Boeing How Safe is the Boeing 737 Max's MCAS System?

[anorlunda]

IIRC this was a nonstarter because airline customers would have had to rework jetways and their maintenance infrastructure, all of which were designed for the 737's existing ground clearance.

I find that hard to believe because Boeing was planning the 737-MAX-10 with the higher gear. If you are correct, the 737-MAX-9 [edit: with higher gear] would be a financial disaster but the 737-MAX-10 would be fine. Do you have a source?

I don't have any data on how much higher the gear would be. 20 cm? 1 m?

The jetways I see have vertical adjustment. They have painted calibration marks for the correct jetway height for 737, DC9, AIRBUS320, and so on. So I would be surprised if they must be redesigned to accommodate a higher 737-MAX-9 or a 737-MAX-10.

 

[PeterDonis]

Boeing was planning the 737-MAX-10 with the higher gear.

Yes, it was. However, according to Wikipedia [1], the higher gear for the MAX 10 was driven by the need to move the rotation point aft because of the longer fuselage, and did not change anything about the engine configuration relative to the fuselage, which is what causes the pitch up moment at higher angle of attack. So what Boeing did on the MAX 10 does not remove the need for MCAS or something like it.

[1] https://en.wikipedia.org/wiki/Boeing_737_MAX#737_MAX_10

I don't have any data on how much higher the gear would be.

9.5 inches according to the article linked above.

 

[mfb]

Concerning the discussion about modifying an old design: That's exactly what Airbus did - successfully. Take an A320 from the 1980s (not 50 years, okay, but over 30), change the engine. It worked for Airbus because they had enough space to mount the engine at the same place as before. The problem with the 737 MAX was not the old design, it was the engine not fitting to that old design.

 

[artis]

@mfb correct, and add a heavy dose of corporate greed and financial pressure on top of that.

Maybe one can fix an MCAS system for a plane but one will never be able to fix financial greed, there are no patches for that sort of thing and there are no sensors for it to begin with...Engineers typically work best when they are left alone to master their area of expertise. We normally don't hear about financial experts and share holders making decisions on parts of a particle accelerator for example and rightly so because then scientists could get nowhere, then again in more commercial types of business we see a lot of compromise between what would be good and what "fits the bill".

 

[Dullard]

The engineering of commercial products (those that have to compete for customers) always requires consideration of the economics. A competent 'Chief Engineer' should have identified this issue and insisted on a more robust (and probably costly) system. If you believe that engineers ever get to do exactly what they think is 'best,' you're probably a physicist.

 

[FactChecker]

The engineering of commercial products (those that have to compete for customers) always requires consideration of the economics. A competent 'Chief Engineer' should have identified this issue and insisted on a more robust (and probably costly) system. If you believe that engineers ever get to do exactly what they think is 'best,' you're probably a physicist.

If it was totally left up to engineers (not to denigrate engineers, of which I am one), some engineers would be immediately sure that they had designed a perfect system. Other engineers would be so cautious that the plane would never leave the drafting table. And the end result would be decided by a fistfight.

 

[nsaspook]

While buggy and badly designed MCAS IMO wasn't the root cause of why those two planes crashed. The root cause was a lack of training on quickly, effectively diagnosing and correcting a condition of run-away trim. The run-away trim memory items existed long before MCAS and were effective in saving the plane and lives in cases where MCAS and other systems misbehaved in the past even if the pilots didn't know MCAS was installed. Sure it's a very good thing the probability of MCAS as the source has been reduced but maybe it's more important pilots are being trained and retested on how to fly the plane under these confusing conditions.

Run-away trim memory items and the proper methods to recognize and handle it early is what's really been 'fixed' here.


1:10

 

[PeterDonis]

The root cause was a lack of training on quickly, effectively diagnosing and correcting a condition of run-away trim.

I believe this was discussed earlier in this thread (quite a while ago now since the thread was dormant for a while). My recollection of the TL/DR of that discussion is: first, the symptoms of MCAS failure are not the same as the symptoms of a normal runaway trim event; and second, the standard action pilots were trained to take for runaway trim does not disable MCAS; disabling MCAS requires a more complicated series of actions that no pilots were ever trained to carry out.

