Our anonymous blogger ponders the possible reasons behind Boeing’s 737 MAX troubles and what this might mean for the future of civil aircraft design.
I feel it only fair to point out at the start that I am commenting on this matter from a position purely based on what has been reported in the mass media so far, undoubtedly there is still more yet to come to light.
As you are all no doubt aware there has been a crash involving a Boeing 737 Max, sadly with no survivors. This has been the second involving this type of aircraft within five months, both reportedly initiated by the same cause.
From what I’ve seen this a multi-layered problem, in fact most major accidents are caused by multiple failures but I wonder if this one strikes at the heart of the way civil aircraft are currently brought to market?
On the surface there is a simple cause and effect, a new anti-stall system on the aircraft is dependent on a sensor and this was giving false information leading to an ultimately fatal nose down attitude for the aircraft.
Look a little deeper though and, as I suspect all here at least will have immediately grasped, the first cause for concern is “why couldn’t the pilot over-ride the system?” Apparently there was a set procedure for just such a situation as this but what it didn’t do was permanently lock the anti-stall out. Therefore if the problem persists there is no way to stop it taking you into the ground.
I wonder if the system should have been purely a notification device, warning the pilot so that he or she could respond as appropriate
Take this a step further and you have to ask “if there is no way to permanently disable the system why was there only one sensor?”
When I worked on the design of an aircraft we had redundancy in every critical system. Cost and weight are ever more important with airliners but surely one more sensor, on something like this, should have been designed in? In fact I even wonder if the system should have been purely a notification device, warning the pilot so that he or she could respond as appropriate?
Look a little deeper still and you come to wonder why this system was needed in the first place? The Boeing 737 made its maiden flight in 1967 and has been subsequently developed through a number of upgrades on its way to becoming the most numerous jet airliner ever built.
In the push for greater efficiency the 737 Max has been re-engined but because of this there is now a danger of it pitching nose up in flight. A danger sufficiently worrying for the anti-stall system to have been introduced.
We have lived for a long time with airliners that need computer intervention to fly in their operational envelope and mainly this has been very safe. However there is, I would suggest, at least a partial precedent for this sort of failure in the loss of Air France flight 447. In that case its believed a pitot tube on the Airbus A330 became obstructed with ice, causing a cascade of events which ended with the loss of 228 people. A devastating accident that you would think is still actively referenced in the civil aviation world.
Boeing is full of very clever people and I seriously doubt any of them take the potential loss of life that may come from any of their decisions lightly. So how have we come to what, admittedly with hindsight, seems like an inherently dangerous situation built upon a number of questionable decisions: the extension of a design over 50 years old that introduces a known risk, trying to negate that risk with an automated system that directly affects the aircraft’s flight without the ability to lock it out and the reliance on one sensor for input and enforced response.
Whether we have arrived here through hubris, misplaced confidence in technology or financial pressure; I cannot help but think it may be a watershed moment for aircraft design. A reminder too that as engineers we have a duty to maintain our professionalism and stand guard against any inappropriate dilution of standards.
Pushing the Envelope – the 737 MAX
The engines have been placed above the wing which must compromise lift.
The engines have also been moved more forward of the wing. At higher angles of attack these larger engines will have a greater effect on airflow over the top of the wing and hence the reason for the greater risk of stalling.
At take off speeds and weights together with high AOA the 737 MAX becomes closer to Not being able to fly. Boeing created MCAS to keep the nose down
I have read recently that Boeing have stated that the MAX is not suitable for hot and high airports. Why was it flying in Ethiopia and Indonesia?
Making
Compromised
Aerodynamics
Safer
If you have 2 sensors on one system how do you decide which one is performing correctly?
Surely if you use 3 systems or sensors you can then use a majority logical system similar to used on subs power systems surely this would be better than 2 systems / sensors?
OK slightly more weight maybe another 2 kgs but for safety sake surely a better option?
