Boeing How Safe is the Boeing 737 Max's MCAS System?

[PeterDonis]

My understanding is that's a solid requirement that can't be fixed by automation in commercial aviation.

I linked to the relevant FAA requirement way back in post #437; here is a link to it again:

https://www.ecfr.gov/cgi-bin/text-idx?node=14:1.0.1.3.11#se14.1.25_1173

There is nothing that says you can't use automation (or otherwise alter the "raw" stick feel, for example by putting weights in carefully chosen locations in the mechanical linkages, which is what smaller aircraft often have) to meet the requirement, just that you have to meet it.

 

[mfb]

It is being called by some the most expensive programming error in history.

March 2020 estimates were $19-23 billion - excluding some open lawsuits, and not including recent delays.
Industry estimates for a new airplane development were around $10-12 billion.

Airbus estimated $1.3 billion development cost for the A320neo. Boeing's cost is disputed but not much larger than that.

 

[nsaspook]

I linked to the relevant FAA requirement way back in post #437; here is a link to it again:

https://www.ecfr.gov/cgi-bin/text-idx?node=14:1.0.1.3.11#se14.1.25_1173

There is nothing that says you can't use automation (or otherwise alter the "raw" stick feel, for example by putting weights in carefully chosen locations in the mechanical linkages, which is what smaller aircraft often have) to meet the requirement, just that you have to meet it.

Thanks.

As far as I can tell MCAS was originally (not sure what later changes were made without Boeing informing the FAA of those changes) designed as a limited cure for the stick-force-per-g tests not not static longitudinal stability in normal flight. The airplane does not become unstable, it's handling becomes unacceptable during required out of normal flight testing.

https://aviation.stackexchange.com/questions/66799/what-is-mcas-trying-to-fix-on-b737-max

From an email from the author of the SeattleTimes article, Dominic Gates:

The description of MCAS provided by Boeing for regulators (FAA and foreign) during certification, is this:

MCAS “was added to address potential nose-up pitching moment at high angles of attack at high airspeeds outside the normal flight envelope.”

Elsewhere in the documents, it’s made clear that MCAS was expected to kick in when a MAX approached a “wind-up turn,” which is essentially a banked downward spiral. Of course a commercial jet would never in normal flight do such a maneuver. But in flight tests for certification, the test pilots are required to show that the plane can approach that and not lose lift on one wing and flip over.

Can you post that answer for me? Thanks, Dominic Gates

https://aviation.stackexchange.com/...-require-it-to-be-harder-for-pilots-to-pull-b

 

[OCR]

“wind-up turn”

AKA. . . A graveyard spiral.

Some more sensory illusions in aviation. . .

.

 

[PeterDonis]

As far as I can tell MCAS was originally (not sure what later changes were made without Boeing informing the FAA of those changes) designed as a limited cure for the stick-force-per-g tests not not static longitudinal stability in normal flight.

Item 25.173 (c) is the stick force curve requirement. Yes, I know the section as a whole is titled "static longitudinal stability", but for whatever reason, they included the stick force curve requirement there.

 

[nsaspook]

Item 25.173 (c) is the stick force curve requirement. Yes, I know the section as a whole is titled "static longitudinal stability", but for whatever reason, they included the stick force curve requirement there.

So, when you drill down to the bottom, this was your classic Corner case problem with a solution that turns out much worse than the original problem.

 

[Office_Shredder]

So, when you drill down to the bottom, this was your classic Corner case problem with a solution that turns out much worse than the original problem.

That's probably a bit unfair. Only two planes have crashed from implementing a solution to this. Do you think this hasn't prevented two planes crashes in the history of the regulation?

 

[FactChecker]

That's probably a bit unfair. Only two planes have crashed from implementing a solution to this. Do you think this hasn't prevented two planes crashes in the history of the regulation?

And there were probably crashes that led to this regulation.

 

[nsaspook]

That's probably a bit unfair. Only two planes have crashed from implementing a solution to this. Do you think this hasn't prevented two planes crashes in the history of the regulation?