 

[PeterDonis]

Here is the FAA's statement on the rescission of the emergency order that prohibited the 737 MAX from flying:

https://www.faa.gov/news/updates/?newsId=93206

It includes links to relevant FAA documents.

 

[PeterDonis]

buggy and badly designed MCAS IMO wasn't the root cause of why those two planes crashed

The changes that were made to the flight control software, as described in the FAA's updated Airworthiness Directive, do not seem to me to support this assertion. Key changes that were made (pp. 6-7) include:

MCAS can only activate based on inputs from both AoA sensors, not a single one.

The inputs from the two AoA sensors must be compared, and if they differ significantly, the speed trim system, which includes MCAS, is disabled for the remainder of the flight (and a light illuminates in the cockpit to indicate this).

Only one MCAS activation is permitted per high AoA event.

The control authority of MCAS is limited such that, even when MCAS is commanding the maximum change it is allowed to the horizontal stabilizer, the pilot can still control pitch using the control column, without having to make any electric or manual stabilizer trim inputs.

The fact that those changes were required indicates to me that the errors in the control software that those changes are correcting were part of the root cause of the two crashes.

Also note that the updated pilot training required for the 737 MAX now includes training in how to recognize an AoA sensor failure and how to get the plane's trim back into a reasonable range before disabling the electric trim system in the event of an AoA sensor failure that triggers an erroneous MCAS activation.

 

[FactChecker]

It is clear from the FAA analysis that the design was riddled with fundamental errors that needed to be corrected. Training is certainly one thing to correct, but the design violated many basic principles that are the first thing to correct before pilot training is even looked at. The design mistakes were inconceivable.

 

[nsaspook]

I believe this was discussed earlier in this thread (quite a while ago now since the thread was dormant for a while). My recollection of the TL/DR of that discussion is: first, the symptoms of MCAS failure are not the same as the symptoms of a normal runaway trim event; and second, the standard action pilots were trained to take for runaway trim does not disable MCAS; disabling MCAS requires a more complicated series of actions that no pilots were ever trained to carry out.

I have to disagree.

The normal memory checklist for a runaway trim event is to disable the trim power by flipping switches. This disables any possible electrical movement command including MCAS.

 

[PeterDonis]

The normal memory checklist for a runaway trim event is to disable the trim power by flipping switches. This disables any possible electrical movement command including MCAS.

It's not that simple.

First, disabling the electric trim system completely, which disables MCAS as well, means you have to put the trim back where it's supposed to be using the mechanical trim wheel. That can be prohibitively difficult or even impossible once MCAS has put the trim far enough in the wrong direction--MCAS before the changes now being implemented had enough control authority to put the trim in a place where it is physically impossible to readjust it using the mechanical trim wheel. (And in such a position the pilot also cannot exert enough force on the control column to have the needed pitch authority.)

Second, disabling just automatic electric trim while leaving the manual electric trim powered, so you can put the trim back where it belongs using the manual electric trim system, does not disable MCAS. So you get into repeated cycles of MCAS putting the trim out of whack, using the manual electric trim system to readjust it, and then MCAS putting it out of whack again. The only way out of this loop is to use the manual electric trim system to put the trim back where it belongs, and then immediately shut off electric trim completely, so you're now restricted to the mechanical trim wheel for the remainder of the flight. That is what the updated pilot training now trains pilots to do in the event of an erroneous MCAS trim adjustment; but the previous pilot training did not train them to do that.

Both of these issues were factors in the crashes. (And all of this has been well discussed previously in this thread, though of course it's been a while now.)

 

[nsaspook]

It's not that simple.

First, disabling the electric trim system completely, which disables MCAS as well, means you have to put the trim back where it's supposed to be using the mechanical trim wheel. That can be prohibitively difficult or even impossible once MCAS has put the trim far enough in the wrong direction--MCAS before the changes now being implemented had enough control authority to put the trim in a place where it is physically impossible to readjust it using the mechanical trim wheel.

Second, disabling just automatic electric trim while leaving the manual electric trim powered, so you can put the trim back where it belongs using the manual electric trim system, does not disable MCAS. So you get into repeated cycles of MCAS putting the trim out of whack, using the manual electric trim system to readjust it, and then MCAS putting it out of whack again. The only way out of this loop is to use the manual electric trim system to put the trim back where it belongs, and then immediately shut off electric trim completely, so you're now restricted to the mechanical trim wheel for the remainder of the flight. That is what the updated pilot training now trains pilots to do in the event of an erroneous MCAS trim adjustment; but the previous pilot training did not train them to do that.

