As I see it there are several critical flaws in the MAX.
First, the engine placement means it has a non-linear control force curve, so it needs some system to compensate for that. Hence MCAS. This is because the landing gear can't be lengthened without expanding the gear bays, which would void the type certificate AFAICT.
Second, the larger size of the plane means that a single pilot cannot be guaranteed to be able to use the manual trim wheels in all flight modes. The force required is extreme, weaker pilots may not be capable of trimming the aircraft. This can't be fixed without changing the trim wheel size (which requires a new cockpit layout) and/or the horizontal stabilizer, both of which would void the type certificate.
Third, critical flight control systems need to be triple-redundant, and there are only two AOA sensors. Since the plane cannot be certified without MCAS (point 1) and MCAS can command a catastrophic failure (see two craters) it should be a triple-redundant system. A new AOA sensor would void the type certificate.
Canada stated that they would certify the MAX without MCAS and with required pilot training, if its performance characteristics were acceptable. Boeing has made no attempt (AFAICT) to try this, which raises suspicion that MCAS is in fact required for certification, which would make it a Fly-By-Wire system (and subject to appropriate regulations, requiring hardware changes) and not just a stability augmentation system. Essentially Canada called Boeing's bluff.
It's not the software that's the (only) issue. If it were, the plane would be flying by now.
> First, the engine placement means it has a non-linear control force curve, so it needs some system to compensate for that. Hence MCAS.
No. Boeing wanted it to share a type rating with the rest of the 737 family, hence MCAS. This plane would be perfectly safe to fly if it had no MCAS and required a new type rating. Consider the 767 which has a stronger pitch-up characteristic and operates just fine. This meme has been debunked several months ago but keeps getting repeated along with the more ignorant 'the plane is inherently unstable'.
> The force required is extreme, weaker pilots may not be capable of trimming the aircraft.
This is true in all planes. In certain conditions, aerodynamic loads exceed the pilot's or even the hydraulic system's ability to overcome. Pilots are trained for how to recover from these conditions and regain trim authority.
> Canada stated that they would certify the MAX without MCAS and with required pilot training, if its performance characteristics were acceptable. Boeing has made no attempt (AFAICT) to try this, which raises suspicion that MCAS is in fact required for certification
This claim contradicts your first claim, as the authority indicates they will accept the plane without MCAS. So clearly, MCAS is not critical to safe the operation of the plane in the eyes of this authority.
Without MCAS the MAX loses the 737 type rating and becomes a commercial failure. Of course Boeing isn't going to even humour that avenue of action except as a last resort.
> This plane would be perfectly safe to fly if it had no MCAS and required a new type rating.
GP didn't claim otherwise. GP claimed:
>> [...] so it needs some system to compensate for that.
And it does need that system - whether for safety is debatable, but it needs it for certification (not within the 737 family certification, but for certification full stop), because the FAA requires basically a linear control force curve.
>> weaker pilots may not be capable of trimming the aircraft.
> This is true in all planes.
Source? I'd assume, in fact, that in most planes that is not the case - superhuman strength is not required to trim.
> This claim contradicts your first claim, as the authority indicates they will accept the plane without MCAS. So clearly, MCAS is not critical to safe the operation of the plane in the eyes of this authority.
No, it doesn't. There are three possibilities:
1. Without MACS, the plane is safe and certifiable, but not similar enough to be certified with the 737 family.
2. Without MACS, the plane is reasonably safe, but not certifiable under the specific FAA rule requiring linear control forces (though possibly under more lenient, eg Canadian rules).
3. Without MACS, the plane is not safe and not certifiable.
I think 2 is the case. 1 has been debunked, and you argue that 3 is false, too.
> Without MCAS the MAX loses the 737 type rating and becomes a commercial failure.
Does it fail? I will grant you this: 1) A significant number of people would refuse to fly it. 2) Pilots would need to be trained to the new type. 3) There would have to be more simulators constructed to handle the training load, and the airlines would likely force Boeing to bay for that.
OTOH: All the 737 ground equipment and gates and so forth will work perfectly fine. It seems to me that with suitable discounts, it would sell through. Not an easy sale, certainly.
