Bjorn’s Corner: The Ethiopian Airline’s Flight 302 crash

By Bjorn Fehrm

March 15, 2019, ©. Leeham News: With the crash in the weekend of Ethiopian Airlines Flight 302 we take a break from the Yaw and Roll stability discussions to look at what happened Sunday.

The 737 MAX 8 with 157 persons onboard crashed six minutes after takeoff. Here is what we know.


Flight path

The aircraft crashed after having taken off from Runway 7R on Addis Abebba Bole airport. FlightRadar 24 (FR24) has captured the ADS-B signal from the flight from runway roll to 2 minutes and 45 seconds into the flight, Figure 1, the Yellow-Green curve. When FR24 lost tracking of the flight it continued for another three minutes until it crashed at the end of the red curve from about 1000ft above ground.

Figure 1. RET302 flight’s path after takeoff from Addis Abeba Bole airport. Source: FR24 and Leehalm Co.

The flight’s FR24 ADS-B altitude and speed traces are shown in Figure 2 and 3.

Figure 2. ET302 FR24 ADS-B altitude and vertical speed traces. Source: FR24 and Leeham Co.

Figure 3. ET302 ADS-B ground speed trace. Source: FR24.

The FR24 ADS-B receivers had bad reception so there are dropouts in the one-second rate emissions from the ADS-B transmitter on the aircraft. The Authorities have in the meanwhile been able to complement the ADS-B trace all the way out to the 6 minutes point of the crash by Satellite receivers picking up the ADS-B signal from the flight. We don’t have access to this data.

There are several things to note from the traces and information which has been given from Ethiopian Airlines:

  • The crew declared an emergency after takeoff demanding to return to the airport. The crew reported they had unreliable airspeed indications and difficulties to control the aircraft.
  • The aircraft climbed very slowly and only to about 1,000ft above ground before crashing.
  • The airspeed was high, however. Normal would be to stay at 250kt below 10,000ft. The graph in Figure 3 shows the aircraft’s Ground speed, which is different to its speed through the air, but any wind affecting the real speed of the aircraft should have been below 20kts at the altitude flown.
  • It’s likely the crew retracted the takeoff flap somewhere around local time 5:39:40 as the speed thereafter rises above the maximum Flap speed for the 737 MAX of 250kts.
  • As the flaps are retracted any too high Angle of Attack signal, like in the Lion Air case, it will then trigger repeated MCAS nose down actions.

There are irregularities in the vertical speed data from FR24, but I would caution to interpret it as the MCAS nose down trim followed by the Pilot counter trimming, then MCAS trimming nose down again for the Lion Air flight. The FR24 data has dropouts of 10 to 15 ADS-B emissions between its values, so it’s difficult to draw any firm conclusions from the data.

The vertical speed trace in Figure 3 is calculated from adjacent altitude ADS-B values. Once again with large dropouts in the data, one shall be cautious with conclusions from this trace.

What conclusions can be made?

We can conclude from the radio communication from the crew and from the FR24 data the Crew had unreliable airspeed problems like the Lion Air flight.

If this is caused by a faulty AoA signal the air data computer on the side with the faulty AoA will do an erroneous correction of the airspeed and altitude it feeds the Pilots display for this side of the aircraft. This will trigger a master warning in the aircraft of unreliable airspeed as there will be a difference in the airspeed of the affected side and the co-pilots airspeed. There will also be a difference to the third independent backup indicator’s airspeed.

If it’s a too high AoA signal causing the unreliable airspeed, we can assume the stall warning will be on for the affected pilot from liftoff. This will cause the artificial Yoke feel system to increase the Yoke force. The flying pilot will feel he needs an increased back force on the Yoke to hold the aircraft level.

If the flaps are retracted, the MCAS system will start trimming nose down. It will be interrupted by the pilot trimming nose up to compensate but will start again after a 10-second delay, once the pilot has stopped trimming.

In this situation, the pilots shall shut off the aircraft’s trim system and trim manually. If this is done and what exactly happened until the crash we will know when the French DEA has read out the data from the data and voice recorders the Ethiopian authorities sent them and the Ethiopians have decided to brief the public on the results.

The Seattle Times today wrote the horizontal stabilizer trim system, a jackscrew which pushes the horizontal stabilizer up or down, has been found at the crash site. Apparently, it was in the full nose down position. This should point to this being another MCAS accident, with the aircraft’s powerful pitch trim going to full nose down position.

The aircraft can then not be held level with the pilot’s elevator control; he needs to trim against the MCAS trimming to keep pitch authority.  Why the pilots didn’t use the trim cutout switches to shut down MCAS trimming, we will learn from the voice recorder read-outs.

Where is the fix to the problem?

The fix to the problem of the MCAS kicking in when it shouldn’t will be ready in April, according to Boeing. The updated software for the MCAS function has several changes. Here how Boeing communicated the changes at 12th of March:

For the past several months and in the aftermath of Lion Air Flight 610, Boeing has been developing a flight control software enhancement for the 737 MAX, designed to make an already safe aircraft even safer. This includes updates to the Maneuvering Characteristics Augmentation System (MCAS) flight control law, pilot displays, operation manuals and crew training. The enhanced flight control law incorporates angle of attack (AOA) inputs, limits stabilizer trim commands in response to an erroneous angle of attack reading, and provides a limit to the stabilizer command in order to retain elevator authority.

The following is noteworthy from Boeing’s communication:

  • The triggering Angle of Attack signal gets verified against other data to check the signal is valid.
  • There will only be one instance of nose down trimming, not repeated ones like today.
  • There will be a limit to how far the MCAS can trim the horizontal stabilizer nose down, so the aircraft’s elevator can compensate and control the aircraft even against a malfunctioning MCAS.

One now asks why such check and limits were not implemented in the first place? There are several areas of question marks over Boeing’s problems with the 737 MAX’s sensors and stability augmentation system:

  • It’s strange the AoA signal to the Air data computer gets corrupted on brand new aircraft with only months between presumably two cases of it happening.
  • It’s also strange there were no balances or checks in the system to check the signals were correct and not erroneous. The signals were used to trigger powerful and potentially dangerous functions in the flight control system.
  • Finally, it’s strange how MCAS was allowed to trim the horizontal tailplane full nose down. It’s not needed to fulfill its intended stabilizing function in a remote part of the flight envelope. By allowing this to happen, MCAS can overpower the pilot’s elevator control and render the aircraft uncontrollable.

There will be a lot of debate around the implementation of the MCAS function for the 737 MAX. With the fix, Boeing and FAA now show what was wrong with the implementation in the first place.

Edit:

There are many questions put in the comments section which are answered by previous articles on this subject. For those who want to read more, here are links to these articles. Just click on the Headline or the light grey “Continue reading” of the synopsis:

Boeing issues 737 Operations Manual Bulletin after Lion Air accident

Boeing’s automatic trim for the 737 MAX was not disclosed to the Pilots

Indonesian authorities release preliminary Lion Air crash report

Bjorn’s Corner: Pitch stability

Bjorn’s Corner: Pitch stability, Part 2

Bjorn’s Corner: Pitch stability, Part 3

Bjorn’s Corner: Pitch stability, Part 4

Bjorn’s Corner: Pitch stability, Part 5

Bjorn’s Corner: Pitch stability, Part 6

Bjorn’s Corner: Pitch stability, Part 7

Bjorn’s Corner: Pitch stability, Part 8

Bjorn’s Corner: Pitch stability, Part 9

Bjorn’s Corner: Pitch stability, Part 10. Wrap up.

235 Comments on “Bjorn’s Corner: The Ethiopian Airline’s Flight 302 crash

  1. I have a couple questions.

    Do we know how far from required stall caracteristics the aircraft is without the MCAS?

    How serious is this deficiency?

    How much redundancy, based on the seriousness of the deficiency, will be required by the revised MCAS?

    Based on the very old and limited FCC/sensor package/system layout on the 737Max, how much redundancy can feasibly been built into a revised MCAS system?

  2. “a flight control software enhancement for the 737 MAX, designed to make an already safe aircraft even safer.”

    This PR sentence makes me crazy. Boeing is not going to sort out this crap with this kind of poor dialectical assertion.
    Anyway the work is starting this morning at the BEA’s lab, let’s wait and see.

    • Boeing can’t say “to make an unsafe plane safe”. They will lose all their profits of decade in paying Compensation to victims of Lion Air JT610 and the current ET302.
      The PR crap is a legal one and can’t be otherwise. But the problem is NOT what Boeing says, it’s what FAA does or says.

      FAA HAVE sided with Boeing in all aspect since Oct 29, 2018 when JT610 crashed and killed 189. BIASED/Colored Authority

      • How about just leave that clause out altogether and state the facts? I think that would have both been better and looked more trustworthy and not written by a PR hack:

        “For the past several months and in the aftermath of Lion Air Flight 610, Boeing has been developing a flight control software enhancement for the 737 MAX [cut]. This includes updates to the Maneuvering Characteristics Augmentation System (MCAS) flight control law, pilot displays, operation manuals and crew training….”

        • Boeing can’t admit it is wrong, no matter how wrong.

          Its in the DNA. Goes back a long ways.

          Form or Arogance.

  3. The question we should be asking is why and what was the purpose of the MCAS function. If the MCAS is developed to correct or compensate the stability of the plane then would it not be logical to resolve the issue with redesign or modification to the offending component instead of using software (which is faulty in itself) to correct or compensate the instability? In my opinion Treat the source not the symptoms or the root of the problem will always be there.

    • You can teach horses to sing and you can’t train pigs to fly.
      To compete with the NEO Boeing had to cut as many corners as possible. ( Even with being advantaged by the existing cop outs in this grandfathered platform.)

      Longer legs: Kills the certification and adds a big basked of ancillary items ( like evac slides … )
      increases cost.
      fixing pitch up: larger tail increases drag
      increases cost.
      ( they already changed the tail contour for better airflow
      and thus improved rudder authority )

      Fan size limit already is tighter than on A320.

      Boeing haphazardly stands on the very peak of an iceberg
      just above the water line.
      Step minimally left or right, forward or back and you are in deep water. The 737 platform as is founders.

      I hadn’t imagined that things were so tight.
      But I also hadn’t imagined the Boeing would be so carelessly “cheap” in doing their work as if it would not be worth it. Actually an impression I had on the 787 too.
      Most of the problems were and are caused by some kind of disinterest. What does Boeing know that is not publicly visible?

      • If I understand correctly, those are possible alternative fixes for the consequences of fiting those bigger and heavier engines further up and forward.
        That changed the centre of lift and added a tendency to pitch down.
        Isn’t it?

        • in a normal flight attitude center of lift is where it belongs.
          BUT IF you pitch up beyond a certain point the lift/drag created by the nacelles sitting forward and near level of the wing creates a pitch up moment. ..
          Increasing pitch up and thus further increasing …
          positive feedback, a suicide machine.

          • Capt G:

            The so called stability issue keeps coming front and center with some, its not the issue involved.

            There was a change in handling characteristics at the edge of or into a stall.

            That is extreme edge of envelope where the 737 would never be (sans other issues) –

            The only losses (non MAX) since the rudder incidents on the 737 have been pilots who put the aircraft out of control.

            Frankly its not a stability as much as a leverage issue going into stall. The new engine location pushes it further but would not do so unless you were in a stall (which few if any pilots – short of out of control – ever see outside a simulator)

            In this case fixing one aspect has caused lethal consequences.

            Its not the fix but the gross failure to do it right.

            I major aspect is what the hell is causing AOAs suddnely to go buggy?

            In the NG you would get stall warnings and stick shakers regardless if this occurred.

            If its happened its not been publicly reports so that is a critical element of this.

            The other part is that there is bogus air speeds (separate system) and why are the two occurring together?

            As a pilot I could handle failures, the more failures you have the more task saturated you get.

            At some point the failure cascades into pilot no longer ahead of the curve but behind it and confused no longer taking the right actions.

          • Transworld, there are a couple of things wrong with your presentation.

          • Am sorry TW but you maintain that this is only of academic importance because the pitch issue only occurs near stall. I don’t think this has been proven positively or negatively outside of the confines of Boeing/ FAA. Simply at present we know there is higher sensitivity to this condition and that the FAA were sufficiently concerned to require additional protection

          • Well Bjorn accepts its true so why would you not?

      • That is what happens when you let an ex consultant, ex GE CEO with only training in finance run an engineering company. Focus is on costs, margins, financial engineering rather than developing great products.
        Bulk of their order book is this plane which was designed in the 60s.

    • MCAS is an NEW, ad-hoc, afterthought, add-on, auto-flight-control System BUT outside the stable AutoPilot (now found in all aircrafts).
      It’s installed in B737Max ONLY and NOT in B737 NG (many don’t know this). Any Training on the Latter (simulator) DOES NOT cover anything about MCAS.
      MCAS had to be added as the NEW Engines of Max are Bigger, raised and shifted forward causing high Nose-up when throttled. MCAS, autonomously, forced a Nose-down to compensate W/O THE PILOTS COMMAND!
      The current MCAS takes input from ONLY ONE AoA sensor (when three are available)!! And these: Flaps IN, Autopilot OFF, steep turn, “high” Nose-up. UTTER NONSENSE!
      Won’t you REPLACE such NONSENSE Single-Point Falure System S/W? Boeing and FAA talk of “Updating”, “Patching” MCAS!! AND “to make already a safe aircraft safer” (Disgusting)!
      One CAN write a Safe MCAS, Always, but, must respect Murphy’s Law and design for WORST CASE scenario.
      Boeing/FAA looks at BEST CASE scenario, no Dr Murphy … Poor Lost Souls.

