
By Bjorn Fehrm and Henry Tam
September 26, 2025, ©. Leeham News: We are running a series about ideas on how the long development times for large airliners can be shortened. New projects talk about cutting development time and reaching certification and production faster than previous projects.
The series will discuss the typical development cycles for an FAA Part 25 aircraft, called a transport category aircraft, and what different ideas there are to reduce the development times.
We will use the Gantt plan in Figure 1 as a base for our discussions.

Figure 1. A generic new Part 25 airliner development plan. Source: Leeham Co.
*** Special thanks to Andrew Telesca for helping with this article***
Certification Work during Conceptual Design
If we want to execute our program quickly and efficiently, we need to come out of the conceptual design phase with a clear roadmap for how we will integrate compliance into our design efforts. Aerospace is a strictly regulated industry, especially for transport category vehicles, and this means there are compliance considerations in almost all of our engineering and program activities. A quality roadmap at this phase will prevent significant pain and delay once we reach the implementation phase.
In this article, we’ll look at four key topics:
- Interaction of regulatory policy and early design decisions
- Integration of compliance into program infrastructure
- Building a strategy for major certification milestones
- Tactics for reducing the compliance cost and timeline
Interaction of regulatory policy and early design decisions
The most critical interaction between certification and design at this phase is a simple question: do we know how to certify this technology? To be successful, the answer for almost all aspects of the proposed design should be yes. For each function and technology, including manufacturing technologies, this question should be asked when trading it into the design. Want to use advanced materials for the wing? Do we have a path to establishing the required design allowables (strength characteristics) and ensuring sufficient production consistency for those values to be reliable? Want to include new communications protocols as part of an integrated modular avionics suite? Then, either in-house or through the supply chain, there must be clear knowledge of how to show that the technology has the integrity required for the criticality of the signals to be processed.
Of course, in order to compete we will also need to innovate, and this means at least a handful of design elements where the answer to this question is no. Each such design represents a major program risk and must be identified and treated as such from the beginning. This means that each of these items must provide enough benefit to the bottom-line performance or economics of the product to be worth the risk. For our sample project, an example of this would be the hybrid propulsion system. Such a technology has yet to be certified, but if we assume this can provide a 5-15% fuel efficiency improvement, then the risk (well managed) is worthwhile. Once these design elements are identified, a specific plan should be established for each one. The plan should identify the team that will establish the compliance approach, the state of current industry/regulatory dialogue on the technology, whether current regulations are sufficient to cover the technology (gap analysis), and what verification activities should be evaluated for showing the technology is safe. Initial dialogue on each technology with our national regulator (FAA, EASA, etc.) should also begin in this phase.
Finally, we must confirm if there are new regulations or policies that may invalidate our past understanding of design compliance. Every year, the regulators update the airworthiness requirements to account for new learning. This can be due to past accidents or incidents, new technologies, or dialogue between industry and regulatory agencies. A good example of this was the Electrical Wiring Interconnect System (EWIS) regulations. While wiring has been on aircraft for many decades, it was relatively recently that systematic rules were introduced for assessing those wires together as a system, including bundle-level risks and functional separation requirements. If a program were started assuming old wiring methods would be allowed without accounting for the new rule, years of delay would be seen late in the program to change equipment locations, redesign and reroute wires, with knock-on effects to structures and other interfacing designs. Each new regulation should be assessed in this phase and, if significant, treated like the new technologies described above.
Integration of compliance into program infrastructure
In addition to the design aspects, it’s important to realize there are compliance considerations for other aspects of the program as well, and there must be a plan to embed these into the infrastructure of the program. This is more than just having a certification group—it requires that compliance threads through every core engineering and manufacturing function.
- Requirements management: For complex systems development, there are strict rules for the management of requirements, including their integration with the safety processes (such as hazard assessments discussed in the previous article). This means that the processes & tools used for requirements development, validation, and verification need to be designed for compliance from the beginning; otherwise, there will be significant rework later in the program.
- Configuration management: One of the biggest areas startups struggle with is establishing the processes and tools for configuration control early. No certification work can occur if the design baselines’ compliance is not clear. This means control of not only design, but also certification-relevant data sets such as requirements baselines, analysis models & validation data, as-built configurations, and document controls. A well-architected tool set is essential for faster product realization, and it becomes increasingly challenging to introduce as the program progresses and the amount of data increases. This is also a good time to plan for negotiating any configuration processes that require regulatory concurrence to streamline compliance demonstrations.
- Supplier contracts and quality clauses: At this point in the program, supplier selections are a significant consideration, as previously discussed. If the right requirements are not flowed down when a supplier is brought on contract, significant cost assertions or delays could result later in the program. Supplier control is a key area of regulatory oversight for an OEM.
- Data retention and traceability are critical, as regulators often request historical data years after an approval. Digital infrastructure for data storage, retrieval, and security should be designed early to avoid costly retrofits. Loss of development data can not only have direct costs if it needs to be recreated, but it can also put a company afoul of regulatory requirements to retain certain information.
In short, compliance should be designed into the program’s operating system, not bolted on at the end. However… too many controls too early will slow us down. More on that below.
Building a strategy for major certification milestones
This phase is also when certification milestones should be integrated into the program schedule, and strategic decisions about the certification approach should be made. This is best done through alignment of compliance activities to engineering gates. Some important items to consider include:
- Compliance requirements: How will we reach agreement on the compliance approaches for the risk areas discussed above by the time we’re committing the resources to develop detailed designs (PDR, i.e., Preliminary Design Review) and start production (at CDR, Critical Design Review)? How will we know? This will be the topic of a future article.
- Certification planning: Have we outlined a top-level certification plan for the project, including where the organizational boundaries will be between different compliance activities? Which activities do we want suppliers to be responsible for, for example, through TSO acquisition (FAA Technical Standard Order) or detailed software development (DO-178C) compliance? How will we sequence the development of certification and testing plans to ensure incremental maturity development that is on pace with the overall program to avoid late surprises? This will also be the topic of a future article.
- Test assets: Do we have a plan for when we will have identified critical test assets that will be needed to achieve certification? Some test rigs can take years (and tens of millions of dollars) to build. If we’re going to use certain unique test facilities, they can also book years in advance. It’s too early to know everything we will need, but a plan should be in place to ensure critical decisions are made with enough lead time to execute and avoid delays.
- Long-lead parts: How will long-lead parts and early compliance data gathering be handled? While we won’t start most of our formal compliance demonstrations until after CDR, we may need certification data for certain parts (such as design allowables for novel materials) as early as PDR. What is our plan to engage the regulator to allow early data collection in critical areas with certification-level controls?
- Type Inspection Authorization (TIA): When in the program will we switch from company data gathering to formal compliance flight test data? How mature will the aircraft be at the time, and therefore what agreements need to be in place with the regulators?
- Production Certification: Production of aircraft is just as regulated as the design. What’s our Quality Management System development plan? When will we engage with the regulators to start production audits? What gates should we pass before spending the time and money conducting First Article inspections and reviews or conducting on-site supplier audits?
- Foreign validation: Do we plan to certify with a single regulatory agency in our home country (such as we see with Chinese aircraft), or are we targeting an international market? If we’re targeting an international market, what’s our target order of engagement and timing? Are there significant differences in foreign regulations that we need to design for from the beginning, such as stricter cold-weather requirements (Canada) or more stringent data integrity standards (Europe)?
There are many questions that we can answer – or have a plan to answer – at this phase in the program in order to avoid surprises and delays during production & testing, when they will be far more costly.
Tactics for reducing the compliance cost and timeline
Certification is inherently resource-intensive. The people, systems, test assets, and time required to achieve certification are one of the largest barriers to entry in the aerospace market. As a result, an efficient certification effort is one of the largest levers when it comes to hitting program cost and schedule. Several tactics, both new and old, should be considered when seeking faster certification:
- Model-Based Systems Engineering (MBSE): Early adoption of MBSE provides traceability from requirements through architecture to verification. This reduces duplication of effort and provides regulators with a clearer audit trail. A quality digital architecture can only be established from the conceptual design phase, but it will have benefits in every phase to follow.
- Requirements scope (and risk) control: There is always a temptation – both in engineering and marketing – to increase requirements scope. Every new, interesting, or pet technology will have an advocate who wants to add it to a new aircraft development. However, as we discussed above, each of these items carries compliance risk that cannot be overlooked. Sometimes the best way to go faster is to do less.
- Digital vs. traditional data control: Using digital certification data packages instead of paper-based approaches can streamline regulator review, reduce errors, and shorten approval loops. However, early regulator coordination and agreement are needed to ensure such approaches are compliant with regulations that were written with paper-based systems in mind. There is a lot of value in a digital twin – but much less if you still need a set of traditional drawings to accompany it.
- Analysis and simulation opportunities: Modern high-fidelity models can replace or reduce some test campaigns, provided they are validated early and accepted by regulators as part of the compliance plan. This requires a plan that targets high-value test campaigns, identifies the required models and simulations that can replace them, and integrates model validation activities with product development so that the models can be shown to be certification-ready.
- Targeted rapid prototyping and design iteration: Prototyping early in areas with high compliance uncertainty helps de-risk later formal testing. Especially for a startup, sometimes there are lessons that must be learned through trial and error. This is one of the most critical decisions for any program that wants to reach the market as soon as possible – when to apply rigorous controls (requirements, documentation, production, etc.). Applied too early, certification controls will slow down every single engineering and production activity you conduct. Applied too late, work products will be unusable towards final compliance and will end up discarded and repeated. A program that wants to go fast needs a deliberate strategy for design iteration that integrates progressive controls with design/technology maturation. This can be extremely difficult to enact when faced with funding sources that see iterative processes as wasted cost and time.
By deploying these tactics, programs can not only reduce cost but also gain schedule margin and regulatory confidence, both of which are essential in a competitive aerospace environment.
