Boeing How Safe is the Boeing 737 Max's MCAS System?

[nitsuj]

From Boeing: "Flight Control Computers and Stability Augmentation
The trend in the design of modern airplanes is to have less static longitudinal stability--frequently referred to as relaxed static stability (RSS)--to capture the benefit of improved fuel efficiency. Simply stated, some airplanes are now designed to be aerodynamically efficient, and stability is augmented electronically so that stick force gradients will meet certification requirements. Many methods exist for augmenting stability. For example, the Boeing 777 and MD-11 use flight control computers that adjust the elevator actuator positions to give the appearance of more longitudinal stability than the airplane actually has. In other words, computers absorb the extra workload caused by flying with RSS. -https://www.boeing.com/commercial/aeromagazine/aero_02/textonly/fo01txt.htmlOne of the main functions of MCAS was to make the plane "simpler to fly". To make it simpler to certify and get up in the air. It's pretty evident increased RSS and automation add incredible complexity and new failure modes in their effort to keep things simple for the pilot.

From your boeing quote above.
Simply stated, some airplanes are now designed to be aerodynamically efficient, and stability is augmented electronically so that stick force gradients will meet certification requirements.

In this specific case I don't think that the 737 max was out of line from those requirements. But I know it was out of line from the previous model. Again, mcas was used to make it fly similar to the previous model pilots are already certified to fly.

I would be VERY surprised to hear/read that without mcas, on take off the "yoke resistance" is way off from "normal" / expectation. Though if the pilot flew it the same as the previous model the pitch up would be "too high". Not even remotely necessarily that pilots WOULD pitch up too much. But that is clearly different flight characteristics; which would require a new type certificate.

completely agree with your last statement. We do see the issue the same from that perspective.

 

[cyboman]

From your boeing quote above.
Simply stated, some airplanes are now designed to be aerodynamically efficient, and stability is augmented electronically so that stick force gradients will meet certification requirements.

In this specific case I don't think that the 737 max was out of line from those requirements. But I know it was out of line from the previous model. Again, mcas was used to make it fly similar to the previous model pilots are already certified to fly.

I would be VERY surprised to hear/read that without mcas, on take off the "yoke resistance" is way off from "normal" / expectation. Though if the pilot flew it the same as the previous model the pitch up would be "too high". Not even remotely necessarily that pilots WOULD pitch up too much. But that is clearly different flight characteristics; which would require a new type certificate.

completely agree with your last statement. We do see the issue the same from that perspective.

Well it wasn't out of line with those requirements because part of their genesis was to satisfy them.

Again, only one of the functions of MCAS was certification. It's remedies are more reaching than that which overlap certification.

I would add that you seem to be envisioning MCAS as operating only in a take off scenario. In effect, these systems are very primitive and stupid (so as to decrease failure modes) and as I understand, they don't know if you're in take off or cruising at 30 000 or in a dive or climb (they don't do that level of inductive reasoning), they are limited by their very strict parameters, which seems primarily to be determined by the AoA. This is part of the design problem. Add their pitch authority and this is where we're at.

 

[nitsuj]

MCAS is intrinsically faulty as a flight control augmentation system. I think I get that you're saying that it's not required if it fell into a new type. But that's not what happened.

It's in how you frame your argument. When you say maybe, it's not so benign. In this context its refuting my more complex perspective and position. And in effect simplifying the scenario such that if one, more training was provided and two, a new type certification was attained, all would be good. Well, both of those things needed to happen potentially but that doesn't remedy the totality of the problems and challenges that automated systems like MCAS create. And it wouldn't be moot or unnecessary I would argue. I think with those huge LEAP engines, you needed MCAS. Training could potentially supplant it but you'd still be left with an unstable aircraft and instead of MCAS you'd be putting that instability on the pilot to correct for.

Ah I see, well I can't argue your feelings.

Note mcas is "active" only with AP off* flaps up and AoA too high. (*because AP, just like the pilots, can fly the plane just fine; it's' not an "unstable" plane)

A link from "the Air Current" article on mcas written by their editor in chief Jon Ostrower who "covered" (aviation journalist) the development of the 737. Where he describes the effect of the redesigns on the flight characteristics as "Ever so slightly changed how the jet handled in certain situations". That's inline with my understanding from Juan's videos I've linked to previously.

 

[cyboman]

Ah I see, well I can't argue your feelings.