> Pilots are trained for how to recover from these conditions and regain trim authority.
I agree with all of your corrections except this one. I've read that this yo-yo or rollercoaster maneuver was described in old 737 manuals decades ago, but then removed. It's not in the current manuals and I haven't heard anyone else claim that it was ever trained for by airline pilots, either back then or now.
I get the impression that Boeing decided some decades ago that needing to retrim without the motor and at extreme airspeeds and aerodynamic load was so unlikely that they didn't need to prepare pilots for it.
This would probably be true if they hadn't introduced a system that makes the stabilizer try to kill you, and then tied the off switch for that system to the off switch for the trim assist motor.
(A reason to be pedantic on this point is that it's important to know whether the lack of having performed this maneuver can be reasonably described as a pilot error.. although in the MAX cases there probably wasn't enough altitude to perform it anyway at the speeds involved.)
If you're right and he's wrong, then MCAS is a non-critical system (augmentation, not fly-by-wire) and would require a mere software fix, which ought to have been completed by now.
> This meme has been debunked several months ago but keeps getting repeated along with the more ignorant 'the plane is inherently unstable'.
Yet, there has been no information released, at least publicly, as to the bare airframe flight characteristics (bare as in sans MCAS).
The reasons for the initial inclusion of the MCAS seems like it may have been related to the augmentation of the "touch and feel" of the flight controls, but we simply do not know at this point what were the reasons for the increase of it's operating envelope and authority.
If you have a source for the debunking, I would appreciate if you could share it. In the meantime, our best bet is to hope for one of the other CAA-s to conduct said bare airframe tests.
I suspect that one must also consider that the Boeing's PR department is busy coloring the narrative in a favourable way.
The FAA should review the natural (bare airframe) stalling characteristics of the B737 MAX to determine if unsafe characteristics exist. If unsafe characteristics exist, the design of the speed trim system (STS)/MCAS/elevator feel shift (EFS) should be reviewed for acceptability.
Observation O3.4-A: The original implementation of MCAS was driven primarily by its ability to provide the B737 MAX with FAA-compliant flight characteristics at high speed. An unaugmented design would have been at risk of not meeting 14 CFR part 25 maneuvering characteristics requirements due to aerodynamics.
Observation O3.4-B: Extension of MCAS to the low-speed and 1g environment during the flight program was due to unacceptable stall characteristics with STS only. The possibility of a pitch-up tendency during approach to stall was identified for the flaps-up configuration prior to the implementation of MCAS.
Finding F3.4-A: The acceptability of the natural stalling characteristics of the aircraft should form the basis for the design and certification of augmentation functions such as EFS and STS (including MCAS) that are used in support of meeting 14 CFR part 25, subpart B requirements.
In short, Boeing designed a full-authority flight envelope protection system, just like Airbus has. Except for the fact that Airbus uses a full triplex system (3 ADIRU-s with their own set of sensors), while Boeing went with a single source of data, treating the wetware on the seat as the pseudo duplex channel ("you are the backup", while neglecting to inform them of their role, or their potential physical inability to accomplish this, nor provide accurate force feedback in sims). Now they are trying to sell us a duplex/pseudo-triplex model with the consolation that while the beast still has half a brain (pun intended), it is at least more tame. All this while simply neglecting to tell us, the pilots and the flying public, exactly why it was needed in the first place. See O3.4-B above.
With all those changes listed, you are basically saying that if it was a different plane, the software would not be a problem (which in turn is an issue because we don’t really know that would be true or not since Boeing seems to have institutional problems).
The issue is that the plane was changed only enough to avoid a cert issue but to keep the plane flyable, software had to be implemented to keep the pilots and the plane in check.
So, the plane needs to be either redesigned or it won’t certify. You are correct in that Canada called Boeing’s bluff. But the software is the issue or the plane would not be flying anyways because it wouldn’t certify.
As the 737 MAX saga unfolds, I've been wondering just why options to modify the landing gear (say: telescoping legs, or placement, or both), is such anathema.
Clearly, moving engine pods alone is not without its risks.
Ground handling equipment for most of the 737 operators is designed around the low clearance. So if they were to make it sit higher, operators would have to remove a significant amount of equipment.