During conceptual design, a program needs to internalize that certification is not a box to be checked at the end of development—it is a design constraint and an opportunity for efficiency from day one. By integrating compliance into early design decisions, embedding it in the program’s infrastructure, aligning around major certification milestones, and applying deliberate tactics to manage certification cost and time, organizations can transform certification from a risk into a competitive advantage.
Twenty years ago extensive simulation, FEM, CFD were a fully implemented in design phase.
I remember the costs of software, programming, modelling, specialists, verification and running extensive simulations were very high.
Often it was faster & easier to just quickly build a (metal, wooden, glass fibre) model of radical new aircraft designs and put it in the wind tunnel right away.
Quickly getting data, insights, moving ahead.
Also requiring craftsmanship, NC tooling etc, a good tunnel etc, but way faster cheaper at that moment in time.
With all these apparently necessary steps to ensure compliance and safety, it’s just baffling that Boeing’s single-sensor-dependent MCAS on the 737 MAX could ever make it through certification.
Stunning, really.
So just to clarify (again), MCAS was not a single sensor design, it had an accelerometer to confirm the AoA sensor output.
The error was in having one team (flight test) recommending removal of that sensor to resolve another issue, without that change then undergoing a repetitive review by the safety certification team.
And that in turn happened because of parallel processing of certification tasks. If you have parallel tasks, then you need to have adequate communication between them. Bjorn has mentioned this several times in this series. Or as the FAA has decided and implemented currently, to serialize those processes instead.
But I’m glad you made this comment, as it illustrates what I noted below, about constructive and preventive criticism. Without understanding of root cause, criticism degenerates into finger pointing that is unproductive because it won’t prevent future occurrences.
Bjorn is pointing the way to the correct approach. The FAA had to resort to more dire methods, in the face of criticism that they missed the MCAS changes. But those methods also drive up costs and delays, as we have seen. So we can yet hope that Bjorn’s approach will prevail in the end.
Rob
Continuing with MCAS for a moment.
The other problem not getting too much mention here is that up until MCAS was installed, the flight control system of the 737 was left right redundant. The left side ran the left aileron, left elevator half and upper rudder, the rt side ran other side. Gear and flaps were on utility. They were mechanically slaved with weak links to prevent a single actuator failure from jamming things. This gave the MCAS fix 2 soft spots, the first was that each pitch vane ran MCAS on its side of the airplane ONLY when the FCUs cycled from left to right with each power up. This means the loss of a pitch vane sensor only affected 1/2 the flights as the active FCU switched sides with each power up. This contributed to Lion Air functionally testing the wrong side of the airplane when they changed the pitch vane before its incident flight due to FCU cycling LH to RH on power up. The second issue was that the MCAS has no off switch. It’s either on or failed. There is no direct path to turn it off. People point to the trim motor switches as doing this, but it doesn’t turn off MCAS. The trim motor switches only sever the output path, it doesn’t actually turn MCAS off. This led to, in my opinion, the thinking that it needed no training since it is not directly cockpit addressable. It had no off switch so there is no way for the crew to affect its operation. This perception that it was not crew addressable led to the minimalization of training story. Change Board may not have gotten all the correct players in the room when this change happened. It was most likely PRR Supplemental with an insufficient cross section of talent reviewing the Statement of work. Even a JR Stab and Controls guy would have made a difference.
This is the first I know of any mention of an accelerometer. Not being contentious but I would like to see a ref to that.
A major compounding factor was morphing MCAS 1.0 to low speed situation, adding a large amount of authority due to speed needs if you are going to do that.
I have seen no explanation as to why the whole process when it came together was not reviewed.
My opinion is it was less lost in a process than it was rushed to meet a time goal and not having to add training to convert from NG to MAX (commonality). Southwest had a million dollar an aircraft penalty if additional training was needed.
Another aspect that does not get mention is the impossible to turn Manual Trim at higher speeds that got coded out of the Simulators (no one has back traced how that occurred but it was in all sim mfgs so it would seem Boeing did that).
I am not in the group that thought the alert would have done any good (that was an option). If you don’t know about MCAS 1.0, the alert is meaningless.
Like the door blank blow out, if you ignore process then you get a failure. And adhering to process is a compliance.
It depends on the integrity of the mfg and its people.
Agree TW, the accelerometer sensor angle seems to have popped up in a few blogs and is taken as writ.
Good to see a proper official source
Duke & TW:
It’s in the OIG report on MCAS certification, at least. Also reported in many news sources.
It’s not in the OIG report
https://www.oig.dot.gov/sites/default/files/FAA%20Oversight%20of%20Boeing%20737%20MAX%20Certification%20Timeline%20Final%20Report.pdf
I understand that it’s discussed elsewhere more generalised with other flight parameters but not as a specific item singled out like you do… that’s just from ‘comments’ in a blog. It’s not like even a reliable source as we don’t know the random commenter background.
Duke, it’s described in Seattle Times article that is reproduced here. Dominic Gates said he had seen the Boeing proprietary documents that list the accelerometer in the early MCAS design.
After this article was published, the initial Boeing slide presentation to the FAA on MCAS was leaked, and I have seen them. They directly reference the accelerometer. This was the source Dominic quoted.
I’m trying to find them again now, but they have been scrubbed from my original source. I’ll keep looking. I posted them here at Leeham back in 2020 as well, but those links will be dead now.
The OIG report references the MCAS changes indirectly, it doesn’t list them individually. But they did occur, including the accelerometer.
https://www.afacwa.org/the_inside_story_of_mcas_seattle_times
“This original version of MCAS, according to two people familiar with the details, was activated only if two distinct sensors indicated such an extreme maneuver: a high angle of attack and a high G-force.
Angle of attack is the angle between the wing and the oncoming air flow. G-force is the plane’s acceleration in the vertical direction.”
@DukeofURL
I found that the source of the slides I mentioned was the Boeing MCAS records subpoenaed by Congress. However the links on the .gov web site are dead.
I tried the WayBack Machine and the Internet Archive, but the links were not archived until after they were scrubbed.
I also checked the Wikipedia archive, but the links there are labeled “permanently dead”.
So the best I can do is this NYT article, which is based on the Congressional report and interviews with the people at Boeing who worked on the MAX. They all confirmed the accelerometer was there, and some were surprised to learn it had been removed.
https://www.nytimes.com/2019/06/01/business/boeing-737-max-crash.html
“At first, MCAS wasn’t a very risky piece of software. The system would trigger only in rare conditions, nudging down the nose of the plane to make the Max handle more smoothly during high-speed moves. And it relied on data from multiple sensors measuring the plane’s acceleration and its angle to the wind, helping to ensure that the software didn’t activate erroneously.
Then Boeing engineers reconceived the system, expanding its role to avoid stalls in all types of situations. They allowed the software to operate throughout much more of the flight. They enabled it to aggressively push down the nose of the plane. And they used only data about the plane’s angle, removing some of the safeguards.
A test pilot who originally advocated for the expansion of the system didn’t understand how the changes affected its safety. Safety analysts said they would have acted differently if they had known it used just one sensor. Regulators didn’t conduct a formal safety assessment of the new version of MCAS.
The current and former employees, many of whom spoke on the condition of anonymity because of the continuing investigations, said that after the first crash, they were stunned to discover MCAS relied on a single sensor.
To ensure it didn’t misfire, engineers initially designed MCAS to trigger when the plane exceeded at least two separate thresholds, according to three people who worked on the 737 Max. One involved the plane’s angle to the wind, and the other involved so-called G-force, or the force on the plane that typically comes from accelerating.
The Max would need to hit an exceedingly high G-force that passenger planes would probably never experience. For the jet’s angle, the system took data from the angle-of-attack sensor. The sensor, several inches long, is essentially a small wind vane affixed to the jet’s fuselage.
The change proved pivotal. Expanding the use of MCAS to lower-speed situations required removing the G-force threshold. MCAS now needed to work at low speeds so G-force didn’t apply.
The change meant that a single angle-of-attack sensor was the lone guard against a misfire. Although modern 737 jets have two angle-of-attack sensors, the final version of MCAS took data from just one.”
@ PNWgeek
These are all good points. As far as MCAS not having an off switch, there are several factors in that design choice:
— MCAS was considered part of the speed trim system, which likewise doesn’t have an off switch in the MAX.
— in the evolution of the two stabilizer cutoff switches, in early 737’s they were used for the two redundant motors. For the NG series which went to one motor, one switch was for that motor but the other was reconfigured as a speed trim system cutoff.
— in the MAX series, Boeing studied the use of that second switch for speed trim cutoff, and concluded it was basically never used, so felt it would be more useful as a redundant switch for the motor.
(this means as Richard has written here extensively, the 737 did have an off switch that would have worked for MCAS, for one generation)
— the procedure for MCAS malfunction was the same as for the well trained runaway stabilizer motor, so Boeing concluded it was best to stick with a universal procedure.
— like speed trim, MCAS could be overridden at any time with the column ANU/AND power trim switches, which was also heavily trained.
With regard to the Lion Air testing of the AoA vanes, the MAX aircraft had an intermittent vane from the factory, for over a month, before it was correctly diagnosed. Then instead of requesting a new vane from Boeing under warranty, they replaced it with a refurbished NG vane, which turned out to be miscalibrated.
And they falsified the testing of that vane after installation, it was in fact never tested, even after the preceding JT043 flight that also experienced the MCAS malfunction. That issue was ascribed to the month long pattern of intermittency, even though the aircraft log showed that vane had been replaced.
It’s good to objectively review the design choices and other factors involved in the MAX accidents. That’s how we understand how to prevent repetition.
Air Current reported that FAA and EASA both found after the crashes that MCAS wasn’t necessary at all.
The Boeing engineers who designed the new controls for the KC-46 to account for shift of balance due to fuel offloading came up with the MCAS system for their version and MCAS was their suggestion to the Max flight stability engineers. But KC-46 was able to hinder the MCAS action in a simple way.
