By Bjorn Fehrm
September 14, 2020, © Leeham News: The FAA and EASA Safety of Flight authorities have examined and test flown the changes Boeing has done to the 737 MAX to make it safe to fly again. Everything points to these authorities re-certifying the 737 MAX as safe to fly in the coming months.
In a Saturday article Dominic Gates of The Seattle Times quotes from a recent interview with me and an experienced 737 Captain, Mike Gerzanics, where we both say we consider the MAX safe to fly with the changes.
Here are my reasons, as an aeronautical engineer, why I think so.
The Boeing 737 still keeps the same base design as when it started operation with Lufthansa in 1967. Its safety record over 53 years of operation is good, one of the better ones among the airliners that have flown our skies.
The accidents it has had show no pattern, unlike the McDonnell Douglas MD-11, which was difficult to land. The base design is sound, with none of the stability quirks of T-tailed airliners like the BAC-111 or the DC-9/MD-80/90.
The problem with the 737 MAX was that a flight control smoothing system, the Maneuvering Characteristics Augmentation System (MCAS), had an uncharacteristically sloppy design, making it outright dangerous.
This is not the base aircraft being dangerous. It’s about Boeing cutting corners in getting the MAX to market, without spending the necessary care and effort when adding a smoothing function to its flight control system for the type.
Inadequate analysis of the system’s design and its safety made it outright dangerous, capable of overwhelming even experienced flight crews. This was demonstrated after the crashes in Boeing’s simulators, where US airline 737 flight crews had problems with a malfunctioning MCAS despite knowing what to expect.
Let’s now go through the typical questions about the MAX and its flight characteristics, and where the MCAS problems came from.
The 737 MAX is a safe aircraft to fly even without MCAS. How can I know that, when I haven’t flown the MAX?
No, but test pilots from Boeing, the FAA, and EASA have. And they don’t certify an unstable aircraft; they can’t. The flight safety rules for airliners deny certification to an unstable aircraft.
The updated MCAS will be deactivated when its sensors disagree. Then the aircraft is flying without MCAS and, by definition, it can’t then be unstable. This is how I know.
To explain one step deeper:
An unstable aircraft will pitch/turn/roll without the Pilot giving it a command to pitch/turn/roll. I have flown such aircraft, and when they start to depart it happens fast. You have to counter the move with a quick and large push on the controls.
In the MAX case, the additional pull in pounds-force needed to raise the nose to a higher Angle of Attack (AoA) was not linear close to the stall AoA. Let’s say it was 4 lbs per additional degree of AoA in the normal flight regime, reducing to 2 lbs per degree for the last degrees before the stall.
This characteristic differed from the 737 NG (the previous 737 version) and would have required special simulator training to teach pilots the difference in characteristics between the MAX and the NG. This is not desirable when there is a pool of perhaps 50,000 pilots trained on the NG.
Boeing did what other aircraft manufacturers do: it fixed the change in pull force with a minor change to the flight control system. The most rational way was to extend the functionality of a helper trim system that had been on the 737 for decades, the Speed Trim System (which changes the horizontal stabilizer trim slightly so the Pilot gets a better feel for the aircraft during speed changes in climb and descent).
Now Boeing used Speed Trim in a modified form to give a linear force feel also for the last part of the AoA range before a stall. Doing this is OK if it’s well analyzed and implemented. This is where things went seriously wrong.
Implementing Flight Control Systems (FCS) for aircraft that fly over a large speed range, such as airliners, is complicated stuff. The requirements on the FCS at low speed, such as takeoff and landing, are different from those in cruise, where locally supersonic flow over different parts of the aircraft complicates things.
Aircraft designers have learned how to master this and the 737 FCS is a run-of-the-mill example of such a system.
Implementing MCAS should have presented no problem if thorough work practices had prevailed. They didn’t. We have enough evidence from all the investigations to say that.
Criticism of the original MCAS implementation has centered on the system being triggered by a single AoA sensor. MCAS detects that the aircraft is passing an AoA threshold (say 10°, with stall at 14°) and then trims the horizontal stabilizer nose-down so that the pull force on the Yoke while in this region remains 4 lbs per degree of AoA. When the AoA descends below 10°, the trim is reset to its previous position. With this logic, pitch increases require 4 lbs per degree over the whole below-stall AoA range, going up or down.
While a single-sensor trigger is a design practice that some other OEMs avoid (they have three AoA sensors, so two can outvote a malfunctioning third), Boeing has used this design principle on the 747, 757, 767, and 737, which all have two AoA sensors.
With two sensors you can detect a disagreement but can’t decide which one is giving incorrect values; you need a two-versus-one vote structure for that. Instead, Boeing relied on the Pilot detecting a mis-trim if MCAS trimmed when it shouldn’t. The Pilot should then shut the malfunctioning electric trim system down and rely on the manual trim system (via a crank handle) to trim the aircraft.
This would have worked, even with the 10-second Pilot detection time for the mis-trim that the crash recorders showed instead of Boeing’s assumed 4 seconds, IF MCAS HAD TRIMMED ONCE for each pass into the 2 lbs region, as the AoA range logic I described above calls for. But MCAS didn’t.
It had trimmed 22 times during a single AoA pass by the time the Lion Air JT610 Captain handed control to the First Officer, to free his head to work out why the FCS intermittently trimmed nose-down, something he had to counter with nose-up trim.
The First Officer was told to trim against MCAS but was overwhelmed by the intensity and repetition of the MCAS attacks. He countered four times, but MCAS out-trimmed him, and after five attacks the aircraft nosed over toward the ground. The stabilizer trim was then at 100% nose-down.
It’s these incomprehensible repeated MCAS trims that I characterized as “really criminal” in the Seattle Times interview. The key here is how MCAS resets itself to be ready for any subsequent AoA pass into the region above 10°.
The logical reset criterion is an AoA passing 10° going down. This is also how the reworked MCAS resets. If this had been implemented in the original MCAS, the accidents wouldn’t have happened.
Both the JT610 and the ET302 crews flew through one nose-down MCAS trim without problems. The natural reaction is then for the Pilot to correct the mis-trim with the electric trim switch on the Yoke. This is where things went wrong in the original MCAS.
For some unexplained reason, Boeing left the reset criterion inherited from Speed Trim, “the Pilot trims”, unchanged. Why? I cannot figure it out, nor can the experts I have talked to. The smoking gun is that Boeing changed it to the logical criterion for the updated MCAS. This is the root cause of these crashes, and it shouldn’t have been.
Why wasn’t this dangerous reset criterion detected? Because no FMEA (Failure Modes and Effects Analysis) was done for the original MCAS. An FMEA is where every possible failure of the system’s inputs and components is analyzed for its effect. Boeing judged MCAS failures to be only a “Major” hazard, and that hazard class doesn’t require an FMEA.
The consequences of an AoA failure giving a constant high value (a very probable failure mode for this sensor) were never analyzed, and the severe danger of the wrong reset criterion was not detected.
Leaving an illogical reset criterion from the donor system in place, and not analyzing its consequences, is where my verdict is “really criminal”, as stated in the Times article.
Boeing knows it is using a failure-prone trigger with the single-AoA-sensor design. Yet it didn’t analyze the consequences of such failures beyond “the Pilot will fix it”.
You can design this way if you make absolutely sure the consequences of a sensor failure are fully analyzed and shown to be non-dangerous. To shrug it off with “the Pilot will catch it” is totally unacceptable.
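To make the difference between the two reset criteria concrete, here is an added toy simulation of the arm/reset logic described above. It is written for this page; it is not Boeing’s software and not taken from the accident investigations. It runs two constructed AoA traces, a left vane stuck at a constant high reading and a genuine two-pass excursion above the threshold, through four logic variants: the original logic that re-arms whenever the Pilot trims, the reset fix alone, an authority cap alone, and the revised combination with the sensor-disagreement cutout. The 10° threshold and 14° stall are the article’s illustrative figures; the 0 to 100% nose-down trim scale, the per-activation trim step, the Pilot’s counter-trim per step, the 5.5° disagreement limit and the 20-point authority cap are assumptions chosen to make the logic visible, not 737 MAX parameters.

```python
# Added example, not from the article, Boeing or the accident investigations:
# a toy model of the MCAS arm/reset logic described above. Every number here
# is an assumption for illustration, not a real 737 MAX parameter.
from dataclasses import dataclass
from typing import Optional, Sequence

MCAS_THRESHOLD_DEG = 10.0  # the article's illustrative arming AoA (stall at ~14°)
FULL_NOSE_DOWN = 100.0     # assumed trim scale: 0 = neutral, 100 = full nose-down


@dataclass(frozen=True)
class McasConfig:
    rearm_on_pilot_trim: bool            # True = reset criterion inherited from Speed Trim
    disagree_limit_deg: Optional[float]  # None = single-sensor trigger, no cutout
    authority_limit: Optional[float]     # cap on cumulative nose-down trim MCAS may command
    trim_step: float = 10.0              # assumed nose-down trim per activation


@dataclass(frozen=True)
class Outcome:
    activations: int    # how many times MCAS ran the stabilizer nose-down
    final_trim: float   # stabilizer position at the end of the run
    deactivated: bool   # True if the disagreement cutout switched MCAS off


# The logic variants discussed in the text (parameter values are assumptions).
ORIGINAL = McasConfig(True, None, None)          # re-arms whenever the Pilot trims
RESET_FIX_ONLY = McasConfig(False, None, None)   # re-arms only when AoA drops below threshold
AUTHORITY_CAP_ONLY = McasConfig(True, None, 20.0)
REVISED = McasConfig(False, 5.5, 20.0)           # reset fix + disagreement cutout + cap


def simulate(cfg: McasConfig, left: Sequence[float], right: Sequence[float],
             pilot_step: float = 5.0) -> Outcome:
    """Step the model once per sensor sample.

    Each step: (1) compare the two vanes, (2) the Pilot counters any nose-down
    mis-trim with pilot_step of nose-up trim on the Yoke switch, (3) apply the
    re-arm rule, (4) if armed and AoA is above threshold, MCAS trims nose-down
    once and disarms. MCAS only ever reads the left vane (single-sensor trigger).
    """
    trim, armed, activations, mcas_total, deactivated = 0.0, True, 0, 0.0, False
    for aoa, other in zip(left, right):
        if cfg.disagree_limit_deg is not None and abs(aoa - other) > cfg.disagree_limit_deg:
            deactivated = True  # revised logic: vanes disagree, MCAS stays off
        pilot_trimmed = trim > 0.0
        if pilot_trimmed:
            trim = max(0.0, trim - pilot_step)
        # Re-arm rules: the AoA-descent reset is the logical one; the pilot-trim
        # re-arm is the criterion the article says was left over from Speed Trim.
        if aoa < MCAS_THRESHOLD_DEG or (cfg.rearm_on_pilot_trim and pilot_trimmed):
            armed = True
        if deactivated or not armed or aoa <= MCAS_THRESHOLD_DEG:
            continue
        step = cfg.trim_step
        if cfg.authority_limit is not None:
            step = min(step, cfg.authority_limit - mcas_total)
        if step > 0.0:
            trim = min(FULL_NOSE_DOWN, trim + step)
            mcas_total += step
            activations += 1
        armed = False
    return Outcome(activations, trim, deactivated)


# Constructed sensor traces (degrees AoA per step), not flight data.
STUCK_HIGH = [20.0] * 30   # left vane jammed at a constant high value
NORMAL = [5.0] * 30        # right vane reading a normal cruise AoA
GENUINE = [5.0] * 3 + [12.0] * 4 + [5.0] * 5 + [12.0] * 4 + [5.0] * 4  # two real passes


def scenario_table() -> dict:
    """The rows an FMEA for 'AoA vane stuck high' would have produced."""
    return {
        "original, stuck-high vane": simulate(ORIGINAL, STUCK_HIGH, NORMAL),
        "reset fix only, stuck-high vane": simulate(RESET_FIX_ONLY, STUCK_HIGH, NORMAL),
        "authority cap only, stuck-high vane": simulate(AUTHORITY_CAP_ONLY, STUCK_HIGH, NORMAL),
        "revised, stuck-high vane": simulate(REVISED, STUCK_HIGH, NORMAL),
        "revised, genuine two-pass excursion": simulate(REVISED, GENUINE, GENUINE),
        "original, genuine two-pass excursion": simulate(ORIGINAL, GENUINE, GENUINE),
    }


if __name__ == "__main__":
    for name, outcome in scenario_table().items():
        print(f"{name:40s} {outcome}")
```

Reading the table: with the original re-arm rule, every counter-trim by the Pilot re-arms MCAS, so the stabilizer walks to full nose-down and MCAS fires on every step while the vane stays stuck, the pattern the article describes for JT610. With the AoA-descent reset alone, the same stuck vane produces exactly one nose-down run, which the Pilot trims out and the aircraft then flies on mis-trimmed by nothing. The authority cap alone bounds the damage to two runs even with the bad re-arm rule, and the revised combination never fires at all because the cutout sees the two vanes disagree. Even on the genuine excursion the original rule fires repeatedly while AoA is high, whereas the revised rule fires once per pass.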
As discussed, the 737 base aircraft has no quirks and a good safety record from its 53 years in service. The larger engines on the MAX required larger nacelles, and these reduced the additional Yoke pull force needed at higher AoA in the region before the stall.
A flight control system fix was introduced, which in itself is standard industry practice. If it had been implemented with the care such changes require, the lives lost in the crashes would have been spared and the 737 MAX would be flying today. As pointed out, a proper adaptation of the MCAS software from its donor system, Speed Trim, would have avoided the crashes.
The updated MCAS introduces convincing changes to the logic around the AoA sensors, changes the reset to what it should have been from the beginning, and also places a global limit on the authority of MCAS over the aircraft’s flight control system.
The changes have been scrutinized and tested in simulators and in flight like no FCS component before. The chance that this part of the aircraft would cause a MAX crash must now be nil.
With the base aircraft safe as discussed, I have no problems flying on the revised Boeing 737 MAX.