Laziness. This is absolutely a "fuck it, we'll fix it in software" problem. I don't think it would necessarily invalidate the type certificate to change the legs but Boeing has gotten away with doing the bare minimum of structural changes necessary to keep the 737 relevant. Adding fuselage tube sections is far easier than reworking the complex gear systems and moving everything out of the way to make the bays longer (737 has an equipment bay around the nose gear, mains have systems routed around them) so they will do just about anything to avoid that.
As the parent mentioned, that would make it a different plane, which would require the airlines to go through an expensive training process with their pilots. It seems Boeing initially preferred that but was talked out of it by airlines.
It would presumably be easier to just not have the rogue computer pulling on the control surface the other way? The trim wheel seems like a last ditch mechanism to deal with a malfunctioning hydraulic control system but that's not the problem with the MAX, rather the hydraulics are working fine but being told to do the wrong thing.
“In the course of the investigation, a new type of flight assistance system known as the Maneuvering Characteristics Augmentation System (MCAS) came to light. It was intended to bring the flight characteristics of the latest (and fourth) generation of Boeing's best-selling 737 airliner, the "MAX", in line with certification criteria. The issue that the system was designed to address was relatively mild. A little software routine was added to an existing computer to add nose-down trim in situations of higher angles of attack, to counteract the nose-up aerodynamic moment of the new, much larger, and forward-mounted engine nacelles.”
“Apparently the risk assessment for this system was not commensurate with its possible effects on aircraft behaviour and subsequently a very odd (to a safety engineer's eyes) system design was chosen, using a single non-redundant sensor input to initiate movement of the horizontal stabiliser, the largest and most powerful flight control surface. At extreme deflections, the effects of this flight control surface cannot be overcome by the primary flight controls (elevators) or the manual actuation of the trim system. In consequence, the aircraft enters an accelerated nose-down dive, which further increases the control forces required to overcome its effects.”
Right around 37:30 it shows how difficult it is to use the manual trim wheel to affect the plane's attitude.
One pilot has to move all focus to it, without touching the other controls.
It is still baffling to me how everything, from one sensor to a control system that can overwhelm the pilots with stick forces with no sanity checks in software, got through Boeing and then the FAA.
> One pilot has to move all focus to it, without touching the other controls.
And even that may not be enough.
It's quite plausibly physically impossible if the pilot happens to be less strong than this one, or if the aircraft's situation is worse than this simulator's.
In particular, the Ethiopian flight was in extreme overspeed (if I recall, past the max safe structural speed for the plane!), which increases all of these forces. I'm not sure whether that was being modeled by the simulator, or if the simulation's model of trim wheel force is a correct one.
There's certainly no guarantee that a pilot can produce the force required to relieve aerodynamic load on the stabilizer here. It's a purely mechanical system.
Actually, in earlier flight manuals for the 737 there was a description for the so called roller-coster-maneuver for exactly the case that the trim was so far off that it couldn't be operated manually any more. The maneuver consisted of pushing the yoke forward to take the pressure off the stabilizer and quickly trim back and then put the nose up again. So it was documented, that in certain conditions the forces could be too high for the pilots.
> It's quite plausibly physically impossible if the pilot happens to be less strong than this one, or if the aircraft's situation is worse than this simulator's.
That simulation would have ended in a crash if they didn't abort it.
So the pilots strength did not seem to matter and the situation was about as bad as it gets.
At least some simulators are capable of modelling those forces (I don't have any knowledge of the domain, but I would assume it's standard in "professional" simulators):
I think getting through Boeing was effectively the same as 'getting through' the FAA at this point though, since the FAA relied so heavily on Boeing in order to perform their stated duties.
The argument of Boeing for MCAS to be not "safety critical" is, that there is a trim cut out switch in every airplane, which is to be activated in case of a "trim runaway" to cut of all electricity to the trimming system, including MCAS. As this is a memory checklist, every problems should be able to just switch off MCAS in case of a problem...