@DukeofUrl
That is objectively false. The MAX needed MCAS for compliance with the FAA rule for force gradient on the column. Bjorn did an article on this going back to 2019-2020. You were here then, as I remember.
What you might be referring to, is that Boeing could have requested an exemption for that rule from the FAA, as a waiver.
There is a contingent of critics that allege the risk from the waiver would have been less than the risk from MCAS. You can argue that either way.
In any case, Boeing went for full compliance and the FAA agreed. The rest is history.
Duke
No
The reason MCAS was installed was to cure a stickforce gradient inconsistency above something like 12.3 degrees alpha. There is a stickforce gradient curve that the NG was compliant with and the MAX wasn’t. The fix was MCAS, which added down elevator trim to get the stickforce per G back into a certifiable window. You could not certify the MAX without MCAS. HOWEVER if anything ever screamed for a waiver, this teeny tiny spot in the flight envelope that no normal human would ever fly a passenger jet deserved one. BA should have filed for it.
As to the CG maintenance needs for the KC46 as it offloads fuel. There is an autopilot subroutine added to detect trim forces and it commands a transfer pump to unload the stab. It’s nothing like MCAS and I think you are a victim of misreading what was reported. ALSO this is an ITAR add to the Autopilot software because the 767-2C has dry tanks in the belly and is not certified to have them filled. The systems in the 46 is nothing like what you describe.
@PNWgeek
My understanding of the KC-46 is that both you and Duke have accurate points.
It’s true that there are fuel transfer pumps that help maintain trim. But the fuel transfer rates through the boom to large receivers like the B-52, are substantial. The pumps take time to compensate and so there are still trim instabilities introduced.
It’s less of a problem with drogue refueling, because the fuel transfer rates are much smaller.
Further the responsibility of maintaining the 1400 pound boom connection force rests with the receiver pilot, but inevitably there are variations. The boom hydraulics absorb a lot of it but not all, so there again are destabilizing trim forces involved.
Unlike the MAX, MCAS on the KC-46 is active during autopilot. And it’s there for evasive actions as well. And it has a disconnect on the column, if the pilot doesn’t like what it’s doing.
I’ve visited the KC-46 at an airshow and talked to the crew. They said they like MCAS because it allows them to focus on navigation, coordination and planning. It lifts much of the burden of maintaining trim while refueling.
In the KC-135, pilots have to do both, and it’s really a two person task (plus the boomer). MCAS is part of the reason USAF was considering pilot/boomer crews for the KC-46, with no copilot. Fortunately I don’t think that went anywhere.
Incidentally, I wanted to talk to the crew to get an honest assessment of the KC-46 and the RVS system. While they were candid about the problems, as I suspected they said most of the time it’s not an issue. On the whole they much prefer the KC-46 to the KC-135.
Which runs counter to much of the media narrative, as is so often the case with Boeing. Helps to reference the source.
Concur that a slightly more pitch up was found in the tests.
I don’t remember anyone actually put it to a math test to see what the limits are that would need correction or its opinion.
Rather than go through a process to determine yes or no, Boeing just threw software at it.
Sadly it was crappily done, I have worked with enough systems that you know to cross zone a critical item.
Cherry picking AOA failure data that did not take real world into account allowed a lower safety rating.
As far as I am concerned Bjorn wrote the definitive assessment on it and it was not primarily pilot error.
Ultimately you cannot turn MCAS 1.0 off, you could stop it.
Having been in one incident where things did not work the way they were supposed to, I can see the confusion that results. My only reprieve was a lot of reading and once I got out of my panic, assess, determine the issue and do the correction (some elements were not done per the book but the main one worked).
When I was taking my motorcycle test, there was an avoid the log in the road setup, you ran at a light bar, the light flicked on left or right side, you went that way and avoided a painted area.
So what happens, BOTH lights come on. My brain tried to do two different things at the same time and froze up. I unfroze before I hit the log and went left, got back to the tester and it was, what the blazes?
You were going too fast and it lights up both if going too fast. You could have told me that. I was full on competition for the tests, I did not just want to pass I wanted to max out the course. Hmmm.
I know why Boeing installed MCAS, but according to reliable source FAA said Max didn’t really need it at all.
The one relevant quote is the FAA saying its stall characteristics were “acceptable” with or without MCAS. …. It still would have required additional training because of the difference between the MAX and the NG in stall characteristics.”
There is that proviso.
But once Boeing decided on it – under flawed assumptions- they implemented it with flawed assumptions again to bypass the extra training
The original iteration of MCAS was developed through simulation of high speed wind-up turns based upon wind-tunnel data. Under this flight regime one needs both high-g forces and high-alpha which is why MCAS that was presented and approved by the FAA using 2-sensors and active only in a corner of the flight envelope. Pilot training is not required because the pilot doesn’t do anything differently during an excursion either during the event or in recovery. The change to MCAS to one sensor occurred in flight test where simulation is not reliable. It is why one does flight test. It is my understanding that the discussion of the waiver only applies to the control force issue identified in low speed regime where MCAS was subsequently provided with substantially more authority.
Interesting that there are examples from industry that align closely with the points raised in this article:
— the EWIS design of the 737 MAX did not fully take into consideration new regulations for wiring separation. That resulted in a retrofit when discovered.
— using a cockpit simulation model in the 777X to identify and mitigate human factors issues, that wasn’t fully vetted with FAA beforehand. That resulted in the FAA not fully accepting the results during certification.
— the SpaceJet approach of attaining some aspects of certification after design. That became very costly.
— lack of a detailed or organized plan for the Starship rapid iteration methods. That has resulted in major underperformance and consequent significant growth in the vehicle design. As well as repetitive failures during testing.
— basically any US military procurement project in the last 25 years, in terms of advocacy groups packing in features that radically alter and slow the design and certification process. The Navy stands out with the Ford-class carriers, the LCS, the Constellation-class frigates.
I’m sure others here can think of many other examples.
It’s notable that these instances were all well intended, no one starts out to drive up costs and add delays. But as this series points out, that is the inevitable result if you don’t have adequate understanding of risk, organization, and planning at the beginning.
Bjorn and his team should publish this work as a mandatory review when starting major new projects that will require certification.
Also this series is such an excellent example of both constructive and preventive criticism, that is so much more productive than finger pointing afterwards. This is the way!!
The term that has bit the military is concurrent production. We will fix it when we find it.
As noted, Ford class has many new features and some like no CAD showing where the elevators went only to find the route blocked by another CAD deck drawing (and installed that way, contractor follows the drawings).
Constellation is different. It’s more a I will lie and you will believe me aspect. Using a FREMM design was the premise but the US Military cannot tolerate any foreign aspects, so it got redesigned and then made bigger to suit the Navy (and lost a bow sonar). It also does not have enough power, spec was for two gas turbines (and don’t get me started in the silly 57 mm gun).
The crying shame is the F100 Spanish Frigate was the other option, it had huge amounts of US systems, including dual gas turbines and a missile load out that is the envy of the world (since they realized the issues with drones and cheap CM)
While the F-35 is a severe concurrent issue (first 100 are useless as combat aircraft due to the changes that would be needed) it also was a procurement debacle due to the parts system.
The new Ice Breaker has been through the same process, USCG redesigned it and you might as well start from ground zero, it cost a heck of a lot less.
USCG refused the Aviq because it was not a Coast Guard spec ship (when we have virtually no ice breakers). They were forced to buy it. It is in fact well made and the owner provided complete maint and training for the USCG.
No, it’s not ideal but it’s 80% and an ice breaker in the hand is worth two in the brain any day of the week. It’s now renamed and stationed in Juneau AK (Cold Bay would be better, you never know when a Freighter needs a tow off the rocks and it’s also tow capable which ice breakers usually are not)
I think the recurrent theme is that compromises in the desired design are needed if the goal is to reduce cost by integrating earlier designs.
But then after agreeing to those compromises, the services try to reverse them to restore the original desired design. Which effectively undoes all the cost savings.
I don’t think the motivation for that is favoring American hardware, but rather the desire to have the most recent revision of all technologies, to avoid the perception of building outdated vessels, aircraft and vehicles. It’s understandable but also counterproductive.
The USAF did better with the B-21, locking the design early, which allowed it to reach production with less delay and cost growth. To do that, they had to accept an upgrade contract before the first aircraft even flew.
But I think on balance, that’s a better development method because it clearly defines the upgrade costs and periods, rather than having them be lost in project inflation.
Concurrency is a double edged sword, it can just as easily kill a project as save it. But again it allows the design to adapt to the latest toys, which is why the services prefer it.
I would agree on the last statement as to why the military tries it.
I don’t know of a case it succeeded, it’s always added cost and in the end, saved no time.
As for mods, it’s not the latest standards, it’s simply they all have a book on how you do anything, even where a rope (excuse me, line) is hung and what the bracket for it has to be.
So in the case of the USN or USCG, they change it. Oh, and the stairs (ahem, ladder) does not have the right slope and foot lift, change it.
When they are done it looks nothing like what they started with.
USCG was forced to accept the Aviq, and you can read the comments, it’s not built to our standards. Not just US standards but USCG standards.
The irony is the F-100 Frigate was perfect for the requirement but they would have changed it too (well it needed a good dipping sonar but that is one of the least issues, easier than changing a line bracket!).
On the Ford they did not build a test article for the Catapult or the Arrestors which were new designs. What happens, yea it fails all the time (both)
Now? Yea, they built a land version and run tests on it.
Basic stuff that they don’t get right.
So yes the B-21 is a better setup. Best yet (godly USN) was the P-8. They just moved the P-3 systems into it.
But, they knew they had new systems coming, they set it up for what they call spiral development. Upgrade system A but don’t touch B (unless its part of A). The P-3 systems had the built in aspect to upgrade and they just ensured it was kept that way.
