Boeing’s Updated MCAS Software
Yesterday, Boeing announced that it had completed its update of the MCAS software which was now with the FAA for certification. This seems like a good time to bump the conversation back to the front page, as there’s been some very interesting issues and articles posted into the comments of the previous articles.
First of all, let’s look at the software update. Boeing have aimed to provide additional layers of protection when the AoA sensors are giving bad data, which appears to have been the case in the two fatal 737-Max crashes.
Boeing: 737 MAX SOFTWARE UPDATE
The additional layers of protection include:
Flight control system will now compare inputs from both AOA sensors. If the sensors disagree by 5.5 degrees or more with the flaps retracted, MCAS will not activate. An indicator on the flight deck display will alert the pilots. If MCAS is activated in non-normal conditions, it will only provide one input for each elevated AOA event. There are no known or envisioned failure conditions where MCAS will provide multiple inputs. MCAS can never command more stabilizer input than can be counteracted by the flight crew pulling back on the column. The pilots will continue to always have the ability to override MCAS and manually control the airplane.
These updates reduce the crew’s workload in non-normal flight situations and prevent erroneous data from causing MCAS activation.
In addition to the news, the BBC have published a long piece about the fatal 737-Max crashes. It’s aimed at a mainstream audience without the experience that most of us have, but it’s worth reading, I think: What went wrong inside Boeing’s cockpit?
Going back to the comment thread, I’d like to call out some of the specific links that have been posted.
Danni posted Six Minutes to Disaster: How Ethiopian Air’s Pilots Battled the Boeing 737 Max and asked if anyone could shed light on the effect of the airspeed on the acciddents.
Andy commented on how it just keeps getting worse for Boeing along with this link: Boeing altered key switches in 737 MAX cockpit, limiting ability to shut off MCAS
Mendel got caught in the spam trap (sorry again) with a piece by Marcel van den Berg about the design change, specifically numbers 28 and 29 on his list: Overview of many failures by Boeing in designing the Boeing 737 MAX. He also posted this article by Jon Ostrower which sheds some light on why they couldn’t use the manual trim: Vestigial design issue clouds 737 Max crash investigations.
I’m sure this will be in the news for quite some time to come, especially with predictions that the Boeing 737 Max might be back in the air by the end of the month. Feel free to keep the conversation going here; I’m very much enjoying the articles and insights and I’m sure other readers are too.
All the changes described in the Boeing announcement seem very sensible:
* one shot trim (no repeated action)
* no trim beyond that which can be corrected by pulling back on column
* take input from both AoA sensors, disable MCAS if excessive difference and alert.
It’s just a shame that so many people had to die before these changes were made, and that Boeing still seem to be in denial that the current/old behaviour was the central factor in why two airworthy plane hit the ground.
One suspects that the legal case will ultimately trump Boeing’s continued assertions that the plane were already “safe”, and that these changes just make them “even safer”.
One also has to question whether other countries will take FAA approval at face value, or insist on their own analysis. I particularly wonder whether there are going to be objections to the underlying pitch-up/stall problem which the MCAS system was supposed to be preventing.
What I find disturbing is that the MCAS could apparently not be overridden by the pilots. In my flying days it was mandatory that the autopilot would switch off if the pilots’ were countermanding it and the input would exceed a certain value.
I still think that Boeing may have continued developig the 737 to and beyond a stage where it actually diverted from the original design to the point that it actually should have been given a new type identification.
Of course, that would require pilots to go through a complete type rating course and the engineering department would have to comply as well with maintenance procedures and training at the introduction of a new type.
This would add a lot of cost to the airlines.
I have the feeling that Boeing was cutting corners. Perhaps the aircraft is safe, but the crew may not have been trained to proper standards.
A quick “differences course” was probably all that was required.
And how drastic are the software upgrades? Is the announcement by Boeing exaggerating the changes in order to reassure the public?
Maybe I am wrong, and I certainly hope so.
Boeing has over the years built a reputation of building superb aircraft. So does Airbus. The one positive aspect of these sad events is that the aircraft industry always takes the lessons from accidents seriously.
Colinto wrote above that “It’s just a shame that so many people had to die before these changes were made, and that Boeing still seem to be in denial that the current/old behaviour was the central factor in why two airworthy plane hit the ground.”
If there’s one thing my own interest in air safety (including Sylvia’s books) has taught me, it’s that each of the incremental improvements that have combined to make commercial air travel as safe as it is today is a story written in spilled blood and twisted metal. It’s always tragic when a plane crashes and lives are lost. I definitely don’t want to minimize that. And yet…and yet, each crash has taught us how to make the planes and the systems that the humans use to operate them more resilient and more reliable and more safe.
I hope this pair of accidents drives learning and evolution and change: In how the 737 MAX’s systems function, in how its pilots are trained, in how aircraft manufacturers design iterative changes to their planes, in how our regulatory agencies oversee and certify that change. I hope the lessons of these crashes aren’t wasted, for that would be an even worse tragedy.