As mentioned in the talk, the problem is, that reality differs, and the MCAS actions don't appear to the pilot like a normal trim runaway. Actually, the day before the Lion Air crash, the machine already had the same problem, but the pilots (as the story goes due to the advice of a third pilot present) did activate the cut out switch and solved the problem.
That still doesn't explain why Boeing didn't implement at least consistency checking with the other sensor. And of course, we know now, how wrong Boeing was in their assumption.
Unfortunately the next day, the other crew did not do this. And on the Ethiopian Air flight, they did activate the cut out switch, but way to late and didn't regain control of the machine, as it was out of trim too far.
Correction on the Ethiopian flight: They activated the trim cutout, were able to regain most control, and then deactivated it, presumably to adjust the trim, tested that they had trim controls, and then something happened to distract them from trimming it correctly and then cutting it back out.
Had they left it cut out, they would have been able to keep it under control, had they adjusted the trim and then cut it out, they would have been in a decent position to come back and land. It will be interesting to see what the investigation finds about why it was cut back in and then left.
In previous models you could cut out the auto trim while still having electric trim on the yoke enabled. Sadly in the MAX Boeing decided to get rid of this feature which would have been pretty damn useful for these crews.
It's controls designed in the 60s grandfathered in for many decades because of common type ratings that simply don't make any sense anymore. More modern clean sheet plane designs do not have the issue of literally not being able to apply enough force to adjust the trim!
I think the mismatch may be that these are all-manual designs, and the 737 is much larger now than when it was first designed, plus the first design didn't have automated systems counteracting your inputs.
Boeing was looking to do a clean sheet design, the airlines wanted to keep the same type rating. The presentation micharacterizes that bit of history, but that's what was going on. This follows what made the A320neo popular, Airbus took a older venerable design and re-engined it for higher efficiency.
The 777 got a similar upgrade that did include a new wing design.
Ultimately Boeing is looking to introduce an all-composites design that fills the 737 and 757 roles, but airlines desires for crew commonality might push that back.
Anyone old enough knows this is flows from 1980s Reagan deregulation policies. Now these same people (literally the same people, in some cases) are trying to blame the government for it. The government (FAA) is nominally at fault, but the reason they are at fault is exactly what you said - they could not get funding to do their job and relied on industry to self-regulate.
I can very faintly understand the reaction when Boeing was so successful. It just exemplify that no institution should rest on laurels and there should be mandatory external pressure and chaos monkey like systems to restore doubts.
It's ... within the realm of distant possibility. But generally not recommende practice.
Flight systems (fuel feed, hydraulics) assume a gravitational vector toward the bottom of the aircraft. Flying inverted would starve fuel and hydraulic systems.
We've seen it again and again: Industries do not "self-regulate." How many people have to die before the "REGULATION BAD!" people are put in their place?
In the Q&A, there were two questions about topics that the speaker wasn't really aware of.
1. A purchase option for an instrument/indicator that shows discrepancies between Angle of Attack sensors on each wing.
2. In the KC-46A Pegasus it seems the pilots are able to override the MCAS system by simply pulling on the controls.
For me, #2 would have been an interesting discussion as perhaps Boeing chose not to re-use this system because it might delay certification. Imagine being the person who (may) have made the call to create a worse software than something that existed to sneak past compliance.
Note that for the 767-2C/KC-46 it's very likely the case that the 767-2C wouldn't share a common type-rating with the rest of the 767 family (as this wasn't a requirement for the KC-46 contract!), and for the 737 MAX a lot of design decisions were driven by the desire for the 737 MAX to have a common type rating with earlier 737 models.
From the 767-2C type certificate:
> The Boeing 767-2C has not been evaluated by the Flight Standards Board. No pilot type rating or training, checking and currency requirement determinations have been made.
Note the only 767-2Cs built were to certify the type, no airline has ordered the freighter aircraft.
On #1. No-one has, other than speculating, confirmed the option is cost difference (there are hundreds of options for the 737 series, many of which are just configuration differences). In the case of the indicator, there would need to be additional training, so airlines may opt not to have it to save on training, since it is not required.