It gets an aircraft to the fleet on time, it ensures future changes – you get 80% and you can upgrade.
UK paid the price when they changed their mind about their new carriers but the cost to make CATOBAR was so high as to be not allowed (so they have F-35Bs landing in Asia and can’t get them back!)
An accelerometer “confirms” the accuracy of AoA in MCAS? In MCAS 1.0 only?
> In the original version of MCAS (v1.0), there were both AoA and accelerometer inputs required for activation. Thus the redundancy criteria were met. The safety analysis for this version was formally certified by the FAA.
In the later MCAS adaptation to low speed (v2.0), the accelerometer proved too sluggish in response, and was removed from MCAS on the recommendation of the flight test team…
Thanks for providing that informative and accurate quote, Pedro.
Quite a deceptive, misleading statement from that other commenter- since MCAS *with accelerometer was never implemented* in the production Boeing 737 MAX; for example, in the two Boeing 737 MAXs that crashed claiming all 346 lives onboard..
Par for that one’s particular course, though. 😉
Vincent, no one has ever claimed the accelerometer was a production component of MCAS. No one ever, at any time, anywhere. Please cite your source for this statement.
This appears to be yet another of your frequent false and disingenuous statements. So I will treat it accordingly.
What has been said, truthfully and accurately, is the accelerometer was part of the original design and was flight tested as such. But was removed from the design when it was found to not have the responsiveness to work effectively at low speeds.
In a low speed wind up turn, the AoA vane would indicate the range for MCAS activation, but the accelerometer would not confirm it, which defeated MCAS. For that reason, it was removed from the design when MCAS was modified for the low speed case. This is part of the engineering record.
I get that you may not understand the engineering involved, and as with Pedro, I don’t fault you for that. But I do fault the continuous attempts to misrepresent the truth. Those really have no place here.
It would also be good to note that the original issue was high speed and then MCAS got added as a low speed protection as well.
I do say protection with a jaundiced take, you have a stick shaker already.
Point of order is the Stick Shaker activated by one AOA?
They should have been cross linked and its still iffy and certainly the pilots should have known about it.
Much like the load relieving device on LEAP that puts smoke into the aircraft.
Insane this claim:
“So just to clarify (again), MCAS was not a single sensor design, it had an accelerometer to confirm the AoA sensor output.”
Clearly word engineered to misrepresent the fact. How low can our poster go?
Has anyone found that in the OIG report?
Now, when challenged, it switched to:
“no one has ever claimed the accelerometer was a production component of MCAS.”
Spinning, non-stop spinning. It’s a clever deception. It’s not difficult to understand the level of deception, nothing “technical”. Furthermore, Robbie could never provide a proper source:
“It’s in the OIG report on MCAS certification, at least. Also reported in many news sources.”
Cut and paste from a blog… where the reliable source for the MCAS V1 & V2 hogwash
Here’s an actual named source
‘However, according to interviews with agency directors describing assessments undertaken after the MCAS-induced crashes had occurred, both the FAA and EASA felt that the aircraft would have had acceptable stability without MCAS’
Jon Ostrower – Air Current
You’re creating a Straw Man misdirection, Dukie.
The MAX’s stability with or without MCAS is not what is at issue: what is at issue is Boeing’s *single-sensor-dependent MCAS system itself*, which silently doomed 346 humans to their deaths, since the pilots did not know of that system, were not trained for it, and could not turn it off (“look- no ‘off’ switch, dude!”). Twice your MCAS sent two Boeing aircraft into non-pilot-commanded dives..
Nice (if lazy) try, though. Do better.
Vincent, your assessment fails (as always) to acknowledge that the crews had the ability to command the aircraft at all times, including the ability to reverse any and all MCAS inputs.
This was established in both the NTSB and BEA rebuttals to the Ethiopian ET302 accident report. That report was criticized for the same factors you exhibit here, incompleteness and misrepresentation.
All that NTSB and BEA asked, was for the report to be fully representative of the truth. And that is all that is asked of you here.
If you criticize MCAS, that’s fine, and NTSB and BEA both noted they did not take issue with those criticisms from Ethiopia. But the criticisms have to be contextually within the bounds of accuracy and truthfulness.
Pro Forma stuff from you as usual, Robbie.
Defending the indefensible is tough work!
I know you have a job to do, dude. How much did you get for your soul- and when does your contract run out?
One more thing: please tell us more about this accelerometer you claimed upthread was part of the as-implemented MCAS system. Thanks!
Vincent, you should understand by now that repeating the lies doesn’t make them valid.
We are now 5 years out from those accidents, the record is fully established, and there is no longer ambiguity concerning the events that transpired. They are fully understood and documented.
And yet here we still have false narratives being pushed, as part of an over-arching agenda.
It’s one thing to have done this when uncertainty remained. It’s quite another to do so in the face of facts and evidence.
All that’s necessary here is to be truthful, and adhere to the documented record. Why is that such an impossible ask?
TRANS WROTE
low time first officers who don’t have enough experience to contribute to CRM.
And no I don’t have an answer for that. I don’t think 1500 hours as flight instructor is worth much if anything which is a common US practice to get the US required hours
This is fundamentally incorrect… The alleged low time right seater was in fact the crew member that switched off the trim motors. They stopped that portion of the issue. The second portion of the issue was the high manual trim forces experienced while recovering the vehicle. The extreme trim forces are an artifact of overspeeding the vehicle and that is specifically addressed by the current training. Current training in place instructs anyone experiencing this to slow the vehicle to unload the trim system. This makes sense because there’s a wonderful V squared in the forces formula, if you go back thru the documentary on MCAS, they say something like THE KID GOT IT RIGHT……. The Ethiopian crew never slowed the vehicle down to unload the trim, turned the trim motors back on and subsequently lost the airplane. I don’t hang the blame on them alone, they are just one of the Swiss cheese holes that lined up…… Lastly I am not a proponent of a minimum number of hours requirement for a US ATP. The USAF takes an ab initio pilot and gets him squadron ready in an F16 in approx 400 hours of structured training. That mission is far more challenging than a line pilot position in the US airlines.
Vincent, respectfully, you aren’t correct here.
The Vanes were Dual channel for redundancy and the outputs were split between the Left and Right FCUs. The fault isn’t your supposed use of single channel logic, it was quite well developed and electrically redundant. Both accidents were the result of the defeat of the mechanical portion of the vanes, the electronics worked as planned. The accidents were caused by BOTH channels of the redundant sensors being defeated simultaneously by mechanical damage. That’s a far cry from claiming it was 2 accidents caused by single sensor failures. We should be accurate. Missing the coaxial nature of the encoder package allowing loss of both sensors simultaneously should have been caught, but that’s way down the fault tree from your position on the incident
On the 737, the angle-of-attack (AOA) vane assembly (often called the pitch vane) is built around a single aerodynamic vane shaft connected to the fuselage. The shaft drives two independent angle sensing elements (resolvers/encoders). Both sensors are mechanically slaved to the same vane shaft but provide separate electrical outputs for redundancy. (Dual Channel)
Each AOA vane assembly therefore has dual-channel sensing, one output going to the Captain’s systems, the other to the First Officer’s/standby systems. The vane itself is single, but it drives two angle sensing encoders slaved to that vane shaft.
737 MAX Specifics
The 737 MAX uses dual-channel AOA vane units manufactured primarily by Rosemount Aerospace.
Each vane has two independent digital resolvers (angle sensing encoders) on the same shaft. One channel routes to the left Air Data Inertial Reference Unit (ADIRU), the other to the right ADIRU.
This split is critical because the MAX’s Flight Control Computers (FCCs) alternate between Captain’s and First Officer’s side each flight, so both encoders are actively monitored.
The vane outputs are in digital ARINC 429 format, replacing the older analog resolver style in NG/Classic.
Boeing incorporated AOA disagree alerting in the PFD logic using these dual encoder outputs — though early production MAX aircraft had a software misconfiguration that tied the alert to an optional feature.
Both accident aircraft (Lion Air 610 and Ethiopian 302) were equipped with the same 737 MAX dual-channel AOA vane configuration described.
Key points specific to those jets:
Each airplane had two vanes total (left and right), one on each side of the nose.
Each vane assembly was single-shaft, dual encoder — one channel feeding the left ADIRU, the other the right ADIRU.
On both accidents, one entire vane assembly produced faulty outputs (not just a single encoder channel).
Lion Air: faulty left AOA vane.
Ethiopian: faulty left AOA vane.
Because each vane’s two channels are mechanically slaved to the same shaft, when the vane itself fails (e.g., physically damaged or biased), both encoders report the same wrong angle — so to the FCC it looks like “good data from that side.” That’s why MCAS repeatedly activated: the FCC logic trusted the faulty side without requiring both vanes to agree.
So yes, both accident aircraft had the dual-encoder per vane design, but the failure mode was at the vane shaft itself, which meant both encoders agreed on bad data, defeating the intended redundancy.
The cause of the Lion Air incident was an out of range component improperly calibrated feeding identical bad data for both encoders as it was bolted to the aircraft rotated out of range. The second incident appears to be a bird strike on the vane pinning the vane at an impossible pitch value. This caused both encoders to feed identical irrational pitch values to the system.
“On both accidents, one entire vane assembly produced faulty outputs (not just a single encoder channel).”
Yes. And how could the actuation of MCAS be dependent- as it in fact was- only on “one entire [sic] vane assembly”? There is only *one signal source being acted upon* here.. a faulty one, in the case of the two MAX Crashes.
Talk of multiple “encoder channels” and such strikes me as hand-waving, since they are both / all dependent on one signal.. correction from you is welcome.
