working with essentially the yoke and throttle and commanding them to maintain altitude and heading etc... The limits to that system and how to circumvent it are very well understood by pilots. It's a tool for them that they control.

But with MCAS we're employing an automated system that is essentially, working "behind the scenes" to try to create a scenario or desired flight characteristics that is expected by the pilot. This is a big paradigm shift the way I see it. This is not like autopilot or the speed trim system. The pilot is not aware in the general situational sense, that any autonomous system is engaged and the ways to disengage this system are fundamentally different than autopilot. This override scenario is metaphorically akin to doing a sort of "airplane system emergency surgery" to disengage a fundamental system integral to how the plane flies as expected.

I think when they sketched up MCAS they didn't really have the objective, stepped back, forest for the trees approach to understand how this system is very different than anything they've implemented (taking the Boeing model of flight controls in account). It's really not like the speed trim system.

I think they might of thought of MCAS as augmenting the speed trim system. And so from that perspective, the MCAS is just the speed trim system going farther and farther down the direction of increased automation authority.

Anyway, wanted to add my thoughts. Really engrossing discussion here on aerodynamics, HCI and system design.

The first report on the crash reported the co pilot requested to trim stab cut out, was permitted.

That was well into the issue, inputting nose up trim via yoke, then as per mcas, nose down stab trim.

With stab trim off, co pilot tried manual trim. He said it wasn't working. Pilot concurs (did he try? why didn't both try at same time for more power?) Note Boeing's procedural fix is to get trim where you want it first (this is specifically for runaway mcas trim) using yoke inputs; then stab trim cut out. That's just to make it so there no need for a huge manual (with the trim wheels) trim adjustment.

Apparently pilots are (well) aware of the effects of airspeed, altitude ect on aerodynamics. Including that manual trim in such conditions can be very difficult and a valid option is a "relief trim" input and then manually adjust trim; if altitude permits of course.

Odd thing looks like stab trim was re-engaged after that. Likely to try a final nose up trim; followed by a Boeing "correction" designed to avoid the costs of a new type certificate hard nose down; kaput.

Grr...

all the info in here, except for my figure pointing, is from Juan Brown's "debriefing" of the accident from a pilot to the general public lol (his yt channel is called blancolirio)

Juan's debrief of the initial report
Note in that vid, he mentions a system that may operate the stabilizer trim even with the stab trim cut-off in the off position. Regarding a "mach trim". It was recorded that while the stab trim cut off was in off position that the stab trim move a bit (with no explanation on what moved it), Juan posits it could be a mach trim, given the speed of the craft at the time.

So such "behind the scenes" automation can work, it just needs to have an acceptable logic to it.

 

[nitsuj]

Yes, it is relevant. Apparently, the engine position of the MAX changed and moved the CG so that the MCAS system was required for preventing a stall. There should be a mandated stability margin that would make a commercial airplane safe. The location of stored luggage is also a concern.

The relevancy may not be so obvious. Strong note; mcas is not there to prevent a stall; the plane does have pilots on board that are there to fly the plane. The pilots prevent stalls, implicitly.

The mcas was to maintain the flight characteristics of the plane as not to require a new type certificate. Simple as that.

Apparently the plane flies "just fine" without mcas; however would require all new pilot training...try selling that to the airlines.

So they half ass this to circumvent the actual flight characteristics. Using automation to make this different beast fly like the previous version the pilot is certified to fly.

The initial flight report doesn't sound like a "well behaved" airliner.

 

[FactChecker]

mcas is not there to prevent a stall; the plane does have pilots on board that are there to fly the plane. The pilots prevent stalls, implicitly.
The mcas was to maintain the flight characteristics of the plane as not to require a new type certificate. Simple as that.
Apparently the plane flies "just fine" without mcas;

That is not the impression I had, but I do not have an authoritative source.