    • Agree.
      Personally, I When I look more and more into the system it seems to me that its real function is to help pilots recover in a stall due to the extra pitch up moment created by the new engine location.
      Now the system has been branded as stall prevention and aid to manual pilotage.
      However, it does not make sense to let the horizontal stabilizer move this way (MCAS does base on altitude and Mach number) to prevent entering a stall or stabilize the plane
      Would Boeing have difficulties certifying the aircraft without MCAS during stall recovery demonstration based on part 25?
      By the way, those planes did not experience steep turns why the MCAS comes in?

      • Its based on AOA and if the AOA says you are a high enough AOA it activates.

        Turn keeps coming into it, while a turn increases the stall (lowers what AOA takes to stall it) its not the sole decision maker in this.

        Straight ahead too high AOA also will stall.

        I think there is a bank factor.

        Speed wise I am less sure as both crashes also had speed issues though two Indonesia flight did not report speed issue (could be wrong)

      • JT610 DID have a Steep Left Turn, ET302 also had a right turn (may be steep)!
        FYI, the immediate previous flight JT043 to JT610 with same A/C Regn PK-LQP had the SAME problems as JT610 but had Straight trajectory and had time to switch off the Trim toggles Twice at 9000 ft and didn’t perish.
        JT610 was at 5000 ft, didn’t put off the Trim toggles.

    • If you had read previous articles in Bjorn’s corner, I’ll see that it is usual business for OEMs to add stability augmentation systems to enhance the margin. Yaw dampers, a device ubiquitous in modern swept wing airliners since 707 IIRC, is a perfect example for that. Relaxed static stability compensated by FBW control laws is also already in place in new Boeing FBW jets like 777 and 787 and can be traced back to the rather infamous MD-11 (Called LAAS).

      People keep stressing that the larger engine as the problem. I myself think though that had MCAS been properly implemented with well-thought-out inputs and failure modes, and had Boeing informed airlines and pilots of this reduced stability at the edge of the envelope such that proper training was done, 737 Max would have been just as safe as every other jets out there.

    • I think an elevator that had more lift at those angles of attack when the nacelle starts to add too much lift could make the 737MAX more linear until stall happens.
      Most likely a bigger elevator in span, chord or both. Software “fixes” also take time to certify.
      Boeing most likely has the design ready and just need Witchita or somone to make the tools and rivet it together, still the certification program will take some time unless it is already fully ran in the wind tunnels, CFD and FEM analyzed and needs its instrumented flight test program without the MCAS software to verify all the computer runs. The SB would be pretty simple, rpl stabilizer and maybe modify the THSA (actuator) and load the revised software. The Aircraft Operating Manual should just have minor revisions.
      If Boeing is lucky maybe just a larger chord elevator with a 1-2 inches on the same stabilisator is enough to get inside FAA requirements with a revised Elevator Feel Computer and removed MCAS software.
      We will see which road they choose.

  4. The sort of questions you pose at the end of your article are those one would assume are asked at a System Risk Analysis and documented that the risks are low or have been addressed. For example, one obvious risk would be AoA sensor fault/incorrect reading, document how that would impact the MCAS system, followed by what is in place to manage.

    Like the O rings on the shuttle disaster, there will be someone in Boeing or a supplier that was warning that the risks were identified but for time pressure reasons management overruled or discounted the risks.

  5. Thanks for the clear analysis Bjorn.

    From what you’ve read, does this fix seem to have better than even odds of returning the 737MAX to flight (although possibly with need for further fixing re the AoA fault) or worse than even odds?

  6. “One now ask why such check and limits were not implemented in the first place? ”

    I ‘ve been thinking about this a bit.

    I have a theory based on the info handed out that
    not raw AoA data is handed downstream but sanitized
    data sets including various corrections, sensor interleaf, ….
    are handed to MCAS and other sinks.

    It also takes a range of “unreliable airspeed” and other data consistency problems reported by pilots ( US as well as PRC ) into account.

    The sanitized air data sets were pronounced to be error free.
    ( but this does not seem to have been proven or certified.)

    Thus MCAS must only show that with correct data it will work in the intended way.

    I see a very faint link to the A330 ADIRU software bug clashing with data sanitation done by A330 FBW.
    Though here I think it is a rather in your face show of bad processes ( design, realisation, certification.)

    In a way we see the same kind of shaving thin any margins in the processes for profit reasons that brought us the GFC.

    Another BAD examples was/is Microsoft Windows OS were various shortcuts and “quantum tunnels” bypassed the canonical interfacing. pinpoint performance advantage but also the foundation for unpleasant bugs and inroads for infestations and roadblocking of further developement.

    Good design requires partitioning, well defined interfaces,
    sources that deliver above spec and sinks that allow under spec performance band of safety.

    Boeing seems to have taken a lesson from Microsoft.
    ( OK, they are neighbors 🙂

    • I think Boeing, FAA and EASA relied on the cut-out switches that the pilots will flip the switches as soon as the trim is not per expectations and trim manually.
      In reality they do not always do as expected. They have a yoke in their hands and like to hold on and pull it. It is a bit like some horse riders holding onto the bridle even if they are mid air crashing off the horse and still hold on when on the ground with a broken collar bone.

      • Afaics EASA only green stamped the MAX cert. ( as per mutual cert arrangement )

        In the Checklist Trim Run Away is apparently described as continuous activity. running, running, running, no stop.
        -> pull switches.
        The visible effect is trim correctng. pause. trim correcting, pause testing trim switches :: even longer pause.
        If you follow the checklist you seem to not land on run away trim and thus not on switching trim off.

      • NG and MAX have a common rating, pulling rhe yoke worked on one, so guys have an immediate reaction, especially under stress, at low altitudes, with little time/height to think, to do it again, on the other. Also crews going back and forward between NG and MAX, might be getting mixed up a bit. A separate type rating might have prevented it. It sounds as though the MAX’s charactoristics aren’t exactly dangerous, but they are different.

  7. Would it be possible one of the other bodies (eg EASA) take a slightly different view on the fix the FDA, they’ve already shown to have taken a different view on the safety of the aircraft.

  8. The weired thing is, with flaps out you shouldn’t have issues- MCAS is not active.

    But the update list from Boeing speaks for itself:
    “The triggering Angle of Attack signal gets verified against other data to check the signal is valid.
    There will only be one instance of nose down trimming, not repeated ones like today.
    There will be a limit to how far the MCAS can trim the horizontal stabilizer nose down, so the aircraft’s elevator can compensate”

    So Boeing connected MCAS to just one sensor? No plausability check.
    WTF….how can that be fail safe?
    As it makes sense to constantly trim down the nose if the system detects stall it’s clear why pilots have issues if they trim the plane and MCAS is then overtrimming them.
    And the 3rd point, it should be clear MCAS can just trim the plane so it’s recoverable.

    So far this alone sounds like a major blunder from Boeing, it is actually a recipe for catastropy.

    • So Boeing connected MCAS to just one sensor? No plausability check.
      WTF….how can that be fail safe?

      I think they’ve really combined quite a few things here into MCAS from a solution design perspective that each on its own you really, really shouldn’t do.

      They designed and implemented an automatic system with
      1) single-point-of-failure sensor input
      2) no cross-checking/tie-breaker/quorum mechanism in place to determine in sensor input is potentially erroneous
      3) no limit on the maximum trim
      4) no limit on the number of trim commands issued

      For each individual point on its own you really have to wonder how it even made it through the initial architectural stage of the solution design. Never mind how all four combined made it through to the finished product.
      Plus you really have to wonder how on earth the system made it through certification.

      Besides Boeing, questions should be directed at the FAA and those that followed the FAA’s guidance on MAX certification.

      • Point made before.

        Brazil AHJ saw it and took action in manuals and training

        Rest of the world AHJ did not.

        Clearly all AHJ should act as cross check to others and not blindlyu follow, they have to and are oblciatged to do their oan analysis.

        Why was it not done EU, China, Japan, even Russia, UK?

        I would be more than embarrassed that a so called third world country caught this and the so called West and others did not.

        Its still a crappy aspect, but at least they had it in place to better deal with it and give all on board a better chance until this got sorted out as the incidents would occur anyway.

      • This wonders me as well. Maybe cost cutting in R&D department. Outsourcing design to less experienced team? This is like putting prototype/prove of concept code/solution into production. This does not consider edge cases you can come up with in 1 hour team discussion.

        • It sounds like the FAA complained pretty late in the certification process and Boeing did a quick and dirty fix to get FAA to tick the box and keep the certification schedule.
          Now we know it should have been fully redundant system from a number of sensors on the databus including the gyros with the new logic and maybe revised stabilizor/elevators.
          By Japanese logic there are 7 other problems of similar magnitude to be found and corrected when you get hit by one disaster.

  9. Within EASA Cs25 certification, the ongoing maintenance and safety data is enshrined with the AMC, so serious questions shall have to be answered whether the ongoing AMC safety data supports the initial Cs25 certification?

    • Brian:

      Could you list what AMC is?

      Cs25 Certification’s is what?

  10. Bjorn, thanks for your analysis as always.

    I am unsure, however, where you extract the following two points from Boeing’s communication:
    – The triggering Angle of Attack signal gets verified against other data to check the signal is valid.
    – There will only be one instance of nose down trimming, not repeated ones like today.
    By my reading, the Boeing statement does mention anything like the first statement (“incorporating AoA inputs” does not say how those inputs are incorporated or if they are compared). Moreover, while it does say there will be limits on the nose down command, this does not need to mean there will be only one instance of nose down trimming. It could well trim the nose down multiple times before it hit its “limit”.

    Moving on.
    My understanding of how these systems are engineered is that are two important metrics to the performance of the MCAS safety system:
    1. The probability of failure on demand (the probability the safety function does not work when it is needed). This needs to be sufficiently low to effectively protect against the hazard for which it exists.
    2. The probability of incorrect activation. This matters, because the activation of the safety function at the wrong time is itself a hazard. This also needs to be low enough to be tolerable.

    If we compare both AoA sensors before doing anything, we reduce the probability of incorrect activation, but increase the probability the safety function will not activate at the time it is actually needed. With one AoA sensor inoperative, we lose the stall protection. This was previously not the case. One wonders if this was not the reason the values were not compared to start with: AoA sensors seem to freeze up fairly regularly, so we would lose the stall protection fairly regularly.

    Rather than trade-off between the two, the better engineering solution would appear to be to add another AoA sensor (so that there are three) and use voting. I know Airbus does this on their entire fly by wire family. Presumably this is avoided for cost or complexity reasons?

    • I believe it has to do with the legacy mechanical underlying nature of the 737.

      As there is no backup mechanical on an Airbus FBW (or any other) they have to have that system.

      Disagreements in the 737 are resolved by shift to the other pilot or using the mechanical backup.

      Previously a pilot could overcome the system on a Boeing, this is a case where he can’t control wise but has to revert to a system removal function (trim motor cutout) and use manual.

      I can see that being a surprise element of a Boeing pilot.

  11. Let’s try some plain logic.

    a) Why was the MCAS installed in the first place? The only explanation is that the Max is prone to stall. The normal flight envelope is too narrow. The plane does not offer the required stability. It would not be safe and not be certified.

    b) Why did Boeing design the MCAS so badly and so undersized, with no redundancy and only existing sensors and hardware? Because a larger and more complex (and safer) system would have become very obvious, which brings us back to a)

    c) If Boeing now fixes the MCAS by adding sensors and other hardware, writing new software, test flying for quite some tima and all, how does that change a)? It would still be a plane that is not safe to fly manually. Maybe the FAA would still approve, but other authorities?

    d) If European, Japanese, Chinese,… authorities won’t accept the patched up unsafe plane (which would not come as a surprise to me) the 737 is dead. Deliveries to non-US customers would not resume. What hapens with the planes that are already in service? Would they go back to Boeing? Say the FAA approves but the ESEA doesn’t. Will Norwegian be able to return the planes to Boeing? At what price? Will US airlines really accept further deliveries?

    e) Would it be possible to mount CFM56 engines on the Max to make the planes servicable? Probably not.

    f) Will Boeing resume full sized production of the 737NG instead? Sell them at especially low prices to keep the producion open and retain customers?

    g) How fast can Boeing develop a successor? If they use all existing technology and stick to full-aluminum, maybe 3-4 years?

    x) Doesn’t look good for Muilenburg and whoever has made the decision to bring the Max to market. Doesn’t look good for the great people working at Boeing, the suppliers, the airlines. Has the potential to create significant losses for the shareholders.

    y) Oh, but at least this might turn out well for our planet, as ticket prices will rise and the number of flights will be reduced for a good while.

    • It’s not just about customers in the countries who are directly affected by approval that will affect the commercial proposition.

      One of the reasons the FAA eventually made the decision was the huge passenger backlash against flying on the aircraft that had already been deemed ‘unsafe’ by other regulators. Would passengers be willing to take a flight knowing that that Europe still deemed the aircraft unsafe? Would airlines be willing to accept an aircraft knowing that it’s resale value was severely diminished (half the customer based ruled out, half limited to the routes they fly, passengers not trusting).