Vincent
No correction necessary. Dual encoders on pitch vanes are the industry standard. Airbus and I believe Embraer also use them. The risk isn’t in the unit itself, this is proven by the fact that a maintenance error at the depot level allowed a corrupt vane into the system. That vane was set up with a split output value between the two encoders in excess of the spec, so MCAS didn’t see 1 value, it saw 2. That shop lost its license and ceased business. The Ethiopian flight had data indicating a large birdstrike on the vane itself, disabling the vane. Same risk set as all other users of the same component in the fleet. Remember I started this out respectfully, and I gave you exactly what happened. No corrections needed because if you recall, the Max is currently flying with the same dual channel vane as the incident aircraft, if it were the issue, it damn sure wouldn’t continue to fly.
My position about MCAS is that they should have waivered the airplane first, because nobody flies at over 12 degrees alpha, and protecting against that is really questionable. Second, simplicity done correctly is always safer than complications. MCAS was a complication of questionable merit.
Have a great day. ALSO read the MCAS Esq story about the Boeing 707 flying like crap and not passing CofA in Great Britain until it got a stick pusher added. It’s in Scott’s new book……. This isn’t a new thing.
What I was pointing out to you is that you are using an overly simplistic storyline that tends to make you less believable to those who do this stuff for a living. You have some decent points but your delivery relying on the incomplete story isn’t working well as it tends to impeach your credibility. I’m offering the story so you can tune it up.. You can make a factual argument that coaxial encoders on a single shaft are potentially less safe than 2 encoders on separate shafts, maybe, because there is a completely different risk assessment there and it revolves around statistical potential for a target of size x carrying 2 encoders being at less risk than 2 encoders on 2 vanes at a size larger than 2x that if 1 is hit causes a failure.. What I gave you was the truth behind the incident so you can get on the page with facts,
@Vincent
No one disputes that removing the accelerometer, while not providing for an alternate check of the AoA vane, was an error and introduced a flaw. Not even Boeing denies this.
There was always the possibility of a common mode mechanical failure of the two resolvers in the AoA vane. So it should have had a second safety analysis. This is the conclusion of several reports and is part of the established record.
The fault tree explains partly why this happened:
— the original hazard classification of MCAS was based on the lesser control authority, which could not apply more than 15 pounds of force on the column (in the worst case), and in most cases well less than 10 pounds. As Peter Lemme pointed out, that classification needed to be reassessed after the MCAS changes in control authority, but wasn’t. The revised MCAS could apply 35 pounds of force, and further that could become cumulative for multiple activations. The omission of the reclassification itself is a process failure.
— the fault tree branch for MCAS instead terminated with crew actions, which Boeing believed would be routine, but in fact were found not to be in practice, during the FAA testing of flight crews. The FAA determined that crew proficiency, especially in foreign crews, should not be relied upon for fault mitigation. Boeing also concluded there was no difference in the crew recovery actions required, with or without the accelerometer, and so deemed it as a “no change” scenario. Which ignored the change in severity of the outcome, because of the failure to reclassify the hazard. This is documented in the discovery email record.
This is why the FAA changed their human factors evaluation for the MAX recertification. Boeing could not rely on crew action to overcome a documented failure condition in the fault tree. Instead they had to alter the fault tree to eliminate the condition. This is what led to the software rewrite, which included even the esoteric case of a cosmic ray strike. Even that rarified event could not depend solely on crew action in the fault tree.
This is the kind of accurate discussion I would hope we could have here. I don’t expect anyone to know all of this, I only know it because I’m retired and spent a great deal of time researching all the documentation.
Also clearly the goal of this presentation is not to avoid criticism of Boeing or MCAS. In fact it’s the opposite, to ensure the criticism is as accurate as possible. That is how you prevent a future occurrence. Criticism is only useful if it’s accurate, otherwise it becomes a distraction.
Thus I am baffled by the constant arguments that erupt here, which insist Boeing is an evil criminal organization. Or that I am corrupt for establishing or correcting the record. Not only is that not indicated by the facts, but it distracts from the true problems that need to be addressed.
If the FAA in fact pursued the “evil organization” theory, and not the evidence as presented above, there would be no actual improvement in safety, or reduction of risk.
Similarly if FAA did not pursue the crew component, holding the crews without responsibility as is so often advocated here, they could not reduce those risks either. This is why NTSB and BEA rebutted Ethiopia. It accomplishes nothing to deny the crew roles in the accidents.
I am having a problem with use of the language dual channel.
Technically it’s correct, but the reality is it’s all based on a single point of failure aka the AOA and its associated shaft.
A minimum is to cross link both AOA into the software such that both have to indicate in order for that software to engage.
Factors that Bjorn concluded were MCAS 1.0 first, pilots 2nd.
You can argue all day long a percentage, but sans MCAS 1.0 and or trialing, neither crash would have happened.
Another contributing cause is low time first officers who don’t have enough experience to contribute to CRM.
And no I don’t have an answer for that. I don’t think 1500 hours as flight instructor is worth much if anything which is a common US practice to get the US required hours.
I lean more to 500 hours minimum and an extensive sim background in unexpected (not scripted same oh same oh) events.
My personal view is that there are pilots who should not be flying, they don’t have the mental aspects required that comes out during an emergency.
It’s also you don’t fail on the first bust, if you can build that reproach to trouble shooting and assigning the captain, nothing wrong with it.
The US has moved to unscripted events which is to the good.
Duke.
Yes the MAX would have had ACCEPTABLE stability without MCAS. That’s why I don’t understand Boeing not running a waiver request as the first course of action addressing the stickforce curve requirement. BUT ACCEPTABLE is far different from CERTIFIABLE, and it wasn’t certifiable because of its divergence from the published stickforce gradients at the extreme nose up portion of the envelope.
Thank you for confirming this.
I can’t speak to the merits of the waiver vs MCAS, or how the FAA would respond to that. There are no similar waivers in the record for other aircraft.
But I suspect if Boeing had applied for the waiver, that would have been a source of criticism, as every other waiver has been. And this waiver directly impacts the handling of the aircraft, so it’s understandable to me as an engineer that Boeing would decide against it. I would as well.
Who noted the so called issue?
If it was the FAA it required a response.
Keep in mind the FAA was highly inclined to accept Boeing take at the time.
We are viewing the past from the post MAX crash and Door Blank blowout history.
While I was not a lettered engineer I was in an engineer position (yea, odd world) and I went with the KISS principle.
Robbie’s words at the beginning of the thread, in response to my initial comment re MCAS:
“So just to clarify (again), MCAS was not a single sensor design, it had an accelerometer to confirm the AoA sensor output.”
I’ll let others decide what he was doing there, by commission, and careful omission.
#slippery
And I will equally let others determine what Vincent’s agenda is here.
Given that I have explained the engineering of MCAS countless times here, my position is well known and heavily documented. There is nothing “slippery” about it.
I wonder which of us is paid for our words posted here, and which is not.
I am not. And you?
Stop the personal attacks, or you will be out, as it’s against the forum rules.
Vincent.
Not a penny here, not a dollar either.
I also heard about the use of an accelerometer on one of the early MCAS iterations, but never actually saw it. It makes sense if you are trying to use a look up table plotting AofA and G load in real time to define an output, but that’s pretty complicated and I’m not surprised it got abandoned. They simplified the programming rules a lot to say, if flaps up, gear up and autopilot off, an aggregate pitch value above 12.3ish degrees will command a down trim activation. That eliminates any g load data requirement and with it the accelerometer.
And I missed it and I was deeply into reading all I could get my eyes on.
I am happy to stand corrected.
I will continue to support the area of disagreement on the dual channel. I don’t care if its Vincent or Pedro or Bryce disagreeing.
Again it’s technically correct but factually when the dual channel comes from single point of failures, it’s not dually redundant or you can say it’s not cross zoned. If a single shaft or vane is damaged or failed, aka put into a wrong position showing a stall, MCAS 1.0 was triggered.
The sad fact is the two known incidents triggered MCAS 1.0.
I worked with boilers which have an incredible amount of latent energy.
The Temp safety was a totally separate device from the operating control (device).
I worked with Halon suppression systems. We always cross zoned those.
One I had to fight an inspector over, the others came cross zoned as they were dedicated systems that the designer knew it was required.
When life safety is involved, you cross zone, or you have two totally separate inputs.
If one is semi pro Boeing they are getting paid?
No.
But consistently pushing a highly contrarian narrative without tendering clear and specific quotes from supporting links — that’s certainly suspect.
Sweeping, non-committal assertions that proof “can be found in the public record” don’t count, since anyone can make such an assertion about anything.
Turning this around: if someone here were persistently making highly contrarian, unsupported claims about Airbus, Embraer or COMAC, what would you think?
Sadly for some it’s an MO.
Rob and PNWgeek I believe are being too engineery in this case and technically they are correct.
Better put a single damaged/ failed AOA in the wrong AOA indication triggered MCAS 1.0.
MCAS did exactly what it was designed to do.
The design sucked (using a non engineer term).
TRANS.
Reframe for a second. You are missing the fact that the 737 is a mechanically controlled aircraft. It is certified with dual flight control computers, but they run things like speed trim and mach trim. There are 2 on the airplane, but only 1 side is active at one time and the primary and secondary function switches between them at each power up. The pitch vanes each feed both computers. Channel 1 fed the computer on that side of the airplane, channel 2 fed the other side. This is how you would be able to detect an AofA mismatch. Suggesting that the system is at risk because both left or right vane outputs are shaft dependent isn’t valid. The opposite vane still feeds its reference value to both computers. The background programming annunciated an AofA mismatch but it may have been masked depending on software versions and somebody clashing it as an option for a while. The program should have been able to detect a few things. 1) an impossible out of range value and prevent actuation. You cannot possibly expect the alpha value post bird strike to be flyable. 2) there should have been a lookup between left and right value for correlation and a disagree value. Exceeding that value should have inopped MCAS and given you a speed trim fail. Your assertion that parking 2 encoders on 1 shaft creates a single point of failure isn’t valid. The software was the issue not the hardware feeding the data.
