How Safe is the Boeing 737 Max's MCAS System?

In summary, the MCAS system was not the cause of the crash and it is possible for the plane to fly without the system if the angle of attack sensor is not working correctly. However, the plane is more likely to stall if the angle of attack sensor is not working correctly and the pilots need to manually fly the plane back to correct pitch attitude.
  • #596
FactChecker said:
And the end result would be decided by a fistfight.
I've had lively discussions with fellow engineers, and certainly voices, as well as blood pressures, got raised, faces got flushed, and some expletives exchanged, but I've never had or witnessed a fistfight. I did have one manager mention impaling another manager though. I've heard of other colleagues who witnessed stuff getting thrown, or smashed.

Another complication regarding faulty speed indicators - Invasive keyhole wasp builds nests in aircraft instruments, may pose 'significant risk' to air safety!
https://www.abc.net.au/news/science...bes-brisbane-airport-aviation-safety/12919668

https://www.biorxiv.org/content/10.1101/2019.12.15.877274v2.full

At 80 knots on take-off the captain found out that his air speed indicator (ASI) wasn’t working properly. The co-pilot’s indicator seemed to work fine. While climbing through 4700 feet the captain’s ASI read 350 knots (real speed was about 220 knots); ‘resulting in an autopilot/autothrottle reaction to increase the pitch-up attitude and a power reduction in order to lower the airspeed’. At that time the crew got ‘rudder ratio’ and ‘Mach airspeed’ advisory warnings.
https://www.flightsafetyaustralia.com/2015/07/small-but-dangerous/
 
  • Like
Likes russ_watters, FactChecker and Ivan Seeking
  • #597
nsaspook said:
All of this death, cost and work for a system to adjust the pilot column pull to give the MAX the flying feel of older 737 models.

As I understand it, some adjustment of the stick force would have been necessary in any case in order to meet the basic FAA requirement that the stick force should always increase with increasing angle of attack; the "raw" stick force on a 737 MAX, with no adjustment, starts decreasing at high enough angles of attack due to the pitch up moment from the engines.
 
  • Like
Likes Ivan Seeking
  • #598
PeterDonis said:
As I understand it, some adjustment of the stick force would have been necessary in any case in order to meet the basic FAA requirement that the stick force should always increase with increasing angle of attack; the "raw" stick force on a 737 MAX, with no adjustment, starts decreasing at high enough angles of attack due to the pitch up moment from the engines.

I've never officially seen the manual flight characteristics (within normal flight) of the 737 described as out of basic FAA flight characteristic requirements. My understanding is that's a solid requirement that can't be fixed by automation in commercial aviation. Making it handle like another type (the rest of the 737 family) did require some adjustment of the stick force. That's why MCAS exists today.



Judging from the early history of MCAS Boeing did an end-around on the FAA to get MCAS approved without additional training.
https://www.oig.dot.gov/sites/default/files/FAA Oversight of Boeing 737 MAX Certification Timeline Final Report.pdf
According to internal Boeing meeting minutes from 2013, the company made the decision to portray MCAS as a modification to an existing flight control system in part because if MCAS “was emphasized as a new function, there may be a greater certification and training impact.” An ODA representative working on FAA’s behalf also agreed with portraying MCAS as a modification and not a new function. According to an FAA Flight Standards representative and an internal Boeing email, an early Boeing program goal was to keep a common type rating for the aircraft—which would minimize additional training requirements for 737 MAX pilots previously certified on the NG series—and to avoid the need for 737 MAX pilots to train in simulators, which can add costs for airlines that purchase the aircraft. References to MCAS were later removed from flight crew training requirements; therefore, any simulator training, while not proposed, probably would not have included MCAS.
 
  • #599
Just a personal observation: Boeing has been one of my biggest customers for over 25 years. And by chance I have spent much of the last 2.5 years onsite at Boeing at one of their major production facilities. I have never seen things so dark. First they were plagued with issues on the 787. Then it became clear that they had many issues with pretty much all of their models. Then the 737 nightmare hit. And then Covid hit. It didn't take long until we started seeing the unavoidable layoffs and early retirements. Not long ago a lot of long-time familiar faces went away. People were noticeably shaken. As one Boeing employee told me, the place is like a ghost town.

They have made a great effort to avoid direct layoffs and instead pushed early retirements.

The end of this nightmare episode is in sight and a vaccine is coming. We all know it is just a matter of time. But it has been terribly painful to watch. And talk about budget cuts! Wow. We are down to the bone.
 
  • Sad
Likes Astronuc, nsaspook and FactChecker
  • #600
Astronuc said:
I've had lively discussions with fellow engineers, and certainly voices, as well as blood pressures, got raised, faces got flushed, and some expletives exchanged, but I've never had or witnessed a fistfight. I did have one manager mention impaling another manager though. I've heard of other colleagues who witnessed stuff getting thrown, or smashed.
I know of an organization where two groups, which worked in the same, large, room in adjoining rows of cubicles were ordered not to talk to each other. Their managers were afraid that any talking would lead to actual fistfights.
 
  • Wow
  • Sad
  • Haha
Likes hutchphd, Astronuc and berkeman
  • #601
nsaspook said:
My understanding is that's a solid requirement that can't be fixed by automation in commercial aviation.

I linked to the relevant FAA requirement way back in post #437; here is a link to it again:

https://www.ecfr.gov/cgi-bin/text-idx?node=14:1.0.1.3.11#se14.1.25_1173

There is nothing that says you can't use automation (or otherwise alter the "raw" stick feel, for example by putting weights in carefully chosen locations in the mechanical linkages, which is what smaller aircraft often have) to meet the requirement, just that you have to meet it.
 
  • Informative
Likes FactChecker
  • #602
Ivan Seeking said:
It is being called by some the most expensive programming error in history.
March 2020 estimates were $19-23 billion - excluding some open lawsuits, and not including recent delays.
Industry estimates for a new airplane development were around $10-12 billion.

Airbus estimated $1.3 billion development cost for the A320neo. Boeing's cost is disputed but not much larger than that.
 
  • Like
Likes russ_watters
  • #603
PeterDonis said:
I linked to the relevant FAA requirement way back in post #437; here is a link to it again:

https://www.ecfr.gov/cgi-bin/text-idx?node=14:1.0.1.3.11#se14.1.25_1173

There is nothing that says you can't use automation (or otherwise alter the "raw" stick feel, for example by putting weights in carefully chosen locations in the mechanical linkages, which is what smaller aircraft often have) to meet the requirement, just that you have to meet it.
Thanks.

As far as I can tell MCAS was originally (not sure what later changes were made without Boeing informing the FAA of those changes) designed as a limited cure for the stick-force-per-g tests, not static longitudinal stability in normal flight. The airplane does not become unstable, its handling becomes unacceptable during required out of normal flight testing.

https://aviation.stackexchange.com/questions/66799/what-is-mcas-trying-to-fix-on-b737-max
From an email from the author of the SeattleTimes article, Dominic Gates:

The description of MCAS provided by Boeing for regulators (FAA and foreign) during certification, is this:

MCAS “was added to address potential nose-up pitching moment at high angles of attack at high airspeeds outside the normal flight envelope.”

Elsewhere in the documents, it’s made clear that MCAS was expected to kick in when a MAX approached a “wind-up turn,” which is essentially a banked downward spiral. Of course a commercial jet would never in normal flight do such a maneuver. But in flight tests for certification, the test pilots are required to show that the plane can approach that and not lose lift on one wing and flip over.

Can you post that answer for me? Thanks, Dominic Gates
https://aviation.stackexchange.com/...-require-it-to-be-harder-for-pilots-to-pull-b
 
  • Like
Likes hutchphd
  • #605
nsaspook said:
As far as I can tell MCAS was originally (not sure what later changes were made without Boeing informing the FAA of those changes) designed as a limited cure for the stick-force-per-g tests, not static longitudinal stability in normal flight.

Item 25.173 (c) is the stick force curve requirement. Yes, I know the section as a whole is titled "static longitudinal stability", but for whatever reason, they included the stick force curve requirement there.
 
  • Like
Likes Ivan Seeking and nsaspook
  • #606
PeterDonis said:
Item 25.173 (c) is the stick force curve requirement. Yes, I know the section as a whole is titled "static longitudinal stability", but for whatever reason, they included the stick force curve requirement there.

So, when you drill down to the bottom, this was your classic Corner case problem with a solution that turns out much worse than the original problem.
 
  • #607
nsaspook said:
So, when you drill down to the bottom, this was your classic Corner case problem with a solution that turns out much worse than the original problem.

That's probably a bit unfair. Only two planes have crashed from implementing a solution to this. Do you think this hasn't prevented two plane crashes in the history of the regulation?
 
  • Like
Likes Ivan Seeking and FactChecker
  • #608
Office_Shredder said:
That's probably a bit unfair. Only two planes have crashed from implementing a solution to this. Do you think this hasn't prevented two plane crashes in the history of the regulation?
And there were probably crashes that led to this regulation.
 
  • Like
Likes Ivan Seeking
  • #609
Office_Shredder said:
That's probably a bit unfair. Only two planes have crashed from implementing a solution to this. Do you think this hasn't prevented two plane crashes in the history of the regulation?

My comment was pointed to Boeing, not the need for the regulation. Yes, it's very unfair to Boeing. They took a stable aircraft under normal flight conditions and transformed it into a flying bronco that killed 346 people in two crashes within 5 months.
https://www.satcom.guru/2019/05/737-pitch-trim-incidents.html

There is no documented 737 accident as a result of stabilizer/pitch trim malfunction or failure (prior to JT610 and ET302).

The actual regulation to discover faults at the limits of operation, something engineering does daily when we build new things, is not the issue. The issue is the solution to the discovered fault.
 
  • Like
Likes cyboman and hutchphd
  • #610
nsaspook said:
My comment was pointed to Boeing, not the need for the regulation. Yes, it's very unfair to Boeing. They took a stable aircraft under normal flight conditions and transformed it into a flying bronco that killed 346 people in two crashes within 5 months.

But it wasn't inherently flawed. It was a programming error. That doesn't suggest that Boeing fundamentally did anything wrong. It might speak to issues of peer review and testing but not the essential approach.

I have always felt a real problem was self policing for the FAA. That should never be allowed. If it wasn't THE cause of this disaster, it was bound to be sooner or later.
 
  • Like
Likes FactChecker
  • #611
Ivan Seeking said:
It was a programming error.

I think that understates the error. It was an error of design and judgment, not just an error of programming.
 
  • Like
  • Informative
Likes russ_watters, hutchphd, Klystron and 2 others
  • #612
PeterDonis said:
I think that understates the error. It was an error of design and judgment, not just an error of programming.

Why? I didn't want to read all 25 pages. Can you give a quick synopsis of the argument? In the end, as I understand it, if two lines of code had not been misplaced, or if that error had been identified in the testing process, it never would have happened. I am familiar with the design history and how this plane was modified.
 
  • #613
Ivan Seeking said:
Can you give a quick synopsis of the argument?

See my post #580, which lists the key changes required by the FAA. Each one of those changes addresses a fundamental design flaw.

Ivan Seeking said:
if two lines of code had not been misplaced

Please give a reference for this. Nothing I have seen says that it was just two lines of code, or that it was just a coding error and not a more fundamental design and judgment error.
 
  • Like
Likes FactChecker
  • #614
Ivan Seeking said:
Why? I didn't want to read all 25 pages. Can you give a quick synopsis of the argument? In the end, as I understand it, if two lines of code had not been misplaced,
IMO, no two-line misplacement could have caused all the problems that were identified. The issues have been listed several times in this thread and you can see them identified in Section 5.2 (pages 20-21) of this report.
 
  • Like
Likes russ_watters
  • #615
PeterDonis said:
See my post #580, which lists the key changes required by the FAA. Each one of those changes addresses a fundamental design flaw.
Please give a reference for this. Nothing I have seen says that it was just two lines of code, or that it was just a coding error and not a more fundamental design and judgment error.

Ah, sorry, I can't produce that yet. But it will be coming out.
 
  • #616
PeterDonis said:
The changes that were made to the flight control software, as described in the FAA's updated Airworthiness Directive, do not seem to me to support this assertion. Key changes that were made (pp. 6-7) include:

MCAS can only activate based on inputs from both AoA sensors, not a single one.

The inputs from the two AoA sensors must be compared, and if they differ significantly, the speed trim system, which includes MCAS, is disabled for the remainder of the flight (and a light illuminates in the cockpit to indicate this).

Only one MCAS activation is permitted per high AoA event.

The control authority of MCAS is limited such that, even when MCAS is commanding the maximum change it is allowed to the horizontal stabilizer, the pilot can still control pitch using the control column, without having to make any electric or manual stabilizer trim inputs.

The fact that those changes were required indicates to me that the errors in the control software that those changes are correcting were part of the root cause of the two crashes.

Also note that the updated pilot training required for the 737 MAX now includes training in how to recognize an AoA sensor failure and how to get the plane's trim back into a reasonable range before disabling the electric trim system in the event of an AoA sensor failure that triggers an erroneous MCAS activation.

Those are corrections needed to enhance safety but do not eliminate the root cause of failure. They address in part issues that prevent the pilot from recovering.
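
The four software changes listed in the quoted post, modelled as a small latched state machine next to the single-sensor, repeating behaviour the thread describes. This is an added example, not code from the post, the FAA directive or Boeing; every threshold, unit and name in it is a constructed assumption, and the authority limit is simplified to a cap on total commanded trim.

```python
from dataclasses import dataclass

# All numeric values are constructed for illustration; none come from the
# Airworthiness Directive or from Boeing.
HIGH_AOA_DEG = 14.0      # assumed activation threshold
DISAGREE_DEG = 5.0       # assumed "differ significantly" threshold
TRIM_STEP = 1.0          # assumed nose-down trim units per activation
AUTHORITY_LIMIT = 1.5    # assumed cap on total commanded trim


def single_sensor_repeating(samples):
    """'Before' behaviour as described in the thread: one sensor, re-triggers."""
    total = 0.0
    for left, _right in samples:
        if left >= HIGH_AOA_DEG:
            total += TRIM_STEP   # no cross-check, no per-event limit, no cap
    return total


@dataclass
class CrossCheckedTrim:
    """The four listed changes as one controller with latched failure state."""
    disabled: bool = False       # latched for the remainder of the flight
    warning_light: bool = False
    in_event: bool = False       # currently inside a high-AoA event
    total_trim: float = 0.0

    def step(self, left, right):
        """Process one pair of AoA samples; return trim commanded this step."""
        if self.disabled:
            return 0.0
        if abs(left - right) > DISAGREE_DEG:
            self.disabled = True         # change 2: disagreement disables, latched
            self.warning_light = True
            return 0.0
        high = left >= HIGH_AOA_DEG and right >= HIGH_AOA_DEG   # change 1
        if not high:
            self.in_event = False        # event over; re-arm for the next one
            return 0.0
        if self.in_event:
            return 0.0                   # change 3: one activation per event
        self.in_event = True
        # change 4 (simplified): never exceed the total authority cap
        cmd = max(0.0, min(TRIM_STEP, AUTHORITY_LIMIT - self.total_trim))
        self.total_trim += cmd
        return cmd


def run(samples):
    """Feed a whole trace through a fresh controller and return its end state."""
    ctl = CrossCheckedTrim()
    for left, right in samples:
        ctl.step(left, right)
    return ctl


# Constructed traces: (left_aoa_deg, right_aoa_deg) per time step.
FAILED_LEFT = [(3.0, 3.0), (22.0, 3.1), (22.0, 3.0), (22.0, 2.9), (3.0, 3.0)]
TWO_EVENTS = [(4.0, 4.2), (15.0, 15.3), (16.0, 15.8), (5.0, 5.1),
              (15.5, 15.0), (15.5, 15.2)]

if __name__ == "__main__":
    print("single sensor, failed left vane:", single_sensor_repeating(FAILED_LEFT))
    print("cross-checked, failed left vane:", run(FAILED_LEFT))
    print("cross-checked, two real events: ", run(TWO_EVENTS))
```

With the failed-vane trace the single-sensor loop keeps commanding nose-down trim on every sample, while the cross-checked controller commands none and stays disabled even after the readings agree again.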
 
  • #617
Ivan Seeking said:
Those are corrections needed to enhance safety but do not eliminate the root cause of failure. They address in part issues that prevent the pilot from recovering.

Was it something like the several second timer that repeats the erroneous trim adjustment? Was it a design control law problem or a problem with something like the software PID implementation of a control law? Typically with a PID control loop the error term has the integral term gain limited (equivalent to a one time adjustment here) to only be able to give X amount of feedback (to combat mechanical system windup to control limits) to adjust the total error signal to balance the control set-point. One of the problems that prevented recovery was the pilot would correct the pitch error but MCAS would just push the nose back down again and again. The pilots were able to counter the nose-down movement multiple times but eventually they ran out of airspace. Obviously the repeated adjustment mode was 'fixed' to one time only now.

I think about the second time you see the trim causing a problem is the time to shut off the trim system and stabilize the aircraft because when the electric trim system fails FOR ANY REASON, the immediate corrective action is to disable the electric trim system per the emergency checklist for runaway stabilizer. The CAUSE might be confusing, but the cause is irrelevant at that point in time.
 
  • Like
Likes cyboman and russ_watters
  • #618
Ivan Seeking said:
Those are corrections needed to enhance safety but do not eliminate the root cause of failure. They address in part issues that prevent the pilot from recovering.
Those correct the design mistakes that drove the plane into the ground. Without those design mistakes, there would have never been a crash.
 
  • #619
Ivan Seeking said:
Those are corrections needed to enhance safety but do not eliminate the root cause of failure.

Why not? What root cause is still there?
 
  • #620
As was said long ago in this thread by me (from Wikipedia)

The JATR said, "MCAS used the stabilizer to change the column force feel, not trim the aircraft. This is a case of using the control surface in a new way that the regulations never accounted for and should have required an issue paper for further analysis by the FAA. If the FAA technical staff had been fully aware of the details of the MCAS function, the JATR team believes the agency likely would have required an issue paper for using the stabilizer in a way that it had not previously been used; this [might have] identified the potential for the stabilizer to overpower the elevator."[26]
(emphasis mine)

This really bad piece of engineering design is the crux. Reprehensible.
 
  • #621
PeterDonis said:
I think that understates the error. It was an error of design and judgment, not just an error of programming.
PeterDonis said:
See my post #580, which lists the key changes required by the FAA. Each one of those changes addresses a fundamental design flaw.

Please give a reference for this. Nothing I have seen says that it was just two lines of code, or that it was just a coding error and not a more fundamental design and judgment error.
Indeed as far as I know, the code correctly executed the control logic the engineers intended, so it can't rightly be called an "error of programming". But if even one of the three programmed features on that list had been done differently, it is possible (as I've speculated before) that by today we still never would have heard of MCAS. And they may be simple changes (though two lines of code seems unlikely). But I still think the wholesale upgrade to the flight computer architecture/philosophy was a good idea.
 
  • #622
PeterDonis said:
I think that understates the error. It was an error of design and judgment, not just an error of programming.
Ahhh, after so much debating...ultimately we agree.
 
  • #623
russ_watters said:
But I still think the wholesale upgrade to the flight computer architecture/philosophy was a good idea.
I alluded to this at the beginning of this thread - before the investigations and remedies were implemented. With a lot of friction I might add.
 
  • #624
cyboman said:
I alluded to this at the beginning of this thread - before the investigations and remedies were implemented. With a lot of friction I might add.
[shrug] I only re-read the first page, and on that page you argued MCAS should not exist. Post #2 includes an allusion to a major system re-design, but not by you. I don't know what your allusion was, when it was, or how I/others responded, so I really can't respond directly to that.

If you want your "I told you so", you'll need to quote where you told me/us so.
 
  • Like
Likes Astronuc
  • #625
I can do that work later. But it's a long thread. From what I remember, my contention was that MCAS was flawed. The logic that governs the system was poor. MCAS was basically a band-aid solution to an unstable airframe due to the placement of the engines. And certainly much of it was arguing MCAS does in fact effect / affect / change / creates a change in forces on the airfoil (it got really needlessly semantic) the trim and hence pitch of the aircraft. Much of what I said has been borne out. Including specific logic I alluded to including limiting maximum commands MCAS can issue and making disabling the system very easy and straightforward. With the MAX it turns out they changed ways in which MCAS worked from previous versions (may have had a different name like speed trim etc...) and while those changes were proven to be stupid and poorly implemented what was even more moronic is the pilots were not adequately informed of those changes. Training costs money. In the end as was also my contention, it all comes back to money.
 
  • #626
russ_watters said:
If you want your "I told you so", you'll need to quote where you told me/us so.
Not sure it's worth digging up for that. I really don't need the chest thumping. I just revisited the thread after so long and couldn't help but notice the "drift" in opinions since the beginning.
 
  • Like
Likes russ_watters
  • #627
cyboman said:
From what I remember, my contention was that MCAS was flawed.

I don't think anyone in this thread disagreed with that contention. Or with the claim that a wholesale upgrade was a good idea. Nor were you the only one who said such things, even early on in the thread.

cyboman said:
much of it was arguing MCAS does in fact effect / affect / change / creates a change in forces on the airfoil (it got really needlessly semantic)

As I said in several posts during that discussion, nobody was disagreeing with you about the aerodynamics of the plane or about what MCAS does to affect them. The disagreement was only over a specific choice of words you kept making that, in the opinion of some others (including me), did not accurately describe what MCAS, and more generally the stability trim system, was intended to do.

In short, yes, you said things in this thread that have turned out to be correct. So did many others.
 
  • Like
Likes Astronuc and russ_watters
  • #628
cyboman said:
couldn't help but notice the "drift" in opinions since the beginning.

I'm not sure what "drift" you are referring to. As far as I can tell, there has been general agreement from the start that MCAS as it was implemented before the crashes was flawed. In particular, the statement of mine that you quoted here...

cyboman said:
PeterDonis said:
I think that understates the error. It was an error of design and judgment, not just an error of programming.

Ahhh, after so much debating...ultimately we agree.

...is the position I have taken throughout this thread, so if we agree on it, we have agreed on it all along.
 
  • Like
Likes Astronuc and russ_watters
  • #629
 
  • #630
PeterDonis said:
I'm not sure what "drift" you are referring to. As far as I can tell, there has been general agreement from the start that MCAS as it was implemented before the crashes was flawed. In particular, the statement of mine that you quoted here...
...is the position I have taken throughout this thread, so if we agree on it, we have agreed on it all along.
Well I recall early on you were quite defensive of any culpability of Boeing and their MCAS system, I thought your arguments initially seemed to allude that it was more pilot error but I could be mistaken.
 