"Apparently the only design of the MCAS system the FAA saw was limited to a 0.6 degree deflection [of the stabilizer] at high speeds and only single deflection only. And that was changed and ... it is still unclear how that could happen ... it was changed to multiple activations, even at high speed, and each activation could move the stabilizer as much as 2.5 degrees, and there was no limit to how often it could activate." (~28min; emphasis added)
For me, in a crisis with a lot of burning questions, one I haven't seen raised much is: who changed the MCAS behavior after the FAA "saw" the first version? Someone decided this should happen, and someone implemented it (perhaps the same person). Forget the C-suite for a moment; someone in middle management made this call. Shouldn't they answer for it?
When stuff like this happens, it's a process issue, not an issue with a particular engineer. It's human nature to try to assign blame to people and that's why it's so important to avoid that. Whatever process created the flawed product is where the blame lies.
Somewhere in the group that produced MCAS, there's a process to permit changes to be submitted, reviewed, accepted or rejected, implemented and tested along with the documentation produced at each stage.
Maybe that process is broken, maybe it isn't. From the outside we can't tell. However, as responsible professional software developers what we should do is understand that these are system problems and not just look around for someone to pin the blame on.
Yeah, my first reaction after watching the video (it was a good video to watch over a morning coffee!) was that the author used passive voice several times without making it clear _who_ took a particular action ("It was decided" and other phrases like that). You make a good point that no one person might've made the call, however someone _must_ be accountable for it even if no single party is responsible (a single person at some level, possibly the CEO, probably below that level). That's what I'm personally curious to know.
as people died, now you need both: to identify the issue with the process that caused the problem to happen, sure, but also to identify key figures that signed off the design and trough the justice system identify whether exists a direct cause between their decisions and people deaths.
Are holding people to (moral, ethical) account and looking at problems from a systems perspective mutually exclusive?
These are systems problems, I fully agree, but they aren't only systems problems. The systems in question are people. They have minds, personalities, and agency. Eliding this - sorry for saying so - makes phrases like "whatever process created the flawed product [...]" sound absurd, borderline callous.
I hate to resort to what by now is a web forum trope, but would you look the MAX victims' families in the eye and say, word for word, what you wrote above: "No, 'they' shouldn't" be held to account? Come on dude.
In some different articles I read, the change from 0.6 to 2.5 came after flight testing of the aircraft when it became apparent that the MCAS system needed greater authority to function properly. That part of it was totally normal. The major error, however, was that the documentation was not updated following the changes. That created a situation where some people were looking at documentation that no longer reflected the true system.
You can read about it in more detail here.[0] Likely responsibility for the (series of) decisions was diffuse enough that perhaps no one person made the call.
Readit News
First, the engine placement means it has a non-linear control force curve, so it needs some system to compensate for that. Hence MCAS. This is because the landing gear can't be lengthened without expanding the gear bays, which would void the type certificate AFAICT.
Second, the larger size of the plane means that a single pilot cannot be guaranteed to be able to use the manual trim wheels in all flight modes. The force required is extreme, weaker pilots may not be capable of trimming the aircraft. This can't be fixed without changing the trim wheel size (which requires a new cockpit layout) and/or the horizontal stabilizer, both of which would void the type certificate.
Third, critical flight control systems need to be triple-redundant, and there are only two AOA sensors. Since the plane cannot be certified without MCAS (point 1) and MCAS can command a catastrophic failure (see two craters) it should be a triple-redundant system. A new AOA sensor would void the type certificate.
Canada stated that they would certify the MAX without MCAS and with required pilot training, if its performance characteristics were acceptable. Boeing has made no attempt (AFAICT) to try this, which raises suspicion that MCAS is in fact required for certification, which would make it a Fly-By-Wire system (and subject to appropriate regulations, requiring hardware changes) and not just a stability augmentation system. Essentially Canada called Boeing's bluff.
It's not the software that's the (only) issue. If it were, the plane would be flying by now.
No. Boeing wanted it to share a type rating with the rest of the 737 family, hence MCAS. This plane would be perfectly safe to fly if it had no MCAS and required a new type rating. Consider the 767 which has a stronger pitch-up characteristic and operates just fine. This meme has been debunked several months ago but keeps getting repeated along with the more ignorant 'the plane is inherently unstable'.