 

[nitsuj]

That is not the impression I had, but I do not have an authoritative source.

it'll be my new source of aircraft news...seems we have that much choice of source...no need for impressions.

note this "source" did not say,
mcas is not there to prevent a stall; the plane does have pilots on board that are there to fly the plane. The pilots prevent stalls, implicitly.

That's just my impression ;)

 

[cyboman]

The mcas was to maintain the flight characteristics of the plane as not to require a new type certificate. Simple as that.

It's really not so simple. That's one way to summarize the system and situation. And somewhat accurate from a high level. But when describing MCAS itself it's way more complex. MCAS is qualified differently at different times by Boeing themselves and their motives for it's implementation are complex, not just certification. Also, I've heard an airliner pilot on youtube describe the MCAS as a type of stall prevention system. That's likely because, when you look at a system that commands nose down trim in high AoA scenarios, one of the main threats that system is trying to mitigate is the pilot entering a stall. It doesn't mean it handles the stall without pilot intervention. It means it modifies the aerodynamics of the airplane to assist in preventing a stall scenario.

One issue is in these discussions, everyone tries to summarize the problem it their own way, typically over simplifying the failure modes and all the various motivations and involved actors. In general, if you read this entire thread you'd see we've been over a lot of this ground. And certainly, the contention that MCAS was a sort of "hack" or jerry-rigged approach has certainly been suggested more than once.

 

[cyboman]

Note in that vid, he mentions a system that may operate the stabilizer trim even with the stab trim cut-off in the off position. Regarding a "mach trim". It was recorded that while the stab trim cut off was in off position that the stab trim move a bit (with no explanation on what moved it), Juan posits it could be a mach trim, given the speed of the craft at the time.

Interesting, that's not entirely surprising as I've suggested the speed trim system is very tightly coupled functionally to MCAS it seems, the mach trim is another automated system commanding trim. I'm pretty sure speed trim and or mach trim have been associated with other crashes as well. Again, it's about the pitch authority these systems have.

So such "behind the scenes" automation can work, it just needs to have an acceptable logic to it.

Sure they can. But it's how they are implemented not necessarily the robustness of the logic. The logic and the testing always need to be robust, that's a given - and it's certainly an issue with MCAS. But even with the best logic, accidents can happen. A system can fail. And a big part of what's gone wrong with MCAS, I would contend, is that the system is not communicating with adequate feedback to the pilot. And the training and maneuvers to disable the system is lacking and very problematic. Remember, this isn't something that adjusts automatically the speed of windshield wiper blades based on a water volume sensor. It's a system that has tremendous pitch authority. If the pilot doesn't even know it exists (which they didn't initially, it wasn't even in the manual), then there is very bad evidence of a dangerous paradigm shift in how we approach implementations of flight critical automated systems.

One good thing that has come out of these horrible tragedies is that those implementations are going to be ruthlessly reexamined and all actors and motives will be under question and further, as we've seen, under investigation.

 

[cyboman]

The relevancy may not be so obvious. Strong note; mcas is not there to prevent a stall; the plane does have pilots on board that are there to fly the plane. The pilots prevent stalls, implicitly.

What I think you're missing is that @FactChecker is saying that moving the CG back has big efficiency gains but also sacrifices aerodynamic stability. Making the engines larger is the same thing. More efficiency but it came at a big aerodynamic cost, CG was affected. MCAS was implemented to solve that problem. The issue is, how far do you push an air-frame before it's not stable? Is it safe to implement automation like MCAS to deal with those changes (and do so without telling the pilot)? Many pilots are of the opinion the air-frame was not adequate for those engines. I suggested earlier and I had read similar elsewhere, that the stab needed to be bigger / redesigned.

 

[cyboman]

After hearing the report from the video provided (which was good analysis):

Why does the stab cutout switches not disable all automated systems commanding the stab? How could it disable MCAS but not speed or mach trim? (I don't believe elevator feel is involved here as he suggests as that's only commanding elevator not the stab trim from my understanding). In fact the procedure for a runaway stab trim is to use the cutout switches, that exists before MCAS. He explains being trained for that scenario.