Note mcas is "active" only with AP off* flaps up and AoA too high. (*because AP, just like the pilots, can fly the plane just fine; it's' not an "unstable" plane)

A link from "the Air Current" article on mcas written by their editor in chief Jon Ostrower who "covered" (aviation journalist) the development of the 737. Where he describes the effect of the redesigns on the flight characteristics as "Ever so slightly changed how the jet handled in certain situations"

The qualification "ever so slightly" doesn't really bode well in light of the recent tragedies with pilots with more than adequate flight hours and experience, in that type. It's all about probabilities and scenarios. If said pilot goes up and says, "The aircraft didn't feel very different." That doesn't really say much. Perhaps it's worth something if they fly like 10 - 50 different flight scenarios.

 

[cyboman]

Note mcas is "active" only with AP off* flaps up and AoA too high. (*because AP, just like the pilots, can fly the plane just fine; it's' not an "unstable" plane)

Well, perhaps it was proven as stable before the newest mark which is MAX with the new engines.

 

[nitsuj]

I would add that you seem to be envisioning MCAS as operating only in a take off scenario. In effect, these systems are very primitive and stupid (so as to decrease failure modes) and as I understand, they don't know if you're in take off or cruising at 30 000 or in a dive or climb (they don't do that level of inductive reasoning), they are limited by their very strict parameters, which seems primarily to be determined by the AoA. This is part of the design problem. Add their pitch authority and this is where we're at.

Am giving up with a final retort lol. mcas does not at all operate on take off. flaps up is a requirement for it to activate. That is shortly after take off, while engines are still at take off thrust. And where the "creeping up" of the nose would occur.

again three requirements (as at the time of the accidents) flaps up, AP off and high AoA for mcas to activate.

 

[cyboman]

Am giving up with a final retort lol. mcas does not at all operate on take off. flaps up is a requirement for it to activate. That is shortly after take off, while engines are still at take off thrust. And where the "creeping up" of the nose would occur.

again three requirements (as at the time of the accidents) flaps up, AP off and high AoA for mcas to activate.

You lean on these basic parameters for activation as if they forgive the erroneous activation we've seen in these tragedies.

 

[FactChecker]

It is inconceivable to me that the plane is outside of the required stability margins when the system is operating correctly. I think that the issues are the reliance on a single AOA input, the removal of displays which would tell the pilot what is going on, and the way the system seemed to ignore pilot pitch-up inputs for such a long time. So the system would believe one unverified input while ignoring (or unaware of) indicators that the input may be wrong.

 

[cyboman]

flaps up, AP off and high AoA for mcas to activate.

In other words, typically normal flight regime outside of the AoA sensor input.

 

[cyboman]

It is inconceivable to me that the plane is outside of the required stability margins when the system is operating correctly.

There is a lot of assumptions here. But again it's how those lines or margins are drawn.

I think that the issues are the reliance on a single AOA input, the removal of displays which would tell the pilot what is going on, and the way the system seemed to ignore pilot pitch-up inputs for such a long time. So the system would believe one unverified input while ignoring (or unaware of) indicators that the input may be wrong.

Or in laymen's terms, the system was "dumb". An oversimplification, because simplification of a system was beneficial in this scenario (simpler was better). It proved to be a erroneous pressure on the decision making. Such that a system with tremendous pitch authority was mis-configured to disastrous effects.

 

[russ_watters]

In other words, typically normal flight regime outside of the AoA sensor input.

I think you're mixing together the "normal" operation and the failure scenario. Having a high aoa during cruise - most of the "normal flight" regime - would require a ripping-the-wings-off steep turn. So there is no scenario in cruise when it should activate. The actual part of the flight envelope or normal flight regime where MCAS should activate is pretty small. You could add additional sensors such as an airspeed limit (MCAS disabled above 300kts for example), but that also adds another potential failure point.

We tend to get tunnel vision focusing on the specific system or crash scenario. It's not a simple system and while it does appear a failure mode was missed or underestimated, Boeing engineers are not idiots and have surely thought through the broader implications.

 

[russ_watters]

To further clarify: I think that with trim, manual control may in fact not be hydraulically assisted. So, if I'm not mistaken when they use the stab cutout switches that may result in no hydraulic or "electric" assistance to control the trim and the trim wheels in effect work mechanically. I'm not sure of this however. It may be the case that the stab cutout only bypasses automated systems and the trim switches on the yoke still operate using electric control of the trim. Given the recent tragic scenarios, I think that's preferable.