> The force required is extreme, weaker pilots may not be capable of trimming the aircraft.
This is true in all planes. In certain conditions, aerodynamic loads exceed the pilot's or even the hydraulic system's ability to overcome. Pilots are trained for how to recover from these conditions and regain trim authority.
> Canada stated that they would certify the MAX without MCAS and with required pilot training, if its performance characteristics were acceptable. Boeing has made no attempt (AFAICT) to try this, which raises suspicion that MCAS is in fact required for certification
This claim contradicts your first claim, as the authority indicates they will accept the plane without MCAS. So clearly, MCAS is not critical to safe the operation of the plane in the eyes of this authority.
Without MCAS the MAX loses the 737 type rating and becomes a commercial failure. Of course Boeing isn't going to even humour that avenue of action except as a last resort.
Please stop spreading thoroughly debunked misinformation.
GP didn't claim otherwise. GP claimed:
>> [...] so it needs some system to compensate for that.
And it does need that system - whether for safety is debatable, but it needs it for certification (not within the 737 family certification, but for certification full stop), because the FAA requires basically a linear control force curve.
>> weaker pilots may not be capable of trimming the aircraft. > This is true in all planes.
Source? I'd assume, in fact, that in most planes that is not the case - superhuman strength is not required to trim.
> This claim contradicts your first claim, as the authority indicates they will accept the plane without MCAS. So clearly, MCAS is not critical to safe the operation of the plane in the eyes of this authority.
No, it doesn't. There are three possibilities:
1. Without MACS, the plane is safe and certifiable, but not similar enough to be certified with the 737 family.
2. Without MACS, the plane is reasonably safe, but not certifiable under the specific FAA rule requiring linear control forces (though possibly under more lenient, eg Canadian rules).
3. Without MACS, the plane is not safe and not certifiable.
I think 2 is the case. 1 has been debunked, and you argue that 3 is false, too.
Does it fail? I will grant you this: 1) A significant number of people would refuse to fly it. 2) Pilots would need to be trained to the new type. 3) There would have to be more simulators constructed to handle the training load, and the airlines would likely force Boeing to bay for that.
OTOH: All the 737 ground equipment and gates and so forth will work perfectly fine. It seems to me that with suitable discounts, it would sell through. Not an easy sale, certainly.
Does the 737MAX really become an economic loser?
I agree with all of your corrections except this one. I've read that this yo-yo or rollercoaster maneuver was described in old 737 manuals decades ago, but then removed. It's not in the current manuals and I haven't heard anyone else claim that it was ever trained for by airline pilots, either back then or now.
I get the impression that Boeing decided some decades ago that needing to retrim without the motor and at extreme airspeeds and aerodynamic load was so unlikely that they didn't need to prepare pilots for it.
This would probably be true if they hadn't introduced a system that makes the stabilizer try to kill you, and then tied the off switch for that system to the off switch for the trim assist motor.
(A reason to be pedantic on this point is that it's important to know whether the lack of having performed this maneuver can be reasonably described as a pilot error.. although in the MAX cases there probably wasn't enough altitude to perform it anyway at the speeds involved.)
It does not qualify for a new one. The crew alerting system (EICAS) does not meet modern standards.
https://www.seattletimes.com/business/boeing-aerospace/boein...
If you're right and he's wrong, then MCAS is a non-critical system (augmentation, not fly-by-wire) and would require a mere software fix, which ought to have been completed by now.
Why hasn't it?
Yet, there has been no information released, at least publicly, as to the bare airframe flight characteristics (bare as in sans MCAS).
The reasons for the initial inclusion of the MCAS seems like it may have been related to the augmentation of the "touch and feel" of the flight controls, but we simply do not know at this point what were the reasons for the increase of it's operating envelope and authority.
> Please stop spreading thoroughly debunked misinformation.
If you have a source for the debunking, I would appreciate if you could share it. In the meantime, our best bet is to hope for one of the other CAA-s to conduct said bare airframe tests.
I suspect that one must also consider that the Boeing's PR department is busy coloring the narrative in a favourable way.
Source: https://www.faa.gov/news/media/attachments/Final_JATR_Submit...
