Boeing How Safe is the Boeing 737 Max's MCAS System?

[PeterDonis]

My understanding is that's a solid requirement that can't be fixed by automation in commercial aviation.

I linked to the relevant FAA requirement way back in post #437; here is a link to it again:

https://www.ecfr.gov/cgi-bin/text-idx?node=14:1.0.1.3.11#se14.1.25_1173

There is nothing that says you can't use automation (or otherwise alter the "raw" stick feel, for example by putting weights in carefully chosen locations in the mechanical linkages, which is what smaller aircraft often have) to meet the requirement, just that you have to meet it.

 

[mfb]

It is being called by some the most expensive programming error in history.

March 2020 estimates were $19-23 billion - excluding some open lawsuits, and not including recent delays.
Industry estimates for a new airplane development were around $10-12 billion.

Airbus estimated $1.3 billion development cost for the A320neo. Boeing's cost is disputed but not much larger than that.

 

[nsaspook]

I linked to the relevant FAA requirement way back in post #437; here is a link to it again:

https://www.ecfr.gov/cgi-bin/text-idx?node=14:1.0.1.3.11#se14.1.25_1173

There is nothing that says you can't use automation (or otherwise alter the "raw" stick feel, for example by putting weights in carefully chosen locations in the mechanical linkages, which is what smaller aircraft often have) to meet the requirement, just that you have to meet it.

Thanks.

As far as I can tell MCAS was originally (not sure what later changes were made without Boeing informing the FAA of those changes) designed as a limited cure for the stick-force-per-g tests not not static longitudinal stability in normal flight. The airplane does not become unstable, it's handling becomes unacceptable during required out of normal flight testing.

https://aviation.stackexchange.com/questions/66799/what-is-mcas-trying-to-fix-on-b737-max

From an email from the author of the SeattleTimes article, Dominic Gates:

The description of MCAS provided by Boeing for regulators (FAA and foreign) during certification, is this:

MCAS “was added to address potential nose-up pitching moment at high angles of attack at high airspeeds outside the normal flight envelope.”

Elsewhere in the documents, it’s made clear that MCAS was expected to kick in when a MAX approached a “wind-up turn,” which is essentially a banked downward spiral. Of course a commercial jet would never in normal flight do such a maneuver. But in flight tests for certification, the test pilots are required to show that the plane can approach that and not lose lift on one wing and flip over.

Can you post that answer for me? Thanks, Dominic Gates

https://aviation.stackexchange.com/...-require-it-to-be-harder-for-pilots-to-pull-b

 

[OCR]

“wind-up turn”

AKA. . . A graveyard spiral.

Some more sensory illusions in aviation. . .

.

 

[PeterDonis]

As far as I can tell MCAS was originally (not sure what later changes were made without Boeing informing the FAA of those changes) designed as a limited cure for the stick-force-per-g tests not not static longitudinal stability in normal flight.

Item 25.173 (c) is the stick force curve requirement. Yes, I know the section as a whole is titled "static longitudinal stability", but for whatever reason, they included the stick force curve requirement there.

 

[nsaspook]

Item 25.173 (c) is the stick force curve requirement. Yes, I know the section as a whole is titled "static longitudinal stability", but for whatever reason, they included the stick force curve requirement there.

So, when you drill down to the bottom, this was your classic Corner case problem with a solution that turns out much worse than the original problem.

 

[Office_Shredder]

So, when you drill down to the bottom, this was your classic Corner case problem with a solution that turns out much worse than the original problem.

That's probably a bit unfair. Only two planes have crashed from implementing a solution to this. Do you think this hasn't prevented two planes crashes in the history of the regulation?

 

[FactChecker]

That's probably a bit unfair. Only two planes have crashed from implementing a solution to this. Do you think this hasn't prevented two planes crashes in the history of the regulation?

And there were probably crashes that led to this regulation.

 

[nsaspook]

That's probably a bit unfair. Only two planes have crashed from implementing a solution to this. Do you think this hasn't prevented two planes crashes in the history of the regulation?

My comment was pointed to Boeing, not the need for the regulation. Yes, it's very unfair to Boeing. They took a stable aircraft under normal flight conditions and transformed it into a flying bronco that killed 346 people in two crashes within 5 months.
https://www.satcom.guru/2019/05/737-pitch-trim-incidents.html

There is no documented 737 accident as a result of stabilizer/pitch trim malfunction or failure (prior to JT610 and ET302).

The actual regulation to discover faults at the limits of operation, something engineering does daily when we build new things is not the issue. The issue is the solution to the discovered fault.

 

[Ivan Seeking]

My comment was pointed to Boeing, not the need for the regulation. Yes, it's very unfair to Boeing. They took a stable aircraft under normal flight conditions and transformed it into a flying bronco that killed 346 people in two crashes within 5 months.