I’m not an aircraft engineer, but work mainly in electronics, non avionics. As soon as everyone was mentioning MCAS to blame, I was saying I don’t feel this is the only factor. OK, so oversized engines, quite high up on a low slung frame are added…and an electronic counterbalance is then needed as could cause an issue to go into a stall position. Actually, although nobody has mentioned it, I think the chevrons cut out on engine designed to reduce noise (less thrust) could be creating vortices, possibly in combination with the winglets, that are reducing lift in a tilt upwards position. The whole design is questionable. Maybe, short of doing what was done in old days, using depleted uranium as weights, maybe hiring pot bellied pilots, lol, may help.. God help Boeing, they’ve truly lost the plot!
As far as I know the max have two angle sensor and is the difference in reading the angle what triggers the MCAS to take control and lower the nose
The question is, of course, “Why did the sensor apparently fail?” Undoubtedly, Boeing has other questions to answer about what happens when the sensor does fail, but ultimately these should be very reliable. Two apparently failing in a relatively short time is more than just “bad luck”. Have they specified the right sensor for the job? Or does the sensor manufacturer have some questions to answer too?
As the rest, i only know some of what is in the public domain – but it would be interesting to pull out the Failure Modes, Effects and Criticality Analysis documentation to see if this hazard was considered in the first place, and if not, why not.
The sensor, as I understand it wasn’t the failure cause, rather the software which re-set the zero point of the system at the last attack angle, thereby over-riding the max. 2.5degrees, making the limit now a max. 2.5 +2.5 degrees, which is an unsupportable state.
As with the previous comments, has the aerospace industry forgotten all previous accidents/ near-misses and how was the auditing system allowed to be over-ridden with embedded Quality Engineers?
Boeing 737 MAX MCAS issues
The 737 is/was a classical flight control aircraft. Relying on being a naturally stable aircraft for flight control design(s), augmented in selected areas. Once such area is with artificial yaw damping (AYD) , present on virtually all large jet passenger aircraft (to stop passengers getting sick from the aircraft’s natural tendency to Dutch Roll = Wagging its tail).
Until the Boeing 737 MAX, there was no need for “artificial auto-aids in pitch attitude”. Once the aircraft entered a stall condition (to be avoided on any passenger jet ! ) , there are several actions which assist any pilot to exit a stall condition.
The larger nacelles on the 737 Max, due to using higher bypass LEAP-1B engines, changes all this. When flying at normal angles of attack (3° at cruise and say 5° in a turn) the destabilizing effect of the larger 737 MAX engines is not felt.
The nacelles being not designed to generate lift in normal flight, as would generate unnecessary drag from the engine nacelle. The aircraft designer focuses lift via use of the efficient “high aspect ratio” wing.
If the pilot manoeuvres the aircraft hard, generating a high angle of attack close to the stall angle of around 14°, the 737 MAX engine nacelle generates lift !. Lift which is felt by the aircraft as a pitch up moment (at it’s …ahead of the Centre of Gravity (CG) line).
This 737 MAX nacelle lift is so much more significant a factor than on the old Boeing 737’s and destabilizes the 737 MAX in pitch at higher Angles Of Attack (AOA). The most difficult situation is when any manoeuvre has a high pitch ratio. During take-off ! ……The aircraft’s inertia can then provoke an over-swing into stall AOA.
To counter the MAX’s lower stability margins at high AOA, Boeing introduced The “Manoeuvring Characteristic(s) Augmentation System” – (MCAS). Dependent on AOA value and rate, altitude (air density) and Mach (changed flow conditions). MCAS is a software loop in the Flight Control computer, and initiates a nose down trim above a threshold of the Angle Of (wing) Attack AOA.
MCAS activity can be stopped by the Pilot counter-trimming on the Yoke or by him hitting the CUTOUT switches on the centre pedestal. It’s not stopped by the Pilot pulling the Yoke, which for normal trim from the autopilot or runaway manual trim triggers trim hold sensors. This would negate why MCAS was implemented, the Pilot pulling so hard on the Yoke that the aircraft is flying close to stall.
It’s this counter-intuitive characteristic, which goes against pilots …who have been trained in jet simulators and (and original pilots stall training /trimming technique used say on a Cessna 152/172 training aircraft ! ) for ….unwanted autopilot trim or manual trim runaways,
This has confused pilots.
