By Bjorn Fehrm
November 18, 2020, ©. Leeham News: The FAA has declared the Boeing 737 MAX 8 and 9 safe to fly after a 20 months grounding. On March 10, 2019, the Ethiopian Air ET302 crashed after Boeing’s pitch augmentation software MCAS triggered erroneously and caused the aircraft to crash. This accident followed a similar accident of Lion Air JT610 on October 29, 2018.
Ethiopia grounded the MAX on the day, China the day after, and the FAA on March 13. The 737 MAX has been grounded worldwide since the FAA grounding.
It has been a gruesome 20 months for Boeing, where it’s gone from denial of guilt to a full acceptance of responsibility and a complete change of attitude. With changes to the MAX verified by FAA, EASA, Transport Canada, and Brazil’s ANAC, it’s now ready to fly again.
We will cover the return to flight of the 737 MAX in several articles, the first dealing with the question: Is the 737 MAX safe to fly?
Airliner safety has reached an unprecedented high standard over the last 20 years. The 737 has been part of this safety development. Before the 737 MAX crashes, the 737 had a good safety record spanning 50 years of service.
This comes from a sound base design with no particular vices or shortcomings. It’s an old design with the first version certified in 1967. Though its systems are old in their architecture, this is not necessarily bad for an aircraft.
The areas that needed updates are updated, and the world’s mechanics and pilots know the aircraft as their pocket.
It’s flight characteristics are consistent, with no quirkiness that has beset several of its contemporaries.
So for an aircraft with this good track record, what when wrong in the evolution to the 737 MAX version?
In the MAX modernization, the LEAP engines’ larger nacelles meant the aircraft’s pitch stability in a clean configuration decreased just before stall (the state when the wings stop producing additional lift). The ease of pulling the nose up further for the last degrees of Angle of Attack, AoA (the angle of the wing to the wind stream) was not acceptable to the certification rules from the FAA.
The airplane is perfectly flyable in this region for a pilot who knows about the quirk, but this is not good enough for an airliner seeking certification. It needed a fix from Boeing.
Boeing implemented a flight control software fix by extending an automatic pitch trim system already active on the previous 737 generations, the Speed Trim System. Speed Trim trims the aircraft so that a pilot flying the plane manually gets a better feel for the aircraft’s state when speed changes.
Now the Speed Trim algorithms were used to trim the aircraft nose down when AoA passed the threshold of reduced stability just before stall. It helps the Pilot from sliding into a stall if he, for instance, flies bruskly when exiting a high altitude circling pattern.
The nose-down trim by Speed Trim based on AoA was called MCAS (Maneuver Characteristics Augmentation System). It triggers when an AoA threshold is exceeded by the active AoA sensor in the 737 MAX (it had two AoA sensors in an active + standby concept).
MCAS was analyzed as non “hazardous,” so it was OK to use a single AoA sensor as the trigger. It’s a principle that has been used on other Boeing aircraft for non-hazardous functions without adverse effects.
The key to having a function triggered by a single sensor (that can malfunction or give wrong values) is that the activated function in itself is non-dangerous. This is where MCAS failed, with dire consequences.
To achieve the same yoke feeling for the Pilot all the way to stall, MCAS needed to trim 2.4 units nose down when passing the AoA threshold at the low speeds flown in a climb after takeoff.
An erroneous nose-down trim of 2.4 units is fully controllable for the Pilot in this situation as long as it stays at one trim action. And for the MAX stability problem, one trim action was enough. This trim state shall remain as long as the AoA is over the threshold, neutralizing the trim again with 2.4 nose-up units when passing below the threshold.
This is also how the updated MCAS works. It only trims once when the aircraft AoA goes over the threshold and back it out when passing down, to be ready should the AoA go up again.
Had the original MCAS behaved in this logical fashion, the accidents wouldn’t have happened, and 837 Boeing aircraft would not sit on the ground today.
The whole drama came from the omission of a few code lines in the MAX Flight Control Computers software.
Speed Trim, the host function for MCAS, has the pilot trimming as reset criteria. It’s logical as it augments the pilot’s feel around trimmed speed. When the Pilot trims, he changes the trimmed balance, and Speed Trim checks if it shall help the pilot at the new trim state.
For MCAS, this reset function is not OK. I asked my friend, Mentour Pilot, an experienced 737 training/examiner captain with a major airline, what he would do if MCAS triggering erroneously when in manual flight.
He would hold against the MCAS nose-down trim action (which is no problem), then trim the 2.4 units nose-up to get back to a normal aircraft. No drama, no hazard, but a look at the panel if there was an indication why the aircraft suddenly trimmed nose-down.
The original MCAS listened to the Speed Trim reset, “the Pilot trims,” instead of the correct “AoA is below the threshold again.” The result was MCAS trims, the Pilot trims, MCAS trims, the Pilot trims…. After 24 rounds in the Lion Air jet, the Pilots lost the race with MCAS.
MCAS went from a Pilot assist to a highly hazardous function by this single mistake in the MCAS software code.
I describe the above in sufficient detail so we can understand how little in MCAS needed change to take it from a hazardous function to one that would have caused no trouble if wrongly triggered.
In addition to this change, Boeing has made additional changes to increase safety further.
A single sensor no longer triggers MCAS. Both AoA sensors on the 737 MAX have to agree on the aircraft AoA, or Speed Trim including MCAS is deactivated (neither is needed to fly the plane. They are augmentation functions, i.e., good to have but not necessary).
The checking of the AoA values for the aircraft is no longer at the sensor level, but after the Flight Control Computers, meaning any slip-up in the processing of these values is also caught and deactivates Speed Trim/MCAS.
On top of the dual-sensor activation of MCAS, its global authority, no matter what, is limited. The Pilot always has enough pitch control to fly the aircraft.
To make MCAS safe, we only needed the correct reset criteria. But as the investigations dug deeper into how Boeing and FAA could miss how dangerous the original MCAS was, the requirements for changes grew. All eventualities, even remote ones, should be covered.
After two years of investigations and work on the MAX flight control system, flight tests flown by hundreds of test-, certification-, and airline pilots during 3,000 flight hours, it’s the most penetrated and honed flight control system of any 737 variant. One can comfortably say it’s now safe to fly.
In the course of the investigations, the matter snowballed to the most massive crisis in Boeing’s 100-year history. Contributing was the initial denial attitude of Boeing. It argued the Pilots should have handled the miss-firing MCAS. As more and more airline pilots flew simulators with misfiring MCAS, this attitude changed.
A Boeing more focused on business gains than its products’ ultimate safety gave way to a company assuming full responsibility, making the necessary changes to the aircraft but also to its organization and processes.
The Boeing that emerges from this crisis is a $20bn poorer Boeing (the end bill is in this ballpark) with a changed, humbler attitude, its reputation seriously tarnished by what happened.
Boeing knows it can only regain its customers’ and the flying public’s trust by a perfect execution from now on. It has to avoid a repeat of the MCAS fiasco at all costs.