My comment was pointed to Boeing, not the need for the regulation. Yes, it's very unfair to Boeing. They took a stable aircraft under normal flight conditions and transformed it into a flying bronco that killed 346 people in two crashes within 5 months.
https://www.satcom.guru/2019/05/737-pitch-trim-incidents.html

There is no documented 737 accident as a result of stabilizer/pitch trim malfunction or failure (prior to JT610 and ET302).

The actual regulation to discover faults at the limits of operation, something engineering does daily when we build new things is not the issue. The issue is the solution to the discovered fault.

 

[Ivan Seeking]

My comment was pointed to Boeing, not the need for the regulation. Yes, it's very unfair to Boeing. They took a stable aircraft under normal flight conditions and transformed it into a flying bronco that killed 346 people in two crashes within 5 months.

But it wasn't inherently flawed. It was a programming error. That doesn't suggest that Boeing fundamentally did anything wrong. It might speak to issues of peer review and testing but not the essential approach.

I have always felt a real problem was self policing for the FAA. That should never be allowed. If it wasn't THE cause of this disaster, it was bound to be sooner or later.

 

[PeterDonis]

It was a programming error.

I think that understates the error. It was an error of design and judgment, not just an error of programming.

 

[Ivan Seeking]

I think that understates the error. It was an error of design and judgment, not just an error of programming.

Why? I didn't want to read all 25 pages. Can you give a quick synopsis of the argument? In the end, as I understand it, if two lines of code had not been misplaced, or if that error had been identified in the testing process, it never would have happened. I am familiar with the design history and how this plane was modified.

 

[PeterDonis]

Can you give a quick synopsis of the argument?

See my post #580, which lists the key changes required by the FAA. Each one of those changes addresses a fundamental design flaw.

if two lines of code had not been misplaced

Please give a reference for this. Nothing I have seen says that it was just two lines of code, or that it was just a coding error and not a more fundamental design and judgment error.

 

[FactChecker]

Why? I didn't want to read all 25 pages. Can you give a quick synopsis of the argument? In the end, as I understand it, if two lines of code had not been misplaced,

IMO, no two-line misplacement could have caused all the problems that were identified. The issues have been listed several times in this thread and you can see them identified in Section 5.2 (pages 20-21) of this report.

 

[Ivan Seeking]

See my post #580, which lists the key changes required by the FAA. Each one of those changes addresses a fundamental design flaw.
Please give a reference for this. Nothing I have seen says that it was just two lines of code, or that it was just a coding error and not a more fundamental design and judgment error.

Ah, sorry, I can't produce that yet. But it will be coming out.

 

[Ivan Seeking]

The changes that were made to the flight control software, as described in the FAA's updated Airworthiness Directive, do not seem to me to support this assertion. Key changes that were made (pp. 6-7) include:

MCAS can only activate based on inputs from both AoA sensors, not a single one.

The inputs from the two AoA sensors must be compared, and if they differ significantly, the speed trim system, which includes MCAS, is disabled for the remainder of the flight (and a light illuminates in the cockpit to indicate this).

Only one MCAS activation is permitted per high AoA event.

The control authority of MCAS is limited such that, even when MCAS is commanding the maximum change it is allowed to the horizontal stabilizer, the pilot can still control pitch using the control column, without having to make any electric or manual stabilizer trim inputs.

The fact that those changes were required indicates to me that the errors in the control software that those changes are correcting were part of the root cause of the two crashes.

Also note that the updated pilot training required for the 737 MAX now includes training in how to recognize an AoA sensor failure and how to get the plane's trim back into a reasonable range before disabling the electric trim system in the event of an AoA sensor failure that triggers an erroneous MCAS activation.

Those are corrections needed to enhance safety but do not eliminate the root cause of failure. They address in part issues that prevent the pilot from recovering.

 

[nsaspook]

Those are corrections needed to enhance safety but do not eliminate the root cause of failure. They address in part issues that prevent the pilot from recovering.