They/we have always learned that holding against the trim will stop nose down, and then you can take normal normally actions, like counter-trimming or outright CUTOUT of the trim servo. But it doesn’t yet on the 737 MAX! . After a 10 second trim to a 2.5° nose down stabilizer position, the trimming starts again despite the Pilots pulling against it with The faulty high AOA signal still present.
Result …runaway down trim ….and near inevitable crash ! ….. And its apparently not Autopilot linked, so cutting out the Autopilot will still currently ? keep MCAS operating and allow such a potentially dangerous “controllability in attitude” issue!. Normally only pilot experience-able at take off in the noise abatement High Angle Of Attack (AOA) scenario !
Ok, so Boeing screwed up. Having shedloads of guys and money didn’t apparently help – I suspect because someone, somewhere, higher up the food chain decided that it was ‘good enough’.
What about the automatic pilots now being touted for our motor vehicles? Many more, independent, manufacturers creating their own systems with probably far less oversight than would be found in the aerospace industry. Two planes from one manufacturer certainly concentrated minds., but how many of these autopiloted cars are going to ‘drive into terrain’ before it comes to attention.
Look at how long it took for the Dieselgate scandal to create action.
Engineers will always be looking for the ‘best’ solution to any problem, it is the ‘commercial’ arm-twisting that goes on behind the scenes (to make it cheaper, quicker, quicker to market) that can cause these alternative solutions to get into the public domain.
Without repeating the above comments, which display incredulity that such a situation was allowed to progress into use. I read somewhere that the reference system is a simple pivot and counterbalance shaft with an external vane (referencing the pattern of airflow), that had been sheared off, possibly by bird strike. I can’t believe that in this day an age of smartphones being able to sense position etc that something a bit more vulnerable wasn’t considered, let a alone a simple multipoint redundancy system. Not being able to disable it properly with a manual switch just beggars belief. Obviously there was a lack of critical review and risk assessment in the design process. Whoever signed it off has a lot to answer for!
the point of 2 sensors is that they should both give the same reading, if they don’t the pilot must decide – all have thousands of hours behind them, they are good at their jobs.
aside from the question of why build in dangers
why build an aircraft that can’t fly in the areas of the world where aircraft usage in most increasing? restrictions mean that the airlines can’t move the planes around, so have limited use. climate change means more airports are hot – european ports are up to mid 30s in summer so often hotter than indonesia
the real question is why boeing was carrying out in house checking without independent verification of critical products and the answer to that death dealing question is political lobbying
Such a sad situation all round, but ‘break Nature’s Laws and both detection and punishment are immediate and inevitable.’ I do recall a lovely mnemonic “BLUETIT” -before leaping/leaving/ learning understand everything, think it through, that might help.
Engineers will always be looking for the ‘best’ solution to any problem, it is the ‘commercial’ arm-twisting that goes on behind the scenes (to make it cheaper, quicker, quicker to market) that can cause these alternative solutions to get into the public domain.
Why is there never (apparently) time to do it right, yet we always have to make time to do it again!
I echo much of what others have said. Another questionable decision that’s not been mentioned. Reportedly, there is a warning indicator to alert the pilots in the event that the two angle of attack indicators disagree. But the indicator is an optional extra! Seriously? As if it were some trivial item on a par with a glovebox light. Surely the cost price of this indicator would be tiny, so the motivation to make it an “extra” is pretty questionable.
Folks, Does no one remember the Lockheed Tri-star back in the 60s. Well it was eventually fitted with a take-off/Landing Hands off system, with one very important feature.
The Pilot/Co-Pilot could place there hands on the flight yoke and move it slightly. At which point the Auto system was immediately disabled and the crew had full control of all flight functions.
Why did not, one of the Boeing’s [supposedly the best] flight engineers ever consider putting in place the same as Lockheed did with the Tri-Star [still flying today as a fire-water tanker and was also used a flying fuel tanker for many air forces].
Someone needs to look back at this auto disable switch to the Auto-take-Off and Landing disabling set-up.
No one seems to look at what has been designed-used in the Past… is pure laziness and engineering ignorance, along with the Older Upper Management who were probably around when the Tri-Star was carrying Passengers/Cargo! Computers are OK but still need Human over-ride capability– Lockheed recognized this factor when they put this in the Tri-Star, nearly 40+ years ago.
