JPcont

GordonR_Cape

ecto1

If the feel factor on the MAX was changed, it would not be the same as the NG model, and would need a separate type certificate. That does not help anybody...

Sallyann1234

As a mere SEP driver, I tremble to post here.
But after reading this whole thread it seems to me that if an airplane design is modified to the extent that it requires automation to override the pilots' controls without informing them of its actions, that was not a wise modification to make.
As the old saying goes, "Two wrongs don't make a right".

Icarus2001

Vilters

FBW or manual control has nothing to do with these incidents.

If sensors/systems feed wrong information, to a pilot, an autopilot, an ADC, an MCAS, or whatever system, the aircraft is going down.
Some still don't get it.

The MCAS system was working PERFECTLY and did its JOB very PROUDLY and exactly "as designed to do so". .
But it got "WRONG INFORMATION" from the AOA sensors/system, and it was only fed by a single probe => That can be seen as a AOA signal concept error..

Cows getting bigger

Err, sort of agreed in that MCAS did what it was told. Allowing a single source of data to have such influence could be seen as a design flaw. But let's not ignore the fact that MCAS was necessary because there were two mighty engines slung from a 50 year-old airframe that wasn't designed for such a configuration.

There is another question - if Boeing had to include MCAS to certify the 737MAX, what other enhancements were required and, importantly, was there adequate oversight of their development?

Vilters

Tja, certification of newer models of older designs => That is another issue that goes deep, very deep.
Take a new F-16 and compare it to it original design...…
A new C-130, a new F-15, or a new B-747 . . . .

Airbubba

Really? Is that how it works?

Rob21

As soon as the pilot input is in the opposite direction (Yoke, trim or both). If the pilot is trying to raise the nose, he is pretty much certain there is not a pre-stall situation.

Ian W

There is confusion on this thread.
MCAS is not to stop the aircraft stalling - it is to ensure that the correct number of pounds of force are required on the control column per knot of airspeed increase/decrease. This may have the effect of preventing a pilot pulling into a stall (particularly a high speed stall) but MCAS was there to meet 14 CFR 25.173 which reads:

There is nothing in this regulation about Stall. It is expected that one of the effects of the specified pull forces will be pilots less likely to pull into a stall, but the regulation does not mention stalling.

ecto1

I agree, but wise programming in the receiving end will force Murphy to work harder in his sensor breaking job to be able to finally bring the plane down. It shouldn't be like this, but a human pilot software uses much more plausibility checks in his sensor inputs than a computer pilot software. So either we improve digital software or we improve information and skill in the biological software.

I agree also, but MCAS will PROUDLY and exactly "as designed to do" help to bring the aircraft down if, all sensors and systems being 100%, the pilot needs it in a real life situation.

Being it so slow to react, MCAS will leave the "maneuver characteristics" "un-augmented" in the critical first couple of seconds in which the pilot is pulling. And then, if he/she didn't pulled already into a stall because of the unfriendly maneuver characteristics, MCAS will then reduce the loading (when it is already completely unneeded), forcing the pilot to add a steady incremental pull to maintain the g's, an then it will stop doing it suddenly, testing pilot reflexes for the third time.

I wouldn't be such a proud member of the augmentation system's club if i did such a bad job of helping my pilot.

Water pilot

This is the crux of the design problem and one of the "holes in the cheese" that led to a fatal engineering decision. Computer programmers love it when they can reuse code for a different purpose; it seems elegant not to require an "off" switch for MCAS because you already have an "off" switch for the electric trim. Smart! In addition, any MCAS failure kind of sort of looks like runaway trim, so you don't have to tell pilots about it because if it misbehaves they will recognize it as a runaway trim and do the right thing automatically. I can see this argument being made in the design room by people who never actually have to deal with humans.

In retrospect, the flaws in the thinking are obvious. A faulty MCAS resembles runaway trim in the way that a slow hydraulic leak resembles a broken hydraulic hose. A faulty MCAS and a short in the electric trim do both eventually result in a fully trimmed down plane, but the way you get there and the clues that you get on the way are quite different. A runaway trim will not stop running away when the pilot clicks on the trim button and then start again five seconds later unless something fairly complex is happening electrically.

Additionally, having to turn off the entire electric trim system to disable MCAS is like having to turn off hydraulic brake assist and power steering in your car to disable a faulty autonomous driving system (especially one about which you have not told the drivers!)

So far there has been nothing to indicate that the four pilots involved in the crash were particularly unskillful. Obviously it is in Boeing's interest to appeal to ethnocentrism (bad pilots, bad maintenance) but the fact that these were practically new planes points the finger right at the manufacturer. Do we honestly think that, say, the pilots of Colgan Air would have been able to respond any more successfully to this challenge?

hans brinker

I am 100% in agreement with everything you say, MCAS should not use single input, there should have been an AOA disagree light, pilots should have been trained and informed by Boeing about MCAS, and mostly MAX/MCAS is just a bad design in general. I was more replying to the suggestion of having a button that would rapidly reset the THS, which would bring it's own set of issues, I don't have an issue with MCAS disabling itself with AOA disagree plus the pilots having a button to switch it off and keep thumb trim input working for failures MCAS doesn't recognize. I think a lot of us could have gotten into trouble with MCAS before we knew about it, what surprises me a little is the second crash.