      Would the likes of American and Southwest have stipulations in their contract that the aircraft have FAA AND EASA AND china etc approval? (imagine the EASA part could well be relevant)

      • I assume that the US airlines have nothing in their contracts in regard of other authorities but the FAA. But it’s really hard to predict to which conclusions the FAA will come to. But I expect the EASA and others to withdraw the certification and I just can’t see how Boeing will regain it.

        Anyway, keeping the 737 production running full throttle is suicidal.

        • Stopping 737 produci9on is suicidal for a easily fixed issue.

          Boeing will not do so.

          EASA will only pull cert if they are not satisfied with the fix.

          At leas this time they will actually look at it.

          They are as culpable as the FAA for not doing their job.

          • This is what happens when you basically just accept the other’s certification of a frame.

            If this doesn’t cause a rethink on the relationship between the manufacturers and the certifying bodies, I don’t know what will. Many have said that the relationship between Boeing and the FAA is just a bit too cosy. Not wanting to start A vs B, but Airbus and EASA don’t seem quite so close.

          • In theory EASA and FAA have mutual acceptance of certifications based on some treaty or other.

            In reality EASA seems to be true to that treaty
            while the US regularly finds “extra niggles” that have to be solved ( more for competitive reasons than actual safety related, see their obstructive hehaviour over the A380 and delays in accepting the A350 cert from EASA.)

            i.e. EASA has zero/minimal handle to block FAA certs. While the US side regularly ignores their obligations with ficle arguments. Not new.

          • I would say the FAA in this case is doing what they should and questioning it.

            Why is not the EU doing its job?

            They don’t report to nor are they obligated to the US, they are to the EU countries and others that adopt their standards.

    • I believe the US government would fight tooth and nail force the EU accepts FAA certification. The entire Airbus portfolio would be hostages. Because Boeing is dead without 737 MAX now.

      • Its not going to happen that way.

        Fix will be proposed and asses ed by v FAA, then tested.

        Those test will be published to the EU, Japan, China etc.

        Any negative feedback will be responded to, probably not publicly.

    • Sounds like a lot of wishful thinking on your part, lets just leave the entire single isle market to Airbus, so they can compensate for the A380 fiasco.

    • It’s worth remembering that Boeing never wanted to build the Max, they only did so after Airbus launched the 320 Neo.
      It wasn’t planned for years as was the case with other programs – more of a knee jerk reaction.

  12. As well as seriously questioning Boeing’s implementation of MCAS, one has to ask the same serious questions of the certifying authorities. How did this, frankly unbelievable state of affairs, get past them?

    • Good question !

      Possible answers :

      Loss of manpower.
      Loss of expertise.
      Performance based legislation ( EASA ).
      Weighted cost benefit analysis, without sufficeient or adequate data sets.

      The big picture in this situation must look a the culture of regulation and certification, within the FAA and EASA .

    • Problem is a element of trust, most of the global authorities rubber stamp decisions made by other bodies. I’ve read elsewhere that EASA were not too happy but followed the FAA’s lead.

      • Do they have to ?

        Brazil did not.

        There is a world of difference between recognizing it and accepting a given aircraft setup.

          • Likely.

            I don’ thin mutual accept means they can’t challenge or question – I would like to see answer on that. Its one reason I raised it.

            If not they should revamp it. The 787 battery is a case in point as well.

            I would hope they do.

            At a minimum it a good exercise for all as those agency people don’t have a lot to do when no new or NEO type aircraft are in the pipe.

  13. Bjorn,

    Excellent analysis. The key data was from the jack screw. The fact that it was in the extreme position, which would have made the elevator useless and hence the aircraft uncontrollable and unrecoverable from a steep dive, is indeed the key finding (irrespective of what the flight data recorder will say) that makes it similar to the Lion Air incident. I presume that was what triggered the Canadian authorities and ultimately President Trump to ground these aircraft.

    I would love to know which genius designed the system to repeatedly override pilot’s inputs and take the trim control to the extreme, which would automatically make it unrecoverable from a steep dive. I am going to assume that the flight recorder will show a steep dive into the ground at the end of the flight record. Bjorn, am I right?

    It looks like the fault is not in the AOA sensors (highly unlikely on two planes) but the software that processes the AOA input. Why no redundancy was built in is a good question. Looks like a single point failure built-in without a backup to verify if indeed the AOA is too high. Once again a genius at work here!

    Boeing bears the full responsibility for the disasters. To assert that 737 MAX was “… an already safe plane …” is the height of hypocrisy that flies against evidence just revealed by the two disasters. I guess the lawyers are forbidding a “mea culpa” admission!

    • 100%; they are simply putting money ahead of safety. I can’t believe this has happened in 2019 due to an incredibly dumb software bug in a system that was intentionally hidden from pilots! Think of the families as they begin to realize how avoidable their loved ones’ deaths were..

  14. I read that not only was this software update delayed due to the Government shutdown but that there was a difference of poinion between Boeing and the FAA as to what the update should cover/include. I wonder how much of what the FAA was demanding is now being included at the last moment.

    Odds are that the public will never know.

    • It’s grotesque to consider that part of the chain of causation for this accident was Donald Trump having an affair, but if you are right that the government shutdown delayed the fix (which sounds plausible)…

  15. It’s interesting that everyone (as far as I know) assumes that the pilots did not try to deactivate the MCAS.

    What would it mean if they actually did try to do so?

    • I’m curious about this as well, esp after all the Lionair press coverage. Also it seems strange that an unlukely number of AoA sensors failed the moment the aircaft left the ground. Sounds like a software issue to me, which makes me wonder whether the gremlin is somewhere in the autopilot/FMS. There will have been other changes apart from MCAS to account for the aero and CoG changes, so it can be a set of imputs which never occur in an NG. There have been other uncommanded dives on MAX’s as well, so I suspect national authorities will insist on a more rigorous response than a software patch.

      • While there may be well aspects unknow, the other dive issues were in auto pilot and stopped when that was turned off.

        Supposedly MCAS is not a player in auto pilot.

        Nose down trim might be depending on how auto pilot is setup (one input on the flying pilots side or the other two system?)

        The control column change of feel is also new.

        How all this does or does not play into it is a very open question(S) .

        • While it is all a big unknown I suspect, now MAX is grounded, that outside the Americas at least, that EU and other national authorities will try to keep it grounded until Boeing can explain all the events, not just the two losses.

          • Martin: I do hope so.

            I have put in a report to that affect.

  16. This relates to the FAA and Boeing’s questionable working relationship.

    Just how many of These 787 batteries have blown up since the implementation of the blast proof battery box?

    Is Information like that easily obtainable to the public at large?

    They sure have managed to hide the Problem/issue with that fix, didn’t they?

    • If I remember correctly Boeing does not have to to inform the FAA about thermal run away events on the B787 batteries anymore.
      That means only Boeing knows how many times that has happened the past years (individual airlines would know about their own planes).

      I’m not sure they’d still blow up though. From what I’ve read the manufacturer has improved production significantly.

  17. Considered, and well reasoned comments from Bjorn as we usual.

    Apart from the fact MCAS does not appear to have been implemented in a rigorous, fail safe fashion, what I find astonishing / frightening is
    “By allowing this to happen MCAS can overpower the pilot’s elevator control and render the aircraft uncontrollable.”

    So when BA designed, and tested the aircraft, they didn’t think for one moment this might be an issue.

    The FAA then rubber stamped the certification, and also decided this wasn’t an issue.

    Other certification authorities around the world decided if the FAA says it’s fine, no problem certification authorised.

    At no point did anyone realise that this was an accident waiting to happen ? How many agencies signed the MAX off ? How many chances were there to stop, and ask the question is this a good idea ?

    “There will only be one instance of nose down trimming” this is also worrying, so why wasn’t this the case to begin with, what has changed their minds (apart from the obvious) ?

    Either it’s necessary to trim the nose down until there is no danger of a stall or it isn’t. The two extremes don’t make sense, trim until the elevator loses pitch authority, or just give the pilots a ‘heads up’ with one nose down trim, and then leave them to it.

    Of course you have to be very sure you’re on the edge of a stall before you begin to think of intervening.

    A serious question, just how practical is “the pilots shall shut off the aircraft’s trim system and trim manually” if you are 1000ft above the ground nose down at over 300kt, do you actually have the time, even if you recognise the issue immediately ? Is it actually possible to trim manually in time to avoid impact ?

    There have been comments that the FAA don’t have enough resources, or money? A supranational body does seems like a good idea !

    Get the best people from each of the certification, and air accidents agencies worldwide together in a new organisation. Give them all of the funding that is currently allocated to each of the previous bodies, make them unambiguously independent from the airframers, and politicians, and let them do their job rigorously.

    If MCAS does really work the way it appears (at least until software update) I can’t see any seasoned air accident investigator allowing it to pass certification.

    “How do you ensure that the AOA data is correct, where’s the redundancy, hang on a minute you can (however unlikely) get to a point where the pilot has no pitch authority… no way, think again”

  18. The Boeing 737 Max MCAS begs a different question. 777x followed a similar concept of bigger & heavier engines on a legacy airframe with some tweaks.

    1. Does 777x have MCAS as well or an equivalent of MCAS?
    2. Why would Boeing not invest a few additional billions for clean sheet approach rather than do these MBA type design decisions?

    • THe A320 NEO and A330 NEO also “followed a similar concept of bigger & heavier engines on a legacy airframe with some tweaks.”

      New engines aren’t the issue. A 50+ year airframe that has had one too many updates is the issue.

      • The significant difference isn’t the age of the base frame (the A320 is over 30 years old itself) but the fact that the A320 and A330 are fully FBW.

        If the larger, heavier engines on the A320neo and A330neo cause the same issues as the 737MAX, then the software can be adjusted to make them fly exactly like their ceo brothers.

        • Well you have more alfa probes and sensors including a couple of ring laser gyros on the databus on a FBW aircraft that makes it a bit easier to identify a faulty sensor.

          • Stehath: I hate to tell you this but that is what they did on the 737, it was supposed to act like the NG.

            They failed to execute code, not a system.

            An FBW would have the same problem if they used the same code setup and single sensor input.

            Inertial Gyro and RLG can all supplement the less than good Pitot system like they did with the 787.

            Newer air frames have newer stuff in it, until Duke listed it I did not know the 787 had that but it makes sense.

            Not as a main but as a revert backup to fill in to keep data flow right until ice goes way or you lock out the bad input.

            The 737 has 3 Pitots and you could use a 2 out of 3 vote in the computer for what speed is displayed.

            Or GPS to tell you if 2 out of 3 disagree and you need want speed input even if its 20 knots off its better than bad data (or tell you the last one is right)

    • Or the A330neo or the A320neo?
      I assume the difference is the 777, A330, and A320 have fly by wire that are proven redundant and reliable systems.

      • Dave:

        I disagree. Lethally badly done software and open question on two sensing systems are is what at issue.

        A badly programed FBW is equally or more lethal.

        You can ask Bjorn about the crash of the first Grippen (and the US on an F-22, both landing as I recall and the tuning of the software)

        There have been software induced Airbus crashes. Its not a panacea.

        As the French Pilots union has noted, now crashes are due to the confusing complex nature of automation system that are being put into place faster than AHJ can keep up with it.

        One answser is a set standard for how these system should work across the network.

        Back in the early days it was established that throttles forward was thrust and back was thrust (power) off

        France had a different take. Now push forward for power is the standard.

        Instruments were random laid out. Then they moved them to logical and consistent locations.

        Airbus will not drop out Auto Throltte unless you speidly turn it off

        Boeing will and an inexperience pilot crashed a 777 due to the fact it never came back in despite the low airspeed and about to hit the ground.

        Airbus has that right, Boeing has it wrong, NTSB has cited it and Boeing will not back off (again)

        FAA should mandate that change.

        All modern aircraft auto throttles should work the same and best practices not whims of the mfg.

        • You disagree that the said aircraft have proven redundant ant reliable FBW systems?

          • Sowerbob:

            Quit trying to change what I have said.

            I have said ALL system have unintended consequences. Most crashes post FBW have been due to automation.

            FBW has had those as well

            Automated ala FBW is not a panacea

            The logic still has to work

            Why did not AF447 sytem put the aircraft into a safe mode when the speeds went?

        • I’m assuming you are referring to the Asiana crash in SFO, and I have to disagree with your assessment. The pilot specifically moved the throttle levers to idle, which in a Boeing, like the vast majority of other aircraft, disables the autothrottle (in this operation, Airbus is the outlier, which means by your logic they should be the ones changing). So there was a specific command from the pilot to disable the system, and this was a standard command on many other models. What makes you think that a pilot telling a system to turn off, and having the system turn off, is wrong?

          The SFO crash was due to two factors:
          -The pilot flying had no idea how how the autothrottle operated, and apparently thought pulling the throttle to idle wouldn’t result in the engines being reduced to idle.

          -The pilot flying, on a manual approach, did not keep speed and altitude in mind.

          I get the bash Boeing train is going full speed, but now we’re getting ridiculous.

  19. “A serious question, just how practical is “the pilots shall shut off the aircraft’s trim system and trim manually” if you are 1000ft above the ground nose down at over 300kt, do you actually have the time, even if you recognise the issue immediately ? Is it actually possible to trim manually in time to avoid impact ?”