For other systems, like elevator, aileron and rudder, manual control would still mean hydraulically assisted since as previously explained direct mechanical control is not a practical flight scenario and more of a redundant backup architecture. Manual control in this sense, is disabling autopilot.

Trim is the *only* aerodynamic control in which manual control is even possible, so rather than have multiple levels of automation, they may drop straight to full manual. The electronic trim is not the same as hydraulic assist in that it is still fully decoupled mechanically from the control surface. Hydraulic assist is pretty "dumb".

Related to what I said in my previous post, these failure scenarios get complicated. There was an Airbus crash once where the aoa sensors froze up during an automation/acceptance test, the plane's computer realized it and handed full "manual" control to the pilots, with the pitch trim strongly "up". The pilots either didn't notice or didn't know how to handle the issue and simply pushed their control sticks all the way forward to avoid the stall. It didn't work and the plane stalled and crashed.

In this case they evidently didn't know the trim was "fighting" them - because they couldn't feel it - and never tried to manually spin the trim wheels, which likely would have prevented the crash.
https://en.m.wikipedia.org/wiki/XL_Airways_Germany_Flight_888T
This also relates to past discussions of the pros and cons of a system (trim itself) that can overpower the pilots. Is it worse to be overpowered and know it or overpowered and not know it?

 

[cyboman]

I think you're mixing together the "normal" operation and the failure scenario. Having a high aoa during cruise - most of the "normal flight" regime - would require a ripping-the-wings-off steep turn. So there is no scenario in cruise when it should activate. The actual part of the flight envelope or normal flight regime where MCAS should activate is pretty small. You could add additional sensors such as an airspeed limit (MCAS disabled above 300kts for example), but that also adds another potential failure point.

We tend to get tunnel vision focusing on the specific system or crash scenario. It's not a simple system and while it does appear a failure mode was missed or underestimated, Boeing engineers are not idiots and have surely thought through the broader implications.

What I meant is that all of the conditions outside high AoA are totally normal. So that a single AoA sensor reading that's bad results in erroneous activation.

Regarding if the Boeing engineers are idiots. Obviously they are not. However, they aren't all going to be of the same caliber and experience. It's hard to know where to put the blame with a big corporation like that, I'm sure more than one head in more than one department will roll. However, I think it's accurate to say that MCAS was a very stupid design and implemented very poorly.

 

[cyboman]

Trim is the *only* aerodynamic control in which manual control is even possible, so rather than have multiple levels of automation, they may drop straight to full manual.

I was sure I read somewhere that there is redundancy in the case both A and B hyd fail.

It's termed manual reversion in the 737:

"In the event of a dual hydraulic failure, a manual reversion mode will allow the elevators and ailerons to driven through a mechanical means"

"In the event of of a total hydraulic failure, manual forces from the control wheel would be transmitted through stops in the power input control linkage, thus providing a direct mechanical link to the control wheel. Input forces are minimized by aileron balance tabs and hinged balance panels. "

-https://www.airliners.net/forum/viewtopic.php?t=731915

"Ailerons are powered by hydraulic systems A and/or B. If both hyd should fail, manual reversion is available from both control wheels. "

None for the rudder but there is a 3rd way to power it if A and B fail:

"The rudder is moved by a PCU powered by hyd sys A and/or B. If A and/or B fails a standby PCU can be powered from the standby hydraulic system. "

"The control column moves the elevators using hyd A and/or B. If both hyd should fail, manual reversion is available from both control columns. "

Also there are balance tabs on the elevators and ailerons.

-http://www.b737.org.uk/flightcontrols.htm

...so rather than have multiple levels of automation, they may drop straight to full manual.

Remember that the NG operated exactly as I suggested. The AP cutout disabled all automatic trim commands while you could leave MAIN ELEC in normal to command electric trim. This was procedure in the NG for stab trim runaway. They changed it in the Max for some reason.

 

[cyboman]

This also relates to past discussions of the pros and cons of a system (trim itself) that can overpower the pilots. Is it worse to be overpowered and know it or overpowered and not know it?

It's a good point. I would say that it's worse to be overpowered to begin with. It's one thing if the pilot has commanded the stab to an out of trim scenario, but when auto systems are doing it, then a lot of confusion can ensue as we've seen.

The issue of not knowing is again I believe a feedback problem (and training and probably a bunch of other things as is always the case). But I really think that a feedback system, like I posted earlier should be included in the PFD that shows the trim angle and perhaps if it's in man electric, full manual, or auto.

