What happened?

  • On October 29, 2018, Lion Air 610 – a brand-new Boeing 737 MAX – crashed with the loss of all 189 passengers and crew. In addition, a diver involved in the recovery also died.
  • On March 10, 2019, Ethiopian Air 302 – another brand-new Boeing 737 MAX – crashed with the loss of all 157 passengers and crew.

What is it about those crashes?

  • Both were attributed to a malfunction of the planes’ Maneuvering Characteristics Augmentation System (MCAS). MCAS was introduced on the Boeing 737 MAX generation of 737s.

What is MCAS?

  • MCAS is a software routine added late in 737 MAX development to the plane’s Rockwell Collins EDFMS-730 “digital” autopilot.
  • A digital autopilot is an autopilot made from a computer, running computer software. Prior autopilots were constructed of electromechanical components, with limited or no ability to control their behavior with software. The EDFMS-730 was introduced to the 737 series with the 737 NG in the early 2000s. Prior to that, 737s used an electromechanical autopilot.
  • For more, see “The case of the 737 MAX” and “Ship the airplane.”

What was wrong with MCAS?

  • In my opinion, MCAS was hastily developed. This resulted in two fatal limitations which are directly causative of the crash:
    • MCAS took its primary, or only, input data from a single “Angle of Attack” (AOA) sensor. The industry practice for such systems is a minimum of three, as the sensors are known to be unreliable.
    • MCAS did no “sanity” checking on the data coming from the single AOA sensor. In particular, it did not check that the angle of attack readings coming from the sensor were reasonable given physical constraints of aircraft performance.
  • In addition, three deliberate decisions by Boeing compounded the above. They are:
    • To conceal the very existence of MCAS from airline pilots and even its own production test pilots
    • To conceal the nature of MCAS functionality from the Federal Aviation Administration
    • To program MCAS to deliberately ignore pilot inputs. This was contrary to what pilots are trained to expect, namely that any automatic system controlling the plane will disconnect if the pilots attempt to control the plane themselves.

Why did Boeing put MCAS on the 737?

  • In 2010 Boeing’s arch-competitor, Airbus, announced the A320neo airliner. The A320neo (“New Engine Option”) would utilize the CFM LEAP (“Leading Edge Aviation Propulsion”) engine. The CFM LEAP engine promised a 15% fuel efficiency improvement over the previous engine on the A320, the CFM56. In order to remain competitive, Boeing embarked on a program to fit the CFM LEAP on the 737.
  • Because the 737 sits very low to the ground, Boeing found it impossible to put the larger LEAP engines under the wing. Instead it mounted the engines in front of the wing and higher than it had previously.
  • This created an unacceptable aerodynamic instability in the airplane’s longitudinal (pitch) axis.
  • Boeing chose, apparently for cost and speed-to-market reasons, to address that instability with a software patch in the airplane’s autopilot: MCAS.
  • For more, see “The Boeing 737 MAX Saga.”

I read that the pilots in the two crashes were not very good and not well trained. Also that they did not follow standard procedures to deal with the malfunction.

  • There is no evidence that either pilot skill/training or maintenance practices played a part in either crash.
  • Boeing has suggested that the pilots should have treated the MCAS failure as “runaway trim.” In the first crash the pilots were not even aware that MCAS existed. For more see “Why MCAS does not present as runaway trim.”

Wasn’t the MCAS on the 737 just a version of the MCAS from an earlier plane?

  • No. Boeing originally claimed that 737 MCAS was a derivative of the MCAS system used in their KC-46 tanker (based on the 767 airliner). They have since walked back that claim. The two systems are almost completely different and designed to serve different functions. They only share a name.
  • For more, see the slides that address KC-46 MCAS vs. 737 MCAS in the “Software is Killing Us” presentation.

Can MCAS be fixed?

  • No. There are two basic reasons, one technical and another cultural.
  • Technical: MCAS is what is called an “envelope protection” or flight control function. Such functions are characterized by automatic (computer) intermediation between the pilot(s) and the aircraft control surfaces. Any system capable of countermanding pilot input, or of imparting significant control on the aircraft itself, requires a sophisticated technical architecture. That architecture is characterized by redundancy, fault detection, and graceful degradation. The 737 has none of that, and legacy constraints prevent it from gaining them. For more, see the discussion in “Ship the airplane.”
  • Cultural: Between the time the 737 was first certified and the present, Boeing’s culture transformed. It had been an engineering culture characterized by robust internal debate, transparency and meritocracy. As the company matured from the 1990s to the present, that culture became dominated by financial concerns that were intolerant of expertise, dissent and merit. For more, see “Why Boeing Should Never Build Another Airplane, Again.”
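
The two limitations listed under “What was wrong with MCAS?” and the redundancy, fault detection and graceful degradation named under “Can MCAS be fixed?” can be shown in a small voter over redundant AOA sensors. This is an added example, not Boeing’s or Rockwell Collins’s code; the thresholds, function names and sample readings are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed illustrative limits, not values from any aircraft specification.
AOA_MIN_DEG, AOA_MAX_DEG = -20.0, 40.0  # physically plausible range
MAX_RATE_DEG_S = 20.0                    # plausible change per second
MAX_DISAGREE_DEG = 5.0                   # allowed spread between sensors

@dataclass
class Vote:
    aoa_deg: Optional[float]  # voted value, None when nothing is trustworthy
    healthy: List[int]        # indices of sensors that passed every check
    mode: str                 # "normal", "degraded" or "inhibit"

def plausible(reading, previous, dt_s):
    """Range and rate-of-change sanity check for one sensor."""
    if not (AOA_MIN_DEG <= reading <= AOA_MAX_DEG):
        return False
    if previous is not None and abs(reading - previous) / dt_s > MAX_RATE_DEG_S:
        return False
    return True

def vote(readings, previous, dt_s=0.1):
    """Vote across redundant sensors; degrade rather than act on bad data."""
    ok = [i for i, r in enumerate(readings) if plausible(r, previous[i], dt_s)]
    if len(ok) >= 3:
        vals = sorted(readings[i] for i in ok)
        mid = vals[len(vals) // 2]  # mid-value select
        ok = [i for i in ok if abs(readings[i] - mid) <= MAX_DISAGREE_DEG]
        return Vote(mid, ok, "normal" if len(ok) >= 3 else "degraded")
    if len(ok) == 2:
        a, b = (readings[i] for i in ok)
        if abs(a - b) <= MAX_DISAGREE_DEG:
            return Vote((a + b) / 2, ok, "degraded")
    # One or zero trustworthy sensors: no automatic authority at all.
    return Vote(None, ok, "inhibit")

def automation_may_act(v, pilot_overriding):
    """Automation acts only on a voted value and always yields to the pilot."""
    return v.mode != "inhibit" and not pilot_overriding

if __name__ == "__main__":
    # Constructed readings: the third sensor reports an impossible 74.5 degrees.
    v = vote([4.0, 4.5, 74.5], [4.0, 4.4, 4.2])
    print(v, automation_may_act(v, pilot_overriding=False))
```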
By Gregory Travis – a software architect, aircraft owner and writer. His first article identifying the issues with the 737 Max appeared in the May 2019 issue of IEEE Spectrum magazine.