Bjorn’s Corner: The Ethiopian Airlines Flight 302 crash, Part 3.

By Bjorn Fehrm

March 23, 2019, ©. Leeham News: Boeing this week presented how they plan to get the 737 MAX back in the air again. MCAS has a fix.

We look at what the fix tells us about the first implementation and the rationale behind its implementation.

Figure 1. The improved Pilot’s Primary Flight Display presented Wednesday. Source: Boeing.

Boeing’s MCAS fix casts light on the original implementation

Boeing presented its fix for the MCAS problems Wednesday. In doing so, it spotlights what was wrong with the original implementation.

The reliance on a single triggering signal for MCAS

A lot has been written about the MCAS system relying on a single Angle of Attack input. This is unusual for systems involved in the flight control of aircraft. Normally you have three inputs so a voting procedure can sort out one of them if it has a problem (two singling out the third as faulty).

The 737 has only two Angle of Attack sensors, so no voting can be set up between them. Instead, the system relying on the sensors can be switched off if the sensors disagree and the pilot informed about the missing function.

This is the route chosen for the improved MCAS. It will now be disconnected when the sensed Angle of Attack difference is beyond 5.5 degrees when MCAS activates and over 10 degrees for over 10s when the system is in use.

The wide allowed difference shows what I have written about before. The aerodynamics around these sensor vanes, placed at the nose sides, is dependent on how the aircraft is flown. If there is a sideslip the airflow passing the sensors will be affected and the sensor values will differ.

The actual sensor value is also higher than the wing Angle of Attack (the airflow around a fuselage nose is curving upward), therefore a correction table is used to calculate the wing’s Angle of Attack. It’s the wing’s Angle of Attack which determines how close to stall the aircraft is.

Was the use of only one signal OK to trigger the original MCAS? No, it wasn’t. But at least there was a rationale for this decision, whatever one might think about the rationale. A deactivation of MCAS was not an acceptable solution, as it would trigger a need for an “MCAS not available” signal, and this would mean more difference training for the pilots migrating from the 737 NG to the MAX.
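The two redundancy schemes this section contrasts, as an added sketch that is not Boeing's code: a triplex voter where two channels single out the third, and a two-sensor disagree monitor using the article's 5.5 degree and 10 degree / 10 s limits. The function and class names, the 1 s sample period, the voter tolerance, the reset-on-agreement reading of "for over 10s" and the sample readings are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence, Tuple

# Limits quoted in the article for the revised MCAS.
ACTIVATION_LIMIT_DEG = 5.5   # max left/right difference when MCAS would activate
IN_USE_LIMIT_DEG = 10.0      # difference that starts the persistence timer
IN_USE_PERSIST_S = 10.0      # must be exceeded for longer than this to disconnect


def mid_value_select(readings: Sequence[float]) -> float:
    """Triplex voter: use the median, so one wild channel never reaches the output."""
    if len(readings) != 3:
        raise ValueError("mid-value select needs exactly three channels")
    return sorted(readings)[1]


def outvoted_channel(readings: Sequence[float], tolerance_deg: float) -> Optional[int]:
    """Index of the one channel that two agreeing channels single out, else None."""
    if len(readings) != 3:
        raise ValueError("voting needs exactly three channels")
    for i in range(3):
        others = [readings[j] for j in range(3) if j != i]
        pair_agrees = abs(others[0] - others[1]) <= tolerance_deg
        odd_one_out = all(abs(readings[i] - o) > tolerance_deg for o in others)
        if pair_agrees and odd_one_out:
            return i
    return None


@dataclass
class DisagreeMonitor:
    """Two-sensor monitor: it cannot say which vane is wrong, only that they differ."""
    dt_s: float = 1.0          # sample period (assumed for the example)
    _over_s: float = 0.0       # how long the in-use limit has been exceeded
    disconnected: bool = False

    def may_activate(self, left_deg: float, right_deg: float) -> bool:
        """Gate checked at the moment the function would activate."""
        return (not self.disconnected
                and abs(left_deg - right_deg) <= ACTIVATION_LIMIT_DEG)

    def step_in_use(self, left_deg: float, right_deg: float) -> bool:
        """Call once per sample while active; False means disconnect and annunciate."""
        if abs(left_deg - right_deg) > IN_USE_LIMIT_DEG:
            self._over_s += self.dt_s
        else:
            self._over_s = 0.0  # assumed: the timer restarts when the vanes agree again
        if self._over_s > IN_USE_PERSIST_S:
            self.disconnected = True
        return not self.disconnected


def disconnect_time(pairs: Iterable[Tuple[float, float]],
                    dt_s: float = 1.0) -> Optional[float]:
    """Elapsed seconds at which a run of in-use samples trips the monitor, else None."""
    monitor = DisagreeMonitor(dt_s=dt_s)
    for n, (left, right) in enumerate(pairs, start=1):
        if not monitor.step_in_use(left, right):
            return n * dt_s
    return None


if __name__ == "__main__":
    # Constructed readings in degrees: one channel stuck high, the others healthy.
    print(mid_value_select([4.8, 22.0, 5.1]), outvoted_channel([4.8, 22.0, 5.1], 5.5))
    print(DisagreeMonitor().may_activate(22.0, 5.0))
    print(disconnect_time([(22.0, 5.0)] * 15))
```

With three channels the faulty vane is identified and the function keeps working; with two, the only safe response to a disagreement is to switch the function off and tell the pilot.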

The design of the original MCAS function

While the reliance on a single sensor is highly questionable, the architecture and implementation of the original MCAS function is inexcusable.

If you have a flight control function which is triggered by a single sensor, there is a likelihood of it being incorrectly activated. Then you implement a non-hazardous augmentation function!

You make sure it only injects the minimum correction necessary and you limit its total authority to not jeopardize the safe flight of the aircraft.

Where others focus on a single trigger signal, my biggest problem is with the function itself. If you have a weak trigger architecture, you limit the authority of what you trigger!

There was no need for the authority MCAS got. We know this today as the software fix only trims once for each elevated Angle of Attack event and limits the total trim amount to a safe level. This is regardless of the sensors being wrong or the function running wild.

It was just a very, very bad function design, and there was no need for it.
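A sketch of the authority limit argued for above, added here and not Boeing's code: the same trigger run with and without the two limits the article attributes to the fix (one trim command per elevated Angle of Attack event, and a cap on total trim). The trigger threshold, trim step, cap and sample traces are constructed values in arbitrary units, not MCAS figures.

```python
from typing import Dict, Iterable, Optional

# Constructed parameters for the illustration (not MCAS values).
TRIGGER_DEG = 14.0   # AoA above which the augmentation wants to trim nose down
STEP_UNITS = 1.0     # trim added by one command, arbitrary units
CAP_UNITS = 2.0      # total authority the function may ever use


def total_nose_down_trim(aoa_trace: Iterable[float], *, once_per_event: bool,
                         cap_units: Optional[float],
                         trigger_deg: float = TRIGGER_DEG,
                         step_units: float = STEP_UNITS) -> float:
    """Sum the nose-down trim commanded over a trace of sensed AoA samples.

    once_per_event: command only on the transition into an elevated-AoA event.
    cap_units: hard ceiling on accumulated trim, or None for no ceiling.
    """
    total = 0.0
    in_event = False
    for aoa in aoa_trace:
        elevated = aoa > trigger_deg
        wants_trim = elevated and (not once_per_event or not in_event)
        if wants_trim:
            step = step_units
            if cap_units is not None:
                step = min(step, cap_units - total)  # never exceed the ceiling
            if step > 0.0:
                total += step
        in_event = elevated
    return total


def compare(aoa_trace: Iterable[float]) -> Dict[str, float]:
    """Run one trace through the unlimited design and the two limits."""
    trace = list(aoa_trace)
    return {
        "unlimited": total_nose_down_trim(
            trace, once_per_event=False, cap_units=None),
        "once_per_event": total_nose_down_trim(
            trace, once_per_event=True, cap_units=None),
        "once_per_event_capped": total_nose_down_trim(
            trace, once_per_event=True, cap_units=CAP_UNITS),
    }


# Constructed traces of the single triggering sensor, in degrees.
STUCK_HIGH = [22.0] * 20        # faulty vane reads high on every sample
CHATTERING = [22.0, 3.0] * 10   # faulty signal crosses the threshold repeatedly
NORMAL = [4.0] * 20             # healthy sensor, normal flight

if __name__ == "__main__":
    for name, trace in (("stuck", STUCK_HIGH), ("chatter", CHATTERING),
                        ("normal", NORMAL)):
        print(name, compare(trace))
```

The chattering trace is the case to look at: each crossing counts as a new event, so "once per event" alone still accumulates trim, and only the total cap bounds what a bad trigger can do.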

Designed to not show, it became the centerpiece of attention

MCAS was a function put there to cater for a very remote case. The pilot needs to maneuver close to the limits of the aircraft and way beyond normal flying practice, to save the aircraft from some emergency. Then MCAS kicked in to make the aircraft easy to fly close to its limits.

In the life of a commercial 737 MAX pilot he should never experience an MCAS augmentation; its use case was that remote. Instead, it became the most known and explained function of all on the 737 MAX. And for the wrong, very sad reasons.

There are only a few airliner OEMs in the world. There is a reason for this. It’s a challenging product to get right and the stakes are very high for any mistakes. In today’s very safe air transport system mistakes of this scale are non-acceptable.

92 Comments on “Bjorn’s Corner: The Ethiopian Airlines Flight 302 crash, Part 3.”

  1. Excellent interpolative analysis. And you are right: if the function could have been designed for safety with less authority, it was negligent not to do so.

    One question for my high-altitude colleagues: does flying at the upper flight levels have less of a margin of safety above stalling than light aircraft at lower altitudes?

    If not, and it’s really true that “in the life of a commercial 737 MAX pilot he should never experience an MCAS augmentation”, there is no excuse for designing the system off a single sensor that appears to fail at a higher rate than MCAS events occur, and with so much authority that a confused flight crew could be overpowered by the “augmentation”.

    • Bjorn:

      I put this at 3 aspects and I am going to disagree on 2 of them.

      1: Conversion Training: That should never be an excuse to create a monstrosity that MCAS was in its original iteration.

      2. Single Input: That is also totally flawed and it’s an abomination unto itself let alone 1 and 3. To cover up an abomination with limiting authority is beyond really bad.

      3. Amount of Stab Authority: That just went hand in hand with 1 and 2. Slap dash lousy.

      If there is any proof needed, all 3 have been addressed in Rev 2.0.

      Item 3 should not cover up for Item 2 or vice versa.

      Item 1 should never have occurred.

      Boeing knows better.

  2. What I don’t understand: Muilenburg was the CEO when the MCAS code was implemented. Muilenburg was the CEO when Boeing “tweaked” the certification of the B737Max. It was the Boeing management that decided, that the B737Max must under no circumstances trigger simulator training for pilots.

    Muilenburg has for sure not written the code for MCAS by himself, but as the CEO he is responsible for the mess. He is responsible, that the first version of MCAS was cheap and fast to implement, but not safe. It was basically Muilenburg, who allowed a strategy, that was basically: Profits and Quickness before safety. Muilenburg has the responsibility for 346 dead people. You can’t kill 346 people with your new product and still be the highly paid CEO of the company. There have to be consequences.

    Why are there no calls, that Muilenburg must step down?

    • Muilenburg will find a scapegoat further down the line that will be sacrificed. The people on the top get there for a reason, because they know how to protect themselves from such fallout.

      • They found their fall guy. The 737 Chief Engineer (Mike Murphy) lost his job earlier this week.

        • Some years back, up at Elmendorf AFB out of Anchorage an AWACS took off through a flock of geese and crashed (ingested birds)

          Entire crew died and a major asset was lost.

          They tried to pin it on a Sergeant who had something like 17 job functions and goose control was both last and not resources allocated.

          There were major protests and they finally sacked the base commander (correctly)

          But as one of the other crews informed the public, it’s not a base commander, it’s the culture.

          The mission was nothing more than a touch and go landing training flight with no need of the crew. Regs say full crew any time it flies.

          On top of that at the time, all missions were deemed combat missions, you went no matter what.

          Supposedly that has changed and there is an assessment on the real nature of what is going on.

          That is from the top and a cultural issue.

          Muilenburg should be canned, we will see if Boeing gets away with the low level sacrifice.

          There was a poem written about a service manager that has the greatest line I have heard in regard to managers.

          He wanted all the glory but could not stand the pain.

          • I think you are looking at the wrong Boeing CEO, as it’s the Boeing Commercial Airplane CEO (and Boeing VP) who is leading the commercial aircraft side and has those responsible for flight safety reporting to him.
            Interesting background to the most recent BCA CEOs
            Current Kevin McAllister, a metals engineer who came from GE Aviation Services
            Raymond Connor .MBA who worked in sales -marketing for Boeing ( started as a mechanic on the 727 program)
            James Albaugh , Civil Engineer who worked in the defense side of Boeing
            Scott Carson , a financial guy in BCA then sales, and Defense before that, especially space , missiles etc
            Alan Mulally . An aviation engineer with long record of leadership of Boeing aircraft programs especially 777.

            The last time BCA had an experienced commercial aviation engineer in charge was Mulally 98-2006

            The 737 Max issues date from the Albaugh period. And the 787 debacle proceeded that.

  3. So, it seems that in the effort to reduce crew training costs Boeing thought it was O.K. to have important sub-system that the crews were not informed of and almost 350 people perished.
    At the very least, more than a few people from Boeing and the FAA should have a meeting down at the unemployment office.

    • Well, it was a system most pilots shouldn’t experience in their lifetime. I think it is OK to keep it out of manuals. What is not OK is the sloppy implementation like single sensor and not notifying pilots about undertaken actions.

      • I fear your logic is broken.

        If they know what actions to take then they have to know about the system and it HAS to be in the (pilots training ) manual.

        And yes as a pilot you need to know about it and have the training, it has its own set of symptoms that you need to recognize FAST.

    • It’s instructive to read this article on the infamous Ford Pinto gas tank issue:
      Ethical Breakdowns
      Harvard Business Review
      April, 2011

      Consider an infamous case that, when it broke, had all the earmarks of conscious top-down corruption. The Ford Pinto, a compact car produced during the 1970s, became notorious for its tendency in rear-end collisions to leak fuel and explode into flames. More than two dozen people were killed or injured in Pinto fires before the company issued a recall to correct the problem. Scrutiny of the decision process behind the model’s launch revealed that under intense competition from Volkswagen and other small-car manufacturers, Ford had rushed the Pinto into production. Engineers had discovered the potential danger of ruptured fuel tanks in preproduction crash tests, but the assembly line was ready to go, and the company’s leaders decided to proceed. Many saw the decision as evidence of the callousness, greed, and mendacity of Ford’s leaders—in short, their deep unethicality.

      Taking an approach heralded as rational in most business school curricula, they conducted a formal cost-benefit analysis—putting dollar amounts on a redesign, potential lawsuits, and even lives—and determined that it would be cheaper to pay off lawsuits than to make the repair. That methodical process colored how they viewed and made their choice. The moral dimension was not part of the equation. Such “ethical fading,” a phenomenon first described by Ann Tenbrunsel and her colleague David Messick, takes ethics out of consideration and even increases unconscious unethical behavior.

      I expect a similar thing happened at Boeing.

      As I recall, in addition to ignoring the ethical issues, the cost-benefit analysis approach also had two flaws: (1) they underestimated the amount they’d have to pay out in damages; and (2) they didn’t include reputational damage to the Ford brand from knowingly putting dangerously defective cars on the road.

      I expect Boeing’s decision to cut corners on safety will be another business school case study in stupidity – and will be ignored by the graduates.

      • Well, there must have been opinions at Boeing, still the argument that you have the cut out switches and the trim runaway checklist that will take you out of problems.
        As a paying passenger you think that pilots have been exercised in every situation (altitude, speed, c.g.) with a single probe failure in a certified full flight simulator of the correct type at least every 2nd year and especially as part of initial type/model training.

  4. Hi Bjorn

    What is to stop the inertial reference system(s) from validating the AoA signal? Or replacing the AoA sensors entirely?

    They can distinguish between course and track in the horizontal plane, why not between direction of travel and direction in which the aircraft is pointing in the vertical plane?

    I can see that vertical movement of the air would muddy the signal slightly, but not by much (~10m/s vertical air speed vs ~70-240 m/s aircraft speed). And anyway, AoA sensors seem to have issues – I haven’t done the trig but I’d be surprised if the IRUs would be 5.5 Degrees different from reality, which seems possible with the AoA vanes.

    • “What is to stop the inertial reference system(s) from validating the AoA signal? ”

      in a sense the 787 uses a ‘synthetic airspeed’ as well as the sensor detected airspeed as described here.
      787 Synthetic Airspeed
      • Calculated from angle of attack and inertial data
      – AOA – voted dual sensors plus inertial data
      – Accurate Coefficient of Lift (CL)
      – Airplane Mass from FMC – Validated after Takeoff
      • Algorithm developed for enhanced stall protection
      • Avoid displaying data known to be bad
      – Loss of valid voted VCAS = Display synthetic airspeed VSYN
      – Loss of valid voted PSTATIC = Display GPS altitude

      Tom Dodt
      Chief Engineer – Air Safety Investigation
      ISASI – International Society of Air Safety Investigators

      • CL:

        You don’t need AOA and other than fighter aircraft it really is an unnecessary function and addition.

        Your PFD and backup instrument cluster has an artificial horizon that shows where the nose is.

        You simply combine air speed and or VSI into an algorithm and you will have a good enough stall warning.

        What inertial can’t tell you is the attitude of the aircraft (unless you have one front and back and even then stagnant pitch change means no change)

        AOA is just another cute feature that was inflicted by the massive number of fighter pilots going into the pilots’ ranks from Vietnam and post Nam.

  5. I concur “the architecture and implementation of the original MCAS function is inexcusable”.

    What’s most worrying is that it passed certification, FAA, EASA etc…

    I still don’t understand the logic of altering the ‘yoke jerk’ to stop trim function that has been present on the 737 until now. With the pursuit of a common type rating at all costs, it strikes me as odd that it was thought necessary to modify this function.

    Peter Lemme said “Human factors must be taken into account. In the scenario where the stabilizer is running away nose down, the pilot may only fixate on pulling the column back in response. They may not be mentally capable to trim back or cutout the trim – instead they just keep pulling. That is where the aft column cutout switch saves the day.”

    • “What’s most worrying is that it passed certification, FAA, EASA etc…”

      So far as we know the certification was an all FAA affair, with the rest of the world accepting that through the normal reciprocal agreements.

      The problem now is that the rest of the world lost faith in the FAA’s assertions that the aircraft was safe, even after the Ethiopian crash, and chose to ground it. The FAA did not, at least not until the writing was in a Trump Tweet.

      Having disagreed with the FAA once, there’s a good chance the rest of the world will keep doing so until a convincing reason to restore the status quo. We’ve not seen one of those as yet.

      • The MCAS lack of sensor redundancy, forceful, overpowering authority, missing documentation/ training, how could it pass the layers of the certification process?

        Weren’t the requirements applied, or were stone age, grandfathered requirements used for the brand new system, to speed up the process?

        • Well, I think the answer is that it passed through whatever layers there were with remarkable ease. Inappropriately so.

          Judging by some of the reported EASA officials’ comments, they won’t be letting that happen again. According to the Reuters article, the EASA had some concerns back in 2016, and their lack of action (was it, “We can trust the FAA”? Or were they told things by the FAA or Boeing that turned out to not be true?) over those concerns will no doubt be exercising them. It’s not their fault that the 737MAX turned out the way it did, or at least that’s my perception of how global certification works, but you can see them being motivated to never let anything like this slip through their fingers again.

          At least that’s what I hope will happen, which will be another robust layer in the process. Because right now, I think that that’s what the world needs, at least as far as Boeings are concerned.

          • Keesje: Those stone age requirements were intended for stone age aircraft like the 737.

            Modern specs mean that it won’t let you stall (Airbus)

    • It “passed” because Boeing lied about the % of trim MCAS would take to be effective; 2.5 degrees instead of .06 degrees. And they pushed hard to be allowed to “self-certify”.
      Two things need to happen here. The “Max” needs to be taken out of service because the new engines changed the plane’s center of gravity, requiring bullshit like the MCAS to make it fly. We have a bunch of military craft like this but it’s a trade-off for other attributes (such as small radar footprint). But to allow more efficient engines probably isn’t a good enough trade-off to make an airliner more unstable. Their choice was to build a different airframe or “tweak” it with a new automatic trim system. They chose the latter and 300 souls were lost.
      Second, the FAA needs to focus on what should be its only goal, which is the safety of the flying public. Forget about being a cheer leader for the Aviation Industry. Stop all the “self-certification” and hire enough people to adequately regulate the industry like you are supposed to.

    • Speculating:
      – lack of perspective
      – control freak mentality

      An example was the new regulation circa 1968 for altitude alerting.

      Varying notions in Boeing of how it should be met, plus customer TWA wanting a red light.
      Fortunately in a multi-project meeting of Boeing departments a test pilot spoke eloquently to pilot needs and priorities.

      [Brain fade on his name, he later was Chief Pilot of the 767 development.
      Jim Tsai of 707 Flight Deck was one of the more sensible people in Boeing on the subject.]

  6. What about the stick shaker – was it also activated based on the single AoA sensor failure or is this a separate story? Shouldn’t the pilots also be “protected” against false warnings such as stick shaker?

    • The so called logic is that if its shaking one side and not the other you shift to the non shaking side for piloting.

      I don’t agree with it but……………..

  7. One more thing that will need to be investigated is why there have been two faulty AoA indications.
    Is there a problem with the vanes or with the software that generates the signal from the vanes.
    The failure rate is too high.

    • I’ve been trying to make sense of the AoA issues by following Peter Lemme’s take, but the more I read the more I get confused.

      If Peter has the right information and the setup for the MAX is the same as the NG, the AoA sensor is squarely to blame. Which begs the question of how it passed the installation test, or how the replaced sensor could give an erroneous reading in the exact same manner.

      If the fault is a result of a bit flipping in the ADIRU (if I understand the part about ARINC 429 chipset correctly), why does the stick shaker activate? Does the stick shaker rely on the ADIRU rather than the SMYD on the MAX? Something doesn’t add up here.

      • I have read a story in NY Times about the Max development which indicated the wiring design was ‘rushed’.
        “‘It Was Go, Go, Go’: Boeing Rushed 737 MAX Design In Race With Airbus”

        A technician who worked on wiring the 737 Max said that at the start of the project, “rushed designers were delivering sloppy blueprints” to him. His designs, to this day, still include omissions.

        His internal assembly designs for the Max, he said, still include omissions today, like not specifying which tools to use to install a certain wire, a situation that could lead to a faulty connection. Normally such blueprints include intricate instructions.
        Despite the intense atmosphere, current and former employees said, they felt during the project that Boeing’s internal quality checks ensured the aircraft was safe.

        This may be unconnected, but it’s worth looking into.

      • Peter is not clear enough in his explanations, notably in talking of ‘aft column switches’ he is not clear how they work. (Apparently he is talking of force sensing that cuts off speed trim when column is pulled back hard.)

        As for bit flipping:
        – IIRC Peter himself suggests that’s unlikely.
        – THE question is what error detection and correction is embedded in the data stream and use of it. Wouldn’t even a parity bit check detect flip of a single bit? (There are more capable embedded error-detecting data algorithms than parity bit, including CRC up through the double-wrap used in LAS uplink of final approach path to an airplane.)

        • What it means is that if you have garbage anywhere in your Analog Input (which is what an AOA is) then the algorithm that takes that data and executes, will have a garbage output (MCAS activated)

          It’s possible for the signal to go bad anywhere in the system, AOA is the prime suspect but as it was replaced on Lion 610, why did it continue? And why could they not see it when it was showing bad 22 degrees on taxi?

          While unlikely, a ground in the system could send bad data (odd it would be within the allowed data limits) or software could twist it when it was a good signal.

          It’s almost academic now other than understanding what went wrong.

          You don’t read about stick shaker issues so we have limited data, do they happen and passed off or is this new and part of MCAS software ?

          Answers some day.

  8. Re – using the IRUs to compute AoA rather than AoA vanes;

    I’ve done the trig now; a 10m/s upgust would produce an AoA error of 8.13 Deg if it was computed by the IRUs on an a/c travelling at 70 m/s. That’s probably too much but it’s a hell of an upgust and wouldn’t last for long.

    For other regimes it seems to me IRUs could do the job better than vanes, and could indeed monitor the health of the vanes, monitoring direction, travel, speed of response and ‘vote down’ a discrepant unit.

    • The IRS might not be perfect but the change in alfa from the IRS should be even more valuable comparing with the alfa dot of the AoA vane sensors. Hence if one “jumps around” and the other does not and the IRS does not it should be pretty easy concluding what sensor is wrong.
      Boeing, FAA, EASA and the rest more were convinced that the pilots would disconnect the trim with its switches if anything not normal happened hence the poor redundancy. In reality not all pilots did so but hold onto the steering yoke and wheel especially if not have trained in a 737MAX simulator going thru all error sensor inputs at different speeds and c.g. The first 737MAX simulators to airlines will ship before new year 2020.

    • The IRS type device senses attitude and motion relative to space not air – the wing flies in air.

      (Winds including vertical are a key difference between motion relative to air and to space. IRS senses relative to earth (adjusted from relative to space, including for earth rotation rate).)

      Attitude, groundspeed, and airspeed plus weight are information that given time a crew can use to check reasonableness of AOA and each other.

      Indeed, a 707 had unreliable airspeed indications over the South Pacific due winds over mountains pushing moist air unusually high, crew coped by using groundspeed from the doppler sensor. (Doppler used four down-looking radar beams, it pre-dated IRS which is an inertial sensor using accelerometers that it integrated to velocity and distance or later used velocity sensors (the ‘ring laser gyro).)

  9. Well, with Bjorn article, it starts to make sense that it was some gross mistake.
    But this other article (
    says that EASA knew about it and was preoccupied. So perhaps, there is more than just a mistake….
    It seems to me that Boeing and regulators (in several cases, Boeing people working under FAA authority) didn’t bother to think about a panicked pilot who didn’t know (without any word of MCAS in the manual) that he or she had a different beast….They had to “understand” and “comprehend” the thoughts of people who were not aboard the aircraft….

    • I will disagree, they simply had to have good logic and well written software with the 2.0 MCAS they have now.

      Frankly any idiot could see that a single AOA triggering a major control change was a damned stupid idea.

      If I came up with something that awful I would quit and go dig ditches. I would have no place in the controls world.

      Anyone that suggested it should have been fired on the spot.

      • There seems to be the assumption that Boeing made an error when they based MCAS on a single sensor. I doubt it is that simple. I doubt Boeing based MCAS on a single sensor due to naiveté, stupidity or oversight. Somewhere at Boeing there are technical docs that outline the following thought process:
        * At close to stall we need a system to push the nose down
        * We can trigger this based on AOA indicators
        * But if there is any yaw or buffeting, which is quite likely at high AOA then the sensors will disagree
        * But the nose must come down or there will be a disaster, best push it down even if only one sensor shows a high AOA

        Boeing is now saying:
        * If at high AOA where MCAS should trigger, we will not trigger it if the AOA sensors disagree (which may well happen at stall) because that is safer than accidentally triggering it. And well it is not likely they will disagree by that much. MCAS protections will be disabled in an un-coordinated turn close to stall but that should not be a big deal.

        This is a problem because the perfection authorities will be thinking:
        * Wait a minute, previously you indicated it is imperative the nose be pushed down, so imperative you will do it based one sensor. But now you are saying it is not so important and only needs to happen if the sensors agree. Explain your new logic. In detail.

        The criminal authorities will be thinking:
        * How did this get classified as a non-flight-critical system? Was that inappropriately done to let the single-sensor trigger get through certification?

      • And as for the apparently bad idea to repeatedly trigger MCAS. Again this will have been a deliberate and reasoned decision. Perhaps like this:
        * It has been shown that even experienced first world pilots can become disoriented and feel they need to pull back when they should pitch down.
        * In the Max the pitch force curve results in the yoke feeling lighter as you enter a true stall. This will signal things are getting better when they are getting worse.
        * Therefore we need to do more than provide a single gentle corrective input. We need to act aggressively and repeatedly to get the nose down.

        If such a document exists Boeing will now need to show why the original analysis no longer applies. And the certification authorities will need to feel they can explain this to the public.

        • What is documented is Boeing assessed the MCAS as a non critical flight control, pushing it down in how much (none) redundancy is called for.

          Its based on odds happening and how many injuries or deaths it can cause in X amount of time based on a probability which is only as good as the assessment in the first place.

          They don’t even know what a regular line pilot would do when faced with it, none were ever trained in it. Simulators just are getting out to the fleet (and if it’s not in the book they would not be tested anyway.)

          They pushed it down for financial reasons and 347 people paid the price.

          As all the pilots have said, you’re damned right I want to know about it, when it would kick in and what the characteristics for MCAS are not run away trim they hid behind.

  10. @Bjorn, I note that you carefully abstain from voicing an opinion about the safety of the new MCAS. That’s probably quite wise…

    I’m sure that there’s problems remaining. The original function must still be carried out, as before (2.5° inputs?) when needed. However it is obvious that to be safe, the function must be limited. They have chosen to limit the function in software.

    The limiter is a new function, all of itself. The problem they still have is that the limiter is not implemented in a safety critical manner (no triplicate implementations of the limiter, no voter for those, etc). It’s just a few lines of code patched into their existing system. Given the complexity of deciding to trim or not to trim, this seems inappropriate.

    So if this limiter function is all that sits between an MCAS system going haywire and the aircraft crashing, the patch seems inadequate to pass a safety review.

    Furthermore the MCAS system has a function to detect high AoA events. Another is to count these. I note that the new MCAS will limit its trim outputs to once per high AoA event. So, what if the event detector function goes wrong and generates too many events from its input data? The limiter may be correctly limiting MCAS to once per event, but if it generates a lot of events that could cause a large net down trim.

    So the high AoA event detection function is also safety critical. But it seems again Boeing are not implementing that function in triplicate, etc.

    Basically I can’t see this being readily acceptable. It still feels very cheap and nasty.

    Then there’s the issue that, assuming that the new MCAS is more reliable, if it does go wrong and still has the potential to run away from pilots and crash the aircraft, the human factors involved in diagnosing a rarer fault aren’t great.

    • Good question. I asked this in other forums with no answers. Defining the threshold and duration of an MCAS trigger ‘event’ is a logical conundrum.

      • As far my read of the regulation goes, the airplane (with or without augmented stability system) must be longitudinally stable or neutral at any point in its allowed flight envelope. That regulation would justify the ever present MCAS, not that it was executed properly.
        I suppose a case could be made for disabling the MCAS (hence having an airplane be longitudinal unstable/neutral at certain flight conditions) IF the risk of it causing a catastrophic failure is higher than a catastrophic failure due to the original longitudinal stability issue. It all depends on how bad the longitudinal stability problem is to begin with. If it can become quickly unmanageable by an average pilot, a different more robust fix would be needed – but if it is a fairly benign issue with long/low-amplitude oscillations that a pilot could easily damp out, then maybe the MCAS disablement approach is valid, we just don’t know how bad that underlying issue is that made them put the MCAS on in the first place.

        • except it had zip to do with stability per se - it was to prevent yoke force/feel from decreasing at an extreme corner of the flight envelope, and to force the nose down at such an unusual rarely if ever reached flight regime – so as to make a ‘smooth’ force versus trim curve in accordance with flight certification. The stability per se was not an issue - the rare ‘problem’ was due to the top of the engine cowling adding lift at the edge of the flight regime rarely if ever reached. Since it was SUPPOSED to be rare, BA fudged some numbers to hide it and thus got to claim it needed no explanation etc ad nauseam.
          Boeing will/has scapegoated a few engineers/janitors/ and probably a few clerk-typists since the CEO and his aides have long since securely fastened A** covers and are in the ‘what me worry’ mode. Those engineers involved who wanted to speak out either dared not speak out and/or retired simply as a matter of self preservation.
          Speaking truth to power in Boeing rarely has rewards especially since the real Boeing managers have long since retired or died.

          • @ bubba
            “except it had zip to do with stability per se”
            I don’t know what you mean by that.
            “Longitudinal stability” and “smooth stick force v. trim” are very much related to each other.
            A longitudinally stable airplane is defined by the FARs to have to meet 3 conditions:
            “1-with the airplane trimmed at within envelope speeds, a PULL must be required to obtain AND maintain speeds below the trim speed. Conversely, a PUSH must be required to obtain AND maintain speed above the trim speeds.”
            “2-The speed must return to within some specified percentage of the trim speed if the cockpit control is released from the push or pull condition implied by 1”
            “3-The stick-force vs speed gradient must not be less than that specified in the regulation”
            (J. Roskam APD Part 7, Ch. 3.1.3. He is referencing FARs 25.171, 25.173, 25.175, 25.253, and 25.255)

            A reversing stick force vs. trim curve (which MCAS is mitigating) violates all requirements of longitudinal static stability, which is what I am referring to here.

            And I am not defending the fix Boeing is proposing or their general approach to the problem, I am just outlining what they may be thinking. I personally think their solution is not robust enough and they are instead trying to bargain with/test their luck and endanger passengers’ lives just so the ban could be lifted.

      • Gordon, glad to know there’s others thinking along the same lines.

        There’s one observation I would like to highlight from this, (assuming my understanding of what is being proposed is indeed correct). I’ve thought of that, and so have you. So, why haven’t Boeing?

        One would have imagined that, with a very black mark against its name at present, Boeing would be bending over backwards to be seen to be putting their design in order. Unless we’ve completely got the wrong end of the stick, they’re clearly not achieving that; we don’t believe the fix is appropriate.

        I can’t believe that any self respecting senior engineer in Boeing would propose such a fix. To me the “fix” has all the hallmarks of being management led, not engineering led. That doesn’t bode well for their future, because if there’s one thing a grumpy certification agency is going to be demanding now, it’s a proper engineering solution to the aircraft’s problems.

        Throw in the fact that the PR machine has been turned on big time. Big events with 200 pilots attending, press in hand, etc? This is not the sober reaction of a chastened engineering team anxious to get their homework properly marked prior to exposing themselves to the public gaze again. The optics of this are not going to look good in the eyes of the engineers working in the world’s certification agencies. I wonder if representatives from the EASA or CAAC were invited?

        • Mathew:

          The older 737 system is not a FBW and it can’t be set up that way.

          If you read Peter Lemme, it’s inherent in the 737 system with added on control smoothing functions.

          They program two computers by two different software writing teams.

          It’s not an Airbus 2 out of 3 and what happens in your 2 out of 3 when TWO ARE WRONG? (the data has to be close enough that it’s not rejected on value disagreement but it does happen)

          Drill down and see how it’s handled between the two computers but the system is not a 2 out of 3 voting system.

          • Transworld, that’s the first time I’ve heard anyone say that the computer systems on the 737MAX that do this kind of thing are anything other than simplex. That’s much more encouraging.

          • Mathew:

            I have posted that a number of times. As this is a wild new world for me (I follow it but you don’t get into this kind of depth unless something like that happens sadly)

            737 had this inserted over time (change to control inputs) not as mandatory to flight, but as a method to smooth out the flight and less upset and or sick passengers.

            As this was not an Envelope Protection system using FBW, the logic is different.

            I don’t know what the stability and characteristics of the A320 are, but it was designed ground up without any mechanical redundancy systems.

            It reverts to various degraded control laws by step or completely off.

            Obviously there are backup systems that don’t have the computer in there. What setup the backups use I don’t know, I have not seen it.

            The 737 will fly without any of the augmentation (vs envelope protection) as well of course.

            Instead of backup redundant circuits of some kind, turn the stab powered off on a 737 and you have the wheel to adjust the stab.

            Freeze up two of the three AOA on an Airbus and you have an issue because two out of 3 agree and they are frozen into the same position.

            How many backup actuators or parallel actuator systems does Airbus have?

            I do know you don’t have the full flight controls, it drops back to absolute necessary and it’s not a fun flight any more.

            Likely much like the rock trucks I drove with bump steering.

            The 787 is all computer controls but you can bust out of the restrictions by use of the controls.

            That is the lethal nature of the MCAS (or was) column control or trim should override it, and it did intermittently so the leap to a stab control issue and go to runaway was missed by 3 crews.
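The point made in the comments above about two sensors being wrong together, as an added illustration that is not part of the original comments and is not any manufacturer's implementation: a generic triplex mid-value voter beside a generic two-channel disagree monitor. The 5.5 degree limit is the figure the article gives for the revised MCAS; the climb profile, the frozen value and the use of the mean in the duplex case are constructed assumptions.

```python
# Added illustration of generic redundancy logic; not Airbus or Boeing code.
from statistics import median

DISAGREE_LIMIT_DEG = 5.5   # disagree limit quoted in the article for the revised MCAS

# Constructed data: true AoA during a climb, and the value a stuck vane reports.
TRUE_AOA = [4.0, 6.0, 8.0, 10.0, 12.0, 14.0]
FROZEN_DEG = 4.0


def triplex_vote(readings, tolerance=DISAGREE_LIMIT_DEG):
    """Mid-value select over three channels.

    Returns (selected_value, indices of channels rejected as outliers)."""
    mid = median(readings)
    rejected = [i for i, v in enumerate(readings) if abs(v - mid) > tolerance]
    return mid, rejected


def duplex_monitor(left, right, limit=DISAGREE_LIMIT_DEG):
    """Two channels cannot vote; they can only agree or disagree.

    Returns (value, enabled). On disagreement the function is inhibited.
    Using the mean when they agree is a hypothetical choice for this example."""
    if abs(left - right) > limit:
        return None, False
    return (left + right) / 2, True


def first_healthy_rejection(frozen_channels):
    """Step of the climb at which the voter throws out a healthy channel,
    or None if it never does."""
    for step, true_aoa in enumerate(TRUE_AOA):
        readings = [FROZEN_DEG if i in frozen_channels else true_aoa
                    for i in range(3)]
        _, rejected = triplex_vote(readings)
        if any(i not in frozen_channels for i in rejected):
            return step
    return None


if __name__ == "__main__":
    # One stuck vane: the voter masks it and keeps the right value.
    print(triplex_vote([FROZEN_DEG, 14.0, 14.0]))
    # Two vanes stuck at the same value: the healthy one is outvoted.
    print(triplex_vote([FROZEN_DEG, FROZEN_DEG, 14.0]))
    # Two-channel monitor: one stuck vane is detected, the function is inhibited.
    print(duplex_monitor(FROZEN_DEG, 14.0))
    # Both stuck at the same value: no disagreement, the fault stays latent.
    print(duplex_monitor(FROZEN_DEG, FROZEN_DEG))
```

Neither arrangement detects a common-mode fault where the failed channels agree with each other; triplex voting masks one independent failure, and the duplex monitor can only detect it and switch the function off.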

    • Other reports identified a more basic issue
      “The ATSB found that while the pilots had been trained in stall recovery in low altitudes, they had not had instructions on how to handle the problem at higher altitudes.”
      No stall training at higher altitudes! This was 2017 well after the Air France incident where a high altitude stall, in a different type of plane, wasn’t correctly compensated for by the crew.

      • That would not be correct and two not connected.

        Somehow the 747 pilots missed in school that air is thinner higher (really?) Your stall speed is higher. You can use lower altitude stall speeds at higher altitudes. It shows you how supposedly high what crew (Qantas) are missing basics as well.

        AF447 was a stunningly stupid reaction by a pilot who PUT it into a stall (deliberately though what he was thinking is unfathomable)

        He yanked the nose up. We learned in flight school (accelerated stall) that you can stall with full power (which he also did) .

        Loss of airspeed is nose down (though stupid in that case as well). Nose up is absolutely not taught anywhere.

        All 3 pilots saw the nose up and could and VSI at 10,000 FPM Negative and could not figure out it was a stall (basic airmanship.)

        People do not realize this is a pervasive issue across the entire spectrum of flying.

        Revised training is addressing that, but it’s not mandatory all over the world.

        1. Unusual attitude and recovery (how to react right)

        2. Throwing odd problems at a crew in different flight modes that require understanding the system and how to deal with them.

        As opposed to the routine same stuff they did that after a session or two you recognized what you were being presented to before it even manifested itself and were reacting.

        Both Automation and the failure to train to modern equipment vs the 30s- 70s era is at fault and only gets on the right course after enough crashes that it’s, oh, yea, we really don’t need to do take off and landings, we do need to take their speeds away on approach.

    • ‘The irony. I’m sure the above is true but then just yesterday a story of a 747 almost stalling’

      Uhh, look at the date, it was in 2017!!!

      • Indeed, the incident was in 2017, but the story reporting on the outcome of investigation came out March 28, 2019.

  11. A very well written article with a very plausible theory.

    The UK Daily Telegraph is reporting that it was MCAS that caused the Ethiopian crash. But doesn’t make clear that there was a false AoA reading.

    The last paragraph caught my eye:

    “US and European regulators knew at least two years before the Indonesian crash that the usual method for controlling the nose angle might not work in conditions similar to those in two recent disasters, Reuters reporting on Friday, citing a document.”

    Both airplanes were performing a normal climb out on a calm, clear day with a clear horizon. Those were the conditions.

    I’m not saying the report is true. But if true, it points to pitch stability. There is a serious problem with pitch stability on climb out.

    If the report is true it would explain why MCAS 1.0 is so ferocious in its action. This article is very, very strongly suggesting MCAS 1.0 wasn’t justified in being so ferocious in its action because MCAS 2.0 will be far less ferocious in its action. Perfectly rational logic.

    I entirely agree with “minimum correction”, do the least necessary. In fact I can’t agree more. We need to remember these are civilian airplanes, so no need to throw them around. The passengers might not like it. In other words, there are no excuses for throwing a civilian airplane around, unless it is necessary.

    But I do believe that if the pilots want to fly the airplane they must be allowed to fly the airplane. No ifs, no buts. Both crashes occurred on calm, clear days with a clear horizon. The pilots would have got their airplanes home!

    It’s time Boeing owned up. Are there pitch stability issues, especially in climb out, soon after the flaps are retracted?

    • After the Fly Dubai crash, but before the Lion air crash, I read on a forum somewhere some pilots discussing the apparently well known fierce pitch up characteristics of the 737NG. They were wondering if this had contributed to the disorientation of the pilots. Why did Boeing increase the automatic trim adjustment from the 0.6 degrees that they informed the FAA, if it wasn’t necessary?
      I am worried about the reliance on training, even if it’s extensive. Is it realistic to expect a pilot with below average abilities to remember what to do and overcome all the muscle memory etc, with something that happens very rarely?

      • Hmmm. Sounds like the aerodynamics of the 737 airframe have been stretched a long way, a long time ago, and the mounting of the MAX’s engines have made it worse. Changing late on from 0.6 to 2.5 degrees? Makes me wonder if there’s more need of MCAS than simply giving NG pilots a familiar ride.

        I wonder if the EASA will take a closer look at the fundamental behaviour of the 737MAX airframe?

        • I have been wondering how BA decided on the 0.6 degree movement, and had to change to 2.5 degrees.

          They know the 737 airframe very well, so their computer modelling should be pretty accurate, how could these figures differ so much?

          A question for Bjorn:
          How different are the aerodynamic forces at 38,000 feet compared to 2,000 feet? For the same stabiliser deflection, what is the net effect on nose down trim at each of these altitudes?

          • Forces are proportional to dynamic pressure of the fluid in question, in this case air. Dynamic pressure is density * velocity^2. Density is a property and in the case of air, which behaves as an ideal gas, it can be calculated by the ideal gas law:

            pressure = density*R*temperature

            R is the specific gas constant and is 287 J/kg-K for air.

            Note all units should be SI, i.e. Pa for pressure, kg/m3 for density and Kelvin for temperature.

            A quick google will give you p and T at various altitudes and allow you to calculate dynamic pressure, Pdyn in your cases of interest.

          • mneja

            Thanks for the lesson in basics.

            I wish it was that simple. You need to take into account turbulence. In a non-turbulent world, aerodynamics would be beyond simple.

            I wish. But thanks anyway

    • There is the reverse theory to Bjorn’s theory. Specifically the ferocious action of MCAS 1.0 is necessary if the airplane nose up becomes aggressive.

      This theory is based on the theory that the engine mounting is producing lift – a widely accepted theory – but the lift increases in a non-linear manner as the AoA increases. This would accelerate the nose up movement as the AoA increases. A ferocious action may then be necessary to stop the nose up movement because of inertia.

      In other words it’s necessary to slam on the brakes using a ferocious dampening force – the trim stabiliser – before the nose up movement causes the wing to stall.

      This apparent ferocious/fierce pitching moment needs to be looked at. Inertia is inertia. Once it kicks in there may not be enough dampening force available to prevent it. Which is perhaps why MCAS 1.0 was so ferocious in its action.

      I agree with the comments that MCAS 1.0 and MCAS 2.0 uses mickey mouse software algorithms.

    • FDR data needed.

      You can see in the Lion Air preliminary report that the AOA were quite different even during the takeoff roll, and left stick shaker was sounding almost continuously in the air, but airspeeds were the same on each side.

      Hopefully in both cases the AOA sensors will be found.

      And of course the CVR should give clues to thinking of the fated pilots.

      • I believe Lion air had bad speed on the Pilots side.

        They had “serviced” the Pitot system as well not knowing where the issue was coming from.

        They may have damaged it in doing so.

  12. So now it’s beyond all doubt that the implementation of the MCAS system was inexcusably badly done, and Bjorn’s previous corner has me convinced that elevator blowback doomed both aircraft. But there’s something about the JT610 and ET302 crashes that doesn’t add up.

    1. On the face of it, JT610 and ET302 went down due to the same reasons – an AoA sensor malfunction causing MCAS to activate and pushing the nose down repeatedly, and the flight crews fighting and eventually losing control due to elevator blowback from moving the nose down. The ET302 crew would have been entirely aware of the previous incident and had an experienced captain at the controls, making it all the more ominous.

    2. The sensor malfunction itself seems bizarre, in the sense that two AoA sensor malfunctions on a new Boeing airplane isn’t something you’d ever expect to happen. This comment and Bjorn’s response show that there’s something odd going on. Peter Lemme’s post linked below.
    So it appears that there’s a fault in the ARINC929 chipset in the ADIRU, even though that’s not Peter’s preferred explanation, right?

    3. Wrong. It now seems that it really is an AoA sensor output fault.

    4. Lion Air maintenance replaced the AoA sensor and tested it upon installation. Possible scenarios-
    (a) The new sensor had the same error or same type of error as the previous sensor and failed the installation test, but was still put on the plane.
    (b) The old sensor wasn’t replaced but the maintenance work was fudged to show that it was (based on the fact that the investigation is examining the JT043 vane, this doesn’t seem to be the case)

    But either of these issues still loop back to point 2, that ET302 apparently had the same fault, which is rare enough.

    If the sensor on JT043 was replaced and correctly installed and tested, having the replacement sensor develop the exact same error in time to doom JT610 just doesn’t seem feasible.

    I’m reading through Peter’s and Bjorn’s opinions and I cannot see a coherent picture for the AoA sensor fault when I take into account all the information. Either the systems on the MAX are not like the NG after all or something else is going on with the MCAS or another system that we’re not aware of.

    • I think I have an answer to how a replacement AoA sensor can have the same fault as the one it replaces. The idea stems from the fact that the MAX flight computer alternates its AoA sensors between flights. We now know that the MAX references only one AoA sensor per flight and if that sensor goes bad it screws with the MCAS function.

      So the flight jt043 crew lands, shuts down the flight computer and informs maintenance of issues. Maintenance wanting to know which ‘bad’ AoA was being used, switch the flight computer back on but overlook the fact that it is now referencing the other ‘good’ AoA sensor. Maintenance now replace this good sensor, thinking it to be the ‘bad’ one, and again shut down the flight computer after doing checks. Flight jt610 crew arrive next day, switch on the flight computer but it is now flipped back to referencing the ‘bad’ AoA sensor. A simple mistake that ends in disaster.

  13. Considering the attached, the critical nature and implications of system latency was a known, known back in 2007, how and why the EASA cs25 /671 and AMC, failed to incorporate these latency concepts and awareness requires some serious investigation, in both jurisdictions ie EASA / FAA.
    EASA Safety Equivalency Demonstration proposal Definitions
    • A failure is latent until it is made known to the flight crew or maintenance personnel.
    • A significant latent failure is one, which would in combination with one or more specific failures, or events, result in a Hazardous or Catastrophic Failure Condition (AMC 25.1309 5.o).
    • Latent = dormant = hidden
    In adopting a clear definition of acceptable risk level for subsequent failures, the approach recommended by ARAC has the advantage of
    (1) addressing latency, and
    (2) eliminating possible dubious judgments in the determination of probable failures.

    • could it be the case that those “modern” methods can’t be applied to the grandfathered 737 NG/MAX as that would present a re-certification. (extremely sophist point of entry but that is the MoO how Boeing pushes for these things to not apply.)

      • I wouldn’t think ‘grandfathering’ would apply for flight controls certification.
        Boeing’s overriding concern was ‘to match or even less’ pilot conversion training than Airbus for the neo version.
        It’s long been an issue from the major 737 buyers, Southwest for example didn’t even have the auto throttle available for the then new 737-300.
        Has Boeing been the ‘meat in the sandwich’ as it closely involved large buyers of its 737s in the features of the Max during development (Southwest alone has 9100 pilots, all flying the 737) and without the FAA looking too closely, Boeing has allowed its big customers to influence the pilot conversion process it recommends.
        As in the VW dieselgate investigation, documents show very senior executives were complicit in ‘shortcuts’.

        • Presumably different type cert means renegotiated pay scales in a lot of countries. A few hours in a sim is probably the cheapest of cost worries. That’s why a lot of airlines will fight tooth and nail to prevent MAX becoming a different type.

  14. Three observations from someone who has been there ….
    1. In my opinion, it’s unlikely the Boeing CEO, the Boeing Commercial Airplanes CEO, or the 737 Programs Director of Engineering had any knowledge of MCAS prior to the Lion Air event.
    Why, because the Boeing “culture” would have prevented upward information flow on this system unless it was identified as a risk to program cost or schedule.
    My guess is that the FMEA identified the top two failure modes as a) unwanted system operation and b) failure to operate. Both would have been considered benign as there were existing procedures for dealing with uncommanded trim and stall recovery.
    2. In the Ethiopian event, why did the crew fail to maintain a positive rate of climb after just five seconds into flight? The flaps would not have been retracted that early in the flight profile.
    3. Has the review of production records (rejection tags and flight squawks) identified any common irregularities between the two airframes?

  15. Have Boeing effectively just made the safe flight envelope smaller? If so, is that acceptable on the grounds that the pilot would probably have crashed anyway if they got into this corner?

  16. Simply put the 737 Max is a 737 variant gone too far. Boeing’s quick and cheaper response to the A320NEO was a mistake. 737-800 is great Max is not…should have spent the money on a clean new build…

    • There isn’t enough information in the public domain for the general public to determine whether the 737MAX is (a) a fatally flawed design that cannot be fixed (b) a decent design that had a serious but correctable mistake made in one area of the flight regime. At some point in the next two years at least some of the data from the LionAir and Ethiopian crashes will be released, but the public will very likely never see Boeing’s aerodynamic models and stability calculations – even in a lawsuit Boeing would petition for that information to be provided only under permanent seal, and at least in the US would have a good chance of that being granted. So firm declarations that the MAX is a “design too far” or a “Frankenplane” are currently premature and will be difficult to support based on evidence. Emotion and/or dislike are other factors, but no ones regulators or airlines are likely to pay much attention to.

      • Your world is a world that doesn’t exist anymore. Boeing need to explain or nobody will fly Boeing.

        • That’s one line of thought. The other is that Travelocity, Expedia, Kayak, etc. and their corporate equivalents rule the airline world today and six months from now the only thing that will matter to ticket buyers (recreational or business) is which airline is offering the lowest ticket price.

          • Perhaps people value their lives above a holiday. I certainly do.

            I’m not flying a 737 MAX until I know it’s safe and that applies to my family.

          • sPh:

            A voice of reason, I love it.

            After some of the early Airbus FBW accidents we could have written off the whole system as well.

            98% of the world wouldn’t know a Boeing from an Airbus if their lives depended on it (and sometimes they have for both)

            6 months from now only the Av Geeks will remember this.

            Airlines need the 737 and unless it is deeply flawed other than one stupid software bit, Airlines have to have it.

            Lufthansa has said they expect it will be fine and are accepting bids from Boeing. As Luft has one of the premier world engineering operations as well……….

            Yep, sPh has it right.

      • I think this is the interesting conundrum. Who is checking Boeing’s work? They have just failed to self regulate.

        Like Keesje says, ‘ignore all questions, deflect, don’t look behind the curtain, it is beyond your comprehension’. I don’t think that approach works this time.

        To regain confidence in the MAX, do US and world passengers then shift their trust to Canadian, Chinese, or Brazilian authorities to vet the MAX?

        To some degree in the modern world, I believe Boeing has to interact with the experts in the public domain, and answer the questions and concerns of Bjorn or Peter Lemme. If they give a credible technical explanation to the public, and are vetted by experts in the public, that would be more convincing

  17. With MCAS now neutered to a degree, is the plane now at higher risk of stalling? The trim authority was arrived at after test flying, so by making MCAS safer have they increased the risk of stall accidents? Could this airframe just be too flawed to put back into service?..EVER?

  18. It’s either delusional or probably deeply impressive that the worlds airline industry thinks that it can just deal with 700-800 grounded planes if this goes on until the end of September.

    • It’s under 400 planes, yields are super high, many airlines are making a killing. WOW’s fleet and Jet’s fleet are probably worth a premium now.

      • WOW has only 11 aircraft now so it will make little difference.

        Jet has maybe 7x as many (though some grounded) but, like Monty Python’s black knight, they are not quite dead yet!

      • It will be well over 700 by the end of September if you include all the planes that were due to be delivered and Boeing has no intention of stopping production. There could be all sorts of complicated effects by then such as rising ticket prices and severe shortages of parts for older narrowbodies which will have to be kept in service.

  19. I’ve done enough reading to understand basically what has happened, and it appears that Boeing acted in a most reprehensible manner. The 737 Max’s MCAS design should have never been put on an aircraft (Mistake #1), and after the Lion Air tragedy the 737 Max fleet should have been grounded until a fix was found (Mistake #2). After the Ethiopian tragedy, Boeing should have called for a fleet-wide grounding (Mistake #3)…but they didn’t. Additionally, Boeing should have never offered a software fix until a full study of both accidents was complete – but they did (Mistake #4). And it’s Mistake #4 that makes me really question Boeing’s credibility!

    Maybe there’s more than just 4 fundamental mistakes – I don’t know. But…there is a guy out there who is going to find out exactly how many mistakes were made – and when – and he’s a guy Boeing should fear more than any other man that walks planet earth: Ralph Nader. Ralph Nader has taken down foes bigger than Boeing (just ask General Motors), and this time it’s personal: ya’ see, Mr. Nader’s beloved niece (RIP) was aboard the Ethiopian 737 Max that went down. Who knows, in the future maybe Mr. Nader will write a book about the 737 Max entitled, “Unsafe at any Altitude”?

    As a result of these events and observations, I have a couple of predictions. The first prediction is that Boeing’s reputation will be damaged for the next 20 years – especially after a few unflattering documentaries and a book or two. The second prediction is that the “Boeing Era” is over: Airbus will be #1 for the foreseeable future, at least until the Chinese get something going.

    • Well that too is another view, Unsafe At Any Speed II anyone?

      Ralph’s day has come and gone. My step dad had a Corvair, nice car.

      • “Ralph’s day has come and gone. My step dad had a Corvair, nice car.”

        Not quite - Ralph had a family member on one of the flights that crashed -

        Guess what Ralph is now doing?

        the first two don’t count

  20. Do we really need AOA?

    What did we have before?

    Light aircraft has a vane that sensed disturbed airflow as stall approached and had a buzzer. Worked well.

    What did the 727 -747 – 707 use?

    • Well faulty AOA sensors have been a cause of accidents - along with pilot errors contributing - for a long time.
      1992 TWA Tristar on aborted takeoff from JFK when it had ‘stick shaker stall warning’

      “It appeared that the right Angle of Attack (AOA) sensor had experienced 9 previous malfunctions. The intermittent malfunction was not detectable during pre-flight system tests by the pilots and didn’t trigger a fault light. This permitted the sensor to cause a false warning when the air-ground sensor on the landing gear went into the air status on takeoff.”
      Like any sensor, it can indicate it’s working or not working, but a false positive can say it’s working but it isn’t (and false negative too).

  21. One thing to keep in mind if guessing how long it will take to return the 737MAX to service is that at least one vendor is involved – the maker of the computer hosting the software. (And the maker of the display if different and if it takes changing – may not if just enabling already proven options.)

    Boeing and the vendor will already be accustomed to working together, the vendor may be cautious in this case.

    (Options may be enabled by ‘program pins’ (some shown on a diagram of the NG) and by what is now called a ‘personality module’ or such. (NVM bolted to the airplane, old timers might think of the module chained to the avionics shelf that plugged into the front of the 727’s CADC, I forget what Boeing called that. Sundstrand Data Control had an innovative method of modules that plugged into the front of the computer and showed part of the total p/n, plus IIRC program pins or personality module in wiring, that took some time for a new-to-it FAA person to get his head around, keeping the discussion going saved the day.)