 

[russ_watters]

It's a good point. I would say that it's worse to be overpowered to begin with.

Well again, that's not one of the options. The trim needs to be stronger than the pilot otherwise the plane -basically any plane - wouldn't be flyable. Not even a little Cessna. Remember, trim has to be adjusted every time you change your speed or attitude and as you burn fuel. You can be overpowered by *not* adjusting trim, not just by over-adjusting it.

And to clarify, in case it isn't clear, I'm not just talking about needing 100+lb of force as in these scenarios. Even the ~20lb changes that are pretty normal in the Cessna I fly would be unsustainable for more than a few minutes. Humans just aren't built to be able to hold constant force with muscles.

It's one thing if the pilot has commanded the stab to an out of trim scenario, but when auto systems are doing it, then a lot of confusion can ensue as we've seen.

Right; that's different from the trim being stronger than the pilot, that's auto-trim doing something unexpected. But in a plane without auto-trim, even a small plane such as a Cessna, if you don't adjust the trim yourself, you'll be fighting it for most of the flight, with poor odds of completing the flight successfully.

So my point is, in a situation where the plane hands full manual control to the pilot, is it easier to handle the plane when you have feedback or don't? Well again, it depends. If you are handed control when in control and in trim and with all your instruments working, it may not matter. When you make a change in attitude/speed, you should notice the yoke pressure on a manual plane and notice the joystick isn't centered on a fly-by-wire plane. But unfortunately, computerized planes rarely hand the pilot manual control when the plane is fully functional -- they only do it when something fails. And when that happens, a pilot with a lot on his plate might not realize what is going on. The XL888 pilots in the above link didn't realize it - perhaps because they couldn't feel it - and crashed. The Ethiopian Air pilots did realize it - because they felt it - and crashed anyway.

The issue of not knowing is again I believe a feedback problem (and training and probably a bunch of other things as is always the case). But I really think that a feedback system, like I posted earlier should be included in the PFD that shows the trim angle and perhaps if it's in man electric, full manual, or auto.

In the case I just linked, XL888, the pilots were given a notification that auto-trim was no longer active and either missed it or misunderstood it. For Ethiopian, I'm not sure if we know yet whether they followed the procedure correctly.

 

[nitsuj]

In other words, typically normal flight regime outside of the AoA sensor input.

No.

That is typical flight just after take off. Am not sure about landing, I imagine sometimes they do "auto pilot" landings, at least to some degree.

Typical flight is with AP on.

 

[cyboman]

No.

That is typical flight just after take off. Am not sure about landing, I imagine sometimes they do "auto pilot" landings, at least to some degree.

Typical flight is with AP on.

My view is the logic for activation outside of the AoA vane input is completely normal. It does not represent a scenario outside or on the edge of the flight envelope. As you've pointed out it occurs regularly after take off.

 

[nitsuj]

You lean on these basic parameters for activation as if they forgive the erroneous activation we've seen in these tragedies.

Really? am not interested in going along that tangent with you.

 

[nitsuj]

My view is the logic for activation outside of the AoA vane input is completely normal.

that's fine, my reply you quoted was to you saying...

In other words, typically normal flight regime outside of the AoA sensor input.

My reply was that (AP off) is not "typically normal flight regime..."

 

[cyboman]

Well again, that's not one of the options. The trim needs to be stronger than the pilot otherwise the plane -basically any plane - wouldn't be flyable. Not even a little Cessna. Remember, trim has to be adjusted every time you change your speed or attitude and as you burn fuel. You can be overpowered by *not* adjusting trim, not just by over-adjusting it.

What I mean here is that the scenario of the airbus you gave was an undesirable scenario that you'd rather not be in, where the elevator controls are overpowered by the stab and there is no attitude control.

But unfortunately, computerized planes rarely hand the pilot manual control when the plane is fully functional -- they only do it when something fails. And when that happens, a pilot with a lot on his plate might not realize what is going on.

Ya I imagine that's a big issue with these types of failures. I think better HCI and feedback could help as we've suggested.

In the case I just linked, XL888, the pilots were given a notification that auto-trim was no longer active and either missed it or misunderstood it. For Ethiopian, I'm not sure if we know yet whether they followed the procedure correctly.

I think a constant feedback of the stab trim on the PFD would be better than a verbal notice or light. It just has so much pitch authority and now we have all these auto systems commanding it.