Both of these issues were factors in the crashes.

I agree that early detection of the problem is the key, ie training. The old procedure worked to disable MCAS in a recoverable mode if you didn't allow the trim to move the jack-screw to extreme locations that required beyond human effort.

In the Lion air case the day before the fatal crash a crew did the Trim runaway memory item correctly, MCAS was disconnected when the trim power was cut, plane landed safely.
https://en.wikipedia.org/wiki/Lion_Air_Flight_610

Passengers recounted that the aircraft had suffered an engine problem and were told not to board it as engineers tried to fix the problem. While the aircraft was en route to Jakarta, it had problems maintaining a constant altitude, with passengers stating that it was like "a roller-coaster ride."[118] The chief executive officer of Lion Air, Edward Sirait, said the aircraft had a "technical issue" on Sunday night, but this had been addressed in accordance with maintenance manuals issued by the manufacturer. Engineers had declared that the aircraft was ready for takeoff on the morning of the accident.[119][120] Information later emerged that a third pilot was on the flight to Jakarta and told the crew to cut power to the stabilizer trim motors which fixed the problem. This method is a standard memory item in the 737 checklist.[121] Subsequently, the National Transportation Safety Committee confirmed the presence of an off-duty Boeing 737 MAX 8 qualified pilot in the cockpit but did not confirm the role of the pilot in fixing the problem, and denied that there was any recording of the previous flight in the CVR of Lion Air Flight 610.[122]

 

[PeterDonis]

The old procedure worked if you didn't allow the trim to move the jack-screw to extreme locations that required beyond human effort.

Yes, but having that happen was a matter of luck. See below.

In the Lion air case the day before the fatal crash a crew did the Trim runaway memory item correctly

But only because there was an off duty pilot sitting in the jump seat in the cockpit, who, not being distracted by all the other stuff that was going on in the cockpit (note that another item now being added in the 737 MAX pilot training is how to deal with multiple warnings in the cockpit all going off at the same time), was able to figure out what to do and told the crew to do it.

 

[nsaspook]

Yes, but having that happen was a matter of luck. See below.
But only because there was an off duty pilot sitting in the jump seat in the cockpit, who, not being distracted by all the other stuff that was going on in the cockpit (note that another item now being added in the 737 MAX pilot training is how to deal with multiple warnings in the cockpit all going off at the same time), was able to figure out what to do and told the crew to do it.

That's why I included the example. It was possible to disable MCAS even it you didn't know the system existed but knowing it existed and training on how to handing its unique signature of failure might have saved both flights.

 

[PeterDonis]

a crew did the Trim runaway memory item correctly

Also note that, in the updated pilot training for the 737 MAX, this item is now different: before shutting off the electric trim system, you now have to check to make sure the trim is close enough to where it should be for mechanical adjustment, and if it isn't, you have to use the manual electric trim system to put it there. So saying that "the old procedure worked" is, IMO, a misstatement; the old procedure did not work as the pilots were trained to do it, because it ignored the possibility of the trim being in a condition where mechanical adjustment was not possible. The reason for that was that the old procedure was developed before MCAS existed, and before MCAS existed, there was not a possibility of the automatic electric trim system putting the trim in a place where mechanical adjustment was not possible; without MCAS that system cannot do that. So adding MCAS should have originally included adding that extra check and operation to the procedure which is now added.

 

[nsaspook]

Also note that, in the updated pilot training for the 737 MAX, this item is now different: before shutting off the electric trim system, you now have to check to make sure the trim is close enough to where it should be for mechanical adjustment, and if it isn't, you have to use the manual electric trim system to put it there. So saying that "the old procedure worked" is, IMO, a misstatement; the old procedure did not work as the pilots were trained to do it, because it ignored the possibility of the trim being in a condition where mechanical adjustment was not possible. The reason for that was that the old procedure was developed before MCAS existed, and before MCAS existed, there was not a possibility of the automatic electric trim system putting the trim in a place where mechanical adjustment was not possible; without MCAS that system cannot do that. So adding MCAS should have originally included adding that extra check and operation to the procedure which is now added.

