November 22, 2019, ©. Leeham News: We continue the series on analyzing the Lion Air JT610 crash by analyzing MCAS in more depth before we go to the final part of the flight.
What was wrong with the first version of MCAS?
We looked at the initial part of Flight JT610 last week. We found out how a bias fault in the left Angle of Attack (AoA) sensor could go undetected from the previous flight (because of a missing warning message for the MAX) and how it caused left side stall warning, IAS and ALT DISAGREE warnings and finally triggered MCAS once the flaps were retracted.
As the Captain, who was flying, countered the MCAS nose-down trim with manual nose-up trim, MCAS reset and trimmed nose down again after a five-second wait. This repeated 22 times before the Captain asked the First Officer (FO) to take over the controls. This was presumably to free himself to analyze what was wrong with the aircraft, as the FO had trouble helping the Captain to understand what was wrong.
Before we go into what happened after this handover, let’s understand why MCAS was trimming nose-down again and again and why the updated version will not behave like this.
As described in the last Corner, Boeing classified a malfunction of MCAS as a “Major” safety event but not a “Hazardous” or “Catastrophic” one. This allowed a single-sensor trigger of the high AoA augmentation function, where MCAS trims nose down to counteract a tendency for the 737 MAX to “nose up” too easily at high AoA.
With MCAS starting a nose-down trim at, say, 11° AoA, the stick force per AoA and added G feels proportional to the pilot all the way to stall, which we assume starts at 14° AoA for the clean aircraft (clean = no slats/flaps). Without MCAS the stick force per AoA/G would reduce in this region (but it would still be positive, meaning you need to pull harder to get more AoA/G).
MCAS will trim nose down for up to nine seconds for the initial part of this trip up the AoA scale to get the right stick force balance and will trim nose up an equal amount when the AoA falls below the trigger value. The amount of trim needed (set by trim time duration) at different speeds and altitudes will be read from a look-up table with AoA and Mach as inputs. The table gives the length of the trimming needed to set the stick force at the right level.
There is no change in this function between the original MCAS and the updated one which is now in test. What has changed is the condition for a reset of MCAS.
The original did not check if the AoA had fallen below the trigger value before it reset. The only condition for a reset was the pilot had used manual trim. With a stuck high AoA, MCAS then started a new cycle until the pilot trimmed the next time, when it all started over again.
Why did MCAS reset if the pilot used trim? MCAS helps a pilot do an emergency maneuver at high AoA (no normal maneuvers are done in this AoA range). It augments the aircraft so he doesn’t have to compensate for a nose-up happiness of the aircraft when maneuvering in this region. He can focus on his emergency maneuver, which with a high probability is dynamic. A pilot doesn’t trim during such a maneuver, you do it afterward when things have settled down, to balance the stick forces.
Consequently, the pilot trimming was taken as the signal the aircraft was out of the critical situation and MCAS should reset, to be ready should it be needed again.
With a “Major” classification of an MCAS malfunction scenario, there was no obligation to list all possible failures and play through these scenarios in a Failure Mode And Effect Analysis, FMEA. Consequently, the case with an AoA sensor stuck at a higher value than the trigger threshold was never properly analyzed. Also, the danger of the pilot’s manual trim as the only reset criterion was not discovered.
The revised MCAS adds that the AoA must have fallen below the trigger threshold, which guarantees only one MCAS activation for each AoA passing of the threshold.
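The difference between the two reset rules can be shown with a small simulation. This is an added example, not Boeing's logic or code from the original article. The 1 Hz tick, the function name, the 20° stuck value and the pilot trim schedule are assumptions, and trim durations and the look-up table are not modeled.

```python
# Simplified model of the MCAS reset rule (added example, not Boeing's logic).
TRIGGER_AOA_DEG = 11.0  # article: MCAS starts trimming at "say 11°" AoA
RESET_WAIT_S = 5        # article: five-second wait after the pilot trims


def count_activations(aoa_trace, pilot_trim_ticks, require_aoa_drop):
    """Count MCAS activations over a 1 Hz AoA trace (degrees).

    require_aoa_drop=False: original rule, pilot trim alone re-arms MCAS.
    require_aoa_drop=True:  revised rule, AoA must also have fallen below
                            the trigger value since the last activation.
    """
    armed, activations = True, 0
    wait_left = None     # countdown started by pilot trim; None = no trim yet
    aoa_dropped = False  # AoA seen below trigger since the last activation
    for t, aoa in enumerate(aoa_trace):
        if armed:
            if aoa >= TRIGGER_AOA_DEG:
                activations += 1
                armed, wait_left, aoa_dropped = False, None, False
            continue
        if aoa < TRIGGER_AOA_DEG:
            aoa_dropped = True
        if t in pilot_trim_ticks:
            wait_left = RESET_WAIT_S
        elif wait_left:
            wait_left -= 1
        if wait_left == 0 and (aoa_dropped or not require_aoa_drop):
            armed = True
    return activations


# Constructed inputs: a sensor stuck at 20° for 60 s with the pilot trimming
# every 10 s, and two genuine excursions above the trigger with a trim after each.
STUCK = ([20.0] * 60, {3, 13, 23, 33, 43, 53})
GENUINE = ([5.0] * 5 + [12.0] * 5 + [5.0] * 15 + [12.0] * 5 + [5.0] * 10, {12, 32})

if __name__ == "__main__":
    for name, (trace, trims) in (("stuck", STUCK), ("genuine", GENUINE)):
        print(name,
              "original:", count_activations(trace, trims, False),
              "revised:", count_activations(trace, trims, True))
```

With the stuck sensor, the original rule re-activates after every pilot trim while the revised rule activates once. For genuine excursions the two rules behave identically.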
We can see how the “Major” classification of a rogue MCAS opens up risk both on the trigger side and in the function itself.
In the JT610 final report, the “Major” classification of a rogue MCAS was deemed fundamentally wrong. It should have been classified as “Hazardous”, which would have forced a redundant trigger and a full FMEA of the MCAS system.
In addition to an improved function, Boeing has also introduced a dual redundant trigger architecture for the updated MCAS. Initially, both AoA sensors’ values were compared and if they differed in values over several seconds MCAS was deactivated and the flight would finish without MCAS.
Isn’t MCAS needed for the safe flight of the 737 MAX? No! This is where most articles about MCAS are lacking. The 737 MAX works without MCAS.
Nothing in normal flying changes, in fact very little in non-normal flying as well. The pilot can do brusque Go-Arounds where he slams the throttles to full power and we won’t even get close to where MCAS steps in. First, because in a Go-Around he has slats and flaps deployed and as the aircraft cleans up he’s way below 11° AoA.
I have problems finding any case where a pilot would fly in a way where an inop MCAS would be missed. And if we for some extreme reason sometimes, somewhere, somehow find ourselves in such a flight situation, the probability that MCAS then is inop is virtually nil.
But still, if all the holes in the cheese line up, flying without MCAS between 11° AoA and up to stall is doable. The aircraft is not unstable, just nose-up happy. If you then swing into stall warning (which starts at say 13°) you will as a pilot let go of the stick, this is an instinctive reaction of all trained pilots. You get out of stall warning and most likely the nose-up happy region.
And even if the MAX swings into stall it’s not the end of the world. Stall in an airliner like the 737 MAX is controllable, just release stick pressure and you are out of it. Not the big deal it’s made to be.
I describe all this to get some proportion into the discussion after the feel of doom around the 737 MAX which has been created by all the MCAS articles. Make no mistake about it, the original MCAS was terrible and dangerous but the revised is not. And the base aircraft has deficiencies, like most airliners, but it’s not a fundamentally dangerous aircraft.
The bottom line is, you don’t need MCAS to fly the 737 MAX. You can even fly in the extreme region where it would be active without endangering the aircraft. Would you slide into stall warning if maneuvering in this region? Probably. You are there because you pull nose-up like crazy to avoid something and you have nose-up inertia in the maneuver. Would you then swing into a stall? Maybe. So what? Every pilot knows how to get out of a stall, it’s straightforward in the 737, including the MAX.
The architecture where two AoA sensor values are compared has since the summer been improved. Now the output of the Flight Control Computer processes are compared and any discrepancy means a command like MCAS will not be carried out. This means all sensors and systems feeding the FCCs and all processing in the FCCs, including FCC hardware failures, are now checked for identical results, not only the AoA values.
This improves the safety of the trigger and function of MCAS and other functions in the FCC to a new level, not found in the 737 before.
In addition to these safety enhancements, there is now a global limitation of the authority of MCAS. We will discuss this in the next Corner when we discuss the actions of the First Officer and why the JT610 crashed.