I’m wondering if we might come upon a mutually agreed name for the Boeing *MCAS system that was actually implemented* at the time of the Lion Air 737MAX and Ethiopian 737MAX crashes, as an aid in clarity, and to hopefully avoid various obfuscations.
Any suggestions ?
Vincent
MCAS works fine.
I have always put it as MCAS 1.0, clearly tells you which version and often it’s the beta version of software that gets fixed.
Failure to read posts? If I comment on a post I read it.
Tragically a lot of people were killed before it was tamed.
It’s a tragedy it got put into MAX, but once in FAA is not going to allow it removed, ergo the re-write and they made sure it would never raise its ugly head again.
@ Vincent
How about “actual MCAS”…?
As opposed to the “paper MCAS” that’s being used above as a smokescreen?
And of course you’re correct in pointing out that “actual MCAS” relied on just one sensor — for example, this FAA report makes it abundantly clear (see, for example, the first line of the table on page 7):
https://www.faa.gov/sites/faa.gov/files/2022-08/737_RTS_Summary.pdf
However, with the new administration, new BA CEO, new NPA proposed deal between the DoJ and BA (not yet green-lighted by the court in Texas), etc., there is a new pilot-blaming narrative being re-pushed.
P.s. It’s good to note that the revised MCAS still doesn’t even have an off switch!
It’s possible to “disable” MCAS — by switching off the electric stabilizer trim — but that, de facto, entails loss of the electric stabilizer trim, as opposed to only switching MCAS itself off.
An analogy: rather than switching off the ceiling light in your kitchen, you go to the fusebox and pull out some fuses — which certainly causes the light to go out, but also causes other appliances to lose functionality.
Just a small example of how MCAS is still a highly amateuristic system 🙈
Abalone — Please Stop. This post is loaded with inaccuracy. There is no need to post misinformation here, it contributes nothing to the discussion.
But it’s an example of the escalation that occurs whenever the truth is established here. Above all things, the true narrative must not be allowed to stand in the face of propaganda. Or so you seem to believe.
As a supplement:
For those not willing to pore through official documents like the FAA report posted above, the following NYT article gives a dizzying elucidation of everything that fell short in the MCAS design:
“Boeing Built Deadly Assumptions Into 737 Max, Blind to a Late Design Change”
https://www.nytimes.com/2019/06/01/business/boeing-737-max-crash.html
Some choice quotes:
“A year before the plane was finished, Boeing made the system more aggressive and riskier. While the original version relied on data from at least two types of sensors, the final version used just one, leaving the system without a critical safeguard”
“But many people involved in building, testing and approving the system, known as MCAS, said they hadn’t fully understood the changes. Current and former employees at Boeing and the Federal Aviation Administration who spoke with The New York Times said they had assumed the system relied on more sensors and would rarely, if ever, activate. Based on those misguided assumptions, many made critical decisions, affecting design, certification and training.
““It doesn’t make any sense,” said a former test pilot who worked on the Max. “I wish I had the full story.””
—
“The company also played down the scope of the system to regulators. Boeing never disclosed the revamp of MCAS to Federal Aviation Administration officials involved in determining pilot training needs, according to three agency officials. When Boeing asked to remove the description of the system from the pilot’s manual, the F.A.A. agreed. As a result, most Max pilots did not know about the software until after the first crash, in October.”
—
“At first, MCAS — Maneuvering Characteristics Augmentation System — wasn’t a very risky piece of software. The system would trigger only in rare conditions, nudging down the nose of the plane to make the Max handle more smoothly during high-speed moves. And it relied on data from multiple sensors measuring the plane’s acceleration and its angle to the wind, helping to ensure that the software didn’t activate erroneously.
“Then Boeing engineers reconceived the system, expanding its role to avoid stalls in all types of situations. They allowed the software to operate throughout much more of the flight. They enabled it to aggressively push down the nose of the plane. And they used only data about the plane’s angle, removing some of the safeguards.”
—
“A test pilot who originally advocated for the expansion of the system didn’t understand how the changes affected its safety. Safety analysts said they would have acted differently if they had known it used just one sensor. Regulators didn’t conduct a formal safety assessment of the new version of MCAS.”
“The current and former employees, many of whom spoke on the condition of anonymity because of the continuing investigations, said that after the first crash, they were stunned to discover MCAS relied on a single sensor.
“That’s nuts,” said an engineer who helped design MCAS.
“I’m shocked,” said a safety analyst who scrutinized it.
“To me, it seems like somebody didn’t understand what they were doing,” said an engineer who assessed the system’s sensors.”
—
“The change meant that a single angle-of-attack sensor was the lone guard against a misfire. Although modern 737 jets have two angle-of-attack sensors, the final version of MCAS took data from just one.”
—
“The original version of MCAS could move the stabilizer — the part of the tail that controls the vertical direction of the jet — a maximum of about 0.6 degrees in about 10 seconds. The new version could move the stabilizer up to 2.5 degrees in 10 seconds.
“Test pilots aren’t responsible for dealing with the ramifications of such changes. Their job is to ensure the plane handles smoothly. Other colleagues are responsible for making the changes, and still others for assessing their impact on safety.
“Boeing declined to say whether the changes had prompted a new internal safety analysis.
—
“On March 30, 2016, Mark Forkner, the Max’s chief technical pilot, sent an email to senior F.A.A. officials with a seemingly innocuous request: Would it be O.K. to remove MCAS from the pilot’s manual?
“The officials, who helped determine pilot training needs, had been briefed on the original version of MCAS months earlier. Mr. Forkner and Boeing never mentioned to them that MCAS was in the midst of an overhaul, according to the three F.A.A. officials.
“Under the impression that the system was relatively benign and rarely used, the F.A.A. eventually approved Mr. Forkner’s request, the three officials said.”
Just to clarify, Mr Forkner committed fraud, for which Boeing as his employer was responsible.
But the evidence against him was in private text messages, concealed from Boeing and his superiors. Thus as stated in the Boeing DPA, Boeing management was not aware of the fraud. And the charges against Boeing are now being dropped as part of that DPA settlement.
These posts are made over and over again, always without the full context, but the facts don’t change in the meantime. Repetition is not itself evidence.
@Rob: Forkner was found Not Guilty by a jury in a federal court trial.
Agreed, the DoJ could not secure a conviction. Juries are reluctant to hold employees accountable for corporate actions.
Similarly the engineers who declared the well sealed in the Deepwater Horizon incident were acquitted, except for one plea bargained misdemeanor charge of pollution.
Agreed.
Some weird stuff went on with the MAX and Forkner hire to that position was one of them.
ABALONE wrote
MCAS still doesn’t even have an off switch!
It’s possible to “disable” MCAS — by switching off the electric stabilizer trim — but that, de facto, entails loss of the electric stabilizer trim, as opposed to only switching MCAS itself off.
MCAS cannot perform its task of keeping the 737MAX flying in a certifiable condition if it has an off switch. Your proclamation that it STILL doesn’t have one and calling it “Just a small example of how MCAS is still a highly amateuristic system” indicates you don’t know what you don’t know. Your assertion that an off switch actually lines up with my waiver thinking. Certification required MCAS to patch the stickforce gradient issue. That fix needs to be in place any time the airplane is flying. Your supposed off switch would allow the crew to select “UNCERTIFICATED” because that’s the outcome of turning MCAS off. MCAS is not “Disabled” by turning off the trim motors switches. It’s still running because it’s a subroutine of Speed Trim, and it’s either on or failed. If it fails, and there are many modes of failure, one response is to switch off the trim motors IF NEEDED to address a failure. Your concentration on the lack of an MCAS off switch and proclaiming how amateurish that makes the system is actually your silent admission that you haven’t got a clue about the system requirements of actual function of MCAS and you’re just slinging mud for fun or whatever gain you receive……
Stick to facts, they work better for you.
Only pilots of the 737 Classic era would have known the roller coaster method which is not “in U.S. pilot manuals for decades, and pilots today are not typically trained on it.”
I don’t believe anyone who has followed the twin MAX crashes can say with a straight face that the pilots are at fault. It’s insane here and other sites on the net there’s a recent flood of misinformation popping up.
How much was pilot error a factor in the Boeing 737 MAX crashes?
https://www.seattletimes.com/business/boeing-aerospace/how-much-was-pilot-error-a-factor-in-the-boeing-737-max-crashes/
Pedro, everyone has said with a straight face that the crew contributed to the MAX accidents. After 5 years it’s no longer a matter of speculation, it’s a matter of the documented record.
The BEA stated formally that even without MCAS, there was a substantial risk of an accident, based on crew response to the failed AoA sensor alone. The aircraft over-speeded and was likely over-stressed by the failure to reduce throttle after takeoff.
This forum is actually one of the last bastions I’ve seen, of trying to claim otherwise. It’s verging on a conspiracy theory when the record is so abundantly clear.
@ Pedro
As I posted above, there’s a new drive to try to pin the MAX crashes on the pilots, as part of Boeing’s “turning the corner” re-birth narrative.
It falls into the same category as book burnings, Tylenol-tarring, climate change denial, etc. — might receive some following in a particular country, but zero traction in the rest of the world 🙈
This is a false allegation made to protect and distract from the false narrative that underlies it. Which is a classic tactic, but ineffective.
There is no “new drive”, there is only the established record which some here won’t accept. But as stated so many times, denial is not evidence.
Unfortunate but as I did see Scott’s directive, have to terminate it in regards to MCAS.
I will say from some truly life or death experience, reactions in any emergency are a factor of the individual as well as their experience.
Maybe it was WWII that they could teach almost anyone to fly, but too much was left as opinions on how pilots react and not any science (the infamous backup warning systems on equipment)
OSHA mandated steel toes (and later composite) but toes are only involved in 15% of foot injuries.
Cases of where the steel toe was smashed and cut the toes off.