Was it something like the several second timer that repeats the erroneous trim adjustment? Was it a design control law problem or a problem with some like the software PID implementation of a control law? Typically with a PID control loop the error term has the integral term gain limited (equivalent to a one time adjustment here) to only be able to give X amount of feedback (to combat mechanical system windup to control limits) to adjust the total error signal to balance the control set-point. One of the problems that prevented recovery was the pilot would correct the pitch error but MCAS would just push the nose back down again and again. The pilots were able to counter the nose-down movement multiple times but eventually they ran out of airspace. Obviously the repeated adjustment mode was 'fixed' to one time only now.

I think about the second time you see the trim causing a problem is the time to shut off the trim system and stabilize the aircraft because when the electric trim system fails FOR ANY REASON, the immediate corrective action is to disable the electric trim system per the emergency checklist for runaway stabilizer. The CAUSE might be confusing, but the cause is irrelevant at that point in time.

 

[FactChecker]

Those are corrections needed to enhance safety but do not eliminate the root cause of failure. They address in part issues that prevent the pilot from recovering.

Those correct the design mistakes that drove the plane into the ground. Without those design mistakes, there would have never been a crash.

 

[PeterDonis]

Those are corrections needed to enhance safety but do not eliminate the root cause of failure.

Why not? What root cause is still there?

 

[hutchphd]

As was said long ago in this thread by me (from Wikipedia)

The JATR said, "MCAS used the stabilizer to change the column force feel, not trim the aircraft. This is a case of using the control surface in a new way that the regulations never accounted for and should have required an issue paper for further analysis by the FAA. If the FAA technical staff had been fully aware of the details of the MCAS function, the JATR team believes the agency likely would have required an issue paper for using the stabilizer in a way that it had not previously been used; this [might have] identified the potential for the stabilizer to overpower the elevator."[26]
(emphasis mine)

This really bad piece of engineering design is the crux. Reprehensible.

 

[russ_watters]

I think that understates the error. It was an error of design and judgment, not just an error of programming.

See my post #580, which lists the key changes required by the FAA. Each one of those changes addresses a fundamental design flaw.

Please give a reference for this. Nothing I have seen says that it was just two lines of code, or that it was just a coding error and not a more fundamental design and judgment error.

Indeed as far as I know, the code correctly executed the control logic the engineers intended, so it can't rightly be called an "error of programming". But if even one of the three programmed features on that list had been done differently, it is possible (as I've speculated before) that by today we still never would have heard of MCAS. And they may be simple changes (though two lines of code seems unlikely). But I still think the wholesale upgrade to the flight computer architecture/philosophy was a good idea.

 

[cyboman]

I think that understates the error. It was an error of design and judgment, not just an error of programming.

Ahhh, after so much debating...ultimately we agree.

 

[cyboman]

But I still think the wholesale upgrade to the flight computer architecture/philosophy was a good idea.

I alluded to this at the beginning of this thread - before the investigations and remedies were implemented. With a lot of friction I might add.

 

[russ_watters]

I alluded to this at the beginning of this thread - before the investigations and remedies were implemented. With a lot of friction I might add.

[shrug] I only re-read the first page, and on that page you argued MCAS should not exist. Post #2 includes an allusion to a major system re-design, but not by you. I don't know what your allusion was, when it was, or how I/others responded, so I really can't respond directly to that.

If you want your "I told you so", you'll need to quote where you told me/us so.

 

[cyboman]

I can do that work later. But it's a long thread. From what I remember, my contention was that MCAS was flawed. The logic that governs the system was poor. MCAS was basically a band-aid solution to an unstable airframe due to the placement of the engines. And certainly much of it was arguing MCAS does in fact effect / affect / change / creates a change in forces on the airfoil (it got really needlessly semantic) the trim and hence pitch of the aircraft. Much of what I said has born out. Including specific logic I alluded to including limiting maximum commands MCAS can issue and making disabling the system very easy and straightforward. With the max it turns out they changed ways in which MCAS worked from previous versions (may have had a different name like speed trim etc...) and while those changes were proven to be stupid and poorly implemented what was even more moronic is the pilots were not adequately informed of those changes. Training costs money. In the end as was also my contention, it all comes back to money.