    A very good question.

    737fixer posted a comment back in November after the LionAir Crash (please see below). At the time, it sounded like it was addressing MCAS, but upon reading Information from Jon Ostrower’s Website (https://theaircurrent.com/aviation-safety/what-is-the-boeing-737-max-maneuvering-characteristics-augmentation-system-mcas-jt610/), I am not so certain.

    The reason for this belief is that 737fixers issue is runaway trim and the second item on the list is to deactivate the Autopilot (if engaged). But according to the theaircurrent.com, MCAs is only active when the Autopilot is disengaged.

    But, Jon Ostrower also wrote that MCAS is deactivated by simply manually trimming the nose back up, although the link to that sentence (https://theaircurrent.com/aviation-safety/boeing-nearing-737-max-fleet-bulletin-on-aoa-warning-after-lion-air-crash/) also states that the STAB TRIM CUTOUT Switches should be set to CUTOUT . It also notes that higher Forces may be required to overcome any stabilizer nose down trim already applied and that could be done by using electric stabilizer trim, but that must be done BEFORE moving the STAB TRIM COUTOUT Switches to CUTOUT.

    Maybe a Pilot can understand the subtle nuances between all of this information. I am totally confused.

    But I believe JakDak has pointed out a slight possible issue as to the practicability/probability of recognizing and reacting to such a situation.

    “737fixer
    November 14, 2018

    Here is the procedure for Runaway trim from my companies MAX QRH. The revision Date is July 2017.

    1 Control column. . . . . . . . . . . . . . . . . Hold firmly
    2 Autopilot (if engaged) . . . . . . . . . . . . .Disengage
    Do not re-engage the autopilot.
    Control aircraft pitch attitude manually with
    control column and main electric trim as
    needed.
    3 Autothrottle (if engaged). . . . . . . . . . .Disengage
    Do not re-engage the autothrottle.
    4 If the runaway stops after the autopilot is
    disengaged.
    ■ ■ ■ ■
    5 If the runaway continues after the autopilot is
    disengaged:
    STAB TRIM CUTOUT
    switches (both) . . . . . . . . . . . . . . . . CUTOUT
    If the runaway continues:
    Stabilizer
    trim wheel . . . . . . . . . . Grasp and hold
    6 Stabilizer . . . . . . . . . . . . . . . . . . . Trim manually
    7 Anticipate trim requirements.”

    • At 400 knots and under 2000 feet AGL can you get through that checklist before crash?

      • Doubtful, especially if you’re battling other issues in the cockpit with alarms blaring. IMHO, if the crew were busy enough, they might even miss the MCAS pushing the nose down.

        • Aero Ninja:

          MCAS is stopped for a short time with trim.

          It then kicks back in.

          To stop it entirety you have to pull the stab power.

    • There is a reason why we pay pilots a lot more money than bus drivers?

    • Note that the list ends halfway if the runaway stops, so if the pilot overides the runaway he won’t hit the cut off switches. Only after the second or third dive will he reach that part of the proceedure.

  20. Virtually no one commenting (if anyone) actually flies a 737 MAX, yet we all know what to do in the case of a MCAS problem as a result of the lion air crash. Bjorn and all the experts were confident that it couldn’t happen twice with this knowledge which is going to be etched into the brain of any MAX pilot.There is no answer until the black boxes are read.

    • There is no answer until its read, assessed understood and the AOA and speed question resolved.

      It will be flying before that as the worst of the trigger is gone.

  21. Like Dave I’ve been thinking of parallels with the Challenger disaster. The immediate cause of it all looks to be a poorly engineered MCAS. But once the enquiries start going deeper into the sequence of decisions we’re looking at a classic case of Suits/Sales vs the engineers – or Chicago vs Renton. With the origins going all the way back to the panic in 2011 and the rushed job to come up with a response to the neo. There must be some engineers in Renton who offered solid technical advice that was overridden by the Suits. They’ll be wanting to tell their story. It won’t stop at the MAX programme: you have to assume there will be some big names in the C-suite who can’t survive this.

      • This is certainly smelling like a very similar situation to the Challenger disaster, management overriding engineers, and Feynman’s words are going to apply in this case also.

        Worse, it’s happened twice to the 737MAX. That’s pretty damning.

        I cannot think of a more poisonous mix of management failings and corruption of the certification process. Boeing do not deserve to survive this episode. They may survive, which is probably going to take some hefty intervention from Uncle Sam, but the current management’s reputation is, to out it charitably, toxic.

        The FAA needs wholesale rejuvenation, at least when it comes to their relationship with Boeing. Even then, organisations like EASA now cannot simply take the FAA’s word at face value. This is going to impact on the return to flight of the 737MAX and the introduction of the 777x.

        The Indonesians and Ethiopians would be fully justified in being furious with how they’ve been treated by Boeing and the FAA. It’s not impossible that they might decide to make this a criminal matter, in which case certain Boeing and FAA personnel may find themselves subject to international arrest warrants. The fact that some USA citizens died makes it possible that some domestic charges may arise.

        Perhaps this would be a good thing. I cannot square the behaviour of Boeing’s management with a sense of self preservation. It’s perhaps like they think there’s no possibility of personal consequences for their actions. A healthy attitude is “if I put a shonky aircraft into service, I’ll pay a price”. Nothing about these crashes and Boeing’s or the FAA’s response to them suggests that this attitude pervades those organisations.

        We’ve had comments from actual pilots in the news media suggesting that the level of information given to them was verging on criminally insufficient. Perhaps that should be tested in court.

  22. And yet and yet.I took a look at the film ( it’s on YouTube) of what I believe was the CEO of Southwest.They have the most MAX’s,the most hours,the most T/O’s with the most pilots.And he makes it 100% clear that this MCAS ( or any other) even has never happened in any flight on their MAX’s- not once.
    What he says ‘has’ to be true or else he would find himself in court and the reputation of his airline sunk.
    So what are Soutwest pilots doing differently?Surely that would be a very important learning.

    • Maybe could it be possible that Southwest has the initiative to disable MCAS…

      • SW has not reported any of these incidents even trying to occur.

        It clear they are random and rare.

        350 aircraft flying and two known incidents.

          • I did not say that. Please do no hi jak my comment, it you want to make a comment use the non tree section.

            SW can’t disable it without repercussions

            They have done their training. US Pilots have for the most part said they feel ready to deal with it.

    • I don’t know if this still the case but but Southwest used to require their pilots to hand fly the plane as much as possible and not rely so much on automation. Herb used to say he hires pilots not guys sitting there watching a computer. So I wonder what they have turned off.

      • It is no longer Herb’s Airline, and the days of hand flying are gone. Southwest has done nothing different than anyone else…the two (too many) failures have occurred elsewhere.

  23. Its possible they though the situation was stable, as the plane accelerated to 400 knots (maybe they did not know their speed due to the speed indication problem) when MCAS came at them with full nose down at 400 knots and 1000 ft AGL, I don’t think that is recoverable.

  24. Can I begin my making clear that LNA are doing their best with what they have. So no criticism.

    For me, I discarded the FR24 data as invalid. It’s not FR24 fault. Drop out is drop out.

    What does interest me is that this article does suggest thst the pilots did signal to ATC that their data readings were invalid. Can I have the reference for all other sites I’ve visited said ‘technical difficulties’.

    If true, why does it happen after the flaps have been retracted, if they were retracted, and not before?

    With regard to the sofware patch to be introduced for MCAS. It just shows that the orginal MCAS was written by somebody wearing beer goggles.

    In my view, if invalid air data is present, the FCC should hand control to the pilots and simply issue advisories in the fashion of Airbus?

    But, at least they are going to cross check the data and come up with synthetic answers

    The Lion Air trace, which is valid, does show MCAS exerting fierce forces to bring the nose down. This we now know involves the use of a fierce trim stabiliser that can even overpower the elevators!

    Why doesn’t MCAS use the elevators to bring the nose down? It’s a maneuvering system, the acronym says so. Elevators maneuver airplanes in pitch not trim stabilisers!

    I still end up coming back to pitch stability. To me MCAS is a mask (cover up) for very poor pitch stability. But then we come to the solution, the trim stabiliser is used to maneuver the airplane away from stall not the elevators. That’s a new one on me!

    Equally, we are told a software stop will be put in place to prevent the trim stabiliser overpowering the elevators. To me it should be a hard stop to prevent trim stabiliser runaway. If we all remember, that’s Boeing’s original excuse: It’s just trim stabiliser runaway! Read the manual, you silly pilots!

    Will the patch work? For me, it’s not right even now. At the very least it needs to be tested thoroughly. Regulators in other countries must take a close look at what Boeing are doing and only lift the grounding if Boeing can prove that they have got it right.

    Rolls’ decision to bow out of the NMA get’s more sensible by the minute! I think Boeing have lost the plot.

    • Phillip: A couple of simple answers.

      MCAS does not engage until the flaps are up.

      737 Elevator: The only input into the Elevators is a mechanical one via the yoke.

      All others use Stab trim for their functions as well.

      • I’ve done my job. Can you see the diversity of opinion on this web-site since I returned. For me it’s nice to see it.

        Yes, I was/am an engineer until I retired.

        Boeing will have to pay for what they have done. The world will make sure of that.

        • Philip: You are attributing the comment to your return?

          You have a great deal of more faith in the world than I do.

          Boeing will pay whatever cost is insured and go on.

          The people that have paid the price are dead.

  25. While Boeing obviously did a terrible job of software design to allow a single sensor failure to cause the flight control system to crash the aircraft, the FAA may bear some responsibility for the Ethiopian crash if, as news reports indicate, Boeing was waiting for the FAA to approve a software patch which would have corrected the problem.

    • The FAA share full responsibility for this in the first place as they allowed it.

      All AHJs do as well sand Brazil (they allowed it but mandated in manual and training)

      They all should have looked at the logic (Lack of) and rejected it.

      Each AHJ is complicit.

      • I am not sure what you are suggesting. Do you think each and every AHJ should it’s own certification. Sorry but that is bonkers. MartinA has already pointed out that there are agreements in place to stop reinventing the wheel and critically to stop national competition in regulation.

        The FAA has always held itself in the highest regard and in a superior position effectively requiring subservience from other bodies whilst being contrary or at least slow when it comes to certification in Europe.

        It is quite reasonable for other bodies to accept the FAA certification IF THEY HAVE FAITH IN THE REGULATOR. Your argument is ridiculous and beneath you sir. Unfortunately the faith may not be there from now on and we are in a trumpian phase of losing international cooperation. We will all be the loser in this

        • All AHJ should review the certification’s and justification for the allowance on all aspects.

          If Brazil can catch something like this then any decent regulatory agency can as well.

          Is there anything wrong with a “we adhere to”, no.

          But the adhere to should not just cut and paste.

          Or is it simply easier to blame the US for everything that goes on in the world?

          We go have our failures, perhaps the world should buck up a bit more as well? Take some responsibility?

          Safety is a culture of many layers and cross checks.

  26. Boeing schould go back wiring up this old aircraft the 737 max. Pilots get payed to fly aircrafts not play with microsoft computer screens. There are many professional pilots that have not flown the aircraft manualy for years according to accident reports. It is a bad habit to perform auto take offs on a fast flying aircraft.

    The co pilot on the Ethopian Boeing Max had only 200 hours the morning of his last day. How can this be.?

    • GJ: (I am not goign to try to spell that)

      You sound like me when I am annoyed. Trust me, I started my current career (30 years) in pneumatic relay logic and they messed it all up with computers. sigh.

      Its not going back and its where we are going.

      Manual flying in Simulator is now mandated and I believe encouragement by AHJ in the EU and USA JAPAN.

      Clearly Ethiopian standards are not EU standards for Co pilot.

  27. Why is it that a thorough system safety analysis occurs only after an accident or series of accidents? This reminds me of the Lauda Air 767 inflight thrust reverser actuation disaster. A subsequent in-depth analysis of the reverser systems uncovered some flaws in the redundancy of the design and corrections were made. I can think of other examples.
    It seems to me that any system that takes away the control of the airplane from the flight crew should have had intense scrutiny from experts from engineering, flight crew ops, manufacturing, etc. Did Boeing convene a safety board before the MCAS design was finalized? Or was the system simply a rushed band-aid to satisfy the Certification agencies?
    I suspect we will know the answer soon.

    • Actually Trevor it does not.

      Its supposed to be done during design, checked during testing and FAA is supposed to be there all the way.

      How do you keep up with a fast moving operation when your experts have to be as good as theirs? (that assumes they are not drinking the cool aid)

      Clearly Boeing thought this was a miner annoyance and treated it as such and the FAA did not call them on it.

      People then pay the price to get corrected.

  28. AOA: Why are we even seeing a single AOA bad data input into the system?

    Speed: Why have both crashes had speed issues?

    Its not just the MCAS software involved.

    Current logic will still yell stall and stick shaker activation with a single bad AOA input data (wherever its coming from)

  29. Isn’t the speed trim moving the horizontal stabilizer from take off?
    How come it is not affected by bad data? Is it run through a different computer?
    Is the speed trim fail safe, and why?

    • Speed trim SPEED behavior is changed by speed. Basically it moves more as it has less authority at low airspeed (takeoff)

      AOA comes in to play as well but I don’t know AOA sensor or the attitude indicator.