But it wasn't inherently flawed. It was a programming error. That doesn't suggest that Boeing fundamentally did anything wrong. It might speak to issues of peer review and testing but not the essential approach.

I have always felt a real problem was self policing for the FAA. That should never be allowed. If it wasn't THE cause of this disaster, it was bound to be sooner or later.

 

[PeterDonis]

It was a programming error.

I think that understates the error. It was an error of design and judgment, not just an error of programming.

 

[Ivan Seeking]

I think that understates the error. It was an error of design and judgment, not just an error of programming.

Why? I didn't want to read all 25 pages. Can you give a quick synopsis of the argument? In the end, as I understand it, if two lines of code had not been misplaced, or if that error had been identified in the testing process, it never would have happened. I am familiar with the design history and how this plane was modified.

 

[PeterDonis]

Can you give a quick synopsis of the argument?

See my post #580, which lists the key changes required by the FAA. Each one of those changes addresses a fundamental design flaw.

if two lines of code had not been misplaced

Please give a reference for this. Nothing I have seen says that it was just two lines of code, or that it was just a coding error and not a more fundamental design and judgment error.

 

[FactChecker]

Why? I didn't want to read all 25 pages. Can you give a quick synopsis of the argument? In the end, as I understand it, if two lines of code had not been misplaced,

IMO, no two-line misplacement could have caused all the problems that were identified. The issues have been listed several times in this thread and you can see them identified in Section 5.2 (pages 20-21) of this report.

 

[Ivan Seeking]

See my post #580, which lists the key changes required by the FAA. Each one of those changes addresses a fundamental design flaw.
Please give a reference for this. Nothing I have seen says that it was just two lines of code, or that it was just a coding error and not a more fundamental design and judgment error.

Ah, sorry, I can't produce that yet. But it will be coming out.

 

[Ivan Seeking]

The changes that were made to the flight control software, as described in the FAA's updated Airworthiness Directive, do not seem to me to support this assertion. Key changes that were made (pp. 6-7) include:

MCAS can only activate based on inputs from both AoA sensors, not a single one.

The inputs from the two AoA sensors must be compared, and if they differ significantly, the speed trim system, which includes MCAS, is disabled for the remainder of the flight (and a light illuminates in the cockpit to indicate this).

Only one MCAS activation is permitted per high AoA event.

The control authority of MCAS is limited such that, even when MCAS is commanding the maximum change it is allowed to the horizontal stabilizer, the pilot can still control pitch using the control column, without having to make any electric or manual stabilizer trim inputs.

The fact that those changes were required indicates to me that the errors in the control software that those changes are correcting were part of the root cause of the two crashes.

Also note that the updated pilot training required for the 737 MAX now includes training in how to recognize an AoA sensor failure and how to get the plane's trim back into a reasonable range before disabling the electric trim system in the event of an AoA sensor failure that triggers an erroneous MCAS activation.

Those are corrections needed to enhance safety but do not eliminate the root cause of failure. They address in part issues that prevent the pilot from recovering.

 

[nsaspook]

Those are corrections needed to enhance safety but do not eliminate the root cause of failure. They address in part issues that prevent the pilot from recovering.

Was it something like the several second timer that repeats the erroneous trim adjustment? Was it a design control law problem or a problem with some like the software PID implementation of a control law? Typically with a PID control loop the error term has the integral term gain limited (equivalent to a one time adjustment here) to only be able to give X amount of feedback (to combat mechanical system windup to control limits) to adjust the total error signal to balance the control set-point. One of the problems that prevented recovery was the pilot would correct the pitch error but MCAS would just push the nose back down again and again. The pilots were able to counter the nose-down movement multiple times but eventually they ran out of airspace. Obviously the repeated adjustment mode was 'fixed' to one time only now.

I think about the second time you see the trim causing a problem is the time to shut off the trim system and stabilize the aircraft because when the electric trim system fails FOR ANY REASON, the immediate corrective action is to disable the electric trim system per the emergency checklist for runaway stabilizer. The CAUSE might be confusing, but the cause is irrelevant at that point in time.

 

[FactChecker]

Those are corrections needed to enhance safety but do not eliminate the root cause of failure. They address in part issues that prevent the pilot from recovering.

Those correct the design mistakes that drove the plane into the ground. Without those design mistakes, there would have never been a crash.

 

[PeterDonis]

Those are corrections needed to enhance safety but do not eliminate the root cause of failure.

Why not? What root cause is still there?