My worst hits have been on the side of my foot and in my case I wore ankle or higher boots that saved the side of the foot. Not required.
If I put lines in the sand, first would be tests to weed out pilots who simply are not mentally capable of responding to emergencies and the other would be use the human factors research and apply systems that work.
Everyone:
This post is not about relitigating MCAS. Enough. Return to the topics of this post, or I will close comments.
Hamilton
Scott.
THANK GOD
NOW we can talk about the inevitable outcome of Concurrent development. The creation of multiple new aircraft that require incorporation of changes to get the aircraft’s Built Record to match the Certification ABR. This process is called Change Incorp. In the case of the 777x, there are a number of units sitting in inventory awaiting delivery. Knowing the process, I would hang my hat on the fact that there are literally hundreds of minor and perhaps a few significant changes needed to each airplane’s ABR to get it into a deliverable state. This is an artifact of the somewhat iterative process of building the airplane and finding things that don’t fit or are otherwise problematic. You have a choice, continue to build it and correct all the open items in change incorporate, or stop building until the fix is ready….. Nobody in their right mind would stop and wait for every correction to be made when found because you never get to fly a cert program that way. You address what must be addressed when found, the big stuff, and you defer corrections of minor issues to change incorporate. This also means that the inventory birds all require different levels of rework of different things as none of them are probably alike. This has been going on for multiple programs at multiple companies and for some reason gets glossed over a lot.
Yes, and also is nothing out of the ordinary. Bjorn’s series is taking a look at the process planning that can minimize these events, but they will always occur, to some extent.
If you end up with mostly minor changes, you’ve had a successful development cycle. But you will never have none, and it’s perfectly normal to have a small inventory of initial aircraft requiring rework at certification.
Rob.
This is exactly why it’s no terribly big deal to see the 777Xs in inventory. The quantity is sub optimal but the existence of the aircraft themselves shows the change incorp process is alive and well…..
I would amend that to it works with certain well understood aspects and commercial aircraft done by the same company would be one of those.
How many 787s were built with that sub standard wing box? Or the non conformity of the -8 with the -9 and -10. As I recall Leeham has it at under 20% (that may have changed a bit when they went to a common rear fuselage). That is massive changes between the -8 and -9. I would say it failed on a new production materials and or method.
F-35 and Ford have undergone extensive changes.
One difference is whether the changes are planned or unplanned.
The F-35 and Ford-class carriers were designed to incorporate changes across production lots.
The 787 much less so, that’s the kind of program that could have benefited from Bjorn’s series.
I wonder if any BA’s reach forward losses cover a new generation of “terrible teens”.
The F-35 and the Ford ofc mark the time when it all started to go down hill.
The Ford class is an example of having to establish new metrics for new technologies. The linear energy delivery systems for the catapults, arrestors, and elevators have entirely different characteristics and failure modes than the systems they replaced. So evaluating them by older standards was not accurate or effective, as the Navy learned.
For example, steam catapults can fail with a “cold shot” where the system doesn’t have enough energy to launch the aircraft. Since the consequences of launching an aircraft into the ocean are dire, the metrics required an extremely high reliability. As well as that failure in a steam system might take it out of service for a few days for inspection and repair.
With the electronic catapult, the energy in the system can be precisely measured, so there are no cold shots. The system won’t launch without sufficient energy, but it may require a reset of the charge cycle first, which might take a few minutes. But you can tolerate much more frequent electronic reset events, than you could inspection events with a steam system. The arrestors were similar. There’s a learning curve involved in identifying new defining metrics.
With the elevators, the issue was achieving high accelerations combined with precise stop positioning, with very large mass loads. The earlier hydraulic systems utilized precise manual valving (like construction equipment), but the electronic systems are fully automatic. They have to sense the load and calculate the accel and decel ramps to optimize travel time, while arriving at a precise stop. Overshoot or undershoot are unacceptable for unloading, even if correctable. It took some experience and rethinking to get that performance reliably. But they are much faster and much safer for the crews than hydraulics.
@ Pedro
The 777Xs out in the parking lot will cost a fortune to upgrade and de-mothball (more man hours than needed for the initial manufacture), and will have to be heavily discounted, seeing as they’re far from new (you order new — you expect new). That’s going to be interesting.
We saw the same with the MAX inventory.
On the Ford:
“How the World’s Greatest Aircraft Carrier Became a $13 Billion Fiasco”
https://www.popularmechanics.com/military/a38941815/how-the-uss-gerald-r-ford-became-a-dollar13-billion-fiasco/
Dozens of articles on the failings of the F35, of course.
It is, indeed, interesting to ask what has gone wrong in a particular country’s commercial aviation and military-industrial complexes, and why…
Well, this is the usual modus operandi of response.
Refuse the factual engineering context and understanding that is provided, and instead search for an Internet article that can be selected as a form of confirmation bias, to avoid the factual evidence that was presented. Which you have neither countered nor refuted.
At least you are consistent, I’ll give you that. 🙂
Notably both the Ford and the F-35 are in active service and performing well, despite the deficiencies in their development programs.
That final evidence undoes your selection of negative articles, but I realize that’s not your objective or your agenda.
“..will have to be heavily discounted, seeing as they’re far from new (you order new — you expect new)”
What’s the definition of “new”? How long does a product have to stay in inventory before it is “old”? What’s the shelf life of a new airplane?
These planes which have had extended stays in the parking lot have been maintained during that time. You could argue that they have been tested more thoroughly than “factory fresh” planes. And they have accumulated very few hours. These are essentially “new” airplanes, not “seconds” or substandard builds like the early 787s.
I would expect that Boeing could offer discounts for these planes, but only if they have trouble moving them out of inventory otherwise.
New is simply an aircraft that has not been delivered.
You could buy a new vehicle that sat on a lot for 5 years and in theory still be treated as new (warranty by the mfg). Mfg might have a policy negating that, but its theory, a dealer is going to get rid of a newer build vehicle one way or the other.
Machinery that has not been in service also ages. Partly it depends on the climate. Heat can dry gaskets and seals out, failure to rotate machinery will leave surface low or non lubricated.
As long as Boeing provides the warranty, they will sell as new. Or they can offer a discount and or lower warranty for a lower price. Not the same as a discount as a calc on what the warranty period normally costs (average) and removing those costs.
It’s really up to Boeing and an Airline how they work things out. FAA only plays a role if they do the certification and that is based on meeting the tech specs.
If there are time maint items those too would have to be performed before delivery.
It’s no longer an issue, the stored aircraft, both MAX and 787 have been through their process to service reliable and if they have not moved into service they will soon.
777X that have been completed will follow the same process.
Separate aspect is any compensation for delay in delivery and what the contract says is on Boeing and what is not. In the end it winds up as a package though that may apply to a number of aircraft.
There is a significant difference in an aircraft stored but maintained and one that is just stored or worse, just parked.
We saw a 757 try to fly to Asia for Freight conversion. It had been parked in Florida for years and no maint. FedEx did the maint but it had deteriorated in that climate (hot, humid and some degree of salt in the air). It got as far as Anchorage as I believe it tried for Asia flight 4 or 5 times. Something required broke after take off. They sent it back to the lower 48 to be converted there.
Keep in mind it was not a new aircraft so it had a lot of service time as well as no maint and sitting in a bad area (there is a reason they like desert for storage, it may be hot but it’s dry and no salt).
Moses Lake being on the East side of the Sierra tends to dry. Victorville tends to dry. Everett or Renton do not.
I have started equipment that has sat for 20 years and it does just fine. Of course I did the maint on it first and then re-did it after a short run (oil, filters, grease). We tend to cold and drier so not a bad place to have stuff parked.
It should be clear that the F-35 has a dismal availability rate. Less than 60%
The Ford seems to have worked out the EMALs and arrestor system and they re-cut the passages to allow the munition elevators to go from bottom to top.
@TW, the main reasons behind the F-35 availability are well known.
The first is F-135 engine maintenance availability, which is lower than desired, for two reasons:
— the F-135 has to deliver more compressor bleed air than anticipated for power and cooling of the F-35 radar and avionics. This consumes engine life faster and so the maintenance frequency is increased.
— the F-35 program had diverted funds from maintenance depot standup, to fund purchasing more aircraft than were requested by the services, among other priorities in the program. That worked initially when the fleet was young, but now that the fleet is in the regular maintenance cycle, there are not enough facilities, so aircraft have a backlog. The JPO has been standing up facilities at the rate of 1 or 2 per year, but some backlog remains. Also the services have been backfilling those aircraft with new units coming off the line. Which again works when Congress orders more aircraft than requested, but will fail as production slows later in the program.
The other reason is aircraft surface maintenance. The F-35 requires specialized surface coatings for full stealth capability. So in many cases the aircraft are flying but with degraded stealth, which is recorded as partial mission capability.
This is a common feature of all stealth aircraft. They all have reduced full mission capability rates because of surface maintenance. The F-35 is better than the F-117, the F-22, and the B-2, in this regard.
ABALONE.
I have had the pleasure of writing and supervising the authoring of Change Incorp planning all the way back to the MD83 in Long Beach. Your assertion that the work packages will take more labor hours than assembling the aircraft is laughable. Change incorp is a scheduled process where the decision to install an MRB fix to the airplane or wait for a change incorp window defaults to MRB action for all tags except when repair parts must be acquired. In those cases, the make buy team gives us an availability date and we schedule the RandR events needed in the correct control code with the correct planning paper to do the job. The biggest basket case I’ve had to work on sucked up about 4200 man hours. Change incorp airplanes in my experience didn’t get discounted because the customers are watching all the MRB decisions we make and sign off on them. They are free to insert custinsp points into the planning as they wished.