      It moves less per input at higher air speeds as its leverage increase at higher airspeed.

      The reason these cost so much is they are extremely complex systems.

      What the system does in the event of a speed issue discrepancy I do not know.

  30. If the MCAS is trimming down, and the pilot presses the trim adjust switch up, what happens? Does it move the tailplane up, or just pause the down?

    Can the pilot use the trim adjust switch to move the tailplane up with the motor when MCAS is engaged?

    • It interrupts it for 5 seconds and trim does go up.

      Then it kicks back in.

      If I have it right you loose ground each time.

      YOu have to pull stabs to fully stop it (or put on auto pilot and or drop flaps)

    • From what I read any manual trim activity halts MCAS for a backoff of 10 seconds. i.e. you can correct up.
      If you go off that switch 10 s delay and MCAS will happily
      drive trim down. again.

  31. If the aircraft is stalling in a turn, does the reduced airflow over the lee AoA sensor make it ineffective? And explain why data from only one was used?

    And thanks to Leeham for this excellent coverage.

    • There was discussion on this with the Indonesian crash but I never got the full aspect of it.

      From what the control people non Boeing can figure, it was assessed as a non critical single point of failure system and only one input is needed.

      Clearly that is wrong, but for whatever reasons that is what Boeing proposed and the FAA accepted.

      Boeing then went onto saying head ups it was there to Airlines was NOT needed , FAA accepted that.

      Therefore it was not in the pilots manual and it was not required to be trained on (the excuse was that run away trim did that procedure wise.

      It was in the in depth tech manuals (which you only look at or for if you have a problem with that system)

      Light for AOA disagreement was an option as was a display reading out of how much. That may have been there with NG (if so no one would question it)

      And as oits nopt needed

    • “Boeing is reportedly rolling out a software upgrade for its 737 Max in 10 days ”

      With all respect, this has become a bit more complicated over the last few days.

      Boeing & the FAA are also subjects in the investigations into the deadly crashes now.

      Worldwide airlines and their authorities will review and decide when to restart operations. Boeing share prices (the topic of the link) are irrelevant.

      • I will disagree.

        A lot of people are saying Boeing is done for, the 737 is gone etc.

        Stock price proves they are not and won’t be.,

        Otters say a year hiatus. The fix will be in place, testing done and then in under 3 months it will be operational

        What is done about the AOA and Speed bust situation are still iffy as that is not directly discussed but is a core element of this.

        World wide suppliers are in play as are airline revenues. All will want to stay normal or get back to normal if the fix passes the smell test.

  32. It will be revealing when the facts indicate if any sensors failed and when (such as before or after take off) and what systems the pilots tried to shut off and when. Good writing by Bjorn as usual.

  33. Seems to me the MAX is an appropriate name. This design is maxed out. The updates, design changes, revisions, software, etc. etc. seem like ban-aides to a basic design that’s overdue for replacement. Then again maybe a simple off switch for the MCAS additional training and allowing pilots to fly might have prevented such electronic tragedies.

    • This was exactly my thought when the name was first presented. I actually had a feeling of doom.

  34. In this case the incorrect speed indication appears to have triggered MCAS, the plane was travelling far too fast, which means it was reading low. In hindsight they shoulda aborted the takeoff at all costs. At 400 Knots, MCAS though they were gonna stall, when they banked to return to the airport it triggered and killed them.

  35. I was surprised MCAS auto trim is so powerful it overrules full pilot pull up.. should it?

    On both crashes I was surprised on the high speeds of both aircraft while they got out of control.

    I was learned that if you have enough speed, air below you (energy) you have at least time to check & fix things, make a plan.

    Apparently in this case the energy couldn’t be used to gain height, safety..

    • Keesje: It has nothing to do with energy, when a stab points you down and you don’t kill/stop the stab you are going in like a lawn dart.

      MCAS won.

  36. 2 days ago Boeing and the FAA were adamant that there was no evidence the the crash had anything to do with MCAS,now a fix will be ready in 10 days!First things first, we need to establish exactly why the plane crashed and we still haven’t established that about the last one.My estimate would be more than 6 months,look how long it took for the super puma.Massive pressure will be applied because of the company involved and the enormous numbers of aircraft.It will be interesting to see who caves in.

  37. Boeing is enhancing the MCAS, it was perfectly safe before.

    The jack screw in this last one was found in full nose down (stab up) position.

    Indonesian is not saying anything which is really disgusting (it all comes out in the final report much good that does anyone)

    Its clear MCAS plays a role and they have been working on the new and improved software for some time.

    Why the AOA is goofy and why the speeds issue are not resolved and those do need an answer.

    My guess is like the A330 freezing probes they will delay until convenient to track down.

    Much of aviation is like that, if they assess they can get away with it they do (and are usually right)

    Not a pretty world often.

    • The Indonesians were incredibly forthcoming to begin with, but then they clammed up and said that there will be nothing more until a year is up and the final report will be issued.This is very peculiar and I do wonder if any money changed hands. Presumably any important safety information would still be passed on to Boeing and the FAA in the meantime,and they haven’t been complaining.

      • Would you want Boeing and the FAA to be the point team on this or the NTSB?

        Airbus fought its freezing up prone Pitots for along time.

        If there is an AOA issue neither Boeing or FAA is the one to call it.

        Its amazing what they AHJ allow to fly that should be fixed.

        It comes back to bite though.

  38. What is chilling about this piece is that tgwo crfew reproted they di dnot have tghe training to fly the MAX (and did anyway)

    https://www.theatlantic.com/notes/2019/03/heres-what-was-on-the-record-about-problems-with-the-737-max/584791/

    How can you do a quckie training if the two displays are that much different that pilots could not get through them in an emergency?

    One pilot goes to automatic pilot to avoid MCAS and it dives anyway – un related or related we do not know.

    The end is a opinion piece that deal with pilots I don’t agree with fully (partly but very partly)

    • The Indonesians were incredibly forthcoming to begin with, but then they clammed up and said that there will be nothing more until a year is up and the final report will be issued.This is very peculiar and I do wonder if any money changed hands. Presumably any important safety information would still be passed on to Boeing and the FAA in the meantime,and they haven’t been complaining.

  39. Bringing out the ‘fix’ in 10 days, a couple of days after reports stated the fix would not be ready til May really does not give much confidence that all the work required has been done on the fix and that this is not a rush job…. it’s either that or Boring knew all along this was a big issue!

    • Maybe it is being off-shored? I wonder if it was originally done in house.

  40. The software changes are really a repeat of the 787 box, try and stop the failure from getting out of hand rather than fixing it. I doubt if it will be internationally acepted this time as there are other issues.

    MCAS was modified, made more difficult to deactivate, because near the stall the MAX behaves differently to the NG, although they have the same rating. Evidently MCAS will continue to fail occasionally, what protects NG pilots from being caught out on those occasions?

    I think MAX might need a second type rating before everybody agrees to lift the groundings. They’ll still need to explain these events and probably modify the FMS or the AoA sensor system to reduce the frequency with which they are occurring.

    • On NG you can override any trim with the yoke, apparently not so in MAX.

    • The key point is this section:

      “My colleague James Somers described precisely how software is evaluated under this safety regime. “The agency mandates that every requirement for a piece of safety-critical software be traceable to the lines of code that implement it, and vice versa,” Somers wrote. “So every time a line of code changes, it must be retraced to the corresponding requirement in the design document, and you must be able to demonstrate that the code actually satisfies the requirement.””

      This is a process audit and not a software and requirement test/review. The process audit is a proxy for a safety and quality review, but not an actual safety and quality review. I had CMMI level5 assessed suppliers who delivered poor quality software but had perfectly documented why every bug was my fault (we had requirements documents which were well understood by experienced people in our organisation but were hopelessly insufficient for use with a 3rd party contractor). In general, in large organisations, compliance with processes is required to ensure the quality. However, it is possible to produce high quality software with a small team of highly skilled and experienced cowboys while ignoring all corporate processes (however, this is not sustainable in case of manpower turnover), while it is also possible to produce well documented rubbish with all processes in place (but your metrics will be all red and should alarm management).

      • Yea we had our brush with ISO 9000

        As Roger Stone said, its a European Plot to drag down the American economy (now Roger is scum but he was right) .

        It ensures your paperwork ducks were all in a row

        It had nothing to do with quality of the process

        Yes we throw pebbles in our steel mix, its cheaper than pure steel.

        Its all documented, if you don’t like it, specify no rock steel ( you will pay more of course)

        If you think I am kidding, I saw a Hangar structure partly up get torn down

        Welds did not pass the xray exam

        Why? No one xrays them!!!!!

        The supplier said when questioned, yes we saw it in the paperwork, but you just said it had to pass, you had no process in place to ensure it did and we did not say we did it nor did you ask for proof. If you had we would not bid.

        We put a lot of weld on it so it does not have to pass.

        You can go high tech and design and xray or you can go low tech like we do and slather on the welds.

        If you want it to be xrayed then you have to do it, we don’t.

        It went to another area that did not have quake issues, another one was put up that was high tech.

        How did they catch it?

        Some ends were designed to be cut to fit and an inspector saw a welded butt end that he was 100% sure did not pass the penetration spec, sent it to a lab and then the *&^% hit the old fan.

  41. A lot of the comments have questioned how Boeing and the FAA got away with not including information about MCAS in either the FCOM or the training materials. I agree that this seems like a serious error of omission. However, I’m convinced other OEMs and regulators would likely have handled it the same way.
    The rationale for that goes back to the Dec 1972 Eastern Airlines L1011 accident in Florida where the flight crew lost situational awareness because they were troubleshooting a landing gear indication problem. As a result of that event, the industry concluded that flight crews should never be distracted from flying the airplane by inflight troubleshooting. Hence a new education and training philosophy was adopted. Flight crews would not need to know how airplane systems worked, but only be trained in how to respond to abnormal events. If you look at current FCOMs, you’ll note there is very little descriptive information, mainly focus on abnormal condition and appropriate response.
    In this case, the abnormal condition is “uncommanded trim” and there was already an existing procedure for that. So, the initial reaction that a simple re-emphasis of the existing procedure would be a satisfactory interim solution appeared appropriate, both to regulators and safety experts. In the meantime, Boeing was working on a software fix to reduce the exposure erroneous MCAS events. This is typical for how regulators and OEMs deal with such events, industry wide.
    Then all hell broke loose when there was a second event.

    • Just take that at face value “uncommanded trim”. Uncommanded by the pilot would be fairly obvious. All computer commanded trim is uncommanded trim. Unless uncommanded trim is trim not commanded by either the pilot or the computer. And then it is the pilot’s job to differentiate between commanded computer trim and uncommanded computer trim. That would be tough to do even with a detailed knowledge of all auto trim systems.

      How would the pilot know the difference between legitimate computer trim and runaway computer trim?

      The most detailed and precise engineering can always be useless with one bad assumption. The assumption in this case being that the pilots have complete mastery and understanding of what the auto trim is doing.

      Look at the logic of MCAS. If the pilots are spacing out so much that they begin to get into a high AOA stall, MCAS is there to save them. Yet they are suppose to be so alert that they are monitoring MCAS in case it operates when it is not supposed to.
      It’s got all the logical beauty of a dog chasing it’s tail.

  42. Whilst an interesting article it does not explain the FAA role and process in certifying the MCAS. Perhaps Bjorn you could use this example to explain the certification process Boeing should have followed with the FAA.

    I would expect something like this:
    1. Design specification
    2. Detailed design
    3. Risk assessment & mitigation
    4. Verification that final design meets 1&3
    5. FAA signs off steps have been completed

    Whatever the process it would be useful to understand.

    Unfortunately in any accident there is a chain of events where breakdowns occur, looking for blame tends to drive human behaviour to cover things up rather than focus on the breakdown, fix it and move on.

    We sadly live in a world where blame and retribution is the first thoughts. Many of the comments to your articles are testament to that. Your articles are being quoted in news items so you clearly have trust and understanding of the industry.

  43. I am not sure if MCAS is the cause (although its implementation is very poor) but it seems to be a major contributor to the accidents.

    What scares me is the JT610 maintenance log. See link, paragraph 1.6.3.

    https://www.flightradar24.com/blog/wp-content/uploads/2018/10/2018-035-PK-LQP-Preliminary-Report.pdf

    While JT maintenance is definitely far from world class, and some of the maintenance was done in Manado which is also not a maintenance hub, I still assume it was done according to Boeing manuals. I expect the same type of action to be performed anywhere in the world where the plane is not in a maintenance hub of a large airline. It was not 4 errors on 4 subsequent flights. There seem to have been additional flights made in between without reports. The AOA sensor was replaced and the problem came back. So somewhere is a issue which can not be correctly diagnosed by the system, which then possibly triggers MCAS to make the combination deadly. So I am not convinced that a MCAS fix only adequately addresses the issues.

    I am working on standards development for a complex software intensive safety critical control system. I was speaking to some Europe counterparts yesterday and our key question to each other was “what else is not disclosed by Boeing?”. If you certify something like this you heavily rely in disclosure by the manufacturer. If something in software is not disclosed you don’t find it. I recently had case where we a long standing issue which we assumed was due to sensor processing, and then we received one additional set of data showing software internal variables which we had no access to earlier and suddenly it was clear that the actual issue is actuator control and the sensing component had no issues.
    In Germany, the government has instructed the legislator to perform a full code review on all diesel engine management software of all German car manufacturers. It is a waste of time because you are just not going to find something unless the programmer was stupid enough to put in a comment like “watch out, this is an illegal cheat”. It is just too complex for a 3rd party to review in a traditional way.