He's right, it's gut wrenching and aggravating.

Also, much of what was hypothesized here earlier in the thread has borne out. Some very smart people participating on this forum.

 

[cyboman]

In those airplanes, does "manually" mean that there is no hydraulic assistance?

To further clarify: I think that with trim, manual control may in fact not be hydraulically assisted. So, if I'm not mistaken when they use the stab cutout switches that may result in no hydraulic or "electric" assistance to control the trim and the trim wheels in effect work mechanically. I'm not sure of this however. It may be the case that the stab cutout only bypasses automated systems and the trim switches on the yoke still operate using electric control of the trim. Given the recent tragic scenarios, I think that's preferable.

For other systems, like elevator, aileron and rudder, manual control would still mean hydraulically assisted since as previously explained direct mechanical control is not a practical flight scenario and more of a redundant backup architecture. Manual control in this sense, is disabling autopilot.

 

[cyboman]

Airliners crash very infrequently these days. It can certainly be said that the Boeing design philosophy contributed to these crashes, but it can also be said about the Airbus design philosophy. Neither is perfect.

Ya this is a great point. It really dives into the heart of the issue. We've been dancing around this a lot. More automation etc... I do think the Boeing model has some merits. I do like the idea of the pilot still being a central "CPU", that's the case for airbus model too, but with Boeing I think that's a larger focus. I also like the idea of mechanical redundancy. It's a challenge perhaps with these large crafts but as a non expert, I do lean towards the Boeing flight controls philosophy.

In fact, perhaps part of what Boeing did wrong with MCAS is deviate from their flight controls philosophy.

These days crashes are so infrequent that it seems to me that most are caused by poor relationships/communication between the pilot, the computer and the plane -- because everything else has become so close to perfect.

Yes, HCI is critical and seems to be lagging behind the growth of automation and AI.

 

[nitsuj]

What I think you're missing is that @FactChecker is saying that moving the CG back has big efficiency gains but also sacrifices aerodynamic stability. Making the engines larger is the same thing. More efficiency but it came at a big aerodynamic cost, CG was affected. MCAS was implemented to solve that problem. The issue is, how far do you push an air-frame before it's not stable? Is it safe to implement automation like MCAS to deal with those changes (and do so without telling the pilot)? Many pilots are of the opinion the air-frame was not adequate for those engines. I suggested earlier and I had read similar elsewhere, that the stab needed to be bigger / redesigned.

I don't believe I missed that point. Not sure about the aerodynamic changes. The point of thrust is more forward on the wing, as well as the weight. Apparently such a situation causes a "natural" tendency to pitch up. Not to some crazy degree that pilots cannot control without automation. But enough to say it flies differently from the previous model and requires a new type certificate. enter mcas to bring those flight characteristics back to being the same as the previous model, for which the pilot is already trained.

To your rhetorical question/point regarding "how far do you push an air-frame" via changes. Only to have automation adjust the resulting flight characteristics so the plane "flies" the same (as previous 737's) from the pilots perspective.

Is FAA at fault for allowing such a system circumvent the requirement to have pilot training in order to fly this essentially new aircraft? Is boeing also culpable because they did a poor job of implementation?

At first I thought it was economic reasons that the FAA held out grounding the plane for so long (obvious economic implications for Boeing)

I imagine the pilots of the failed flights would say that mcas specifically was the issue.

Am not sure pilot's opining on engineering of the plane is a good basis; maybe best left to aerospace engineers.

That guy in the vid Juan, he talked about this particular airforce jet he flew that was all about AoA. Had a big AoA reading display right in the center of the panel. Had a crazy high landing speed too. He liked how it flew...I imagine many would not, particularly someone not trained in it's use.

In other words, maybe all 737 max needed was pilot training...a new type certificate.