Your assertion that they are not new is also not technically correct. Aircraft age is measured by the consumption of its designed fatigue life. That is measured in flight hours. If you contract to deliver to a customer a vehicle that misses its delivery date by unit time, that has no effect on the Fatigue life of the vehicle. There are items on the airplane with calendar lives, but the vast bulk of those are things like fire extinguishers, seat belts, slide packs, O2 bottles and a host of other small things that are for the most part BFE, Buyer Furnished Equipment. When that kind of stuff is hung up by late deliveries, the owner is free to reallocate it back to his fleet for use, he owns it after all. A few large aircraft items have calendar service intervals, specifically Landing Gear and Brakes. The component manufacturers set up overhaul intervals in months and years. Last time I looked the 767 main gear legs came out every 5 years. These parts all have their own logbooks issued to the serialized components, not the aircraft, they are listed on the aircraft’s equipment list for tracking. This is a dynamic listing that the user’s maintenance department oversees. The reason for calendar life is that usage cannot be easily recorded as weights of each flight, go arounds, rejected takeoffs and such are difficult to easily track in the fleet environment. Those components age starting with their placed into service date in their logbook, and the manufacturer or delegate dates them at delivery.
The end result of this is that the aircraft as delivered is new, it retains its maximum available fatigue life hours, and maximum calendar rated major component intervals. This is why nobody is concerned about how long preserved components are stored before use.
The only reason you can point to the MAX parking lot as being different was that the customer cross-section changed as a number of airlines ceased operations and foreign governments stopped import approvals. There were discounts associated then, but even at that, all those aircraft were delivered as zero time.
Fatigue life is so important that the production line is actively measured for crane landing speeds because large uncushioned impulse loads can take fatigue life out of the vehicle. It’s so critical that the railroads run accelerometer equipped survey cars over the tracks the fuselages take from Wichita. The trains are allowed only on surveyed and monitored tracks and 1 path is currently approved.
ALSO Take note that I have never said, or mentioned, that late airplanes delivered by Airbus are anything other than new because I know the facts. I also never speak of Airbus suffering a worldwide product grounding in 2012 that didn’t get the whole fleet back into service until 2015. We could, but it serves no purpose except to excite the jingoistic folks here.
That last point is especially well taken.
There is no value obtained in going after Airbus for AD’s, flaws, and flight incidents, because they aren’t representative of the quality of the Airbus fleet at large.
They are mostly representative of the normal addressing of safety concerns that arise in a working fleet. Which is a net positive for air safety, not a negative.
The same can be said for Boeing, so it would be nice if the commentary here could be free of those aspects.
Criticism, sure, but within the representative working context.
Pedro.
Well thank God you are wondering about that, because it keeps you away from discussions based on facts and data.
Cheers
https://www.stuff.co.nz/travel/news/111385127/scrutiny-on-sensors-after-boeing-737-max-crashes
“In 2014, Lufthansa Flight 1829 took off from Bilbao, Spain, and was ascending normally when the plane’s nose unexpectedly dropped. The plane – an Airbus A321 with 109 passengers on board – began to fall. The co-pilot tried to raise the nose with his controls. The plane pointed down even further. He tried again. Nothing, according to a report by German investigators.
As the Lufthansa plane fell from 31,000 feet, the captain pulled back on his stick as hard as he could. The nose finally responded. But he struggled to hold the plane level.
A call to a ground crew determined that the plane’s angle-of-attack sensors – which detect whether the wings have enough lift to keep flying – must have been malfunctioning, causing the Airbus’s anti-stall software to force the plane’s nose down. The pilots turned off the problematic unit and continued the flight.”
“Aviation authorities in Europe and the United States eventually ordered the replacement of angle-of-attack sensors on many Airbus models.”
In addition, following the MAX accidents, Airbus conducted a review of their own pitch augmentation system, and found a problem that could lead to excessive pitch that would be beyond crew control.
This resulted in brief restrictions on aft passenger seating on the A321, until Airbus could roll out a software patch.
I mention this not in criticism of Airbus. Indeed, I rather laud their safety culture, that the MAX accidents prompted them to check whether similar issues might exist on their aircraft. This is the way.
But as with Duke’s post above, it highlights that unforeseen issues arise for both manufacturers, and little is achieved by criticism which doesn’t consider that full context.
https://viewfromthewing.com/airbus-a321neo-has-a-problem-similar-to-what-led-boeing-to-install-mcas-on-the-max/
Of course they should find the root cause of the problem after a serious incident where a plane nearly crashed because of an AOA fault. However the later incident shows there are still discrepancies.
Just goes to show even having 3 AOA sensors and FBW doesn’t make a plane ‘safer’- especially not of the old A320/321 heritage, nor was training adequate as they had to check with ground maintenance on ‘what to do’
This is a deeper description of control problems on LH 1829
https://asn.flightsafety.org/wikibase/171411
‘When the crew disengaged the autopilot at 08:03, AlphaProt became active. AlphaProt protects the aircraft from an excessive angle of attack. Depending on the Mach number and angle of attack (as reported by the AOA sensors), the AlphaProt can activate. In this case the aircraft was flying at Mach 0.675 and the AlphaProt limit was 4.2°. Since the AOA sensors incorrectly reported a value of 4.5°, AlphaProt activated. AlphaProt disabled the (manual) trim and lowered the airplane’s pitch. The third AOA sensor, operating correctly, now started showing conflicting values, and the flight computer disregarded this value as incorrect since it was programmed to consider two similar values as the correct values.’
‘AlphaProt’ sounds like MCAS under a different name
All aircraft that employ pitch augmentation have an MCAS-like function. And I don’t know any modern aircraft that don’t have pitch augmentation.
This point was established here 5 years ago by engineers working in the field.
The thing that made the 737 MAX distinct was adding it via a separate system like MCAS, which was a modification of the existing speed trim system. Most of the others are fully integrated into control law.
I know it’s going off track per Scott but will plead that I was led astray by others!
Going on the last part, I don’t see any single flight computer segment as more integrated than any other.
It’s all lines of code, with jump directives to other lines as certain conditions are met or are not. In the case of Boeing (avoiding that M word) it was installed and referenced in the Speed Trim area.
The bad aspect was not what they put in but how they triggered it with a single fallible input. Any time you change a code area, it should trigger a review. Not any different than the door plug blow out, only as good as people complying with the system.
As for LH flight, there looks to be some serious holes in what happened.
They had to have gotten alerts on AOA disagreement. Why the auto pilot would hold in and it activate after its turned off makes no sense. Usually (AF447) its the auto pilot that bails first.
The point worth keeping in mind, 3 AOAs are not redundant. They can and do have common points of failure.
Ergo, the synthetic AOA and speed is how it should be, not another vane that can be failed in a number of ways.
This also gets into you have that wonderful logic, until suddenly you do not. If nothing changed, aircraft should continue as was and put out the alerts be it EICAS or a MAX/NG setup.
Any flight change is going to be reflected in the VSI, speed and altitude instruments. It’s the basis of instrument flying, scanning and checking them off against each other and eliminate a failed one if it’s wrong.
Rob,
Respectfully, no.
Control laws assume a measure of automation that allows programming. Not all aircraft are suitably automated. The F4 Phantom for example, going back into my personal way back machine, has a completely separate sensor set and hydraulic package to do STAB AUG. In fact, that’s what it’s called, STAB AUG, a separate standalone unit. Saying something has an MCAS-like function is easily misinterpreted as the 737MAX version where a repeated down trim action was its output. Swept wing aircraft suffer from center of pressure changes with speed, and a speed trim compensation must occur to keep the pitch moments in check to maintain controllability. Mach trim is somewhat the same, but it is limited to those changes that occur in the transonic/supersonic flow range. Both are required for swept wing aircraft that fly in portion of the envelope.
I’m sorry to sound nitpicky, but use of the nomenclature MCAS will potentially cloud the fact that it’s actually called many things in many places. You won’t actually find it in any fly-by-wire system, except when you look into the code itself because in those aircraft, it’s seamless and not discretely named. Airbus doesn’t use MCAS, it’s just doing the same tasks namelessly inside its control laws. These are fine points perhaps, but some here are unable to rationally parse such things.
Have a great day
And in a different program, this is how it can get shoehorned into the system. It would not be allowed to fly into any country that agreed. For sure not to Europe or a number of African countries. It would get public exposure to how China handles it with support, reliability etc. An incident would be a nightmare to investigate but if the AHJ does not care? Nepal comes to mind.
https://barristerng.com/nigeria-considers-approving-chinas-c919-jets-for-local-airlines-as-an-alternative-to-boeing-and-airbus/
When I first hired into Boeing in 1985, we were just beginning to implement desktop computers. We relied solely upon dot-matrix printers and all coordination sheets and memos were typed up by our office administrators. We’d pass along the draft memo to the OA and we’d get to make mark-ups on the initial draft after routing it through management for review. The OA let us know that mark-ups after the initial first round of comments were not acceptable. Trust me that you don’t want to cross your OA. There were incentives for first-pass quality.
Similarly when we were working with mylar or even CAD assisted design, we’d get one look at a layout and all comments were reflected on that layout. You’d get one shot at incorporating comments and after that you’d need to live with your decisions.
Thirty-five years later when we were working only with Model Based Systems Engineering (MBSE) datasets, we would make a lot of dumb mistakes that would have been caught on paper/mylar drawings.
I saw it time and time again that the digital world where revisions can be made easily results in needless churn where reviews aren’t as thorough as they could be. There is an acceptance that one can always go back later. This applies not only to engineering datasets, but also to memos and coordinating sheets, PowerPoint presentations that percolate up through chains of management, certification documents, etc. It is really difficult to convince someone to accept “good enough” when changes can be so easily made.
So just a word of caution that the allure of a highly integrated single source of data is not going to be a panacea. There is the human element that needs to be considered as well in how to work with that technology.
Comments are closed.
Despite my post that this column is not about re-litigating the MCAS, readers insist on continuing this debate. Then we get to automobiles, aircraft carriers and the F35.
When will you people learn?
Hamilton