 

[hutchphd]

As was said long ago in this thread by me (from Wikipedia)

The JATR said, "MCAS used the stabilizer to change the column force feel, not trim the aircraft. This is a case of using the control surface in a new way that the regulations never accounted for and should have required an issue paper for further analysis by the FAA. If the FAA technical staff had been fully aware of the details of the MCAS function, the JATR team believes the agency likely would have required an issue paper for using the stabilizer in a way that it had not previously been used; this [might have] identified the potential for the stabilizer to overpower the elevator."[26]
(emphasis mine)

This really bad piece of engineering design is the crux. Reprehensible.

 

[russ_watters]

I think that understates the error. It was an error of design and judgment, not just an error of programming.

See my post #580, which lists the key changes required by the FAA. Each one of those changes addresses a fundamental design flaw.

Please give a reference for this. Nothing I have seen says that it was just two lines of code, or that it was just a coding error and not a more fundamental design and judgment error.

Indeed as far as I know, the code correctly executed the control logic the engineers intended, so it can't rightly be called an "error of programming". But if even one of the three programmed features on that list had been done differently, it is possible (as I've speculated before) that by today we still never would have heard of MCAS. And they may be simple changes (though two lines of code seems unlikely). But I still think the wholesale upgrade to the flight computer architecture/philosophy was a good idea.

 

[cyboman]

I think that understates the error. It was an error of design and judgment, not just an error of programming.

Ahhh, after so much debating...ultimately we agree.

 

[cyboman]

But I still think the wholesale upgrade to the flight computer architecture/philosophy was a good idea.

I alluded to this at the beginning of this thread - before the investigations and remedies were implemented. With a lot of friction I might add.

 

[russ_watters]

I alluded to this at the beginning of this thread - before the investigations and remedies were implemented. With a lot of friction I might add.

[shrug] I only re-read the first page, and on that page you argued MCAS should not exist. Post #2 includes an allusion to a major system re-design, but not by you. I don't know what your allusion was, when it was, or how I/others responded, so I really can't respond directly to that.

If you want your "I told you so", you'll need to quote where you told me/us so.

 

[cyboman]

I can do that work later. But it's a long thread. From what I remember, my contention was that MCAS was flawed. The logic that governs the system was poor. MCAS was basically a band-aid solution to an unstable airframe due to the placement of the engines. And certainly much of it was arguing MCAS does in fact effect / affect / change / creates a change in forces on the airfoil (it got really needlessly semantic) the trim and hence pitch of the aircraft. Much of what I said has born out. Including specific logic I alluded to including limiting maximum commands MCAS can issue and making disabling the system very easy and straightforward. With the max it turns out they changed ways in which MCAS worked from previous versions (may have had a different name like speed trim etc...) and while those changes were proven to be stupid and poorly implemented what was even more moronic is the pilots were not adequately informed of those changes. Training costs money. In the end as was also my contention, it all comes back to money.

 

[cyboman]

If you want your "I told you so", you'll need to quote where you told me/us so.

Not sure it's worth digging up for that. I really don't need the chest thumping. I just revisited the thread after so long and couldn't help but notice the "drift" in opinions since the beginning.

 

[PeterDonis]

From what I remember, my contention was that MCAS was flawed.

I don't think anyone in this thread disagreed with that contention. Or with the claim that a wholesale upgrade was a good idea. Nor were you the only one who said such things, even early on in the thread.

much of it was arguing MCAS does in fact effect / affect / change / creates a change in forces on the airfoil (it got really needlessly semantic)

As I said in several posts during that discussion, nobody was disagreeing with you about the aerodynamics of the plane or about what MCAS does to affect them. The disagreement was only over a specific choice of words you kept making that, in the opinion of some others (including me), did not accurately describe what MCAS, and more generally the stability trim system, was intended to do.

In short, yes, you said things in this thread that have turned out to be correct. So did many others.

 

[PeterDonis]

couldn't help but notice the "drift" in opinions since the beginning.

I'm not sure what "drift" you are referring to. As far as I can tell, there has been general agreement from the start that MCAS as it was implemented before the crashes was flawed. In particular, the statement of mine that you quoted here...

I think that understates the error. It was an error of design and judgment, not just an error of programming.

Ahhh, after so much debating...ultimately we agree.

...is the position I have taken throughout this thread, so if we agree on it, we have agreed on it all along.

 

[DaveE]

 

[cyboman]

I'm not sure what "drift" you are referring to. As far as I can tell, there has been general agreement from the start that MCAS as it was implemented before the crashes was flawed. In particular, the statement of mine that you quoted here...
...is the position I have taken throughout this thread, so if we agree on it, we have agreed on it all along.

Well I recall early on you were quite defensive of any culpability of Boeing and their MCAS system, I thought your arguments initially seemed to allude that it was more pilot error but I could be mistaken.