Boeing How Safe is the Boeing 737 Max's MCAS System?

The discussion centers on concerns regarding the Boeing 737 Max's Maneuvering Characteristics Augmentation System (MCAS) and its potential flaws, particularly its ability to execute a nose-down maneuver at any altitude. Participants express confusion over the system's operation, noting that MCAS is designed to assist pilots by adjusting trim rather than overriding their control. There are significant concerns about the system's reliance on angle of attack sensors, with suggestions that a third sensor could improve fault detection. The idea of implementing a minimum altitude threshold for MCAS activation is debated, with some arguing it could prevent dangerous situations during critical phases of flight. Overall, the conversation highlights the need for better safety measures and clearer pilot control in automated systems.
  • #661
nsaspook said:
https://www.boeing.com/commercial/737max/737-max-software-updates.page

The approved software fix is still using trim/stabilizer adjustments to adjust/enhance the pitch stability of the airplane, right?
They fixed three glaring sins of CLAW design:
1) MCAS only looked at one AOA sensor. That was a sin.
2) MCAS took control repeatedly and for longer times than it allowed the pilots to correct it. That was another sin.
3) MCAS had more control authority than the pilots. That was a third sin.
I am sure that experienced CLAW designers were horrified.
It is not clear to me that any amount of pilot knowledge and training would have made it safe.
 
  • #662
nsaspook said:
So IMO after a long period of intense investigation it was decided the basic concept was OK but the execution of that concept was the root engineering error by the certification agencies.
While that will be the effect of the current ruling (AFAIK the software update described is the only fix, the 737 MAX is still considered the same aircraft type), I'm not sure how much of that decision was driven by actual engineering judgment as opposed to the political implications if such a fix were not approved.
 
  • Like
Likes nsaspook and hutchphd
  • #663
PeterDonis said:
While that will be the effect of the current ruling (AFAIK the software update described is the only fix, the 737 MAX is still considered the same aircraft type), I'm not sure how much of that decision was driven by actual engineering judgment as opposed to the political implications if such a fix were not approved.
+1
I would certainly hope political implications were at the bottom of the heap for that decision.

https://www.faa.gov/foia/electronic_reading_room/boeing_reading_room/media/737_RTS_Summary.pdf
Boeing proposed multiple updates to the MCAS function to address Safety Item #1: USE OF SINGLE ANGLE OF ATTACK (AOA) SENSOR, Safety Item #2: MCAS RESET GENERATES REPETITIVE MCAS COMMAND and Safety item #3: MCAS TRIM AUTHORITY in the previous chart. The MCAS activation software now includes a maximum limit of one nosedown stabilizer activation during a single elevated AOA event and cannot be reset by pilot activation of the electric trim switches. An AOA sensor monitor was added to prevent MCAS from using an AOA input if it differs from the other AOA input by more than 5.5 degrees. Boeing incorporated a maximum command limit to disable the MCAS and speed trim operations if the stabilizer position exceeds a reference position. This limit ensures sufficient elevator control is available to provide maneuvering capability using control column inputs alone.

13. FAA Conclusion

Following a thorough, transparent and inclusive process, the FAA determined that Boeing’s changes to the 737 MAX design, flightcrew procedures and maintenance procedures effectively mitigate the airplane-related safety issues that contributed to the Flight 610 and Flight 302 accidents. The FAA further determined that the design change addressed additional safety concerns beyond those identified during the accident investigations. This report does not address other safety issues that might have contributed to the accidents but are not related to airplane design, including maintenance, aircraft operator and air traffic control. The FAA believes recommendations related to these other potential contributing factors should be addressed by the appropriate organizations. Further, the FAA evaluated Boeing’s proposed flightcrew training through the Flight Standardization Board process. The FAA issued a final Boeing 737 Flight Standardization Board Report documenting the results of the operational evaluation.
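
The three changes in the FAA summary quoted above, modelled as a small activation gate next to the earlier behaviour the thread describes. This is an added example, not Boeing's or the FAA's code and not part of the original post. Only the 5.5-degree disagree limit comes from the summary; the elevated-AOA threshold, trim step, stabilizer reference value, the use of the lower of two agreeing inputs, and both sample traces are constructed assumptions.

```python
AOA_DISAGREE_LIMIT_DEG = 5.5  # from the FAA summary quoted in the thread
AOA_ELEVATED_DEG = 12.0       # assumption: onset of an "elevated AOA event"
STAB_REFERENCE_LIMIT = 4.0    # assumption: nose-down trim units
STEP = 2.5                    # assumption: nose-down units per activation


def count_legacy(samples):
    """Earlier behaviour as described in the thread: one AOA input is used,
    and a pilot electric-trim input re-arms the function."""
    armed, count = True, 0
    for left, _right, pilot_trim in samples:
        if pilot_trim or left < AOA_ELEVATED_DEG:
            armed = True
        if armed and left >= AOA_ELEVATED_DEG:
            count += 1
            armed = False
    return count


class FixedGate:
    """Gate with the three changes: input monitor, one activation per
    elevated-AOA event, and a stabilizer-position command limit."""

    def __init__(self):
        self.fired_this_event = False

    def step(self, left, right, stab_pos):
        """Return the nose-down command (0.0 or STEP) for one sample."""
        if stab_pos > STAB_REFERENCE_LIMIT:
            return 0.0                      # command limit reached
        if abs(left - right) > AOA_DISAGREE_LIMIT_DEG:
            return 0.0                      # inputs disagree: AOA not used
        if min(left, right) < AOA_ELEVATED_DEG:
            self.fired_this_event = False   # only the end of the event re-arms
            return 0.0
        if self.fired_this_event:
            return 0.0                      # pilot trim does not reset this
        self.fired_this_event = True
        return STEP


def count_fixed(samples):
    """Run the gate over a trace; pilot trim moves the stabilizer back."""
    gate, stab, count = FixedGate(), 0.0, 0
    for left, right, pilot_trim in samples:
        cmd = gate.step(left, right, stab)
        count += cmd > 0
        stab += cmd - (STEP if pilot_trim else 0.0)
    return count


# Constructed trace: left vane failed high, pilot re-trims every other sample.
STUCK_VANE = [(22.0, 3.0, i % 2 == 1) for i in range(10)]
# Constructed trace: two genuine elevated-AOA events, both inputs agreeing.
GENUINE = [(14.0, 13.0, False), (14.0, 13.0, True), (14.0, 13.0, False),
           (14.0, 13.0, False), (5.0, 5.0, False),
           (14.5, 14.0, False), (14.5, 14.0, False)]
```

On the failed-vane trace the earlier logic re-fires after every pilot trim input while the gated version never activates; on the genuine trace the gated version activates once per event.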
 
  • #664
nsaspook said:
Was it something like the several second timer that repeats the erroneous trim adjustment? Was it a design control law problem or a problem with something like the software PID implementation of a control law? Typically with a PID control loop the error term has the integral term gain limited (equivalent to a one time adjustment here) to only be able to give X amount of feedback (to combat mechanical system windup to control limits) to adjust the total error signal to balance the control set-point. One of the problems that prevented recovery was the pilot would correct the pitch error but MCAS would just push the nose back down again and again. The pilots were able to counter the nose-down movement multiple times but eventually they ran out of airspace. Obviously the repeated adjustment mode was 'fixed' to one time only now.

The main thing to avoid in airplane stability & control, is an aerodynamic nose up moment that is not commanded by the pilot. The uncommanded nose-up moment would not auto-stabilize, but rapidly get progressively larger with increasing angle of attack, and run away to a stalled airplane.

During certification of a passenger airplane, many tests are carried out to check if the airframe does not start to have a mind of its own.

  • If the pilot does not provide a control input, the airframe must return to the trimmed position.
  • Forces and inputs to move the airplane away from trimmed position must be such that there is an ever increasing force required to achieve an ever increasing nose-up position. The nose-up position must always be commanded by the flight control surfaces, elevator and stabilizer, in a predictable way.
One of the tests to be performed during certification is stick-force-per-g. Bank the airplane and start turning while pulling the stick back in order to maintain altitude. Then bank more and pull back more, in ever tightening turns. It must be progressively harder to pull back on the stick to maintain altitude, never easier.

It was during this wind-up turn that due to the engine configuration of the MAX an aerodynamic nose-up moment appeared, which would cause the pitch stick force to suddenly become less than expected. Not as bad as a runaway pitch, but still an undesirable situation when the pilot is still straining to maintain the maneuver. This is the situation that MCAS was originally designed for, to auto-compensate for this situation only.

The pilots of ET302 needed to unload the stabilizer, and you would only need to unload the stabilizer if you've allowed the trim runaway to progress to a point at, or very near, the full nose-down limit AND you failed to reduce thrust and your airspeed is excessive. The Ethiopian flight's indicated airspeed reached 390 knots.

Neither accident crew accomplished the steps on either the runaway stabilizer or unreliable airspeed checklists. Both of which have as either their 2nd (IAS) or 3rd (trim) step to disengage the autothrottles.

They did not.

1. Control Column, hold firmly
2. Autopilot (if engaged), disengage
3. Autothrottle (if engaged), disengage
4. Choose one:
... The runaway stops after the autopilot is disengaged:
... End of procedure

... The runaway continues after the autopilot is disengaged:
... ... STAB TRIM CUTOUT switches (both), CUTOUT
... ... ... If the runaway continues:
... ... ... ... Stabilizer trim wheel, Grasp and hold

The ET Captain engaged the A A/P (the one on the side with the invalid data) while still well below the minimum A/P engagement altitude.

They never disengaged the autothrottles and that allowed the airspeed to build to around 390 knots indicated.

They didn't use the stab trim cutout switches until the stab trim was already near the full nose-down position. Then they took the switches back to normal and allowed MCAS to drive the stab the rest of the way to the full nose-down position.

The backup trim system on all 737s is the same as what was used on the B707, B720, and B727 which all operated with that system for many decades. The system is designed to work in stages depending on the amount of force required in a given situation.

The trim wheels have fold-out handles. When the airplane is close to in-trim, the flying pilot folds out his handle and can operate the trim with his inboard hand while flying the airplane with his outboard hand.

As the out-of-trim condition increases, the forces are higher and the pilot-monitoring will operate the trim wheel on command of the flying-pilot. i.e. "Trim down", "Stop trim", etc.

As the out-of-trim condition increases further, the two pilots work together with their inboard-hands turning the wheels together. The two fold-out handles are located 90 degrees of rotation apart. This is so that one pilot has his handle in a position which provides good leverage at any point in the wheel's rotation.

When you get to a situation where the trim is at the full nose-down stop, and your airspeed is around 150 knots faster than it should be, the stabilizer loads are too high to manually move the stabilizer, which requires alternate periods of unloading and trimming with periods of regaining altitude.

The key to successfully handling any runaway stabilizer event is to accomplish the runaway stabilizer checklist in a reasonably prompt manner so that the runaway is stopped before the trim reaches the full nose-down limit. If you don't, you have made recovery significantly more difficult.

The additional training that these crews needed was not in MCAS, how MCAS works, or even in handling a runaway stabilizer. The training they needed was in the proper prioritization of tasks in an emergency. 1. Fly the airplane, 2. Silence the warnings, 3. Confirm the emergency. This process is how you move past the distractions to find, confirm, and correctly action the emergency.

None of which would have been necessary if they had continued to fly the airplane by retrimming each time the nose got heavy from the MCAS activations. The Lion Air Captain did exactly that through 21 MCAS activations. The F/O, to whom he transferred control, did not.

As for the Ethiopian accident, the excessive airspeed over the stabilizer in the full nose-down position far outweighed the nose-up moment from the high power setting.

You can't fly the airplane at 390 KIAS (Vmo is 340) and full nose-down stab trim. That would be true in every transport jet.

If they had followed the correct procedure, the trim never would have reached full nose-down, the airspeed never would have reached 390 KIAS, and they would have been able to trim manually just as the crew of the Lion Air incident flight, which landed safely, did.
 
  • #665
EAG711 said:
If they had followed the correct procedure, the trim never would have reached full nose-down, the airspeed never would have reached 390 KIAS, and they would have been able to trim manually just as the crew of the Lion Air incident flight, which landed safely, did.
And if they had made some wise design decisions, the pilots would have never been put to the test at all. Do you think that the design corrections they made now should not have been made? Flight controls should reduce the risks, not introduce new ones.
 
  • Like
Likes hutchphd and russ_watters
  • #666
EAG711 said:
If they had followed the correct procedure
Which a number of US flight crews did during similar incidents that got reported to the FAA but never resulted in any casualties so never triggered a detailed review of what was going on. I think I mentioned in a much earlier post in this thread that lack of proper pilot training and competence appears to have been a contributing factor to the MCAS incidents that did result in casualties.

However, that does not change the fact that Boeing hid the very existence of MCAS from flight crews, and made a number of egregiously wrong design decisions in its original design (for example, no comparison of at least two AoA sensors, no detection of a faulty AoA sensor, too much control authority allowed to MCAS).
 
  • Like
Likes Astronuc, FactChecker, hutchphd and 1 other person
  • #667
EAG711 said:
The Lion Air Captain did exactly that through 21 MCAS activations.
21 activations! Yessir that's the system I want on all my equipment. Wow I hope you do not do critical design...
 
  • Like
Likes FactChecker, PeterDonis and russ_watters
  • #668
It's fair to say that better training can lead to better outcomes in an emergency situation. But this [pretty severe, as these things go] emergency situation was caused by the faulty design and the lack of training was caused in part by the faulty documentation/roll-out of the change, so it is pretty harsh to judge the pilots as bearing much of the responsibility for these crashes.
 
  • Like
Likes Astronuc, nsaspook, FactChecker and 2 others
  • #669
PeterDonis said:
made a number of egregiously wrong design decisions in its original design (for example, no comparison of at least two AoA sensors, no detection of a faulty AoA sensor, too much control authority allowed to MCAS).
This is a good summary of the design issues. These are the major design deficiencies that we immediately recognized, and it was not just our opinion. -- These are also the problems that Boeing engineers have now corrected and are the first things Boeing mentioned in their recent release.
IMHO, one other issue is in an even more serious category. Boeing had removed the AOA miscompare indication from the standard displays so that they could make it optional and start charging to have it added. That seems almost criminal.
 
  • Like
Likes Astronuc, berkeman and russ_watters
  • #670
FYI, just last month Boeing acknowledged full legal responsibility for the crashes*. So, there's not much value in further debate of the point:
https://www.seattletimes.com/business/boeing-aerospace/boeing-accepts-liability-for-737-max-accidents-wins-agreement-that-avoids-punitive-damages/
Boeing’s lawyers filed a joint court motion Wednesday with the lawyers for the families of the 157 people who died in the 737 MAX crash in Ethiopia, accepting sole liability for the fatal accident and laying out a process to settle almost all the claims.

“The defendant, Boeing, has admitted that it produced an airplane that had an unsafe condition that was a proximate cause of Plaintiff’s compensatory damages caused by the Ethiopian Airlines Flight 302 accident,” the filing states.

Boeing explicitly agreed that the pilots were not at fault.

It also exonerated two MAX suppliers: the company that built the jet’s angle of attack sensor and the one that produced, to Boeing’s specification, the aircraft’s faulty flight control software.
*caveat: the title says full responsibility for both, but the body seems to be about a legal filing for only one of them.
 
  • Informative
  • Like
Likes nsaspook, berkeman and FactChecker
  • #671
FactChecker said:
IMHO, one other issue is in an even more serious category. Boeing had removed the AOA miscompare indication from the standard displays so that they could make it optional and start charging to have it added. That seems almost criminal.
This reminds me of the TV ad-style offers that were so popular around the early 2000s, where they sold you a "super duper" heater but the power cable comes as an extra option for extra money.
I mean who doesn't love a heater without a power cable.
russ_watters said:
FYI, just last month Boeing acknowledged full legal responsibility for the crashes*. So, there's not much value in further debate of the point:
Nice to see there is still some justice in the world; sadly this could have been easily avoided.
Pretty much an engineered problem.
 
  • Like
Likes FactChecker
  • #672
hutchphd said:
21 activations! Yessir that's the system I want on all my equipment. Wow I hope you do not do critical design...
You realize the same amount of activations can occur on any 737, right? Before the Max, a runaway trim would be caused by an electrical failure, and a loose wire making intermittent contact with a ground could do exactly that.

In all reality, Boeing has accepted responsibility and admitted change, unlike the two airlines who have not made any safety changes whatsoever, and are practically fine with pilots who can't even recognize a runaway trim, which is a memory item that's solved by flipping a switch, which happens to be right next to the trim wheel itself. Boeing's role in JT610 was probably less than 10%.
 
  • Skeptical
Likes russ_watters
  • #673
EAG711 said:
before the Max, a runaway trim would be caused by an electrical failure, and a loose wire making intermittent contact with a ground could do exactly that.
From the data we have, it seems like a loose wire making intermittent contact with a ground is a much, much rarer event than a faulty AoA sensor. So even if a runaway trim could occur before MCAS, the poor design decisions of MCAS made runaway trim a much less rare event. And the mechanisms provided to pilots for dealing with runaway trim were predicated on it being an extremely rare event like a loose wire, not a much more common event like a faulty AoA sensor.

EAG711 said:
the two airlines who have not made any safety changes whatsoever
Neither of those two airlines are US airlines (or European airlines, since Europe has much the same regulatory attitude as the US), and the regulatory requirements they have to meet are very different, reflecting a very different viewpoint on tradeoffs between risk mitigation and cost saving from the viewpoint that drives US regulations. You might not like that, but you are perfectly free to not fly on those airlines.

Also, part of what drives the very different viewpoint on tradeoffs that regulates those non-US, non-European airlines is a belief, which up until these incidents was mostly justified, that airliners from big name suppliers like Boeing and Airbus are designed to not require a high level of competence from pilots to be able to operate at the risk level that they deemed to be justifiable. And Boeing told everyone that the 737 MAX would be just like previous 737s, which those same airlines had operated for decades at that tolerable level of risk. As it turned out, Boeing's claim was egregiously wrong: the 737 MAX was not just like previous 737s, and it was not just like them in a way that drastically changed where the 737 MAX sat on the spectrum of tradeoffs between pilot competence and risk. It's not realistic to expect the regulators that have oversight of those non-US, non-European airlines to spot that, when the US and Europe had already accepted Boeing's claims and approved the 737 MAX on the theory that pilots would see no difference between it and previous 737s.

It's possible that all this will lead the regulators who have oversight of those non-US, non-European airlines to re-evaluate their risk tradeoff and start requiring a much higher level of pilot competence. But I wouldn't bet on it. I think a much more likely outcome is less market share for Boeing and more for Airbus in those markets because of a reduced level of trust in Boeing and in US regulators.
 
  • Like
Likes Astronuc, russ_watters, FactChecker and 1 other person
  • #674
EAG711 said:
You realize the same amount of activations can occur on any 737, right?
Golly that's a revelation. Can that exact same number really occur?

I will cease kicking this dead horse. It is a true moral tragedy.
 
  • Like
Likes russ_watters and FactChecker