I am neither an engineer nor an aerodynamicist. I am a frequent flyer though that works in technology and there is no way I will ever rely on software for a design flaw. If I ever see that my flight is one if these aircraft, I will not be getting on it.
Boeing have no chance of recovering this one.
Not only remember it, but flew often therein down to Mexico from East and West coast of the USA.
I certainly recall my first flight. Looking into the pilot’s cockpit as we entered, there appeared to me to be almost no instruments whatsoever in the space! because I believe this aircraft was one of the first with digital screens: and was known as the best designed and safest aircraft then in the sky! I do remember as we left Mexico City on the return journey, there were several loud ‘bangs’ the engines actually being starved of air (that was what the pilot said!) because of a substantial cross wind. If I recall Mexico City is both high and hot (great for the textile industry because folk often wore two sets of clothes -Tropical for day and Western for evening!) and this is an issue too. The Tristar had started to really earn its place (and a massive potential market for RR Engines) until the terrible incident in Paris. Nothing to do with any major design issue: but a baggage handler failed to secure the cargo door properly, the depressurisation caused the floor to collapse, taking the control systems to the rear engine ‘out’ and sadly that was enough for it to crash. Here in Macclesfield we still recall the episode as amongst some 300 passengers who died were the local amateur rugby team. I believe the Tristar was recognised by pilots and public before the incident as an amazing advance: sadly not another was ever sold.
Suspicion is that re-training costs were allowed to dominate the decision making process by not implementing a mandatory sensor warning … ensuring no change required from current 737 operating procedures. Adding new engines to the 737-MAX was therefore not being treated as a ‘visible’ change and therefore not given the gravitas it deserved. A Pilot Over-ride (as per Geoff Daly comment on Tri-star) should have been the obvious option to incorporate … along with a mandatory warning for sensor discrepancy that would alert the pilot to take control.
There are other sensors on the aircraft that could give context for aircraft attitude. If an aircraft sensor is flagged as deviating this should be given a lower priority and alternative information from other aircraft sensors and systems should be sought to quickly analyze the true situation. For example something as simple as GPS positioning would have indicated a downward trend for height rather than the perceived upward trend in height from the automated MCAS system.
Perhaps aircraft computers need to get smarter with more AI built in rather than a dependence on a select sub-set of sensors. This would give more accurate contextual information before making vital life saving decisions!
The baggage door crash was a DC10 not a Tristar.
My sincere apologies: in fact I did look on the www (after! my post) and was surprised to see no reference to this in the Lockheed history : so realised that I had made an error! Dr Altzheimer is getting closer and closer.
I was working back in the UK and do recall that, in Feb 1971 when RR went belly-up (they were persuaded to take a very punitive contract by Lockheed for price for RB 211 engines) the Chairman of ‘our’ firm did circulate a memo to all staff suggesting that by “placing impossible terms on a supplier…though it may look good on some internal memo… is inviting him to let you
down. I believe RR collapse was followed shortly after by that of Lockheed?
I believe that the reason why the aerodynamics are altered was because of the overall geometric design of the airframe of the 737 and its history.
INITIALLY, the 737 had very slender jet engines that allowed Boeing to design the landing gear to be short and stout as part of the original design philosophy of producing jets capable of taking-off and landing in the relatively short runways of the era (1960’s), since the engine diameter was MUCH less than in their own latter designs. That can be seen from the 737-300 on. The series 300 needed a much modified nacelle that is quite flattened on its bottom to avoid contacting the runway. To be able to rise the whole airplane, all the structure where the landing gear attachs to the wing would need to be redesigned, necessitanting heavy reinforcement; so they went “the easy way” (also known as “the quick-and-dirty”): Flatten the engine nacelles!!! That made the airflow to the engine less than stellar, but it was not too bad (and not too good at all either, but the competitors were not so strong back then). More recently, the Airbus 320-NEO became more attractive in respect to fuel consumption and overall performance, so that BOEING was pressed to respond to that threat, and because designing a completely new clean-slate design is asking too much from top level bean counters, management decided that “just pushing a little their proven design” was the way to go. SO, one more time, Bean Counting reigns over engineering; and the MAX was imposed as the new product to be. Initial design exercises resulted in definite improvements, BUT, those were still short of the needed iones to compete against the 320 NEO, necessitating not one, but TWO consecutive engine fan diameter augmentations! While all this was being done on the computer screen and CAD, the designers, hard pressed by Bean-Counting management, found that the necessary engine fan diameter installation was like trying to tuck 20 people into an old VW Beetle (it certainly can be done, but the result is ugly!) The engines do not fit between the wing and the tarmac… but management pushes harder and they decide that “it just needs a little more pushing” (like forcing the last 3 people into the VW Beetle) SOOO, Why not just push the engine forward and upward, more, more… MORE… just a little more… finally YES! (management shouts: “You see bunch of myopic engineers, WE TOLD YOU IT WAS EASY! Now GET TO WORK!”)