Absolutely agree – The crash review process (and subsequent actions) is undoubtedly what makes air travel as safe as it is. It’s a shame the approach isn’t more widely applied, in particular to the medical world.
I am looking at the Boing page and note that there is still no way to turn MCAS off manually (without turning off electric trim as well), all they have is the promise “now it’ll turn off automatically when you’d want to turn it off”. Which means they’re still using the same regulatory loophole that requires you can’t accidentally flip a switch and have the plane respond outside “normal” behaviour when near stalling (because if that was possible, pilots would have to be trained for it). It seems that is why they eliminated that possibility by design (no more yoke jerk or cutout switch).
They also say this: “Crew procedures and training for safe and efficient operation of the airplane are focused around airplane roll and pitch attitude, altitude, heading and vertical speed, all of which are integrated on the primary flight display.” They imply that that’s all you need to fly the plane safely. Now I’m not a pilot at all, but how could they not mention air speed on that list?
And then they go on to write, “There are no pilot actions or procedures during flight which require knowledge of angle of attack.” So stalling is not something pilots need to worry about during flight? What is MCAS even for, then? Why is there a stick shaker? It’s true that AoA is not a traditional instrument, but I think mentally it is always in a pilot’s mind when thinking about stalling. That, and air speed.
P.S.: The spam filter is another example of an automated system not doing what you’d want it to do. I expected that using an established username/email combo would get my comment with the links at least into the moderation queue, but apparently it didn’t work that way. (It’s not your fault, Sylvia!) Happily, here it can’t cause injury or death.
I am “old school”, retired from flying 11 years ago.
I am also confused.
Yes, I agree with Tammy, and others, that when it comes to analysing accidents and learning from them, the aviation industry has no equal. Full stop, period.
But, to put is as simply as I can, this is what I think:
Boeing has a winner, the 737. The staple short- to medium distance jet airliner that everyone knows. Probably the most successful type ever.
It has been very reliable and built a very good record as a safe aircraft.
One landed safely, even with a large portion of the roof forward of the wings blown off. The cause was due to several unforeseen factors that did not really dent Boeing’s reputation.
So it must be very tempting for Boeing to keep updating the 737. It makes commercial sense, like crew training, and gives the travelling public that warm feeling that they are flying in an aircraft with a long-standing safety record, the 737 goes back more than 40 years.
But what happened recently does not fit in with the enviable record of the 737, so what happened? No, I do not know. Here is the way I see it:
The latest version, the “Max” deviates substantially from the original, even if it still is called the “737”.
But the design upgrades have affected the aerodynamics, to the extent that in a normal climb the aircraft can get out of control and stall.
Boeing has put a “patch job” on this design flaw by introducing MCAS.
The aircraft apparently can become so unstable that electronics have been designed and installed that will take over from the pilots.
And to make matters worse, this system seems to have been designed hastily. As a result, no proper training procedures have been formulated and, anyway, if MCAS malfunctions there is nothing th pilots can do. They cannot disconnect MCAS and they cannot override it.
Now Boeing announced a “fix”, a software upgrade.
Will it be enough? Mendel’s comments make me a bit nervous to be frank. Time will tell. But I am glad that I was a proper pilot, not a systems monitor.
Way. way off topic here. Concorde was developed by the UK and France before I was born. It first flew the year that I was born. And man landed on the moon that same year. Some say that Concorde was the greater achievement. Then the F14 flew (best ever) and the space shuttle had it’s first flight with Crippen and Young in 81. Now what do we have ? Software in a 1967 jetliner. Who put the bean-counters in charge? Sir Anthony Wedgwood Benn put Concorde in the sky, the same as others had to do with similar great aircraft in those days. (not forgetting Kelly Johnson’s achievements obviously). We’re all lost now aren’t we?
The BBC article linked by Sylvia has a nice comparison picture after this: “Look at a photo of one of the early 737s, and you’ll see that the engine is a slim, cigar shape mounted directly beneath the wing.” The issue is that the 737max has changed from that “1967 jetliner” that the 737 once was, and the MCAS is there to make the FAA believe it hasn’t changed that much. The “beancounters” at Boeing have bet the company on that.
If the 737 was still in its 1967 shape, it wouldn’t need software, but then it wouldn’t sell, either, for noise and fuel efficiency reasons, not to mention safety. Great leaps in aircraft design stand out, but small improvements also accumulate to make older designs obsolete.
On a related note, in downtown San Francisco are now two disastrous failures of design and materials. One is the infamous Millennial Tower, a 45 storey tower of condos, which is both sinking some foot and a half so far into the mud, and is leaning about the same amount to one side. The other is the neighboring Transbay Terminal, which was open for two days until huge cracks were discovered in the supporting girders. An easy view from both sites gives us the suspension portion of the Oakland East Bay bridge, which was built in the 1930’s (on time and on budget) which has not given anyone any trouble in the intervening 80+ years.
I don’t think what you say is off-topic at all. Once upon a time we could build airplanes and space shuttles which could navigate space, and buildings and bridges which would last several lifetimes. Now we have the Leaning Tower of San Francisco, which started leaning before it was even finished, and the mothballed Transit Terminal which was open for two days. And the 737 MAX software patch.