    • Don’t they have software that can ‘document ‘ code in a ponderous way that allows a skilled programmer to understand what happens?

      • Duke: Yes they do.

        In this case as its just a dual computer, they also have a different team write code for each computer.

        Each computer has its own code and is tested in all phases of flight.

  44. In scanning this thread and others here I seem to have missed a reference to whatever regulations or codes or rules apply to the stability system enhancements ?

    § 25.672 Stability augmentation and automatic and power-operated systems seems to apply

    and it references § 25.671 General.

    and copied from another site it looks like this

    ….§ 25.672 Stability augmentation and automatic and power-operated systems

    If the functioning of stability augmentation or other automatic or power-operated systems is necessary to show compliance with the flight characteristics requirements of this part, such systems must comply with § 25.671 and the following:

    (a) A warning which is clearly distinguishable to the pilot under expected flight conditions without requiring his attention must be provided for any failure in the stability augmentation system or in any other automatic or power-operated system which could result in an unsafe condition if the pilot were not aware of the failure. Warning systems must not activate the control systems.

    (b) The design of the stability augmentation system or of any other automatic or power-operated system must permit initial counteraction of failuresof the type specified in § 25.671(c) without requiring exceptional pilot skill or strength, by either the deactivation of the system, or a failed portion thereof, or by overriding the failure by movement of the flight controls in the normal sense.

    (c) It must be shown that after any single failure of the stability augmentation system or any other automatic or power-operated system –

    (1) The airplane is safely controllable when the failure or malfunction occurs at any speed or altitude within the approved operating limitations that is critical for the type of failure being considered; … goes on

    So how did BA ( Boeing ) manage to apparently ignore this ?

  45. Forgetting any peripheral or ancillary items the core issue is whether or not the MAX is too unstable “naked” – I.e. without MCAS or othe software enhancements – for commercial passenger service with run of the mill pilots given appropriate training.

    Presumably that aspect has been exhaustively studied by the Boeing/FAA symbiotes during certification, and the gory detailed results are sure to come out sooner or later (during multiple lawsuits). I believe EASA for one will demand access to this data and form its own opinion there on. This may very well be at odds with the FAA’ s prior conclusions.

    If the answer is that yes indeed it is marginally unstable, And given the two hull losses and casualties – I cannot see any official blessing being given and a major redesign – higher landing gear? – will be mandated , with the costs and delays involved. The fate of the existing frames will be an issue, with scrapping a real possibility.

  46. I see in the press many comments about the safest air system in the world, the national pilots trained and operating second to none and similar flag waving that makes me nervous. It has nothing to do with safety, more like blaming pilot not from here. Instead of aiming for the truth.

    • keesje: There is a part that does involves the pilot (or their training) – Inbdonsmean crash the pilot pulled up the flaps and it began. He put them down and it stopped. He then put them up again.

      There is an old adage, if it hurts don’t do that.

      While not a correct response, it did stop it and he could have returned to base with flaps down. He did not.

      I agree fully that the pilots should not be put into that position , but they had a chance to stop it understanding it or not and did not take it.

      I don’t know if there is any way to even try to assign levels of blame.

      By far the highest goes to Boeing and the FAA.

      Ethiopian has such little altitude to work with we still need the recorders to see what was done or not and some level of training was done.

      It seems inadequate. As pilots, we do and are supposed to be able to deal with that.

      As a system its still failing but I think its better in many part of the world, Indonesia and Ethiopian do not seem to be two of them.

      I think AF447 has similar fingerprints.

      Yes the pilots did dumb trhings or allowed dump; things to contineu.

      But clearly they were not prepared for it.

      1. Why does not Airbus have the aircraft morph to the safe configuration (85% thrust 5 deg nose up) when the speeds go away at altitude? That is well in line with the automated approach.

      2. Why were pilots not trained on that so that they reacted right or their wrong reaction were trained out?

      Number 2 is being worked on with upset training and a far more in depth of the aircraft basics but it appears not to have gotten thorough to or implemented at Indonesian or Ethiopian even well post AF447 (mandated now)

      Like the interaction with Boeing and FAA, there are regs and then there are implementing it and in these cases the system has failed as individual failed and the system did not catch or stop it.

      Boeing’s motive is profit and the FAA has a political motive.

      That was used to undermine the system.

  47. Thanks for the great article Bjorn!

    I have a question regarding the MCAS. MCAS is the moving the stabilizer. In the end this caused the crashes since at a certain point the effect of the stabilizer can’t be compensated by the rudder. Does anybody have an idea why Boeing didn’t make the MCAS move the rudder instead? For me this makes much more sense. As far as I understood it the problems are that the engines having been “pushed” forward and upwards to be able to use them with MAX that has a litmited ground clearance. They generate an additional upward moment that increases with AoA – yielding a even higher moment, higer AoA etc. So apparently its possible that the MAX enters a “self augmentation feedback loop” regarding AoA that will lead it to stall, even if not stalled in the current situation. I’m not familiar with the flight characteristics of the MAX, but it sounds like a “procedure” that will take place within seconds. The stabilizer only moves 0.27deg/sec (or at least the MCAS commands it to) which seems to be not pretty much regarding this near stall scenario. So why wouldn’t Boeing use the rudders instead for compensating this issue. Regarding the fact that the airplane has to be brought out of this situation and it’s not meant to fly permanently like this the stabilizer would be reversed after a short moment anyway.

    The only cause that I can imagine is that due to its geometry the MAX can get into situation like described where the rudder is not sufficient to prevent it from stalling. But then I guess the MAX wouldn’t be a self stable aircraft anymore, would it?

    Hoping for clarification 🙂

    • With “rudder”, you probably mean “elevator”. The rudder is located on the vertical tailplane.

  48. Bjorn:

    Someplace in all this I had a picture of the 737 AOA, Pitot and the backup (at least third pitot I don’t think there is a 3rd AOA in it? )

    It was a diagrams form and clearly allowed you to see layout and logic .

    I think its a shame some seem to want to put forth a theory when you have provided and amazing amount of data.

  49. What is the impact of the new engine location on stall recovery characteristics of the 737 max family?
    Based on how the MCAS works, if the plane is stalled the MCAS will come into play to help for the recovery.
    Did Boeing certify the plane according to CFR 25.203 without MCAS?

    • If you read the information that has been answered over and over again.

      • Transworld, rather than being a smart ass it would be better and simpler the answer the question if you think you know the answer. These are comments about the article not an opportunity to put someone down because you have read all the posts.

        You did the same thing over the question on the DC 7 and L1049 having square windows. If you google both aircraft the photos on Wikipedia show them with square windows. The discovery of metal fatigue as a root cause was a pivotal moment not only for aircraft design but engineering in general.

        Since hindsight is 20/20 i for one would like to understand more about the certification process and how the train of events starting at the design stage lead to these accidents. Given the complexity of an aircraft and its systems if there has been a failure in the certification process the remidies have just like metal fatigue, application to other industries outside the aerospace industry too.

        • Dave:

          We see people parachute into the END of the conversation without having done their background and read the articles and proceeding post and ask the same questions over and over that have been answered?

          Or why people insist the 737 is unstable when its been pointed out over and over and over again its an issue at points of flight pilots never see?

          So yes I get sarcastic.

          Yes I know the Connie had square and round windows, that was a tweak at Duke as there is more to the story than square windows and the B-47 ranged up to 40k and the B-52 to 50k so the world did know how to design aircraft in that environment.

          Why de Haviland choose not to use that knowledge I don’t know.

          • Why did Lockheed start off with round windows on Constellation L-749 then change to square on the L-1049 Super Constellation.
            looking at other US manufacturers in the pre – post war period
            Curtis CW20 square
            Martin 202 etc -square
            Convair 240 etc – square

            Yet Canadas Avro C102 jet airliner had round.

            The reality was the metal fatigue from pressurisation cycles wasnt completely understood by any manufacturer at the time.( de Havilland had done fatigue tests on a fuselage section to 18,000 cycles)
            A military jet like the B52 just doesnt do enough cycles in shorter time like airliners do, and the crew areas arent designed as a lightweight thin tube.

            “No one had taken into consideration the pressurizing cycles on the fuselage for a given time span, which were faster than the equivalent cycles in the slower, propeller-driven airplanes.” To gauge the effect of these cycles, an entire Comet fuselage was placed in a giant water tank, and its sealed interior filled with water. To simulate cabin-pressure changes in an aircraft climbing to 35,000 feet and then descending again, interior pressure was increased and decreased at three-minute intervals. Around-the-clock testing aged the Comet nearly 40 times faster than actual service.”
            https://www.smithsonianmag.com/history/comets-tale-63573615/
            Even more recently the 737-300 has suffered multiple fatigue failure of the fuselage well within its design cycles.

            While the Boeing 367-80, as a military prototype, a some small flattened oval windows , by the time the 707 was rolled out ( after the Comet fatigue was understood) it had the ’rounded square’ windows were are all familiar with. Since Boeing had windows in the passenger section at every frame section, that gave them an ‘small’ advantage over the DC-8 which used a wider spacing of windows.

          • TransWorld:

            This particular blog format is FUBAR, in that it is next to impossible to NOT early post like an idiot, or parachute in days later like a genius… I see you have fully taken advantage of both, old man….

            Learn to blog post in 250 words or less and with time, maybe you can even slice all that great content of yours down to 100 words or less….

          • @2mil-mller: Read our Reader Comment guidelines. You’ve violated them.

            Hamilton

  50. Does anybody know if the max family was certified for stall demonstration according to 25.203 without MCAS or with the MCAS?

    • PC:

      I find the question a bit ???????

      Of course the MAX was certifies with MCAS for stall.

      That is what it is all about.

      • What I meant is during the stall demonstration required was the system disable to only use the existing controls (without having to use the horizontal stabilizer or PHR trimming nose down thus helping for recovery) or was MCAS involved thus adding extra nose down moment (extra nose up moment would come from new engines’ location at these high angle of attacks compare to NG versions).
        The point of the question is would the max aircraft be recoverable in a stall without MCAS? (in a stall not before or preventing the stall).
        “No abnormal nose-up pitching may occur” (CFR 25.203)
        “it must be possible to promptly prevent stalling and to recover from a stall by normal use of the controls” (CFR 25.203)
        § 25.203 Stall characteristics.
        (a) It must be possible to produce and to correct roll and yaw by unreversed use of the aileron and rudder controls, up to the time the airplane is stalled. No abnormal nose-up pitching may occur. The longitudinal control force must be positive up to and throughout the stall. In addition, it must be possible to promptly prevent stalling and to recover from a stall by normal use of the controls.

        • The need for MCAS was found as a result of initial MAX testing and the MCAS was not there.

          So yes a test pilot can recover it from a stall.

          No one did airline pilot testing as MCAS was put in place before that.

          Me? I think that a pilot would never get into a stall as he has stall warning and stick shaker and you put the nose down for that. MCAS just kicks in there during that process and is supposed to duplicate NG feel.

          This is a good writeup of how and why it got mucked up.

          https://www.seattletimes.com/business/boeing-aerospace/failed-certification-faa-missed-safety-issues-in-the-737-max-system-implicated-in-the-lion-air-crash/

          I once did a cross wind landing (at an instructors suggestion and my agreement to do so ) that exceeded the listed rating of the aircraft (I was a student at the time)

          When we discussed it after we were down he clarified that the cross wind was what it had been tested to, not what it could (or a pilot) could do.

          The mfg felt it was not a good area to be in for all pilots.

          In this case its almost if not a nit noid in that few if any pilots would be there in the first place.

          The ones I know about were all out of control for other reasons and the anti stall MCAS wold not make any difference anyway.

          Its one of those its in the books and while the FAA did the right thing the allowance of how it was done was disastrous .

          I doubt any pilot in a plane stall would have any issue recovering a 737 MAX without the MCAS

  51. In my old company (we made printers) we always had human factors testing to show that the average user could successfully use the material provided to set up the printer and install the required driver.

    In the MCAS case, Boeing should have:
    1. Given qualified pilots the training materials
    2. Put them in a simulator
    3. Throw an MCAS event at them.
    4. Show that the pilots successfully manage the event.

    Instead they seem to have assumed that the system with a single point of failure would never fail. And hence didn’t need to be tested.

    It seems this wasn’t done.

    • I think you have to throw out what is right vs what Boeing was tyring to do.

      They were trying to hide a change so they could say it was no different.

      Doing your kind of testing woujld be to admit that not only was it different but it could be lethal.

      Somehow they managed to delude themselves of were forced to rate it as non lethal and the software was written at a lo level (no level) of backup.

      That also allowed them to not put it in the manual or train on it.

      I often tell the guys at work (and my wife) you are attempting to interject logic into this. When they want to force an outcome, the logic of safety goes out the window.

      US is looking into this now at a legislative level

  52. This is also good background. Note the loss of airspeed if rotated too soon? Two crashes.

    https://www.abc.net.au/news/2019-03-16/a-look-at-the-airline-grounded-after-multiple-crashes/10903524

    The 707 has a number of crashes as well, pilots were not used to the speed and characteristics that were so different that all prior.

