SteinarN

As i said, I had to make several assumptions, the most major assumption was at what AOA the MCAS starts, and at what AOA MCAS reaches its full travel. If MCAS starts putting in AND at 10 degrees AOA and reaches full 2,4 units of travel at 14 degrees AOA, then I would argue that the aircraft pitch behaviour would be in the neighbourhood of what you stated.

However if MCAS starts at say 8 degrees AOA and dont reach full travel until say 16 degrees AOA then the stick force lightening without MCAS would be much less, but I am convinced it still would be ligthening, not just flat.

Anyway, what this boils down to is that it would have been extremely interesting to have a stick force and stick position graph with inoperable MCAS all the way well into stall region, both at 1G/decaying speed and at a higher constant speed wind up turn.
So I fully support EASA's requirement of flight testing this part of the flight envelope, with inoperable MCAS.

groundbum

it's clear MCAS needs it's own switch so it can be turned off yet electric trim stay available to the pilots. This, along with the AOA disagree light, and knowledge of MCAS, would most likely have prevented the 2 accidents so far.

A third accident is the end of the MAX, which is the end of new 737s.

G

Smythe

Does MCAS then add to the 737 anti-stall system? The NG stick shaker activate, the stall management yaw damper, speed trim, and elevator feel?

On the NG, during a stall the FCC's command the nose down and the EFSM and column cutout switches make sure the pilot cannot easily stop the automated stab movement with column nose up input....

Is this all still active when MCAS kicks in?

Speed of Sound

Peter H

An idea which seems to offer an easy path to two incremental improvements.

1) If you keep the operation of this switch to the fixed wiring (i.e. computer-out-of-loop) the need for low-latency MCAS-deactivation
computer responses seem to go away. So no need to add another computer, and its inherent complications?

2) If the switch is automatically hardware-toggled by emergency-level pulling on the stick, then its operation doesn't require deep
analysis of the situation. So a fast response with limited training, even in the presence of distracting alarms?

meet and greet

Honestly, even if Boeing, the FAA, the airlines who own or have ordered the 737 Max, and everyone else gets this show back on the road, there is a much bigger problem.

Passengers! Those whom I have spoken to here at Dublin Airport who travel regularly and know the score, have without exception said there is no way they will fly on a Max. Those who are not fully aware, the occasional pax who fly once a year on holiday, will be heavily influenced by the media. The media in turn will report what they wish, regardless of the facts, and the news will not be good. The PR teams for Boeing, and indeed IAG, FR, AA etc etc must be having some sleepless nights.......

infrequentflyer789

How is this different to the aft column cutout switch which is already there?

I mean, yes, great idea, doesn't need any training because it's how the a/c did work and was understood to work anyway, but apparently MCAS can't do its "job" with that switch in the loop, so it was bypassed.

Now, some of us might think that bypassing that switch should have been a red flag, that it wasn't put there in the first place just to use up some spare contacts, and that if you have to remove (or bypass) a safety device that's been there for decades without causing any issue in order to meet a safety certification, then you're doing it wrong... but from where we are now, putting it back would appear to be a non-starter.

Speed of Sound

ST Dog

Indeed.
That's bigger problem. One group says safety should look at it again and another says no. And like many past example, management makes a call based on multiple factors, but mainly how persuasive the people saying safety needs to look again are.

Sadly we will never see the problem reports/change requests and the other documentation surrounding the change in MCAS.
The FAA probably has it. The other investigators will. But not the general public, not that they could understand the arguments made.

The methodology is. But when looking at 1000s of what-ifs, you have to decide which are credible and how likely they are.
After the fact you can see something happened and trace it through the system to see the effects.

But before that? How likely did the event seem?

I could probably put together a hazard assessment for MCAS and show it at several criticalities based on different assumptions and probabilities for different faults.

horizon flyer

It may turn out to be a cheaper option than an Mcas fix, who is going to trust the fix without a lot of testing.

A further idea is modify the engine air intakes to reduce lift at high AoA.
Boeing changed intake shape to increase ground clearance so why not to reduce lift, with Delta fins may solve the problem and it looks like re certification may be cheaper.
Perhaps make them elliptical in the vertical plain may work.

etudiant

Do not believe that is a big issue.
Most passengers have little interest in the aircraft beyond the quality of the seats and of the service.
So once the MAX is returned to flight, I'd expect the issue to die down quickly. Of course, there had better not be yet another crash anytime soon thereafter...

esa-aardvark

I think the real issue that the regulators must, sooner or later, deal with, is that the
persons insisting on 'Grandfather rights' are accountants, not licensed engineers.
Additionally, those who could have intervened abrogated their rights.
Of course the regulators are also those who could have intervened.
BTW does Boeing have a risk management office ?
John

Notanatp

The AoA indicator in JT610 was north of 20 degrees when sitting on the ground at zero airspeed. Surely that was enough to trigger a sanity check of inputs. Even in flight, something more than 20 degrees (particularly when it had never been less than 20 degrees, much less in a valid range) would have been an unambiguous indication of bad input (I assume the 737 will stall well below 20 degrees AoA).

The exact parameters of the optimal input checking for MCAS (i.e., rejecting a many invalid conditions as possible while minimizing the rejection of valid conditions) could be subject to some discussion and judgment. But AoA of 20 degrees seems like a no-brainer. At most, it might have required that the FCC "remember" a period of AoA history so it could determine, at the point where the algorithm became active (A/P disengaged, flaps retracted) that the AoA had never been in a valid range.