The preliminary report shows the Ethiopian flight followed procedure correctly for a runaway stab trim. Right before the final dive it looks like they switched the cutouts back to normal. I suggested this was likely a last ditch effort to regain manual electric control of the trim since the manual wheel wasn't working and the pilot is heard saying that, "It's not enough" after asking the co pilot to help him pull back on the yoke. The electric trim did work, as would be the case in the NG, but unlike the NG where they could command electric trim without auto trim systems, MCAS was now active again. MCAS did one final AND trim command effectively making the dive irrecoverable.

It's easy in hindsight to look at the situation and pick out all the things that could of been done better. Without really being in that situation we can't fully understand how much of it was human factors. We'll know more with the final report.

What I will say is that when you look at the graphed data from the FDR, it's pretty shocking how MCAS operates in these failure scenarios. It commands nose down trim for an incredibly long period of time, up to 10 seconds with a 5 second break and has no command limit. And when commanding any electric trim commands from the yoke are overridden. If you haven't read the report, I'd recommend it. Especially take a look at that FDR graph, it allows you to see the flight from a flight data perspective. You may wish to skip the historical facts I think it's titled, where it goes through the flight by time-code. I found that rather upsetting.

 

[cyboman]

Really? am not interested in going along that tangent with you.

Well that's the angle I get from how you seem to defend MCAS but I could be mistaken. You seem to feel like it's an easy fix if the pilots are trained. And you constantly reiterate it's activation parameters. I'm not really clear on why. These were well established in this thread hundreds of posts ago.

 

[cyboman]

that's fine, my reply you quoted was to you saying...
My reply was that (AP off) is not "typically normal flight regime..."

AP is off during take off. And climb out. It's also not used 99% of the time for landing. So I don't see AP off as non-normal. It's part of every flight.

 

[nitsuj]

AP is off during take off. And climb out. It's also not used 99% of the time for landing. So I don't see AP off as non-normal. It's part of every flight.

who said it wasn't ? rhetorical.

 

[cyboman]

who said it wasn't ? rhetorical.

You did I thought. I'm saying AP off is part of a "typically normal flight regime". You seemed to disagree.

 

[nitsuj]

You did I thought. I'm saying AP off is part of a "typically normal flight regime". You seemed to disagree.

The point isn't the frequency of it's use. The point is it's used for a very specific circumstance.

This whole point is to counter the position that the plane is "unstable" and requires mcas to maintain stability.

it's much worse than that.

mcas is to circumvent a new type certificate because that would make the plane difficult to sell.

That's why hundreds of people died, not the least of which many being humanitarians with this latest incident.

YOU seem to make defense of this disgusting scenario by suggesting that mcas is REQUIRED. that mcas must be there and we need to figure how to make it all work.

I am saying cuck mcas and train the pilots to do what the pilots are there to do.

 

[cyboman]

YOU seem to make defense of this disgusting scenario by suggesting that mcas is REQUIRED. that mcas must be there and we need to figure how to make it all work.

If that's what you gather from my posts I know you haven't read this thread in it's entirety. Or even understood my recent posts. In any case let's leave it at that. We're not really adding anything to the conversation.

 

[cyboman]

An interesting read, unfortunately it doesn't bode well for Boeing. Much of what we've assumed is fairly accurate, regarding cost cutting, managerial and certification pressures, competition, pushing an old airframe, MCAS in effect a sort of hack pushing an aging platform too far.

Some quotes:

Boeing’s 737 Max: 1960s Design, 1990s Computing Power and Paper Manuals

By 2011, Boeing executives were starting to question whether the 737 design had run its course. The company wanted to create an entirely new single-aisle jet. Then Boeing’s rival Airbus added a new fuel-efficient engine to its line of single-aisle planes, the A320, and Boeing quickly decided to update the jet again.

“We all rolled our eyes. The idea that, ‘Here we go. The 737 again,’” said Mr. Ludtke, the former 737 Max cockpit designer who spent 19 years at Boeing.

“Nobody was quite perhaps willing to say it was unsafe, but we really felt like the limits were being bumped up against,” he added.

Some engineers were frustrated they would have to again spend years updating the same jet, taking care to limit any changes, instead of starting fresh and incorporating significant technological advances, the current and former engineers and pilots said.

When engineers did make changes, it sometimes created knock-on effects for how the plane handled, forcing Boeing to get creative.

The larger size and new location of the engines gave the Max the tendency to tilt up during certain flight maneuvers, potentially to a dangerous angle.