In Germany there’s an entire airport which is by now more or less delayed longer than it was supposed to take to build it in the first place.
Fire protection regulations were not met. And now the list of problems is getting longer than the list of satirical jokes left which could be made about it…
What still baffles me about this entire MCAS story is one question:
If MCAS was a dedicated hardware box, how could it be approved airworthy without being able to read and compare both AoA sensors? And if it was a software solution running inside the plane’s flight computers, why on earth didn’t they use both/all sensor data available in the first place?
Could anyone more fluent in modern avionics be of help here?
To design an airplane which could go into stall by simply pushing the throttles forward IMHO is a questionable decision in the first place (and I’d rather not fly a plane which is designed that way), but apparently the design of the electronic solution to an aerodynamic problem already looks broken to me as an interested layman passenger. And I think that should worry the professionals.
Marcel,
Those slim engines were low bypass jets.
The current engines are (very) high bypass, but that does not necessarily change the aircraft all that much. Not by itself.
What is “bypass”?
The original jet engines sucked in a lot of air, compressed it, added fuel and ignited it in the combustion chambers.
Next, the air that had become very, very hot (naturally) was spat out at the back.
It drove a turbine which had the purpose of driving a compressor to suck in a lot of air, etc.
The relatively narrow stream of exhaust gas had a very high speed when it left the engine. That caused a difference in the internal engine pressure: Very high to the front, little or nothing to the back, so the engine – attached to an aircraft of course – was pushed forward. Action = reaction.
So far so good.
But there were a few disadvantages:
The very high speed hot air mixed with the much lower speed outside air, causing a lot of turbulence that was audible. Very audible, a very high level of noise.
The other problem was that very high speed of the stream of hot exhaust gas, much higher than the speed of sound, a few times higher in fact.
The aircraft could not fly that fast and that, in turn, caused a loss, a waste of energy. In other words: the early jet engines were very noisy and not very fuel efficient.
The engineers had a solution, called “bypass”. Part of the air was ducted around the engine. Where is formed a slower moving tube around the hot air. It cocooned the high speed air, the turbulence was reduced and with it the noise.
But also, the total speed of the exhaust gas, mixed with the bypass air, was reduced. Closer (though still a lot faster) to the speed of the aircraft. The result: A better “match”, less noise, better fuel efficiency.
With better metallurgy it became possible to produce large fans to do the job. Now most of the air is ducted around the engine. The noise is greatly reduced, the speed of the aircraft now much closer to that of the gas-cum-bypass air, therefore the fuel efficiency greatly improved. A “win-win”.
The only problem is that these engines have become very large and a crosswind landing is a bit more tricky. The engine nacelle is quite close to the ground. But most, if not all, pilots master the skills to cope with that.
The early jets had one shaft, driving the compressor by the turbine. They could be very tricky to start. The compressor could stall and valves were installed to bleed off excess air from the compressor during start. But the more modern, large engines have hollow shafts driving turbine and compressor. Sections can find their own speed equilibrium. The result is a massive boost in power output with a modest increase in fuel consumption. Ergo: it was possible to make the aircraft itself bigger.
But in order to keep the same old formula, maintain the same type, the “737”, and, not to forget, manufacturing processes – it can be prohibitively expensive to change the design e.g. of wing spars and other essential structural parts – not too much could be changed.
So it would seem that by mounting engines that are far more powerful on an airframe that still owed a lot to its 1967 forebear, an airframe that had been stretched to carry 3, 4 times its original number of passengers, some strange things happened.
It woiuld seem to me that the balance of the original design had changed. How otherwise can we explain that an aircraft can get out of control during a normal climb to the extent that an electronic, computerised system had to be designed to prevent the aircraft from stalling? A relatively simple stick shaker and stick pusher had been sufficient in older designs, why does the 737 Max need these electronic gizmos? So the design teams came up with MCAS and I still suspect that it may have been a fix that was added to the “max” late in its design phase, possibly designed in a hurry.
An AoA indicator is nothing new, it can be a great help to pilots with or without MCAS.
But two aircraft flew into the ground and, if I understand properly, the crews were unable to disconnect or override the “safety” system for which they were not even properly trained.
Now Boeing has announced a “fix”, a patch.
I just do hope that it will be enough.
People might be interested to know that Frank Whittle proposed the high bypass turbo fan design before the war. It has taken all the subsequent decades for designers, engineers and metallurgists to catch up with him!
A patch to fix a malfunctioning patch does not inspire much confidence, when judging by the performance of my PC…….. I too am glad to have been trained as a pilot and not a systems monitor. I have been a nervous flyer since the introduction of fly-by-wire.
Whittle was far ahead of his time. He had indeed worked out the basics before the technilogical ability to produce it had caught up with him.
BTW fly-by-wire is fine as long as it augments the pilots ability, not as a patch that cannot be overridden when it malfuntions.
Genuine question; did the 747-400 require crew recertification. Because I would imagine that the removal of the flight engineer would change the nature of flight crew’s work.