A low-down analysis on the 737 MAX problem

This is a lengthy and detailed explanation of the problem and what Boeing chose to do about it. The writer is both a pilot and a software engineer. There are several important key take-aways here.
  • The fundamental problem is that in order to re-engine the 737 airframe with the much larger CFM LEAP engine, without making major structural changes to the airframe to increase ground clearance under the wing by changing wing dihedral and/or lengthening the landing gear, Boeing made aerodynamic compromises that made the aircraft dynamically unstable. This is a very bad thing in a commercial passenger aircraft.
  • In order to manage the dynamic instability, Boeing introduced the MCAS software system which allows the flight control computers to command the nose down in the event of what it considers a hazardous angle of attack. The aircraft has two redundant flight computer systems, but each reads only one of the two angle-of-attack sensors, and they do not cross-check with each other. Only one is active at a time.
  • The MCAS system provides feedback to the pilots by pushing the stick forward. By default it provides no other clear indication that MCAS has activated. This system can apply hundreds of pounds of force to the control stick, making it physically exhausting for the pilots to try to counter it.
  • Boeing deliberately kept documentation of MCAS to a minimum in order to maintain a bureaucratic fiction that the aircraft is "still just a 737" despite having twice the thrust and carrying 72% more passengers than the original 737, in order to avoid having to do an expensive new-type certification. But by any realistic aerospace engineering standard, the 737 MAX is a new aircraft that should have had a full airworthiness certification process. But that would have cost Boeing a lot of money. So Boeing lied.
  • Because the FAA is overloaded and has been suffering a "brain drain" to the private sector, the FAA trusted Boeing to tell it whether the 737 MAX was airworthy and safe to operate, which is why Boeing got away with the lie.
#aviation #tech #boeing #737
If you want my opinion, the entire airframe needs to be re-certified from scratch.
I would definitely have to agree here.
I have heard many comments on the deficiencies of having a single AoA sensor for MCAS. But there's a white elephant in the room that doesn't seem to get mentioned. It might be more apparent if somebody bothered to ask a pilot what is observable on a plane that is about to stall; or perhaps better still, what does not occur when going into a stall.

When a plane is nose-diving into the ground, it picks up speed very rapidly. There are three pitot tubes to measure this; and they are cross-checked and fed to both flight control computers. When an AoA sensor indicates excessive up-angle, that would normally indicate a stall is imminent. But NOT if the airspeed is increasing - especially if it is increasing at an unusually high rate! Right there you have a clear indicator of sensor failure - absolutely no need for two AoA sensors! Regardless, the correct response would be to have the automation disconnect itself, manual "law", sound the klaxon.

That the software for MCAS did not bother to query the normal flight-control-computer modules for speed delta is a damning reflection of shoddy software engineering (though the actual coding of the software may have itself been fine). Even a junior programmer should have thought to ask what "readily available" parameters could be used to gate the decision-making of the module.
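The plausibility gate argued for in the comment above, written out as an added example that is not part of the original thread and not code from any aircraft system: a high angle-of-attack reading only counts as a stall warning if voted airspeed is not climbing fast, and (going one step beyond the comment) the two AoA vanes are also cross-compared. Every threshold is a constructed placeholder.

```python
from dataclasses import dataclass
from enum import Enum

# Constructed thresholds for illustration only; not real flight-control values.
AOA_STALL_DEG = 15.0        # AoA above this looks like an approaching stall
AOA_SPLIT_DEG = 5.0         # max disagreement tolerated between the two vanes
ACCEL_LIMIT_KT_PER_S = 3.0  # airspeed rising faster than this contradicts a stall


class Decision(Enum):
    NO_ACTION = "no action"
    NOSE_DOWN = "command nose down"
    DISCONNECT = "disconnect automation, revert to manual law, sound warning"


@dataclass(frozen=True)
class Sample:
    t: float          # seconds
    aoa_left: float   # degrees from vane 1
    aoa_right: float  # degrees from vane 2
    airspeed: float   # knots, already voted across the three pitot tubes


def airspeed_rate(prev: Sample, cur: Sample) -> float:
    """Knots per second between two consecutive samples."""
    dt = cur.t - prev.t
    if dt <= 0:
        raise ValueError("samples must be strictly increasing in time")
    return (cur.airspeed - prev.airspeed) / dt


def decide(prev: Sample, cur: Sample) -> Decision:
    """Gate the nose-down command on vane agreement and airspeed trend."""
    # Cross-compare the two vanes: a split beyond tolerance means one has failed.
    if abs(cur.aoa_left - cur.aoa_right) > AOA_SPLIT_DEG:
        return Decision.DISCONNECT
    aoa = (cur.aoa_left + cur.aoa_right) / 2.0
    if aoa <= AOA_STALL_DEG:
        return Decision.NO_ACTION
    # High AoA while airspeed is rising sharply is physically implausible for
    # a stall, so treat the AoA reading as failed rather than act on it.
    if airspeed_rate(prev, cur) > ACCEL_LIMIT_KT_PER_S:
        return Decision.DISCONNECT
    return Decision.NOSE_DOWN
```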
Yup. The criterion of "high power plus high angle of attack" is a great description of "Hey, look, we're taking off."
It is indeed. It's putting the fox in charge of the henhouse.

The F-35 is much the same situation. DARPA did not independently pen-test any of the F-35's software suite. It just trusted Lockheed Martin's word that it was secure and safe ... which it turns out it most emphatically is not.
CFM LEAP engine? Is that related to the erotica use of "CFM heels" ?
Heh. :) I don't think so, but the Japanese have a heck of a lot of weird anime with anthropomorphic everything. If you can have an anthropomorphic battleship, why not an airliner?
Never doubt there is art of it somewhere... But the closest I can find right now is
Nothing like sticking your nose in somebody's carpet. :-)
Excellent capsule summary. As someone who works in the aerospace industry every one of the items in your list pisses me off. Passenger planes should be aerodynamically stable by default. (Fighters and stunt planes are different; high maneuverability comes at the cost of some instability.) It boggles my mind that the AoA sensors weren't cross-compared; MCAS can manipulate flight control surfaces FFS! My experience with people working in flight controls is that they consider their systems to be DAL A+. (DAL A, where failure is "catastrophic," is the highest official level.) They wear a tinfoil hat over their tinfoil hat. They're paranoid as f*ck and they goddamn well should be. How anyone signed off on that design is beyond me. I sure as hell wouldn't want my name on it.

As you said, Boeing wanted to get to market fast and cheap. They also wanted to boost sales by pretending that little pilot retraining was required. It was a perfect storm of incentives to paper over significant differences and questionable design decisions. Heads should roll at Boeing for this. There should be criminal accountability.
@Michael Carman++
I could not agree more. Nearly four hundred people have died as a direct result of the decisions Boeing made.
@Michael Carman, you take back what you said about properly paranoid engineers wearing tinfoil hats over our tinfoil hats. We do no such thing. What if it's tin that has a problem?

It's goldfoil over the tinfoil, thank you very much.
/me grins :)
And you wondered why NASA satellites are always wrapped in gold foil...
(Note: I've never worked in aerospace except by osmosis. Some years ago when I was putting together engineering best practices for writing election software, my research group did a survey of existing software engineering methodologies. We concluded aviation software engineering had a very good track record and that we were going to pattern voting software engineering on the aviation model.)
@Michael Carman Thanks for your comments. I have similar experience to yours and I agree entirely with your comments.
I get confused about whether the lead foil goes on the inside or the outside...
@Phil Stracchino Gold foil? Hah, those bean counters replaced real gold foil with faux gold mylar to, uh, save beans I guess. ;-)
@Rob Hansen "Pattern voting software on the aviation model?" It sounds good in theory, for sure. And I bet your group did a good job along those lines. But from what I've heard of voting software in general (most of it third hand from #SANS), it's riddled with issues that are hidden behind closed doors.