To compensate, Boeing engineers created the automated anti-stall system, called MCAS, that pushed the jet’s nose down if it was lifting too high.

A second electronic system found on other Boeing jets also alerts pilots to unusual or hazardous situations during flight and lays out recommended steps to resolve them.

On 737s, a light typically indicates the problem and pilots have to flip through their paper manuals to find next steps. In the doomed Indonesia flight, as the Lion Air pilots struggled with MCAS for control, the pilots consulted the manual moments before the jet plummeted into the Java Sea, killing all 189 people aboard.

https://www.nytimes.com/2019/04/08/business/boeing-737-max-.html

 

[nitsuj]

NYTimes - "The larger size and new location of the engines gave the Max the tendency to tilt up during certain flight maneuvers, potentially to a dangerous angle."

It's this part that is misleading and imo an insult to pilots and washes over what is imo the "crux" of the issue. It helps justify mcas, for what appears to be reasonable grounds.

Pilots would not maneuver the plane in such a way as to unnecessarily reach a dangerous AoA, ever.

Ceteris parabis, it is IF they flew the max version (without mcas active) the same as the previous version then it could POTENTIALLY reach dangerous aoa . (ergo flies different to a remarkable enough degree as to require new training new type certificate as per FAA rules)

Trained for the plane or not a pilot would never do such a thing, that's just crazy; the pilot, or even someone who's merely played a flying game lol would push the yoke forward just a bit and or reduce thrust a bit until the plane is at the desired pitch. Then maybe trim it to that and carry on.

A pilot doesn't NEED an automated process to do this maneuver; the FAA does though, in order to give boeing a pass on this clearly new aircraft.

no justification for mcas beyond boeings financial concerns. FAA should be held accountable equally imo.

 

[cyboman]

NYTimes - "The larger size and new location of the engines gave the Max the tendency to tilt up during certain flight maneuvers, potentially to a dangerous angle."

It's this part that is misleading and imo an insult to pilots and washes over what is imo the "crux" of the issue. It helps justify mcas, for what appears to be reasonable grounds.

Pilots would not maneuver the plane in such a way as to unnecessarily reach a dangerous AoA, ever.

Ceteris parabis, it is IF they flew the max version (without mcas active) the same as the previous version then it could POTENTIALLY reach dangerous aoa . (ergo flies different to a remarkable enough degree as to require new training new type certificate as per FAA rules)

Trained for the plane or not a pilot would never do such a thing, that's just crazy; the pilot, or even someone who's merely played a flying game lol would push the yoke forward just a bit and or reduce thrust a bit until the plane is at the desired pitch. Then maybe trim it to that and carry on.

A pilot doesn't NEED an automated process to do this maneuver; the FAA does though, in order to give boeing a pass on this clearly new aircraft.

no justification for mcas beyond boeings financial concerns. FAA should be held accountable equally imo.

What you're not acknowledging is that this fix (MCAS) was to solve fundamental aerodynamic deficiencies created by pushing an aging airframe too far with larger engines. This article shows such a concern was legitimate and expressed from the engineers themselves. It's not solved by simply certifying in a new class with additional training.

 

[nitsuj]

What you're not acknowledging is that this fix (MCAS) was to solve fundamental aerodynamic deficiencies created by pushing an aging airframe too far with larger engines. This article shows such a concern was legitimate and expressed from the engineers themselves. It's not solved by simply certifying in a new class with additional training.

oh, okay.

 

[anorlunda]

https://spectrum.ieee.org/aerospace...37-max-disaster-looks-to-a-software-developer

I am impressed by this article. It is a long read, but very informative and insightful IMO.

 

[FactChecker]

https://spectrum.ieee.org/aerospace...37-max-disaster-looks-to-a-software-developer

I am impressed by this article. It is a long read, but very informative and insightful IMO.

I worked at a competitor and only on military airplanes, so I can't vouch for the Boeing non-military flight control engineers. IMHO, this article's characterization of the flight control software engineers knowledge is completely wrong. I think they would have designed, programmed, and tested redundant systems and fault analysis for decades. They live and breath that. At least that was true of the people I worked with.

 

[nsaspook]

https://spectrum.ieee.org/aerospace...37-max-disaster-looks-to-a-software-developer

I am impressed by this article. It is a long read, but very informative and insightful IMO.

"So Boeing produced a dynamically unstable airframe, the 737 Max"

Everything I've read about the 737 Max says this is not true. No, the 737 MAX is not aerodynamically unstable in any part of its flight envelope.