    We hope we don’t repeat the mistakes (Commet, pressurized aircraft had flown and successfully the B-29 had tens of thousands of hours of pressurized flight as did the B-47 and B-52)

    We do know about coding and backup and that a sad commentary (no pun intended) that this killed 347 people.

    • Regarding the Comet and the earlier piston powered pressurized passenger airliners. They too had used square windows ( DC7 and L1049) , so using that feature wasnt seen as a design weakness. The reason why they didnt fail was they just didnt fly as high to experience the pressure differential, repeated cycles leading to the fatigue cracks originating at either a window or a square ADF cutout in the roof.

  53. Do we know if there are two inputs to MCAS from AOA sensors (there should be at least 2 AOA sensors) or just one AOA sensor is used to determine the stall condition?

    • Yes we do know, its been written about innumerable times now.

      Rather than jump in at the end I would suggest reading the list and or Bjorn’s analysis.

    • just one AOA with NO repeat NO comparison with anything- In other planes(737) pull or push hard enough and you wind up in full control. But with max ” hal” continues to override you again and again and again…

      • Yes and that has been presented and discused since the Lion Air Crash.

  54. Constellation changed from round to square in later models, Stratocruiser had a mix of both types and of course the very first US pressurised airliner the B307 Stratoliner had square. The point is the window shape wasn’t seem as an issue for pressurisation.

    • The Comet had multiple. factors of sharp corner, reinforcement, rivets etc.

      Window shape alone was not a factor, you can have square windows with a radius corner.

      B-47 and B-52 had rectangular/square windows. A round window may be easier and less structure but note that square is whats needed to see well (vs pax view)

      https://en.wikipedia.org/wiki/Boeing_B-47_Stratojet#/media/File:NNSA-NSO-990.jpg

      40,000 feet was in their wheelhouse of B-47 and B-52.

      de Havliand simply did not do due diligence on their design any more than Boeing did on MCAS.

      • Rubbish . Its a mix of altitude , cycles and the faster plane having shorter cycles. Military bombers may do 400-600 hours per year, 1 -2 flights a week.
        De havilland did test a fuselage section, both to over pressurization and 16,000 cycles.

  55. A nagging question: If upwards pitch creates a crisis to be handled so aggressively, it looks logical to me (from the form of the wings and engines) that AoA with downwards pitch will be even worse. Yet, nothing is mentioned about it. It scares me because these two planes both dived to their destiny.

    • It should not. Its areas that aircraft do not go to,

      If they do, they are out of control for other reasons and all the other stuff makes no difference (they crash) – pilot disorientation and over control is the killer, not the aerodynamics.

      These are tested extensively. They keep getting better.

      The 737 has some legacy design factors, pilots are trained for it.

      Its no different than old cars vs modern cares.

      With the control system in a skid you simply point the wheels where you want to go now.

      Older ones (which I have one of) you counter steer INTO a skid.

      I am over 60 and I have no problem with the switch.

      Pilots don’t swap Airbus to Boeing regularly (if they do they have training on both)

      Boeing did one thing wrong that has turned out to be lethal. Once is fixed the 737MAX will revert to the same safety record the 737 NG had.

  56. Just one thought: I assume to learn the ability to monitor the MCAS if a trim from the system is correct or not correct you need to have training about the MCAS and the part of the flight envelope where this happens, so you aren’t simple countering the MCAS in a reflex in a situation where the MCAS actions are actually warranted . However if you are trained in recognizing this part of the flight envelope, i assume
    as an interested observer you should be actually be able to fly the aircraft without MCAS or at least stay out of this area of the flight envelope. Thus would learning the ability to monitor the MCAS not actually make MCAS unnecessary or is the 737 to dangerous to fly without it?

    • Joerg: Good questions.

      What most lay people don’t get is that the aircraft are tested at the normal extreme edge of control. A stall is one of those.

      The stupid part of this is that if you were in a stall, the pilot would be countering it already as he would have had a stall alarm (Voice) say Stall, Stall, Stall.

      They also have a thing called a stick shaker that does exactly that, the yoke vibrates and that is the other alert.

      Either one of those you would react to if you happened to have put the nose up and or hose up and a steep turn. You would already be pushing the nose down (technically the tail up)

      My view is they should have left it alone, FAA did not and this is what resulted.

      In my world its called the law of unintended consequences.

  57. Some news from the last BEA tweets (https://twitter.com/bea_aero) :
    – Data from the CVR successfully downloaded on Saturday but the BEA didn’t listen to the audio files (transfered to the Ethiopian team)
    – Work on the FDR to continue today (Sunday)

    NTSB, FAA, EASA and Boeing representative are attending .

    • And now the FDR download is done and transferred to the Ethiopian authorities.

  58. Quite a few posts in this thread claiming that various persons and organizations involved in these tragic incidents are incompetent, immoral, corrupt, and under bribery. May I suggest that such claims require substantial proof rather than just insinuation?

    • https://www.seattletimes.com/business/boeing-aerospace/failed-certification-faa-missed-safety-issues-in-the-737-max-system-implicated-in-the-lion-air-crash/?utm_source=marketingcloud&utm_medium=email&utm_campaign=BNA_031719130226+Crucial+flaws+in+Boeing+737+MAX+safety+analysis_3_17_2019&utm_term=

      After reading the article what would be immoral and corrupt if true, is if either Boeing or the FAA post the Lion Air disaster became aware of the issues being talked about but failed to come forward and ground the aircraft because to do so would mean admitting faults. If true gross negligence would be a better term given the additional loss of life.

    • I think that is frustration showing through (as is mine with people taking one word out of context and claiming the 737 is unstable)

      Severe criticism of how this all came about is more than warranted, but then spinning it to the 737 is unstable is another form of corruption.

      I don’t believe in any way that money has changed hands

      But also in affect the system is corrupted.

      The FAA was right to want an action on the pitch up.

      They then allowed Boeing to implement a bad response.

      That gets into the interplay and relationship.

      People deny their own AHJ or the AHJ they subscribe to has no role to play when they can and do.

      Boeing by their actions makes it corrosive in that people want to know how it went off the rails and the simple answers is outright corruption. Its far more complex than that but people want simple answers.

      If Boeing had a clue they would not have done the MCAS the way they did, but they just knee jerked it and ok, FAA are you happy now?

      RR did not set out to create corrosion prone fan blades
      Not did they want blades to crack.

      GE did not want engines blowing up but screwed up an industrial process that did just that.

      The system caught RR before lives were lost, GE did not even make it past a test run.

      What most do not know is that there are hundreds of these issues lurking in the system. Most they get away with.

      The A320 had a software issue that required an equally odd MCAS type reaction (it came up just as my wife was taking an A320 flight)

      It had been out there for years. They were allowed 5 years to implement the fix and they had dragged their feet in doing so (airlines)

      If it had not been for an iceberg, the Titanic would have been the safest ship in the world (despite the fact is bulkhead did not go up to main deck level)

      We have seen where the AHJ have not mandated the testing in Simulators that pilots need to deal with modern systems and simply replaced actually flying with a Simulators for a DC-3 type (landings, take offs)

      Then people die, we catch up but as the one guy noted, its moving so fast we are still behind.

      People will always try to game the system.

      Read some of L.E. Modesitt’s books, while an exaggeration what he writes is true. They will shoot themselves in the foot and kill others all for the sake of coin and near view vs the long view.

      Corporations are not different (in many ways worse)

      Its human nature that we try to keep under control. A lot of success and the failures are bad.

      • Corporate (or human) behaviour is understandable. But a regulator should do more than just rubber-stamping corporate behaviour.

        Given the revelations in this article, will other global civil aviation take FAA’s pronouncement that MCAS is now (well, according to Boeing, “even safer”) at face value, and allow the 737 MAX to fly immediately?

      • I wasn’t aware you were familiar with the A320 flight control system.

        Could you please provide more information regarding your comment:

        “The A320 had a software issue that required an equally odd MCAS type reaction (it came up just as my wife was taking an A320 flight)
        It had been out there for years. They were allowed 5 years to implement the fix and they had dragged their feet in doing so (airlines)”

        If you are referring to aileron problem during the cross wind landing then this is hardly the same.

        Remember the A320 was designed for FBW from the outset – not so the B737 Max, so such comparisons are likely to be suspect.

      • Looks like we are double posting

        Shocking? No.

        That is the way the world works, we hack it back and it grows back worse again as they undercut.

        Nice, no, people died in this case but its not like its something new or will not happen in the future.

        • Boeing software engineering was slapdash and subpar. Even by my non-aerospace standards. And maybe this does happen in aerospace regularly, but I sure thought that Boeing and Airbus could hire software engineers better than this.

          But the shocking part is the FAA management behaviour. How can we even call this organization a regulator? They were just looking to rubber-stamp the Boeing design as quickly as possible.

    • Shocking. Absolutely shocking.

      The design of MCAS, as described in the article, is poor, and would be unacceptable for normal software engineers, let alone aerospace software engineers. It was either not design reviewed, or reviewed by incompetent managers only. And the managers approved it, knowing this (or worse, not knowing what was going on).

      But even worse is the behaviour of FAA management, who assigned analysis work back to Boeing, berated engineers who didn’t speed through work fast enough, and approved analyses without reviewing them. They behaved like a Boeing subcontractor at best, not like a responsible regulator.

      This actually makes me more worried about the 737MAX in particular and other recent Boeing aircraft to a lesser extent. What other slapdash software design work is there, whose certification work was skipped or ignored by the FAA, who was only concerned about matching the Airbus EIS schedules?

      Unbelievable. I would have believed this happening in Russia, but in the United States of America? I am stunned. Simply stunned.

  59. OV-099:

    Thanks for sharing the ST article, best I’ve read to date.

    It is clear both Boeing and FAA have pinpointed the design, implementation and process flaws and failures and are now forced to correct it.

    It is deeply saddening such tragic loss of life is the catalyst that leads to the correction.

    No one should suffer any delusions such a thing will not happen again, whether it is from an aircraft manufactured by Boeing, Airbus, Embrier or other. It is not a question of “if”, it is a question of “when”….

    • Spot on.

      We try to minimize it and have done well but its never ever fully stopped

  60. After AF447 disaster it was revealed to the lay public that the Airbus aircraft (in this case A330) has two rather puny Atari-like “joystick” pilot controls that operate INDEPENDENT of each other on either side of the cockpit, as opposed to the larger two yoke system on Boeing craft that operate in sync with each other.

    In AF447 it was determined that the rather inexperienced FO had dilly dallied with his ‘joystick’, unbeknownst to the Capt until it was too late.

    Can any one tell me what kind of engineering team could possibly imagine that independent gaming joystick controls on either side of the cockpit is a great design idea?

    Was that design flaw ever corrected, or at least modified?

    • For a non pilot that may make sense, but the reality is different (and I am not fond of Airbus side stick)

      First, the Co Pilot did not dill dally with the side stick. He pulled it full back deliberately. It was a monstrously wrong action but other incidents have shown its was not an uncommon reaction (sometimes called startle, I call it panic)

      It had nothing to do with FBW, side stick controllers, it had to do with a Co Pilot who had not learne3d basic aeronautics.

      Much like the MAX, the incident was triggered by a sensing issue . The Pitots (those are the inputs for speed) froze up (known issue on A330 with one mfg type) and then the flaws in Airbus automation methods reared their head (though that should not have done anything)

      In this case the computers say we can not handle this (they can) and it steps back from full automation to partial.

      Partial then allows you to pull full nose up (full will not) and the pilot proceeded to stall the aircraft.

      Step Back A Moment: You are flying along at 35k or so and your speed reading out goes flaky. You are over an ocean and you are above the highest mountains in the world. If you had stopped, you would be dead and would not see any of that, ergo you are not stopped (no speed)

      All you do is NOTHING and its fine.

      The next step if persistent then there is a hand flying mode you shift to which is 5 deg nose up and 85% thrust.

      This keep the aircraft from stalling, it also keeps from over speed and you see if the situation clears or which Pitot you may have that is ok (there are 3) and then shift (usually this clears up as the Pitot thaws out, they are heated ) to the known good pitots (you can cross trhe display or shift to the other Pilot who may have a good Pitot (the third is a backup)

      All the actions of the Co Pilot were wrong (the head pilot was back in tghe cabin and two co pilots were flying, should be fine, they were experience)

      What the other Pilot never grasped (no idea why) was the aircraft was stalled.

      The Pitots did come back but as they were stalled the readings were low and in the automation mode they were in, it refused to accept that so the stall warning is intermittent.

      There are other instrument and displays that tell you what is going on. Full nose up is a blatant one, you never see that.

      Cross check is VSI (Vertical Speed Indicator) that was negative (loosing altitude) at about 8,000 feet per second, you see those two (let alone one) and its, ok, we are stalled.

      Stalled fix is nose down (MCAS) not nose up.

      So the second pilot did not understand either and it had nothing to do with side sticks. They actually swapped once. The Swapee kept it the same as the swaper.

      The Pilot staggered back into the cockpit and he NEVER figured it out either though you have not only main displays but a set of backups all telling you the same thing.

      They had 4.5 minuets to figure it out (that is a lifetime) and did not.

      Airbus could program the system to just do an alert (Speeds gone) and maintain the exact same attitude and thrust.