 

[cyboman]

If you want your "I told you so", you'll need to quote where you told me/us so.

Not sure it's worth digging up for that. I really don't need the chest thumping. I just revisited the thread after so long and couldn't help but notice the "drift" in opinions since the beginning.

 

[PeterDonis]

From what I remember, my contention was that MCAS was flawed.

I don't think anyone in this thread disagreed with that contention. Or with the claim that a wholesale upgrade was a good idea. Nor were you the only one who said such things, even early on in the thread.

much of it was arguing MCAS does in fact effect / affect / change / creates a change in forces on the airfoil (it got really needlessly semantic)

As I said in several posts during that discussion, nobody was disagreeing with you about the aerodynamics of the plane or about what MCAS does to affect them. The disagreement was only over a specific choice of words you kept making that, in the opinion of some others (including me), did not accurately describe what MCAS, and more generally the stability trim system, was intended to do.

In short, yes, you said things in this thread that have turned out to be correct. So did many others.

 

[PeterDonis]

couldn't help but notice the "drift" in opinions since the beginning.

I'm not sure what "drift" you are referring to. As far as I can tell, there has been general agreement from the start that MCAS as it was implemented before the crashes was flawed. In particular, the statement of mine that you quoted here...

I think that understates the error. It was an error of design and judgment, not just an error of programming.

Ahhh, after so much debating...ultimately we agree.

...is the position I have taken throughout this thread, so if we agree on it, we have agreed on it all along.

 

[DaveE]

 

[cyboman]

I'm not sure what "drift" you are referring to. As far as I can tell, there has been general agreement from the start that MCAS as it was implemented before the crashes was flawed. In particular, the statement of mine that you quoted here...
...is the position I have taken throughout this thread, so if we agree on it, we have agreed on it all along.

Well I recall early on you were quite defensive of any culpability of Boeing and their MCAS system, I thought your arguments initially seemed to allude that it was more pilot error but I could be mistaken.

 

[cyboman]

No. No. No. When the plane stalls you must put the nose down to increase airspeed, not get level. As a glider pilot, I'm used to flying at the edge of stall speed for prolonged periods. Adding an engine changes the parameters, but it does not change the basic physics of flight.

It is counter-intuitive at first. If you stall close to the ground, you must immediately push the stick forward to put the nose down. But after training, the counter-intuitive becomes intuitive.

Pushing the nose down, is increasing velocity, which is what thrust or power results in. When I said "get level", I didn't mean to imply pull up on the yoke. Pushing down to increase airspeed could be part of the maneuvers to become "level". But your point is well taken, and worth pointing out as I'm not a pilot. And it is indeed extremely counter intuitive pitching down when stalling.

*Why am I revisiting this old thread? Is this a faux pas? Please tell me if so.

 

[PeterDonis]

I recall early on you were quite defensive of any culpability of Boeing and their MCAS system

You recall incorrectly. I never made any such claims.

I thought your arguments initially seemed to allude that it was more pilot error

I did say that pilot error might also have been a contributing factor. I never said that pilot error being a contributing factor meant that Boeing was not culpable as well.

 

[PeterDonis]

increasing velocity, which is what thrust or power results in

Not necessarily. There are many cases where increasing power will result in increasing altitude, not airspeed.

Also, the response of the plane to an increase in power is significantly slower than its response to a change in pitch. So if you're in a stall, pushing the nose down is something you have to do regardless of whether you're going to increase power or not, because increasing power by itself won't get you out of trouble fast enough.

 

[PeterDonis]

if you're in a stall

And it's worth noting as a reminder that, as I pointed out at the time the referenced discussion earlier in this thread was taking place, the 737 MAX airplanes that crashed were not actually in a stall. The automated system thought they were because of faulty sensor data, but they actually weren't. So what to do in an actual stall is irrelevant in assessing what needed to be done to avoid those crashes.