 

[nitsuj]

"So Boeing produced a dynamically unstable airframe, the 737 Max"

Everything I've read about the 737 Max says this is not true. No, the 737 MAX is not aerodynamically unstable in any part of its flight envelope.

It was certified stable, in the previous vid of that "series" he says and shows this and gives the FAA regulation number.

Of all the various vids I've seen on the incident; his by far are most accurate and well said.

I time stamped the vid below to where Juan explicitly states the 737 max flies "normal" without mcas.

 

[PeterDonis]

It was certified stable

Yes. I agree that statements that the 737 MAX is "unstable" without MCAS are not justified.

Juan explicitly states the 737 max flies "normal" without mcas

"Normal" means the pilot can control the plane. Yes, that's true. But "normal" is not the same as "feels similar enough to previous 737 models to allow pilots that are type certified in the 737 to fly it without additional training". The latter is what MCAS was intended to address.

 

[PeterDonis]

For reference, here is the portion of the FAA airworthiness standards that addresses "stick force":

https://www.ecfr.gov/cgi-bin/text-idx?node=14:1.0.1.3.11#se14.1.25_1173

 

[PeterDonis]

Here are some other relevant references. First, the FAA's current list of all aircraft type ratings:

https://registry.faa.gov/TypeRatings/
The B-737 type rating:

http://fsims.faa.gov/wdocs/fsb/b737_rev_16.pdf
And for comparison, the B-757/B-767 type rating (since these aircraft have engines mounted forward on the wing and so have a similar pitch up moment to the 737 MAX):

http://fsims.faa.gov/wdocs/fsb/b-757_767 fsbr7.pdf

 

[nitsuj]

Yes. I agree that statements that the 737 MAX is "unstable" without MCAS are not justified.
"Normal" means the pilot can control the plane. Yes, that's true. But "normal" is not the same as "feels similar enough to previous 737 models to allow pilots that are type certified in the 737 to fly it without additional training". The latter is what MCAS was intended to address.

You're just restating facts; am not sure you're saying anything new or addressing anything specific.

Just being correct is all...I see.

 

[anorlunda]

The Seattle Times is not an engineering journal. However, this new article goes much deeper into the details of the failures and remedies than previous coverage.

https://www.seattletimes.com/business/boeing-aerospace/newly-stringent-faa-tests-spur-a-fundamental-software-redesign-of-737-max-flight-controls/

Shockingly, they attribute the root cause to the KISS principle. Horrors! I am a big KISS advocate. However, the completely stated KISS principle should say, "as simple as possible (but no simpler)" The article accuses Boeing of ignoring that parenthetical clause.

The remedies are also more extensive than I expected. It is not a matter of bugs, or patches. They are restructuring the entire architecture. That may be needed and overdue, but doing it under intense schedule pressure is another cause of worry.

I recommend reading the article, the whole article.

 

[FactChecker]

Shockingly, they attribute the root cause to the KISS principle.

I'm not sure I would characterize it that way. To have two flight control computers, but totally ignore one, seems like they were snatching defeat from the jaws of victory. It's like someone was not convinced of the need for redundancy, even though it was readily available. Many airplanes with digital flight control computers have three or more computers so that there is a tie-breaker in the case of a disagreement.

 

[berkeman]

Many airplanes with digital flight control computers have three or more computers so that there is a tie-breaker in the case of a disagreement.

Yeah, I wonder how they handle that with just two computers. If there is a disagreement above some threshold, take the mean value and sound an alarm?

 

[FactChecker]

Yeah, I wonder how they handle that with just two computers. If there is a disagreement above some threshold, take the mean value and sound an alarm?

If one doesn't work right, it can put out such a bad number that a mean value is bad. There may be a "safe" simpler backup calculation that the flight controls can switch to. At the very least, the pilot should be notified. I don't know a better way to handle it. Everything I worked on had more redundancy and there was a tie-breaker computer.

 

[berkeman]

Everything I worked on had more redundancy and there was a tie-breaker computer.

Yeah, I guess that 3rd computer would have been way too heavy for this plane...

 

[anorlunda]

Yeah, I wonder how they handle that with just two computers.

The article explains that. In the new architecture, if there is disagreement, there will be no automated action, and the plane goes to fully manual control of the pilot. So the pilot is the tie breaker.

In other fields like nuclear safety, we use 2/3 or even 3/4 voting but there is no option for the computers to shut themselves off and leave it to the operator.