Recommendation R3.4:
The FAA should review the natural (bare airframe) stalling characteristics of the B737 MAX to determine if unsafe characteristics exist. If unsafe characteristics exist, the design of the speed trim system (STS)/MCAS/elevator feel shift (EFS) should be reviewed for acceptability.
Observation O3.4-A: The original implementation of MCAS was driven primarily by its ability to provide the B737 MAX with FAA-compliant flight characteristics at high speed. An unaugmented design would have been at risk of not meeting 14 CFR part 25 maneuvering characteristics requirements due to aerodynamics.
Observation O3.4-B: Extension of MCAS to the low-speed and 1g environment during the flight program was due to unacceptable stall characteristics with STS only. The possibility of a pitch-up tendency during approach to stall was identified for the flaps-up configuration prior to the implementation of MCAS.
Finding F3.4-A: The acceptability of the natural stalling characteristics of the aircraft should form the basis for the design and certification of augmentation functions such as EFS and STS (including MCAS) that are used in support of meeting 14 CFR part 25, subpart B requirements.
In short, Boeing designed a full-authority flight envelope protection system, just like Airbus has. Except for the fact that Airbus uses a full triplex system (3 ADIRU-s with their own set of sensors), while Boeing went with a single source of data, treating the wetware on the seat as the pseudo duplex channel ("you are the backup", while neglecting to inform them of their role, or their potential physical inability to accomplish this, nor provide accurate force feedback in sims). Now they are trying to sell us a duplex/pseudo-triplex model with the consolation that while the beast still has half a brain (pun intended), it is at least more tame. All this while simply neglecting to tell us, the pilots and the flying public, exactly why it was needed in the first place. See O3.4-B above.
Disclaimer: pilot.
The issue is that the plane was changed only enough to avoid a cert issue but to keep the plane flyable, software had to be implemented to keep the pilots and the plane in check.
So, the plane needs to be either redesigned or it won’t certify. You are correct in that Canada called Boeing’s bluff. But the software is the issue or the plane would not be flying anyways because it wouldn’t certify.
Clearly, moving engine pods alone is not without its risks.
Also the 737-10 does sit higher: https://www.geekwire.com/2018/boeing-737-max-10-landing-gear...
Why would a new (third) AOA sensor void the type certificate?
https://www.youtube.com/watch?v=PlaMQBEg-9M
“In the course of the investigation, a new type of flight assistance system known as the Maneuvering Characteristics Augmentation System (MCAS) came to light. It was intended to bring the flight characteristics of the latest (and fourth) generation of Boeing's best-selling 737 airliner, the "MAX", in line with certification criteria. The issue that the system was designed to address was relatively mild. A little software routine was added to an existing computer to add nose-down trim in situations of higher angles of attack, to counteract the nose-up aerodynamic moment of the new, much larger, and forward-mounted engine nacelles.”
“Apparently the risk assessment for this system was not commensurate with its possible effects on aircraft behaviour and subsequently a very odd (to a safety engineer's eyes) system design was chosen, using a single non-redundant sensor input to initiate movement of the horizontal stabiliser, the largest and most powerful flight control surface. At extreme deflections, the effects of this flight control surface cannot be overcome by the primary flight controls (elevators) or the manual actuation of the trim system. In consequence, the aircraft enters an accelerated nose-down dive, which further increases the control forces required to overcome its effects.”
Deleted Comment
One pilot has to move all focus to it, without touching the other controls.
It is still baffling to me how everything, from one sensor to a control system that can overwhelm the pilots with stick forces with no sanity checks in software, got through Boeing and then the FAA.
And even that may not be enough.
It's quite plausibly physically impossible if the pilot happens to be less strong than this one, or if the aircraft's situation is worse than this simulator's.
In particular, the Ethiopian flight was in extreme overspeed (if I recall, past the max safe structural speed for the plane!), which increases all of these forces. I'm not sure whether that was being modeled by the simulator, or if the simulation's model of trim wheel force is a correct one.
There's certainly no guarantee that a pilot can produce the force required to relieve aerodynamic load on the stabilizer here. It's a purely mechanical system.
