Maneuvering Characteristics Augmentation System

From Wikipedia, the free encyclopedia
[Image: Movable horizontal stabilizer on an Embraer ERJ-170]

The Maneuvering Characteristics Augmentation System (MCAS) is a flight control law (software) embedded into the Boeing 737 MAX flight control system which attempts to mimic pitching behavior similar to the Boeing 737 NG. When it detects that the aircraft is operating in manual flight, with flaps up, at an elevated angle of attack, it adjusts the horizontal stabilizer trim to add positive force feedback (a "nose heavy" feel) to the pilot, through the control column.

Analyses following the Lion Air Flight 610 and Ethiopian Airlines Flight 302 crashes have shown that the activation logic of MCAS is vulnerable to erroneous angle of attack data. Flaws found in the MCAS implementation, in crew training, and in operational procedures resulted in a worldwide grounding of the airliner, pending accident investigations, certification inquiry, and necessary changes to the MCAS software, cockpit instruments, and crew manuals and training.

MCAS also exists in another form on the Boeing KC-46 Air Force tanker, where it "similarly moves the stabilizer in a wind-up turn".[1]

The Wall Street Journal reported in May 2019 that Boeing failed to share information about the issue for "about a year" before the crash in Indonesia.[2]

Description

[Image: An angle of attack (AOA) sensor]

Background

The Maneuvering Characteristics Augmentation System (MCAS) is a flight control law[3] built into the Boeing 737 MAX's flight control computer, designed to help the aircraft emulate the handling characteristics of the earlier Boeing 737 Next Generation. According to an international Civil Aviation Authorities team review (JATR) commissioned by the FAA, MCAS may be a stall identification or protection system, depending on the natural (unaugmented) stall characteristics of the aircraft.[4][5][6] Boeing considered MCAS part of the flight control system, and elected to not describe it in the flight manual or in training materials, based on the fundamental design philosophy of retaining commonality with the 737NG. Minimizing the functional differences between the Boeing 737 MAX and Next Generation aircraft variants allowed both variants to share the same type rating. Thus, airlines can save money by employing and training one pool of pilots to fly both variants of the Boeing 737 interchangeably.[7]

When activated, MCAS directly engages the horizontal stabilizer. It is thus distinct from an anti-stall device such as a stick pusher, which physically moves the pilot's control column forward and engages the airplane's elevators when the airplane is approaching a stall.

Boeing's former CEO Dennis Muilenburg said "[MCAS] has been reported or described as an anti-stall system, which it is not. It's a system that's designed to provide handling qualities for the pilot that meet pilot preferences."[8]

The 737 MAX's larger CFM LEAP-1B engines are fitted further forward and higher up than in previous models. The aerodynamic effect of its nacelles contributes to the aircraft's tendency to pitch up at high angles of attack (AOA). The MCAS is intended to compensate in such cases by modeling the pitching behavior of previous models, and to meet a certain certification requirement,[9] in order to enhance handling characteristics and thus minimize the need for significant pilot retraining.[10][11][8]

The software code for the MCAS function and the computer for executing the software are built to Boeing's specifications by Collins Aerospace, formerly Rockwell Collins.[12]

[Image: The trim wheel and cutoff switches in a previous generation cockpit]

As an automated corrective measure, the MCAS was given full authority to bring the aircraft nose down, and could not be overridden by pilot resistance against the control wheel as on previous versions of the 737.[13] Following the Lion Air accident, Boeing issued an Operations Manual Bulletin (OMB)[14] which outlined the many indications and effects resulting from erroneous AOA data and provided instructions to turn off the motorized trim system for the remainder of the flight and trim manually instead. Until Boeing supplemented the manuals[15] and training, pilots were unaware of the existence of MCAS because it was omitted from the crew manual and not covered in training.[13]

In addition, the system acts on only one of the two available AoA sensors. This is a single point of failure that goes against aviation requirements for robustness and integrity, which are met, for example, by using redundancy.[13][16][17][10]

An AOA "disagree" light illuminates when the two sensors read different values. Airlines could optionally add a software gauge indicator to the multifunction cockpit displays. However, scrutiny has revealed that the two safety features were interdependent, and were inoperable in both doomed flights.

The older 737 cockpit has separate on/off control switches for independent electrically-assisted and automatic trim systems. On the 737 MAX, a combined switch is provided and the pilot cannot turn off the MCAS without also disabling electrically-assisted trim. A manual trim wheel is provided, but is not powerful enough to adjust the stabilizer in all flight conditions. Activating the powered trim system can be necessary and this also activates the MCAS.[18]

Inception

The MCAS design parameters originally envisioned automated corrective actions to be taken in cases of high AoA and G-forces beyond normal flight conditions. Test pilots routinely push aircraft to such extremes, as the FAA requires airplanes to perform as expected. Before the MCAS, test pilot Ray Craig determined the plane did not fly smoothly, in part due to the larger engines. Craig would have preferred an aerodynamic solution, but Boeing decided to implement a control law in software.

According to a news report from the Wall Street Journal, engineers who had worked on the KC-46A Pegasus tanker, which includes an MCAS function, suggested MCAS to the design team.[19]

With the MCAS implemented, new test pilot Ed Wilson said the "MAX wasn't handling well when nearing stalls at low speeds" and recommended that MCAS apply across a broader range of flight conditions. This required the MCAS to function under normal G-forces and, at stalling speeds, deflect the vertical trim more rapidly and to a greater extent; however, it now reads a single AoA sensor.

The FAA did not conduct a safety analysis on the changes. It had already approved the previous version of MCAS, and the agency's rules did not require it to take a second look because the changes did not affect how the plane operated in extreme situations.[20]

Safety engineering and human factors

As with any other equipment on board an aircraft, the FAA approves a functional "design assurance level" corresponding to the consequences of a failure, using the SAE International standards ARP4754 and ARP4761. MCAS was designated a "hazardous failure" system. This classification corresponds to failures causing "a large reduction in safety margins" or "serious or fatal injury to a relatively small number of the occupants", but nothing "catastrophic".[21]

The MCAS was designed with the assumption, approved by the FAA, that pilots would react to an unexpected activation within three seconds.[1]

MCAS on the Boeing KC-46

MCAS exists in a different form on the Boeing KC-46 Pegasus, an aerial refueling tanker that is fundamentally a Boeing 767-2C. The system takes input from dual redundant angle of attack sensors; it will disengage with stick input by the pilot. The Air Force stated that "The KC-46 has protections that ensure pilot manual inputs have override priority" and that it "does not fly the models of aircraft involved in the recent accidents" and that it is "reviewing our procedures and training as part of our normal and ongoing review process."[22]

MCAS technology readiness

Boeing implemented the original version of MCAS on the KC-46 tanker, a plane derived from the Boeing 767. The tanker compares the data from both AoA sensors and allows pilots to retake control in the event of large differences; without cross-checking, the MAX flight control computer activates MCAS using just one AoA sensor. In addition, some familiar pilot actions for manually controlling the pitch on other 737 types do not deactivate the MCAS.[23][24]
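The contrast drawn above between acting on one AoA sensor and comparing both can be made concrete with an added example (not Boeing's or Collins Aerospace's code): a single-sensor activation gate beside a cross-checked gate with pilot override, run over constructed samples. The thresholds, type names and function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical limits chosen for this example; the page gives no real values. */
#define AOA_ACTIVATION_DEG 12.0 /* assumed "elevated angle of attack" */
#define AOA_DISAGREE_DEG    5.0 /* assumed max left/right difference  */

typedef struct {
    double aoa_left_deg, aoa_right_deg; /* the two AoA sensors */
    bool manual_flight, flaps_up;       /* activation conditions named on the page */
    bool pilot_column_aft;              /* pilot pulling back on the column */
} flight_sample;

typedef enum { GATE_IDLE, GATE_ACTIVATE, GATE_INHIBIT_DISAGREE,
               GATE_INHIBIT_PILOT } gate_result;
typedef gate_result (*gate_fn)(const flight_sample *);

/* NaN fails both comparisons, so a dead sensor is rejected as well. */
static bool plausible(double aoa_deg) { return aoa_deg >= -90.0 && aoa_deg <= 90.0; }

/* Single-sensor design: trusts one sensor, ignores the other and the pilot. */
static gate_result single_sensor_gate(const flight_sample *s) {
    if (s->manual_flight && s->flaps_up && s->aoa_left_deg >= AOA_ACTIVATION_DEG)
        return GATE_ACTIVATE;
    return GATE_IDLE;
}

/* Cross-checked design: both sensors must be plausible, agree with each
 * other and both read elevated; pilot column input takes priority. */
static gate_result cross_checked_gate(const flight_sample *s) {
    if (!s->manual_flight || !s->flaps_up)
        return GATE_IDLE;
    double diff = s->aoa_left_deg - s->aoa_right_deg;
    if (diff < 0) diff = -diff;
    if (!plausible(s->aoa_left_deg) || !plausible(s->aoa_right_deg) ||
        diff > AOA_DISAGREE_DEG)
        return GATE_INHIBIT_DISAGREE;
    double lower = s->aoa_left_deg < s->aoa_right_deg ? s->aoa_left_deg
                                                      : s->aoa_right_deg;
    if (lower < AOA_ACTIVATION_DEG)
        return GATE_IDLE;
    return s->pilot_column_aft ? GATE_INHIBIT_PILOT : GATE_ACTIVATE;
}

/* Number of samples in which the given gate would command nose-down trim. */
static size_t count_activations(const flight_sample *v, size_t n, gate_fn gate) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (gate(&v[i]) == GATE_ACTIVATE) hits++;
    return hits;
}

/* Constructed samples, not flight data. */
static const flight_sample CONSTRUCTED[] = {
    { 4.0,  4.5, true, true,  false}, /* normal climb                   */
    {22.0,  4.0, true, true,  false}, /* left sensor fails high         */
    {22.0,  4.0, true, true,  true }, /* fault persists, pilot pulls up */
    {14.0, 13.5, true, true,  false}, /* genuine elevated AoA           */
    {14.0, 13.5, true, true,  true }, /* genuine, pilot already pulling */
    {15.0, 15.0, true, false, false}, /* flaps extended: out of scope   */
};
#define N_SAMPLES (sizeof CONSTRUCTED / sizeof CONSTRUCTED[0])

int main(void) {
    printf("single-sensor activations: %zu\n",
           count_activations(CONSTRUCTED, N_SAMPLES, single_sensor_gate));
    printf("cross-checked activations: %zu\n",
           count_activations(CONSTRUCTED, N_SAMPLES, cross_checked_gate));
    return 0;
}
```

With the failed sensor, the single-sensor gate keeps commanding trim for as long as the bad reading persists, while the cross-checked gate reports a disagreement and stays inhibited.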

Boeing presented MCAS to the FAA as being existing technology, avoiding deeper scrutiny. The U.S. House Transportation and Infrastructure Committee provided all 43 of Boeing's presentation slides, in a document titled "MCAS Development and Certification Overview", at the request of the Seattle Times, which noted that MCAS was not evaluated as an individual system that was "new/novel on the MAX." The FAA is required to be closely involved in the testing and certification of any new and novel features on an aircraft.[25] Aerospace reporter Dominic Gates summarized: "The justification given was a doubtful comparison with the 767 tanker".

Just before entering certification, the functional requirements for MCAS were still changing. Boeing modified MCAS so that it intervened more strongly and at lower airspeeds than originally planned. "Inadvertently, the door was now opened to serious system misbehavior during the busy and stressful moments right after takeoff", said Jenkins of The Wall Street Journal.[26]

The JATR found the technology unprecedented: "If the FAA technical staff had been fully aware of the details of the MCAS function, the JATR team believes the agency likely would have required an issue paper for using the stabilizer in a way that it had not previously been used. MCAS used the stabilizer to change the column force feel, not trim the aircraft. This is a case of using the control surface in a new way that the regulations never accounted for and should have required an issue paper for further analysis by the FAA. If an issue paper had been required, the JATR team believes it likely would have identified the potential for the stabilizer to overpower the elevator."[4]

In November 2019, Jim Marko, a manager of aircraft integration and safety assessment at the National Aircraft Certification Branch of the aviation regulator Transport Canada, questioned the readiness of MCAS. Because new problems kept emerging, he suggested that his peers at the FAA, ANAC and EASA consider the safety benefits of removing MCAS from the MAX.[27]

Scrutiny

[Image: Altitude and speed of Lion Air Flight 610]

The MCAS has been under scrutiny following the fatal crashes of Lion Air Flight 610 and Ethiopian Airlines Flight 302 soon after takeoff. The Boeing 737 MAX global fleet has been grounded by all airlines and operators, and a number of functional issues have been raised.[28][29][30]

The use of a single AOA sensor at any one time creates a single point of failure and leads to the possibility that a single malfunctioning sensor could produce erroneous data, cause the MCAS system to pitch the nose downward and force the aircraft into a dive.[16][10]

The MCAS deflects the horizontal stabilizer four times farther than was stated in the initial safety analysis document.[28] Due to the amount of trim the system applies to the horizontal stabilizer, aerodynamic forces resist pilot control effort to raise the nose. As long as the faulty AOA readings persist, a human pilot "can quickly become exhausted trying to pull the column back".[17] In addition, switches for the horizontal stabilizer trim assist now serve a shared purpose of turning off the MCAS. In simulator sessions, pilots were stunned by the substantial effort needed to manually crank the trim wheel out of its nose down setting.[31][18][32]

Boeing and the FAA decided that the AOA display and an AOA disagree light, which signals if the sensors give different readings, were not critical features for safe operation.[33] Boeing charged extra for the addition of the AoA indicator to the primary display.[34][35] In November 2017, Boeing engineers discovered that the standard AoA disagree light cannot independently function without the optional AoA indicator software, affecting 80% of the global fleet which had not ordered the option.[36][37] The software remedy was scheduled to coincide with the rollout of the elongated 737 MAX 10 in 2020, only to be accelerated by the Lion Air accident. Furthermore, the problem had not been disclosed to the FAA until 13 months after the fact. Although it is unclear whether the indicator could have changed the outcome for the ill-fated flights, American Airlines said the disagree indicator provided the assurance in continued operations of the airplane. "As it turned out, that wasn't true."[38]

Boeing CEO Dennis Muilenburg has stated that there was "no surprise, or gap, or unknown here or something that somehow slipped through a certification process."[39] On April 29, 2019 he stated the design of the aircraft was not flawed and reiterated that it was designed per Boeing's standards.[40] In a May 29 interview with CBS, Boeing admitted that it had botched the software implementation and lamented the poor communications.[41]

On September 26, the National Transportation Safety Board criticized Boeing's inadequate testing of the 737 MAX, and pointed out that Boeing made erroneous assumptions about pilots' response to alerts in the 737 MAX, triggered by activation of MCAS due to a faulty signal from an angle-of-attack sensor.[42][43]

The Joint Authorities Technical Review (JATR), a team commissioned by the FAA for the 737 MAX investigation, concluded that the FAA failed to properly review MCAS. Boeing failed to provide adequate and updated technical information regarding the MCAS system to the FAA during the Boeing 737 MAX certification process, and had not carried out a thorough verification by stress-testing of the MCAS system.[6][44]

On October 18, Boeing turned over a discussion from 2016 between two employees which revealed prior issues with the MCAS system.[45]

Certification inquiry on 737 MAX

In early October, CEO Muilenburg said that Boeing's own test pilots had completed more than 700 flights with the MAX.[46] As of October 28, Boeing had conducted "over 800 test and production flights with the updated MCAS software, totaling more than 1,500 hours".[47]

Certification flight tests, because of the ongoing safety review, are unlikely before November.[48]

Boeing made "dry runs" of the certification test flights on October 17, 2019.[49]

In December 2019, The Air Current reported on pilots attempting the procedure with "inconsistent, confusing" results.[50]

The FAA has identified new risks of failure during thorough testing. As a result, Boeing will make the overall flight-control computer more redundant and both computers will operate on each flight instead of alternating between flights. The planes were said to be unlikely to resume operations until 2020.[51][52][53] On October 8, Boeing was fixing a flaw discovered in the redundant-computer architecture of the 737 MAX flight-control system.[54]

As of October 8, the FAA and the EASA were still reviewing changes to the MAX software, raising questions about the return to service forecast. The FAA will review Boeing's "final system description", which specifies the architecture of the flight control system and the changes that Boeing has made, and perform an "integrated system safety analysis"; the updated avionics will be assessed for pilot workload.[48] The FAA is specifically looking at six "non-normal" checklists that could be resequenced or changed. The assessment of these checklists with pilots could happen at the end of October, according to an optimistic forecast.[55]

Final simulator-based assessments are expected to start in November.[56] On October 22, FAA Administrator Steve Dickson said in a news conference that the agency has received the "final software load" and "complete system description" of revisions; several weeks of work are anticipated for certification activities.[57]

As of mid-November, Boeing still needed to complete an audit of its software documentation. A key certification test flight will follow the audit. In a memo and a video dated November 14, FAA's Steve Dickson instructed his staff to "take whatever time is needed" in their review, repeating that approval is "not guided by a calendar or schedule."[58][59]

On December 6, 2019, the FAA posted an updated Master minimum equipment list for the 737 MAX; in particular, both flight computers must be operational before flight, as they now compare each other's sensors prior to activating MCAS.[60]

Improvements

The updates proposed by Boeing focus mostly on MCAS software.[3] In particular, there have been no public statements regarding reverting the functionality of the stabilizer trim cutout switches to the pre-MAX configuration. A veteran software engineer and experienced pilot suggested that software changes may not be enough to counter the 737 MAX's engine placement.[61] The Seattle Times notes that while the new software fix Boeing has proposed "will likely prevent this situation recurring, if the preliminary investigation confirms that the Ethiopian pilots did cut off the automatic flight-control system, this is still a nightmarish outcome for Boeing and the FAA. It would suggest the emergency procedure laid out by Boeing and passed along by the FAA after the Lion Air crash is wholly inadequate and failed the Ethiopian flight crew."[62]

References

  1. "The inside story of MCAS: How Boeing's 737 MAX system gained power and lost safeguards". The Seattle Times. 2019-06-22. Retrieved 2019-06-24.
  2. Andy Pasztor; Andrew Tangel; Alison Sider (May 6, 2019). "Boeing Knew of Problem for a Year". Wall Street Journal. p. A1.
  3. "737 MAX SOFTWARE UPDATE". Boeing.
  4. Hart (2019). Boeing 737 MAX Flight Control System : Observations, Findings, and Recommendations (PDF). FAA.
  5. "FAA Updates on Boeing 737 MAX". www.faa.gov. Retrieved 2019-10-19.
  6. "FAA failed to properly review 737 MAX jet anti-stall system: JATR findings". Reuters. 2019-10-11. Retrieved 2019-10-11.
  7. Warwick, Graham (Mar 20, 2019). "The Boeing 737 MAX MCAS Explained". Aviation Week. Retrieved 2019-06-04.
  8. Zhang, Benjamin (29 April 2019). "Boeing's CEO explains why the company didn't tell 737 Max pilots about the software system that contributed to 2 fatal crashes". Business Insider.
  9. "14 CFR § 25.203 - Stall characteristics". LII / Legal Information Institute. Retrieved 2019-07-02.
  10. Ostrower, Jon (November 13, 2018). "What is the Boeing 737 Max Maneuvering Characteristics Augmentation System". The Air Current. Retrieved March 14, 2019.
  11. Bazley, Tarek (March 11, 2019). "Control system under scrutiny after Ethiopian Airlines crash". Al Jazeera.
  12. "Boeing's 737 Max design contains fingerprints of hundreds of suppliers". Washington Post. Retrieved 2019-06-04.
  13. "My Testimony Today Before the House Subcommittee on Aviation". Sully Sullenberger. 2019-06-19. Retrieved 2019-06-20.
  14. "Boeing Statement on Operations Manual Bulletin". Boeing. November 6, 2018. Retrieved 2 July 2019.
  15. "FAA Issues Emergency AD Against Boeing 737 Max 8". Flying. Retrieved 2019-07-02.
  16. Baker, Mike; Gates, Dominic (March 26, 2019). "Lack of redundancies on Boeing 737 MAX system baffles some involved in developing the jet". The Seattle Times.
  17. Travis, Gregory (April 18, 2019). "How the Boeing 737 Max Disaster Looks to a Software Developer". IEEE Spectrum.
  18. Mike Baker and Dominic Gates (May 10, 2019). "Boeing altered key switches in 737 MAX cockpit, limiting ability to shut off MCAS". The Seattle Times.
  19. Sider, Alison; Tangel, Andrew. "WSJ News Exclusive | Before 737 MAX, Boeing's Flight-Control System Included Key Safeguards". WSJ. Retrieved 2019-09-30.
  20. Nicas, Jack; Kitroeff, Natalie; Gelles, David; Glanz, James (2019-06-01). "Boeing Built Deadly Assumptions Into 737 Max, Blind to a Late Design Change". The New York Times. ISSN 0362-4331. Retrieved 2019-06-07.
  21. Campbell, Darryl (2019-05-02). "The many human errors that brought down the Boeing 737 Max". The Verge. Retrieved 2019-06-13.
  22. "USAF Reviewing Training After MAX 8 Crashes; KC-46 Uses Similar MCAS". www.airforcemag.com. Archived from the original on 2019-03-23. Retrieved 2019-03-23.
  23. Everstine, Brian; Tirpak, John A. (March 22, 2019). "USAF Reviewing Training After MAX 8 Crashes; KC-46 Uses Similar MCAS". Air Force Magazine. Archived from the original on 2019-03-23. Retrieved 2019-03-23.
  24. Sider, Alison; Tangel, Andrew. "Before 737 MAX, Boeing's Flight-Control System Included Key Safeguards". The Wall Street Journal. Retrieved 2019-09-30.
  25. "After Lion Air crash, Boeing doubled down on faulty 737 MAX assumptions". The Seattle Times. 2019-11-08. Retrieved 2019-11-09.
  26. Jenkins, Holman W. jr. (2019-11-05). "Boeing vs. Technological Chaos". The Wall Street Journal. Retrieved 2019-11-09.
  27. "Transport Canada safety official urges removal of MCAS from 737 Max". The Air Current. 2019-11-23. Retrieved 2019-11-24.
  28. Gates, Dominic (March 17, 2019). "Flawed analysis, failed oversight: How Boeing and FAA certified the suspect 737 MAX flight control system". The Seattle Times.
  29. Fehrm, Bjorn (2019-04-05). "Bjorn's Corner: ET302 crash report, the first analysis". Leeham News and Analysis.
  30. Gates, Dominic (October 29, 2019). "Live coverage: Boeing CEO Dennis Muilenburg testifies to Congress about 737 MAX". The Seattle Times.
  31. Bjorn, Fehrm (2019-04-03). "ET302 used the Cut-Out switches to stop MCAS". Leeham News and Analysis.
  32. Sean Broderick (May 10, 2019). "Ethiopian MAX Crash Simulator Scenario Stuns Pilots". Aviation Week Network.
  33. Freed, Jamie; Johnson, Eric (November 30, 2018). "Optional warning light could have aided Lion Air engineers before crash: experts". Reuters.
  34. Newburger, Emma (March 21, 2019). "Crashed jets reportedly lacked key safety features because Boeing charged extra for them". CNBC. Retrieved March 26, 2019.
  35. Tabucho, Hiroko; Gelles, David (March 21, 2019). "Doomed Boeing Jets Lacked 2 Safety Features That Company Sold Only as Extras". The New York Times. Retrieved March 21, 2019.
  36. Gelles, David; Kitroeff, Natalie (2019-05-05). "Boeing Believed a 737 Max Warning Light Was Standard. It Wasn't". The New York Times. ISSN 0362-4331. Retrieved 2019-05-11.
  37. "FAA considered grounding some Boeing 737 Max planes last year: source". news.yahoo.com. Retrieved 2019-05-11.
  38. Koenig, David; Krisher, Tom (2019-06-07). "Boeing wanted to wait 3 years to fix safety alert on 737 Max". AP NEWS. Retrieved 2019-06-11.
  39. Daniel McCoy (Apr 24, 2019). "Boeing CEO: Nothing slipped through in original 737 MAX certification". Wichita Business Journal.
  40. Dominic Gates (Apr 29, 2019). "Facing sharp questions, Boeing CEO refuses to admit flaws in 737 MAX design". Seattle Times.
  41. CBS News (May 29, 2019, 6:50 PM). "Boeing CEO says he would put his family in a 737 Max "without any hesitation"". www.cbsnews.com. Retrieved 2019-06-12.
  42. Kitroeff, Natalie (2019-09-26). "Boeing Underestimated Cockpit Chaos on 737 Max, N.T.S.B. Says". The New York Times. ISSN 0362-4331. Retrieved 2019-09-26.
  43. "Safety Recommendation Report: Assumptions Used in the Safety Assessment Process and the Effects of Multiple Alerts and Indications on Pilot Performance" (PDF). www.ntsb.gov. NTSB. 19 September 2019. Retrieved 2019-09-26.
  44. Gelles, David; Kitroeff, Natalie (2019-10-11). "Review of 737 Max Certification Finds Fault With Boeing and F.A.A." The New York Times. ISSN 0362-4331. Retrieved 2019-10-11.
  45. Laris, Michael (2019-10-18). "Messages show Boeing employees knew in 2016 of problems that turned deadly on the 737 Max". The Washington Post. Retrieved 2019-10-18.
  46. Cite error: The named reference EASA on proposed fixes was invoked but never defined.
  47. Muilenburg, Dennis (October 28, 2019). "Boeing CEO: We are taking actions to enhance the safety of the 737 Max". USA Today. Retrieved 2019-10-29.
  48. "Boeing 737 MAX timetable uncertain as regulators continue safety review". Reuters. 2019-10-08. Retrieved 2019-10-09.
  49. Norris, Guy; Broderick, Sean (Oct 23, 2019). "Boeing 737 MAX Dry Runs Underway". Aviation Daily. aviationweek.com. Retrieved 2019-10-24.
  50. "Pilot procedure confusion adds new complication to Boeing 737 Max return". The Air Current. 2019-12-12. Retrieved 2019-12-13.
  51. Pasztor, Andy (August 2, 2019). "737 MAX Safety Tests Covering Increasingly Remote Failure Risks". The Wall Street Journal. Retrieved August 7, 2019.
  52. Pasztor, Andy; Sider, Alison; Tangel, Andrew (July 14, 2019). "Boeing 737 MAX Grounding Could Stretch Into 2020". The Wall Street Journal. Retrieved August 7, 2019.
  53. Cite error: The named reference Seattle Times 20190801 was invoked but never defined.
  54. "Boeing 737 MAX timetable uncertain as regulators continue safety review". Reuters. 2019-10-09. Retrieved 2019-10-09.
  55. Cite error: The named reference :35 was invoked but never defined.
  56. Cite error: The named reference cnn.com was invoked but never defined.
  57. "Boeing has made progress on 737 MAX, but FAA needs weeks to review". Reuters. 2019-10-22. Retrieved 2019-10-23.
  58. Shepardson, David; Johnson, Eric M. (2019-11-15). "FAA administrator tells team to 'take whatever time needed' on 737 MAX: memo". Reuters.
  59. "FAA pushes back on "pressure" to return Boeing 737 Max to service". The Air Current. 2019-11-15. Retrieved 2019-11-15.
  60. "FAA Takes Big Step Towards 737 MAX Recertification". Simple Flying. 2019-12-07. Retrieved 2019-12-08.
  61. George Leopold (March 27, 2019). "Software Won't Fix Boeing's 'Faulty' Airframe". EE Times.
  62. "Why Boeing's emergency directions may have failed to save 737 MAX". The Seattle Times. 2019-04-03. Retrieved 2019-06-03.