I mainly agree but that all assumes you still have a functional electrical system to manual trim, switches fail, wires short, motors jam. There was always the possibility of electric trim system putting the trim in a place where mechanical adjustment was not possible long before MCAS.

http://www.b737.org.uk/runawaystab.htm#rc

 

[FactChecker]

The original design would send the plane into a dive due to the AOA signal WITHOUT EVEN CHECKING IF THERE WAS AN AOA MISCOMPARE.
It had complete authority that the pilot could not overcome.
It was persistent and would turn itself back on, giving itself more control time than it gave to the pilot.
It removed the needed AOA miscompare indication from the pilot displays unless they had paid an additional amount for it.
These are all terrible design decisions. The fact that there was also a training issue should not be used as an excuse for these design mistakes. The corrective actions take care of them all and will make the plane much, much safer. That is what a design should do.

 

[PeterDonis]

There was always the possibility of electric trim system putting the trim in a place where mechanical adjustment was not possible long before MCAS.

But if the electric trim system is failed, you can't use it to get out of such a situation. That's not what we're talking about. We're talking about a situation where the electric trim system is working, so it can be used to get out of such a situation--but the only way to get into such a situation with a working electric trim system is MCAS.

 

[nsaspook]

But if the electric trim system is failed, you can't use it to get out of such a situation. That's not what we're talking about. We're talking about a situation where the electric trim system is working, so it can be used to get out of such a situation--but the only way to get into such a situation with a working electric trim system is MCAS.

What about the auto-pilot (a separate system from MCAS)? It controls trim too and is on the run-away trim memory checklist.

Training is not a excuse for bad engineering. Good operations means being prepared with proper training for the unlikely and practicing the impossible in training scenarios.

 

[PeterDonis]

What about the auto-pilot (a separate system from MCAS)?

What about it?

Training is not a excuse for bad engineering.

Agreed. But you were arguing that bad engineering was not the root cause of the 737 MAX crashes. I don't see how that follows from the fact that the training was also bad. Both were bad, and both were contributing root causes of the crashes.

Good operations means being prepared with proper training for the unlikely and practicing the impossible in training scenarios.

Yes, and the 737 MAX training prior to these new changes did not do that; it didn't even tell pilots that MCAS existed. How can pilots be expected to properly understand what the airplane is doing if they don't even know of the existence of an important system?

 

[nsaspook]

What about it?
Agreed. But you were arguing that bad engineering was not the root cause of the 737 MAX crashes. I don't see how that follows from the fact that the training was also bad. Both were bad, and both were contributing root causes of the crashes.
Yes, and the 737 MAX training prior to these new changes did not do that; it didn't even tell pilots that MCAS existed. How can pilots be expected to properly understand what the airplane is doing if they don't even know of the existence of an important system?

The 737 auto-pilot is on the run-away trim checklist because MCAS is not the only thing that can cause the trim system to move to a mechanically hard to recover position with a working electric trim system.

Yes. It's because MCAS was a bandaid to cover some MAX extreme flight control issues that would have required type training. The reason MCAS is the 737 MAX is to eliminate a training requirement. It wasn't needed to fly the plane safely.

Agree.

 

[Ivan Seeking]

I believe this was discussed earlier in this thread (quite a while ago now since the thread was dormant for a while). My recollection of the TL/DR of that discussion is: first, the symptoms of MCAS failure are not the same as the symptoms of a normal runaway trim event; and second, the standard action pilots were trained to take for runaway trim does not disable MCAS; disabling MCAS requires a more complicated series of actions that no pilots were ever trained to carry out.

I have some inside knowledge of this event. My understanding is that ultimately it came down to two misplaced lines of code . It is being called by some the most expensive programming error in history.

 

[nsaspook]

I have some inside knowledge of this event. My understanding is that ultimately it came down to two misplaced lines of code . It is being called by some the most expensive programming error in history.

All of this death, cost and work for a system to adjust the pilot column pull to give the MAX the flying feel of older 737 models.

A classic example of how shortcuts become disastrous.

 

[Astronuc]

And the end result would be decided by a fistfight.

