An exclusive by Seattle Times reporter Dominic Gates has detailed some of the lapses in the design of the Boeing 737Max8 MCAS control algorithm.
Flawed analysis, failed oversight.
How Boeing and the FAA certified the suspect flight control system on the 737 MAX.
Boeing's System Safety Analysis of MCAS was flawed. https://t.co/LX8pOJw2Zp
— Dominic Gates (@dominicgates) March 17, 2019
It raises several questions about flaws in the design, the design process and the safety reviews.
My hypothesis, published soon after the Lion Air JT610 crash, is along similar lines.
I will try to answer some of the questions raised in the Seattle Times article and also in my previous blogs about this issue since we now have more information.
1. Why was the MCAS algorithm put in place?
The algorithm was required to get FAA airworthiness certification for the Boeing 737Max because of the possibility of a high-speed stall. This situation was determined to be possible from the nature of the aircraft's design, with its bigger engines and different mounting locations. Possibly via CFD analysis etc.
Possible. But how likely was it?
2. So what went wrong?
Sensors. Angle of Attack (AOA) sensors to be precise. It appears that either one or perhaps both of the AOA sensors were compromised. The MCAS is an algorithm. It needs input from the sensors to act. If the data is flawed, it will act in unintended operating envelopes. Unless of course, it is designed to account for that. Which it wasn’t perhaps?
3. Why was the sensor data flawed?
There could be several reasons for this. Let us see what is believed to have happened in the case of the Air France flight 447 crash in 2009.
In that case (Airbus Air France Flight 447) it was determined that the Pitot Tubes (Speed sensors) were flash frozen due to super cooled condensation in the air. This caused the aircraft to stall. To bring it out of stall, the pilots needed to pitch the nose down. However, the stall alarm algorithm had a design flaw. It would come on when nose was pitched down and turn off when nose was pitched up since in the up condition with zero speed it assumed the aircraft was on the ground. So the pilots got confused.
In this case (Boeing 737Max), the Lion Air FDR showed that there was an offset between the two AOA sensors. Lion Air aircraft do not have the optional AOA sensor mismatch light. However, the previous flights of the same aircraft had encountered similar flight control problems, and it appears the maintenance crew determined that the sensor(s) were bad and replaced them.
The optional light just alerts the pilot to a possible issue. It doesn't affect the operation of the MCAS algorithm.
4. So if the sensors were replaced, then how come they went bad again?
Now it is possible that the new sensors were also bad. How likely is that? So possibly there is something else going on. A system issue (raised in my Lion Air Post above).
5. So how come just one bad sensor out of the two caused MCAS to trim down?
That is the big question. My initial thought on this was that MCAS was simply selecting the worst case/input. It appears that is not the case. Is it getting only one input? If this is true, then why have two sensors?
My guess is that there is some pre-selection of the signal via a signal conditioning ASIC or ECU before the input is fed to the MCAS algorithm ECU. The two ECUs, the signal selection ECU and the MCAS algorithm ECU, might not be the same. There could be several reasons for this.
Would be interesting to know the ECU vintages and commonality with prior and/or other 737 models. This could be the smoking gun in my opinion.
6. Why doesn’t MCAS look at other inputs and conditions and determine validity of the sensor signal before acting on it?
Good question. It should. Should have been flagged in safety reviews. Seattle Times article has good info on this.
7. What about how far it can trim and how much?
This is an aeronautical engineering question. Outside my scope of expertise. Dominic Gates's Seattle Times article covers this well. I will add this though:
The trim limits and activation thresholds should have been engineering calibrations in the algorithm. That would have made it possible to "tune it" for each aircraft variation.
The FAA CANIC (Continued Airworthiness Notification to International Community) published does seem to (?) address all three issues (5,6,7). See my Ethiopian Airlines post on this.
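A sketch of the input validation and calibratable limits argued for in questions 5 to 7, added here as an example. It is not Boeing's MCAS logic: every name (`TrimCal`, `trim_command`), threshold, unit and sample reading is hypothetical and constructed for illustration.

```c
#include <stdio.h>

/* Hypothetical calibration table: every value here is constructed. */
typedef struct {
    double aoa_min_deg, aoa_max_deg; /* physically plausible sensor range */
    double max_disagree_deg;         /* allowed left/right AOA split */
    double activate_deg;             /* activation threshold */
    double step_units;               /* trim commanded per activation */
    double max_total_units;          /* cumulative authority limit */
} TrimCal;

typedef enum { TRIM_OK, INHIBIT_RANGE, INHIBIT_DISAGREE } TrimStatus;

static const TrimCal DEFAULT_CAL = { -20.0, 40.0, 5.0, 14.0, 0.6, 2.5 };

/* NaN fails both comparisons, so it is rejected along with out-of-range. */
static int plausible(double v, const TrimCal *c) {
    return v >= c->aoa_min_deg && v <= c->aoa_max_deg;
}

/* Validate both AOA inputs before acting; *cmd is 0 whenever inhibited. */
TrimStatus trim_command(double aoa_l, double aoa_r, double applied_units,
                        const TrimCal *c, double *cmd) {
    *cmd = 0.0;
    if (!plausible(aoa_l, c) || !plausible(aoa_r, c))
        return INHIBIT_RANGE;
    double split = aoa_l - aoa_r;
    if (split < 0.0) split = -split;
    if (split > c->max_disagree_deg)
        return INHIBIT_DISAGREE;      /* one bad sensor must not drive trim */
    double aoa = (aoa_l + aoa_r) / 2.0;
    if (aoa <= c->activate_deg)
        return TRIM_OK;               /* inside the normal envelope */
    double room = c->max_total_units - applied_units;
    if (room < 0.0) room = 0.0;
    *cmd = c->step_units < room ? c->step_units : room;
    return TRIM_OK;
}

int main(void) {
    double cmd;
    /* Constructed inputs: agreeing high AOA, then one sensor offset. */
    TrimStatus s1 = trim_command(15.0, 15.5, 0.0, &DEFAULT_CAL, &cmd);
    printf("agree:    status=%d cmd=%.2f\n", s1, cmd);
    TrimStatus s2 = trim_command(22.0, 2.0, 0.0, &DEFAULT_CAL, &cmd);
    printf("disagree: status=%d cmd=%.2f\n", s2, cmd);
    return 0;
}
```

Because the thresholds live in a calibration struct rather than in the control logic, a different `TrimCal` can be supplied per aircraft variant without touching `trim_command`.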
8. So if the fixes are in the works, we should be good right?
No. It isn’t just about this MCAS feature anymore. The whole design and development of this aircraft, and possibly of all aircraft at Boeing, is suspect now. It is imperative that it be investigated properly. In the works maybe?
Just came across this. Even Airbus Aircrafts have anti stall systems which get triggered falsely due to bad AOA sensors!!
— Shaker Cherukuri (@ProcessISInc) March 18, 2019
Interesting Twitter conversation with Peter Lemme (interviewed for the Seattle Times article above) back in November.
It is a flawed design. The feature needs to be disabled. Usually such safety features can be calibrated off.
— Shaker Cherukuri (@ProcessISInc) November 27, 2018
Note: Will update as needed.