I'm not sure I would characterize it that way.

Characterizations are not like facts. We are all entitled to our preferred characterization.

Re the KISS characterization: The KISS argument is that each redundant string should have its own independent set of sensors. A non-KISS solution, might be something like 2/3 voting on the sensor readings then passing the verdict down to the redundant strings of computing steps That might be better, but we must admit it is also more complex. Carried to the extreme, if there are M parallel strings, and N sequential steps in processing, there could be N sets of (M-1)/M voting; one after every step.

Another strategy is to use diversity in redundant strings to dodge repeated vulnerabilities or bugs. For example, analog in parallel with digital, or contractor A's software in parallel with contractor B's software. Some people like that, but they are not KISS.

 

[Gatekeeper1958]

I have 29 year's in Aviation Quality Assurance, 19 year's with Boeing.

MCAS is a Patch or Band Aid solution to the problem created by moving the larger Max jet Engines forward and up in front of the wing creating inherent Aerodynamic instability in the flight characteristics of the Max. This is because the FAA required 18 inches of ground clearance.

The safe solution that was suggested by the European Union Aviation Safety Agency (EASA) in July 2019 was to make the landing gear taller and then place the new larger Max Engines properly under the wing, thereby eliminating the need for MCAS. Keep in mind the design and engineering has already been accomplished on the 737 Max 10, that has 9.5 inch taller main and front landing gear.

With the Max Engines placed properly under the wing, and restoring flight stability to 737NG levels, will eliminate the need for MCAS. No MCAS, no problems, everybody is happy.

Several Airlines have switched their Max 8 orders to Max 10's for the above reasons.

The Max 7,8,9 versions did NOT pass the Wind Tunnel and Flight Tests. This created a problem that Boeing should have solved as EASA suggested, instead Boeing decided on a Patch or Band Aid solution.

This reminds me of the Baseball comedy where the Owner is trying to discourage her team players by reducing Comfort and Safety. The LA baseball team approached their charter aircraft usually quite new and comfortable, this time an old DC-3 and see the Maintenance Mechanic using DUCT TAPE to "repair" one of the propellers. Everybody in the audience laughed. Little did they know how close to the truth this Joke was! Ref: 1987 Major League with Charlie Sheen as the "Wild Thing" pitcher.

Boeing will resist this Solution because of the short term cost. But in truth, they have the Safety reputation of 5,000 Max Jet's costing billions of dollars at stake, as well as Boeing's over 100 year history of quality and safety at stake. I think they have no other choice that would satisfy everyone. What do you think?

 

[FactChecker]

@Gatekeeper1958 , I will concede to your expertise in this and to your recommended solution. But IMHO, they have other problems in their design and attitude. MCAS seemed to have no access to the redundant sensors and had too much authority while fighting the pilot inputs. That is a tragedy waiting to happen.

 

[gmax137]

What do you think?

anecdotally, i have heard a number of people say, "I will never fly in one of those things.". So, i think you are spot on with the idea that the company itself is at stake.

 

[Gatekeeper1958]

anecdotally, i have heard a number of people say, "I will never fly in one of those things.". So, i think you are spot on with the idea that the company itself is at stake.

Yes, I think the Boeing Company would be in a very steep dive toward bankruptcy, if they do not consider the long term affects of their tragic mistakes with the 737 Max.

I do not think they are considering the solution suggested by EASA. No, I think they will pursue the MCAS, muscle it through the FAA, and Rebrand the Aircraft with a New Name. Heavily publicised flights with Airline and Boeing executive's flying with their wife and children on the Max to boost confidence in the new and improved aircraft. This will only partially succeed, and Boeing will continue it's slow spiral downward to destruction. It may take 10 year's or more.

However, I truly think they can build a safe Max if they realized the damage that has been done, and the fear in people's hearts at the mere mention of MCAS. It also should be renamed. I will NOT fly a Max by any name that doesn't put the Engines properly on the wing's as EASA has suggested. If we could somehow get EASA and China to demand the proper changes before the FAA gives it's reluctant "OK" then Boeing would be forced to do "The Right Thing."

 

[etudiant]

I don't believe Boeing has much control over the process at this point.
The Chinese grounded the MAX well before the FAA did and in the current environment, I'd be astonished if they released the aircraft based on the FAA's decision.
The bulk of the MAX market is in Asia, where China is the largest single market, so China must be satisfied for the MAX to continue. If that requires the EASA retrofit, it will get done.