      Or it could after 15 seconds revert to 5 deg nose up and 85% thrust with the same message.

      Now any pilot has part of his training that is how you react, but it was not done often or at all just talked about.

      They had not practiced it in a simulator.

      No one can tell you why he pulled up.

      A US Pilot with a 757 had the same thing occured, he pushed down. He was no where near terrain, so why would he push down when all he had to do with confirm where the nose was, what the VSI was going, what the backup instrument staid?

      No one knows, its the right reaction to a stall but NO stall was there and can’t be.

      They are now exposing pilots to hand flying and all sort of emergence like that.

      Some are doing well and some badly.

      • TransWorld:

        Yes, I am aware of the full story on AF447. No need to write a novel about it….

        Answer the basic question i prosit on why two little Atari-like game joysticks on a Airbus that operate INDEPENDENT of each other (or in case of simultaneous control, offset each other) on a modern aircraft is a good engineering design and what, if anything, has Airbus done to correct it?

        • The sidestick controllers aren’t ‘puny’. I’m sure you are aware, but maybe not, that there is no mechanical connection. Unlike Boeing’s older models they don’t connect via wires, cables and rods to the control surface.
          The F16 has a puny sidestick controllers , for the same reasons as the Airbus planes do. Many passenger, cargo and warships follow the same philosophy, a tiny video game controller like wheel.
          It would help us all if you kept up with advances since the 1970s.

        • 2mil-miler:

          Well you came across as totally uninformed.

          When that occurs I try to put a balanced view despite the fact I am not fond of side stick controller (most pilots like or adjust so that is a me thing)

          So I apologize for trying to make a very complex situation clear.

          You clearly have an agenda and don’t care about understanding vs posing wildly incorrect comments.

          I won’t try to educate you any more, I also don’t spit into Hurricanes.

    • Poor crew coordination.

      There is merit in independence or redundancy, which the 737 MAX MCAS computation apparently did not have.

      What the integrated picture of the A330’s system is I don’t know.

    • 737 reliable ?
      Then why so many fuselage ruptures like this one
      https://en.wikipedia.org/wiki/Southwest_Airlines_Flight_812
      The depressurization was caused by the structural failure of a lap joint in the fuselage skin due to metal fatigue.(48,748 hours and 39,786 cycles)
      Which followed
      https://en.wikipedia.org/wiki/Southwest_Airlines_Flight_2294
      An NTSB investigation found that the incident was caused by a failure in the fuselage skin due to metal fatigue (42,500 takeoff/landing cycles, and 50,500 airframe hours.)

      These were Series 300 versions, which followed 20 years earlier the Aloha Airlines 200 series ( 35,496 flight hours 89,680 flight cycles) but was a very early airframe.

  61. Giblets
    March 15, 2019
    Depends how many people work how hard – e.g. three shifts using the test setups, and if other work like 777x is shoved aside – certainly Boeing now knows it has a crisis on its hands.

  62. OV-099:

    Yep.

    Now imagine a world in which the liability may be the same, but 4x highly educated and trained experts can more efficiently do the job of 400x, without a need for appeasing shareholders or profits for the sake of profits, cut corners for the sake of savings, combined with absolutely no need whatsoever for a marketing department, to get 250 people from NY to Tokyo in less than 3 hrs with virtually no significant adverse effects to environment or risk to life and limb..

    You and I will likely be long dead and gone by then and most likely immediate offspring too, but that is the future of aviation.

    The good news is that some of the key technologies to make that happen, are already well upon us and you can bet your house that neither Boeing or EADS will be leading the way…

  63. And to be clear:

    Many millions will risk life and limb to make what i prosit a reality. Tens of thousands will die in the process… Technology marches on….

  64. Than you Mr. Fehrm for the usual informative post with informed technical detail which is hard to find elsewhere.

    I found the Washington Post article at the link below with details of previous crashes and close calls due to malfunctioning angle of attack sensors very interesting. Although the MAX may well turn out to be the first aircraft to suffer two total loss accidents within six months due to a malfunctioning angle of attack sensor, according to the Post article it will not be the first to suffer a total loss accident or close call due to an angle of attack sensor malfunction.

    https://www.washingtonpost.com/business/economy/sensor-cited-as-potential-factor-in-boeing-crashes-draws-scrutiny/2019/03/17/5ecf0b0e-4682-11e9-aaf8-4512a6fe3439_story.html?utm_term=.64db18ebdab7

    • Its strange that WaPo story should start out with an A321 sensor problem , but bury much further down in the story these comments
      “The FAA reports include 19 reported cases of sensor trouble on Boeing aircraft, such as an American Airlines flight last year that declared a midflight emergency when the plane’s stall-warning system went off, despite normal airspeed. The Boeing 737-800 landed safely. Maintenance crews replaced three parts, including the angle-of-attack sensor, according to the FAA database.

      In 2017, an American Airlines-operated Boeing 767 headed to Zurich declared an emergency and returned to New York. Another angle-of-attack sensor was replaced. And an American Airlines 767 was forced to return to Miami in 2014 after a midflight emergency because of a faulty angle-of-attack sensor.”

      Creative writing seemed taken over in the news report:
      “As the Lufthansa plane fell from 31,000 feet, the captain pulled back on his stick as hard as he could.”

      While incident report from the BFU said:

      “The commander gave maximum
      backward sidestick input (pull) and the airplane’s nose began to rise”

      Further information from the BFU report
      ‘The aircraft manufacturer in his role as type certificate holder analysed the available
      data of the occurrence. This analysis included the following results:
      All three AOA sensors functioned normally at take-off of the airplane. Eight minutes
      after take-off, while reaching FL 195, at an outside air temperature of -35°C (SAT),
      freezing of the AOA sensors 1 and 2 led to AOAcor recorded at 4.5°.
      This value remained unchanged for the next approximately 1 hour and 32 minutes until the descent.”

      The plane manufacturer made these recommendations
      “”Abnormal V Alpha Prot”
      The FOT explained that if two or three AOA probes are blocked at the same angle, an increase of the Mach number may activate the high angle-of-attack protection (Alpha Prot). This results in continuous nose down pitch rate that may not be stopped with backward sidestick inputs, even in
      the full backward position. It was recommended to turn off two of the three ADRs to put the flight control system in Alternate Law and therefore deactivate the high angle of-attack protection.

      https://www.bfu-web.de/EN/Publications/Interim_Reports/IR2014/I1_Report_14_6X014_A321_Pamplona.pdf?__blob=publicationFile

      • That was a great reference. Even the more robust safety logic of the two out of three tie breaker can fail, but as a last resort the crew can turn off the computer control of the flight surfaces.

  65. Dukeofurl:

    No, the WaPo story is not strange. The only thing that is strange is your apparent desire to write your own gazillion word ‘article’ within this blog post, that no one outside of yourself will ever fully read….

    • Well I do read it. So at least two?

      Not that I agree with all Duke posts but its worth a read.

      He does have a decent grasp of the basics even if the conclusions are wrong (grin)

  66. How about the moment created by thrust and drag which is speculated regarding the MAX. Does the MAX have a higher moment than the NG? If the centerline of the engines is raised towards the center of rotation, it should be less.

    As fans get larger and their centerline drops lower beneath the wing (A220, A330neo, 777x), I assume the drag-thrust moment is increasing. Does this mean the center of gravity must be moved increasingly forward of the center of lift?

  67. WSJ says grand jury sent subpeoneas to someone involved via criminal prosecuto

    r” A grand jury in Washington, D.C., issued a broad subpoena dated March 11 to at least one person involved in the 737 MAX’s development, seeking related documents, including correspondence, emails and other messages, one of these people said. The subpoena, with a prosecutor from the Justice Department’s criminal division listed as a contact, sought documents to be handed over later this month “

  68. Regarding the https://www.seattletimes.com/business/boeing-aerospace/failed-certification-faa-missed-safety-issues-in-the-737-max-system-implicated-in-the-lion-air-crash/ article:

    There are a number of very worrying things in the article if it is accurate.

    1) The amount of delegation back to BA from the FAA.

    2) “Both Boeing and the FAA were informed of the specifics …” BEFORE the second crash ! Even after the second crash they didn’t think there was enough reason to ground the MAX !

    3) Initial limit of 0.6 degrees out of a total movement of nearly 5 degrees, but then implemented as 2.5 degrees.
    “The FAA believed the airplane was designed to the 0.6 limit, and that’s what the foreign regulatory authorities thought, too,”

    4) “MCAS was classified as a ‘hazardous failure,’ “, “… then a system typically must have at least two separate input channels in case one goes wrong” and yet it appears that it was implemented dependent on just one sensor.

    5) Safety dictated by certification deadlines. Managers signing off reviews because the FAA technical staff didn’t have the time to complete the reviews.

    Certification has got to change, it has to be properly funded so that ALL certification is carried out by the certification authorities, and not delegated back to the airframer. It has to be proven to be totally independent of manufacturer, and politics. ALL certification bodies are going to have to verify initial certifications with a lot more rigour.

    As one of the pilots commented when informed of MCAS, “I am left to wonder: what else don’t I know?”

  69. I have a question for the jet pilots in the thread:

    As a lowly private pilot (single engine land and sea, instrument rated), it seems crazy to me that Boeing would design the MCAS system for what seems like a very rare event (stall in clean configuration while being hand flown), and base it off a single sensor. It seems as if–based on the evidence–the sensors go bad more often than I would have guessed the system is likely to be needed.

    My assumption here is that a stall in clean configuration while being handflown is as or more unlikely than it is in the types of aircraft I fly.

    However, I have a vague recollection that on flights in the higher flight levels the aircraft may actually be operating pretty close to a stall at cruise, which could explain why the designers’ focus might have been more on making sure not to get in an unstable configuration and less on what happens if a sensor goes bad. (Not acceptable logic, but at least understandable.)

    Is it true that jetliners are actually frequently operating near stall speed at altitude, and, if so, could that account for why the focus was more on the MCAS functionality than the risk analysis?

    Thanks in advance, and thanks to all for the excellent analysis and facts; best thread I’ve read.

    PS — If this has already been addressed, my apologies. It’s been a day or so since I went through all the comments.

  70. The attached is the clearest analysis which i have read on this whole FUBAR.

    Read an interesting take on the situation with the Max:

    “Bottom line don’t blame software that’s the band aid for many other engineering and economic forces in effect.

    Some people are calling the 737MAX tragedies a #software failure. Here’s my response: It’s not a software problem. It was an

    Economic problem that the 737 engines used too much fuel, so they decided to install more efficient engines with bigger fans and make the 737MAX.
    Airframe problem. They wanted to use the 737 airframe for economic reasons, but needed more ground clearance with bigger engines.The 737 design can’t be practically modified to have taller main landing gear. The solution was to mount them higher & more forward.
    Aerodynamic problem. The airframe with the engines mounted differently did not have adequately stable handling at high AoA to be certifiable. Boeing decided to create the MCAS system to electronically correct for the aircraft’s handling deficiencies.
    During the course of developing the MCAS, there was a:

    Systems engineering problem. Boeing wanted the simplest possible fix that fit their existing systems architecture, so that it required minimal engineering rework, and minimal new training for pilots and maintenance crews.
    The easiest way to do this was to add some features to the existing Elevator Feel Shift system. Like the #EFS system, the #MCAS relies on non-redundant sensors to decide how much trim to add. Unlike the EFS system, MCAS can make huge nose down trim changes.

    On both ill-fated flights, there was a:

    Sensor problem. The AoA vane on the 737MAX appears to not be very reliable and gave wildly wrong readings. On #LionAir, this was compounded by a
    Maintenance practices problem. The previous crew had experienced the same problem and didn’t record the problem in the maintenance logbook. This was compounded by a…
    Pilot training problem. On LionAir, pilots were never even told about the MCAS, and by the time of the Ethiopian flight, there was an emergency AD issued, but no one had done sim training on this failure. This was compounded by an..
    Economic problem. Boeing sells an option package that includes an extra AoA vane, and an AoA disagree light, which lets pilots know that this problem was happening. Both 737MAXes that crashed were delivered without this option. No 737MAX with this option has ever crashed.
    All of this was compounded by a:

    Pilot expertise problem. If the pilots had correctly and quickly identified the problem and run the stab trim runaway checklist, they would not have crashed.
    Nowhere in here is there a software problem. The computers & software performed their jobs according to spec without error. The specification was just shitty. Now the quickest way for Boeing to solve this mess is to call up the software guys to come up with another band-aid.

    I’m a software engineer, and we’re sometimes called on to fix the deficiencies of mechanical or aero or electrical engineering, because the metal has already been cut or the molds have already been made or the chip has already been fabed, and so that problem can’t be solved.

    But the software can always be pushed to the update server or reflashed. When the software band-aid comes off in a 500mph wind, it’s tempting to just blame the band-aid.”

  71. I do not think the MCAS is the only possible problem that could cause a full downtrim of the stabilizer on a 737max (or an 800/900) in case of wrong Speed or AoA data. The stall recovery (or stall ID) will downtrim stab until the stalled condition does no longer exist. No limit on how long the trim can be if I remember correct. (I always thought this was what happened on the FlyDubai crash. ) As I understand the SMYD computers have been removed from the MAX and the system “migrated to other boxes”.

Leave a Reply

Your email address will not be published. Required fields are marked *