 

[cyboman]

Not necessarily. There are many cases where increasing power will result in increasing altitude, not airspeed.

Also, the response of the plane to an increase in power is significantly slower than its response to a change in pitch. So if you're in a stall, pushing the nose down is something you have to do regardless of whether you're going to increase power or not, because increasing power by itself won't get you out of trouble fast enough.

Agreed, I'm going to guess on an aircraft that size they both increase power and pitch down.

 

[PeterDonis]

I'm going to guess on an aircraft that size they both increase power and pitch down.

Pitch down, yes. Whether to also increase power will depend, as I said, on the specific situation. For example, consider these two different stall situations:

(1) You're on approach for landing and your angle of attack gets too high. Your airspeed drops and you fall below your glide slope.

Here you have to pitch down to increase airspeed, and you also need to add power because your energy is too low--you're below glide slope.

(2) You're in a dive and your angle of attack gets too high and you're close to a stall.

Here you have to pitch down, but the last thing you want to do is add power. You're in a dive, so your airspeed will probably increase pretty rapidly as you pitch down, and you might have to decrease power to avoid too much stress on the airframe (as well as for the obvious reason of decreasing your dive rate).

 

[berkeman]

Oops...

https://abc7news.com/ex-boeing-test-pilot-indicted-for-fraud-in-737-max-probe/11127038/

 

[hutchphd]

Boeing itself is apparently "too big to charge" in that they would be precluded from a host of federal contracts if convicted.

Not that this guy isn't culpable as hell IMHO...

.

 

[artis]

Well it seems almost logical that he wasn't acting alone but more like "taking one for the team" so probably got paid to do so , otherwise why would he ?

 

[berkeman]

https://abc7news.com/ex-boeing-test-pilot-indicted-for-fraud-in-737-max-probe/11127038/

In January 2020, Boeing released more than 100 pages of internal communications that the company itself called "completely unacceptable."

In one exchange, an unnamed Boeing employee says the 737 Max "is designed by clowns, who in turn are supervised by monkeys," after complaining about the flight management computer.

 

[hutchphd]

When I was teaching freshman engineers (this was before being personally exposed to the insides of corporate decisions ), I took some solace that the less technically adept thirds of the class would be likely ensconced somewhere in middle management from whence they could do no real harm. How naive I was.
The saga of Boeing is a tragedy. The maintenance of excellence is never easy, and without recognition of quality by those in charge, impossible. This is an engineering morality play.

 

[Andrew Mason]

Oops...

View attachment 290727
https://abc7news.com/ex-boeing-test-pilot-indicted-for-fraud-in-737-max-probe/11127038/

Just a comment on the legal side of this. This charge raises an interesting legal issue about the definition of "fraud". Normally, fraud is defined as a dishonest act that causes some kind of deprivation relating to the property interests of another. If the pilot in question provided false information unknowingly as the email indicates, the dishonesty component is lacking. If he did it knowingly, it may still a bit of a challenge to see that the dishonesty relates to deprivation of a property interest.

AM

 

[hutchphd]

This guy crashed the plane in the simulator because of the difficulty of overcoming the actions of MCAS. He then forcefully petitions the FAA that the existence of the system need not be divulged to pilots. A bad idea, stupidly implemented and then hidden.
I guess the law does not recognize the term "reprehensible"

 

[nsaspook]

This guy crashed the plane in the simulator because of the difficulty of overcoming the actions of MCAS. He then forcefully petitions the FAA that the existence of the system need not be divulged to pilots. A bad idea, stupidly implemented and then hidden.
I guess the law does not recognize the term "reprehensible"

According to the indictment, in late 2016, Forkner discovered information about an important change to MCAS and withheld it. In an instant-message chain between Forkner and then technical pilot Patrik Gustavsson, the chief pilot described a scenario in which he witnessed the MCAS “running rampant” during a November 2016 simulator session, some four months before the Max received its certification from the FAA.

What exactly does MCAS “running rampant” mean? Was the simulator session flying the normal flight envelope of the plane and simulating failures or were they doing acrobatics. Some context is needed.