While the Ethiopian crew did have the overspeed warning going off, it was well below the "do not exceed" and "max dive" speeds.
I'm not sure whether that was being modeled by the simulator, or if the simulation's model of trim wheel force is a correct one.
It wasn't. Boeing's already admitted that their simulators don't correctly emulate the forces on the trim wheel.
That simulation would have ended in a crash if they didn't abort it.
So the pilots strength did not seem to matter and the situation was about as bad as it gets.
https://www.youtube.com/watch?v=aoNOVlxJmow
Deleted Comment
As mentioned in the talk, the problem is, that reality differs, and the MCAS actions don't appear to the pilot like a normal trim runaway. Actually, the day before the Lion Air crash, the machine already had the same problem, but the pilots (as the story goes due to the advice of a third pilot present) did activate the cut out switch and solved the problem.
That still doesn't explain why Boeing didn't implement at least consistency checking with the other sensor. And of course, we know now, how wrong Boeing was in their assumption.
Unfortunately the next day, the other crew did not do this. And on the Ethiopian Air flight, they did activate the cut out switch, but way to late and didn't regain control of the machine, as it was out of trim too far.
Had they left it cut out, they would have been able to keep it under control, had they adjusted the trim and then cut it out, they would have been in a decent position to come back and land. It will be interesting to see what the investigation finds about why it was cut back in and then left.
I think the mismatch may be that these are all-manual designs, and the 737 is much larger now than when it was first designed, plus the first design didn't have automated systems counteracting your inputs.
The 777 got a similar upgrade that did include a new wing design.
Ultimately Boeing is looking to introduce an all-composites design that fills the 737 and 757 roles, but airlines desires for crew commonality might push that back.
Probably even earlier. The trim wheels in the Boeing 707 look pretty similar to the 737.
See page 30 at 33.00
https://youtu.be/PlaMQBEg-9M?t=1989
Flight systems (fuel feed, hydraulics) assume a gravitational vector toward the bottom of the aircraft. Flying inverted would starve fuel and hydraulic systems.
https://outline.com/73xHvn
We've seen it again and again: Industries do not "self-regulate." How many people have to die before the "REGULATION BAD!" people are put in their place?
1. A purchase option for an instrument/indicator that shows discrepancies between Angle of Attack sensors on each wing.
2. In the KC-46A Pegasus it seems the pilots are able to override the MCAS system by simply pulling on the controls.
For me, #2 would have been an interesting discussion as perhaps Boeing chose not to re-use this system because it might delay certification. Imagine being the person who (may) have made the call to create a worse software than something that existed to sneak past compliance.
From the 767-2C type certificate:
> The Boeing 767-2C has not been evaluated by the Flight Standards Board. No pilot type rating or training, checking and currency requirement determinations have been made.
Note the only 767-2Cs built were to certify the type, no airline has ordered the freighter aircraft.
For me, in a crisis with a lot of burning questions, one I haven't seen raised much is: who changed the MCAS behavior after the FAA "saw" the first version? Someone decided this should happen, and someone implemented it (perhaps the same person). Forget the C-suite for a moment; someone in middle management made this call. Shouldn't they answer for it?
When stuff like this happens, it's a process issue, not an issue with a particular engineer. It's human nature to try to assign blame to people and that's why it's so important to avoid that. Whatever process created the flawed product is where the blame lies.
Somewhere in the group that produced MCAS, there's a process to permit changes to be submitted, reviewed, accepted or rejected, implemented and tested along with the documentation produced at each stage.
Maybe that process is broken, maybe it isn't. From the outside we can't tell. However, as responsible professional software developers what we should do is understand that these are system problems and not just look around for someone to pin the blame on.
These are systems problems, I fully agree, but they aren't only systems problems. The systems in question are people. They have minds, personalities, and agency. Eliding this - sorry for saying so - makes phrases like "whatever process created the flawed product [...]" sound absurd, borderline callous.
I hate to resort to what by now is a web forum trope, but would you look the MAX victims' families in the eye and say, word for word, what you wrote above: "No, 'they' shouldn't" be held to account? Come on dude.
[0] https://www.seattletimes.com/seattle-news/times-watchdog/the...