Then, the ever present computer whizzes that nowadays claim that EVERYTHING must be done by software, ran a series of simulations (what else this days), and they claimed the aerodynamics were OK (they aren’t, but the simulations are colorful and deceiving), so, when things go a little sour, the same computer geniuses claim “they have THE solution: MORE SOFTWARE! (What else?)”
As the new engine placement and its corresponding nacelle causes an uncomfortable “Pitch-up tendency, they conclude that the “MCAS” (please read the acronim explanation and true meaning by John Wilson, I believe he’s right on the point!) is the answer. Management, faithful to their tradition, decides that it is extremely convenient to use ONLY ONE sensor of AOA (Angle of Attack) to feed the system, as it saves them many yards of wiring, and that it is an excellent idea to cut the price of the new 737MAX by offering their customers to reduce the price by deleting the AOA display in the cockpit too, and that it is even a BETTER IDEA to assume that, since it is a 737, and “ALL 737’s are 737’s, ARENT THEY”? they need not telling anything about the uncomfortable alteration in flying behaviour caused by the shoehorning of the damn engines, so that the ADVERTISING DEPARTMENT can claim that there was no need to bother with MCAS retraining, because Management sayz: a 737 is a 737, isn’t it?, so pilots go and fly it like a 737 (and crash it twice). Can anybody validly blame both crews for fighting against the BRILLIANTLY written sofware and losing ??? At least, Boeing computer whizzes can claim that their software was “pilot-proof”. Sarcasm aside, this modern design belief that everything can (and should) be made by an (ab)use of software is reaching absurd levels. In these sad cases of both accidents, not only Boeing is to receive the blame, but the FAA for its complacency in supervising the company and losing sight of the required redundancy (only one sensor), or lack of dedicated training, as well as an alarming tendency to allow the fabricator to supervise itself.
Correct. That was a DC-10, but contrary of what Mike Blamey said, it was indeed a terrible design (for the hatches). As always, trying to put convenience above safety is what produces accidents. The PROPER way to design a hatch, is EXACTLY like how the doors are designed: they seat and seal much better when the door (or hatch) opens into the fuselage, because internal pressure will keep them well seated and sealed!, BUT, as stoopid designers of the DC-10 put convenience (slightly more cargo capacity) over physics, the hatch was prone to bursting open at the slightest misadjustment or wrong operation. Not only the DC-10 had that fatal flaw, but the Boeing 747 also had an accident caused by the latches failing and the hatch being violently opened and teared away. Intelligence is lamentably always below commercial interest. The latest 737 does not escape from tath condition.
Many thanks to those who have commented upon my error. Having spent some of my career dealing with errors (that resulted in substantial financial claims) in textile production, I recognise that mankind does often show 20/20 hindsight. After the event, its much easier to see what went wrong, and apportion blame. Thinking the unthinkable is always difficult: and “there’s always the Insurance who will pay up!” Just think how many lawyers are gearing-up to make massive fees dealing with the castigation of Boeing (or Piper-Alfa or Deep Sea Horizon) or whatever is the present route to the Insurance ‘pot’. Were this additional intellectual entropy, ‘energy’ applied at the start…perhaps the error would not have occurred in the first place. And who would lose most in that situation. Step forward more of those whose livelihoods depend on the conflict, not its outcome?