 

[FactChecker]

There were design decisions that must have raised red flags throughout the design team. I believe that upper management relies on the test pilots to give them a realistic evaluation of risks, whereas the engineers are often overly optimistic about their design. This is not such a case. IMO, the design mistakes were severe enough that everyone knew there were problems.

 

[jedishrfu]

Boeing was in competition with Airbus and they had a plane that performed better. Boeing added MCAS to make their new plane competitive.

One overriding feature was the desire to skip pilot training on the new plane saying it handles the same as a prior model and so a test pilots input would have been critical here.

https://en.wikipedia.org/wiki/Boeing_737_MAX

 

[nsaspook]

Auto-trim runaway is what MCAS was causing. Is this what MCAS “running rampant” means?

If that's true then we're back to the standard Auto-trim runaway check-list issue (no manual recovery if started too late) again instead of MCAS specific countermeasures in the crashes.


MCAS put the plane into a "dive" when the AOA sensor malfunctioned by over-trimming the plane.

Some pilots recovered the plane using the auto-trim runaway procedure early and for the rest of the flight but sadly some didn't.

The system should not go into runaway so easily, and it should not have been permitted to run the trim as far as it did.

 

[Astronuc]

Some pilots recovered the plane using the auto-trim runaway procedure early and for the rest of the flight but sadly some didn't.

It's not clear that other pilots faced the same degree of runaway that the pilots of Lion Air and Ethiopian Air faced. At 34:34 in the Frontline video, a discussion of Boeing's position is mentioned, followed by a review of the Ethiopian Air (ET-302) crash with an American Airlines 737 pilot, who mentions the crew got it right (37:34) when they shutoff power to MCAS. Unknown to the pilots, an AOA was giving faulty data and MCAS kicked into correct the situation. The first officer tried to use manual trim wheel, but it proved too difficult to move, and by then the plane was traveling too fast (ostensibly, the pilot/co-pilot should have reduced engine power). Then they reactivated MCAS.

Boeing was facing stiff competition from Airbus. They promised US airlines that no additional training (that would require a simulator 15:40) would be necessary with the 737 Max based on a commitment to Southwest Airlines (15:52). MCAS was adapted from a military aircraft (17:20). At 18:02 begins the discussion of the simulator test that revealed a potential problem with MCAS, that being even a Boeing test pilot might have trouble overcoming faulty operation of MCAS.

At 22:08 begins a discussion of FAA's delegation to Boeing and statements by Michael Huerta. I disagree with his statements. Quality Assurance is not necessarily fully independent from corporate management and pressure to accept the unacceptable.

At 22:42, discussion of the maiden flight of 737 Max reveals a less than smooth flight particularly at low speed (just after take off). MCAS is further adapted given greater effect (it evolved from minor to major, and perhaps critical in some situations).

At 26:10, begins discussion of Mark Forkner, who became chief technical pilot for the 737. Forkner requested permission from FAA to remove MCAS from pilot manual (27:14-27:21). At 28:49, the video indicates that Forkner became aware that the had misinformed the FAA regarding MCAS. However, Forkner did not alert the FAA and did not correct the record.

Due to the delegation practice, the FAA was unaware of how significant MCAS has become. Clearly the FAA was negligent in this matter, and Boeing was negligent in not informing the FAA, or ensuring that correct information was provided to the FAA.

At 30:20 begins discussion of faulty AOA sensors and impact of MCAS. Boeing engineers raised the issue internally.

 

[FactChecker]

an AOA was giving faulty data and MCAS kicked into correct the situation.

It's my understanding that the AOA faulty data fooled the MCAS into causing the situation. MCAS did not correct anything.

 

[anorlunda]

Unknown to the pilots, an AOA was giving faulty data and MCAS kicked into correct the situation.

It's my understanding that the AOA faulty data fooled the MCAS into causing the situation. MCAS did not correct anything.

Those two descriptions are not contradictory. It sounds to me like a difference in characterization.