 

[Roberto Teso]

For who whould like to deepen knowledge on 737 all version and find exaustive technical description of all systems there's this site: The Boeing 737 Technical Site.

Site author, Chris Brady, is a pilot of 737 from 1994, in this case I find very interisting the analisys on MCAS system here: 737 MAX - MCAS.

 

[cyboman]

In other words, maybe all 737 max needed was pilot training...a new type certificate.

I don't think that's "all". If you read through this entire thread and the preliminary reports of the two crashes (which I'd recommend, but it's tough read - as in disturbing), I find it hard to believe you'd feel that way.

Also, it's pretty clear that's not all the max needed by the software updates rolling out. Many of which were suggested early on in this thread. MCAS was a very bad design with an even worse implementation and that's just the tip of this complicated iceberg.

 

[cyboman]

I learned after finally reading the reports that the stab cutout disables all electric and automated control of the trim. Only the trim wheel can be used at that point. So there is no manual control of the trim that is hydraulically or electrically assisted without reactivating the automated pitch trim systems. This is a flawed design approach imo.

EDIT: This turns out is only the case in the Max and not the NG.

Also, I watched a c-span where a FAA official qualifies MCAS as a sub-device of the speed trim system. This was part of the excuse he was giving to a question as to why training wasn't provided.

 

[cyboman]

To your rhetorical question/point regarding "how far do you push an air-frame" via changes. Only to have automation adjust the resulting flight characteristics so the plane "flies" the same (as previous 737's) from the pilots perspective.

I have read many opinions that the air-frame has been pushed way too far with the max and the motivations for Boeing and their clients are obvious. The question is what is the line (EDIT: regarding efficiency / automation vs safety / increased RSS) and does the FAA actually even have one defined.

Not sure about the aerodynamic changes.

From Boeing: "Flight Control Computers and Stability Augmentation
The trend in the design of modern airplanes is to have less static longitudinal stability--frequently referred to as relaxed static stability (RSS)--to capture the benefit of improved fuel efficiency. Simply stated, some airplanes are now designed to be aerodynamically efficient, and stability is augmented electronically so that stick force gradients will meet certification requirements. Many methods exist for augmenting stability. For example, the Boeing 777 and MD-11 use flight control computers that adjust the elevator actuator positions to give the appearance of more longitudinal stability than the airplane actually has. In other words, computers absorb the extra workload caused by flying with RSS. -https://www.boeing.com/commercial/aeromagazine/aero_02/textonly/fo01txt.html

All good and fine until HAL doesn't work as expected, or encounters a scenario it's not programmed for. Or you don't provide feedback of HAL's status to the pilot. Or you don't tell anyone HAL exists and therefore don't train or design for easily disabling HAL. And then what happens when HAL's disabled. Is the plane still airworthy? In all scenarios?

One of the main functions of MCAS was to make the plane "simpler to fly". To make it simpler to certify and get up in the air. It's pretty evident increased RSS and automation add incredible complexity and new failure modes in their effort to keep things simple for the pilot.

 

[cyboman]

In those airplanes, does "manually" mean that there is no hydraulic assistance?

To clarify with my latest understanding, and so @FactChecker perhaps gets a notification: As I posted above

I learned after finally reading the reports that the stab cutout disables all electric and automated control of the trim. Only the trim wheel can be used at that point. So there is no manual control of the trim that is hydraulically or electrically assisted without reactivating the automated pitch trim systems. This is a flawed design approach imo.

 

[nsaspook]

I learned after finally reading the reports that the stab cutout disables all electric and automated control of the trim. Only the trim wheel can be used at that point. So there is no manual control of the trim that is hydraulically or electrically assisted without reactivating the automated pitch trim systems. This is a flawed design approach imo.

I don't think so. The stab cutout should be like an EMO switch in most life-safety systems. When you hit that button it needs to be off, period, as you don't know where the problem is, you just need it to stop moving. The root cause flawed design is MCAS overpowering possible manual control by moving trim too far out while going too fast.