I've had lively discussions with fellow engineers, and certainly voices, as well as blood pressures, got raised, faces got flushed, and some expletives exchanged, but I've never had or witnessed a fistfight. I did have one manager mention impaling another manager though. I've heard of other colleagues who witnessed stuff getting thrown, or smashed.Another complication regarding faulty speed indicators - Invasive keyhole wasp builds nests in aircraft instruments, may pose 'significant risk' to air safety!
https://www.abc.net.au/news/science...bes-brisbane-airport-aviation-safety/12919668

https://www.biorxiv.org/content/10.1101/2019.12.15.877274v2.full

At 80 knots on take-off the captain found out that his air speed indicator (ASI) wasn’t working properly. The co-pilot’s indicator seemed to work fine. While climbing through 4700 feet the captain’s ASI read 350 knots (real speed was about 220 knots); ‘resulting in an autopilot/autothrottle reaction to increase the pitch-up attitude and a power reduction in order to lower the airspeed’. At that time the crew got ‘rudder ratio’ and ‘Mach airspeed’ advisory warnings.

https://www.flightsafetyaustralia.com/2015/07/small-but-dangerous/

 

[PeterDonis]

All of this death, cost and work for a system to adjust the pilot column pull to give the MAX the flying feel of older 737 models.

As I understand it, some adjustment of the stick force would have been necessary in any case in order to meet the basic FAA requirement that the stick force should always increase with increasing angle of attack; the "raw" stick force on a 737 MAX, with no adjustment, starts decreasing at high enough angles of attack due to the pitch up moment from the engines.

 

[nsaspook]

As I understand it, some adjustment of the stick force would have been necessary in any case in order to meet the basic FAA requirement that the stick force should always increase with increasing angle of attack; the "raw" stick force on a 737 MAX, with no adjustment, starts decreasing at high enough angles of attack due to the pitch up moment from the engines.

I've never officially seen the manual flight characteristics (within normal flight) of the 737 described as out of basic FAA flight characteristic requirements. My understanding is that's a solid requirement that can't be fixed by automation in commercial aviation. Making it handle like another type (the rest of the 737 family) did require some adjustment of the stick force. That's why MCAS exists today.


10:20

Judging from the early history of MCAS Boeing did an end-around on the FAA to get MCAS approved without additional training.
https://www.oig.dot.gov/sites/default/files/FAA Oversight of Boeing 737 MAX Certification Timeline Final Report.pdf

According to internal Boeing meeting minutes from 2013,26 the company made
the decision to portray MCAS as a modification to an existing flight control
system in part because if MCAS “was emphasized as a new function, there may
be a greater certification and training impact.” An ODA representative working on
FAA’s behalf also agreed with portraying MCAS as a modification and not a new
function. According to an FAA Flight Standards representative and an internal
Boeing email, an early Boeing program goal was to keep a common type rating
for the aircraft—which would minimize additional training requirements for 737
MAX pilots previously certified on the NG series—and to avoid the need for 737
MAX pilots to train in simulators, which can add costs for airlines that purchase
the aircraft. References to MCAS were later removed from flight crew training
requirements; therefore, any simulator training, while not proposed, probably
would not have included MCAS.

 

[Ivan Seeking]

Just a personal observation: Boeing has been one of my biggest customers for over 25 years. And by chance I have spent much of the last 2.5 years onsite at Boeing at one of their major production facilities. I have never seen things so dark. First they were plagued with issues on the 787. Then it became clear that they had many issues with pretty much all of their models. Then the 737 nightmare hit. And then Covid hit. It didn't take long until we started seeing the unavoidable layoff and early retirements. Not long ago a lot of long-time familiar faces went away. People were noticeably shaken. As one Boeing employee told me, the place a like a ghost town.

They have made a great effort to avoid direct layoffs and instead pushed early retirements.

The end of this nightmare episode is in sight and a vaccine is coming. We all know it is just a matter of time. But it has been terribly painful to watch. And talk about budget cuts! Wow. We are down to the bone.

 

[FactChecker]

I've had lively discussions with fellow engineers, and certainly voices, as well as blood pressures, got raised, faces got flushed, and some expletives exchanged, but I've never had or witnessed a fistfight. I did have one manager mention impaling another manager though. I've heard of other colleagues who witnessed stuff getting thrown, or smashed.

I know of an organization where two groups, which worked in the same, large, room in adjoining rows of cubicles were ordered not to talk to each other. Their managers were afraid that any talking would lead to actual fistfights.