The bigger issue seems to be that the programmers never questioned the absence of any input validation requirement at all. I fully expect someone to quibble with my assertion that >20 degrees is clearly invalid, but what about 75 degrees? What about readings that are pegged at exactly the same number for a period of time (e.g., frozen or jammed sensor)? Or that suddenly jump from a reasonable number to an out-of-range number?

I just think somebody forgot to ask the question: what is the valid range of inputs and what are the error cases? It wouldn't have taken any time at all to include some kind of basic sanity checks.

ST Dog

Unless you get the input from a validated source (or was claimed to be such).

Seen a lot where there's an input app (partitioned code) that's supposed to do all the validation (range checking, not jabbering, etc) and pass that on to other apps in the partition or other partitions. In this case, the AoA value was available in the code, same one used for other apps, like speed trim. It was presumed good, checked, validated, etc.

Turns out that wasn't entirely true.

I've had just that discussion before. I said everything that uses a value should check that value. They said it was already checked earlier in the system, in a higher DAL partition. I lost that argument.

GlobalNav

ST Dog

Was that for the low, slow changes or the original conditions for MCAS?

The original situation was only 0.6 units of trim, not 2.4. And as far as I've seen it was still only 0.6 units in that situation.

The crashes were at lower speed/altitude that used the changed behavior. And it's never been clear that the low speed changes were certification requirements. The larger trim change was needed because the control surface had less effect in that situation.

Peter H

My emphasis.

It's different because:
- MCAS trimming is disabled by an additional force-operated switch which "is automatically hardware-toggled by emergency-level pulling on the stick".
- while non-MCAS trimming is still disabled by the original cutout switch.

ST Dog

Not sure on that. Outside my knowledge area.
I just know there are reciprocal agreements where EASA accepts FAA certification and the FAA accepts EASA certification.
Builder then certifies once and can fly anywhere. Without them the world certification system grinds to a halt. Then can barely handle what they do now. No way they can all handle al the aircraft/systems/parts being developed. No does it make sense to repeats all that effort a dozen times.

Of course individuals don't care if the aircraft costs 10 million or 100 million, or takes 4 or 5 years longer to get in service.
They also don't care about the costs for pilot training.
They'd just balk at ticket prices, complain, and fly less.

The same as arguments over a part that costs $1 more on an automobile. Individuals don't see that that's millions of dollars to the company.


Just like the worries about the general public refusing to fly on the MAX. If you about to board and find it's a MAX. Do you wait 4-5 hours for a different aircraft?
I'll wager most won't.

Shoot I've been offered $100+ to wait 3 hours for a different flight and not accepted. (Those offers always occur when I need to be somewhere at a specific time, and the change would ripple into me arriving 5-6 hours later. Not good when I have a big meeting/event the next morning)

SLF3

It seems EASA are asking questions that Boeing and the FAA are going to struggle to answer.

EASA are asking Boeing to address aerodynamic stability with MCAS turned off. As I understand it, MCAS is only required because without it the Max does not meet the certification performance standard. So that will be an interesting conversation.

They have further asked Boeing to demonstrate the loads on the trim wheel are acceptable, which given that the stabiliser is larger, the trim wheel smaller, and sky goddesses more common, should also be an interesting conversation.

I don't think it is a given the public will flock to the Max once it is cleared to fly: occasional travellers may not know what they are flying on but if frequent fliers avoid the Max that will have an impact. My frequent flier colleagues all plan to avoid it out of disgust with Boeing: they acknowledge it will be safe if recertified, but that is a secondary consideration for them. If the FAA say it is OK, and EASA are ballsy enough to say it isn't, my guess is outside North America it will stay grounded: and a lot of Americans will think twice.

It seems US airlines are very aware of the potential toxicity of the Max: are bookings down on airlines with the Max in their fleet? Noticeable that all the major airlines have said they won't bring the Max back before Thanksgiving, presumably because they need people to book flights. Christmas is next. The offer of free transfers of Max flights by some airlines suggests people are already voting with their feet and the airlines are being forced to respond.

Despite Boeings best efforts, the general public are not buying 'pilot error'. If the problems with the Max, and the culture that led to the problems, were not deep seated it would be flying again by now. Boeing are still on the back foot: this is getting uglier by the day.

MurphyWasRight

My bold in quote, main point is things are not necessarily as simple as it seems;

1:AoA sensor is not active until enough airflow to move the vane, so position with zero airspeed is meaningless. This complicates any input validation since it would require airspeed to turn on any checks.

2: Introducing state (history) can greatly complicate verification since the code must be exercised to reach and respond at to least a subset of all possible states. It also complicates the code which of course adds to risk of bugs.

3: It would have taken some time to code and significantly more time to verify. The greatest schedule impact however might have been getting agreement on valid/invalid values, keeping in mind that MCAS is supposed to respond to somewhat extreme conditions. Even then the checking would not cover all cases, had the Lion AIr sensor chain had less offset it could have triggered MCAS with a totally valid input.
What is shocking is that the second sensor was not used as a cross check, "both must be within x%" is much more robust than any attempt to filter a single input.

As a final note one possible factor in the Air france tragedy was that due to reasonableness checking the stall warning was disabled at low airspeeds only to trigger as the crew lowered the nose, increasing airspeed (while still stalled).
This at a minimum would cause confusion and likely discourage lowering the nose; it yells at me when I do this == don't do that.