GordonR_Cape

I think the outcomes of AF447 and TAK363 tell the opposite story! Pilots in day/VMC have a different level of information to those flying at night/IMC, or while experiencing Somatogravic Illusion.

IMO no computer software decisions should be based on assumptions about what the pilots may or may not know. And no single solution works for all eventualities.

GlobalNav

Perhaps so, but if it was designed to keep fighting the pilot who was desperately trying to regain control of the airplane, then it was designed wrong. Certainly the MCAS did not malfunction, it behaved as designed, but when it apparently received the wrong AoA value from the single input and the pilot(s) desperately sought to recover the airplane, the MCAS behaved badly, unsafely and unacceptably. It was designed wrong.

lapp

Agree with that. The post that you've quoted is referring to faulty sensor input as an unpredictable condition, coming from an extraneous device, which clearly is not the case. The entire airplane control system - the entire cockpit must be designed to maintain safety and facilitate pilot's efforts under any conceivable situation. I think that designing MCAS to trim down so aggressively is wrong on multiple levels, the first of course is that it has proved able to win over the desperate efforts the pilot(s) to keep the plane from falling, and the second is that its continued action created an uninterrupted emergency situation drawing away all attention and cold thinking needed to perform a not-so-obvious action - its disconnection.
Now, how many documented occurrences of MCAS acting for what it has been designed do we have?

Water pilot

I agree, the second crash is pretty surprising and might indicate that there is much that is not known about the problem. The pilots reported that they could not trust any instruments, so it was much more complex than the clean MCAS scenario that we have considered so far. Cascades of errors are common in the failure of software systems as the first failure can put the system outside of the testing envelope. From following this thread it looks like the MAX had a glass cockpit (screens instead of analog gauges) that the other models did not have, is that correct? I have actually done almost exactly that sort of programming and it is not as simple as it sounds.

Both planes were (according to media reports) practically brand new which should mean that they were pretty close in the production line. That is kind of a scary fact on its own.

CurtainTwitcher

This is a very fast moving thread, it is difficult to keep up with this in conjunction with the previous Lion Air one. Lots of good information came out.

It was not a "clean MCAS" scenario [take to mean an approach to aerodynamic stall] as you rightly point out.
We know from the first accident the MCAS nose down trim activation was a ONE consequence of erroneous data from an Angle Of Attack vane. The other consequences of the erroneous data were:

• IAS Disagree (airspeed is an AoA dependant value, visual warning)
• Stick shaker activation (tactile and audible warning)
• Elevator Feel Differential warning (visual)
• Almost certainly multiple other visual warnings

Note, these warnings were from lift off.

If you want to get a sense of what the crew faced, this is a 5 minute loop of the 737 stick shaker. The Lion Air crew had this for the entire 11 minutes of flight. I've posted this video multiple times to demonstrate just one of the difficulties the crew were faced with.

Particularly in the Lion Air case, when the MCAS was unknown, all the crew would be able to comprehend for the first seconds of flight is the aircraft is that the aircraft was actually still flying, and not in fact stalling. Once they came to terms with a pitch attitude and takeoff thrust set that kept them flying, it was then a case of trying to figure out what is going on. They probably understood they needed to run the airspeed unreliable checklist and felt they had things under enough control to make a safe landing.

The really insidious part is the MCAS was silently sitting there armed due to the AoA erroneous data, but inactive until the flaps were retracted. Once they retracted the flaps, MCAS became active and the fight between it and the crew began, the crew searching the checklist for a solution, not realising what was wrong. They went from being able to fly straight and level to having some weirdly inconsistent pitch issue simply by retracting the flaps. Nothing in the IAS disagree checklist cautions against moving the flap lever. There shouldn't be a connection from their system knowledge. We now know the crew tried to find a checklist to cover this problem until the end of the flight. They probably had the target attitude and thrust for straight and level flight at 5,000' as per inflight performance for unreliable airspeed, but the aircraft just kept fighting them. Remember they still had the stick shaker and all the other associated warning until the end.

Why is the Ethiopian accident different? MCAS appears to have become active very soon after takeoff, as reported by porpoising from the Tower and other aircraft on the ground. The answer as to why MCAS activation happened sooner than for Lion Air has not been publicly revealed.

safetypee

A0283

@Fceng84 and Gums – In his testimony during the US Senate Aviation Safety hearing of the 27th FAA’s Mr Elwell stated that [according to the FAA – and Boeing] MCAS was a subsystem of STS. I would be VERY interested in hearing your respective views on this statement. That from a technical functional point of view, technical implementation point of view, and from a pilot’s perspective.

If you have already answered these questions, I first have to say sorry, but hope you could point me to these answers - in which thread and in what post they were answered.