Certification process for the 737 MAX silent gradual pusher system

A reader was kind enough to send me “Flawed analysis, failed oversight: How Boeing and FAA certified the suspect 737 MAX flight control system” (Seattle Times), which gives some more detail on how the world’s first “silent gradual pusher” system was unleashed on airline passengers and crew. (See https://philip.greenspun.com/blog/2018/11/11/boeing-737-crash-is-first-mass-killing-by-software/ for my description of how the conventional stick pusher works; it requires two sensors to agree before it will activate and the pushing is readily apparent to the pilots; disabling the pusher in a simple turboprop aircraft is as simple as pushing a button on the yoke).

The Seattle Times article describes the delegation process by which an employee of Boeing can actually do a lot of the work that members of the public imagine FAA employees would be doing. Boeing is an “Organization Designation Authorization” holder (“ODA”). A Boeing employee puts on an FAA hat periodically and checks work done by fellow Boeing employees.

Putting government workers in the critical path for engineering improvements slows things down so much that safety ends up being compromised. And having people pay designated or delegated authorities cuts the cost to taxpayers. But I wonder if it is time to say that certification scrutiny should be done by an independent private engineering team, not by engineers employed by the manufacturer.

6 thoughts on “Certification process for the 737 MAX silent gradual pusher system

  1. This is the first time I’ve understood how the MCAS system works with unlimited authority over the stabilizer, as well as the (%$*##*%#@!) fact that it will continue to kick in until the stabilizer goes to full travel! I’m not a pilot, an aeronautical engineer, an avionics engineer, a human factors engineer, a certification authority or anything – but my goodness – how could anyone build a system acting on such a large and important control surface, tie it to a single sensor and software that runs without announcing itself, and then not train the crew: “Yes, this thing can move the stabilizer all the way, by itself, and it will do that if you keep…” It just sounds crazy.

    I wonder if this has anything to do with the fact that so many of our modern military jets are aerodynamically unstable without their flight control systems, which therefore *need* to have full authority over the control surfaces? Now I keep thinking of the 2008 B2 bomber crash.

    https://en.wikipedia.org/wiki/2008_Andersen_Air_Force_Base_B-2_accident

    “The findings of the investigation stated that the B-2 crashed after “heavy, lashing rains” caused moisture to enter skin-flush air-data sensors. The data from the sensors are used to calculate numerous factors including airspeed and altitude. Because three pressure transducers had been improperly calibrated by the maintenance crew due to condensation inside devices, the flight-control computers calculated inaccurate aircraft angle of attack and airspeed. Incorrect airspeed data on cockpit displays led to the aircraft rotating at 12 knots slower than indicated. After the wheels lifted from the runway, which caused the flight control system to switch to different control laws, the erroneously sensed negative angle of attack caused the computers to inject a sudden, 1.6‑g, uncommanded 30-degree pitch-up maneuver. “

    • Copying established pusher designs would have been reasonable. As Alex points out above, it is plainly crazy to have a system that can drive the trim to full “nose down” and not have a voice annunciation for the pilots (a TI Speak & Spell from the 1978 would have been sufficient technology; if we multiply the cost by 100 for aviation that’s still only $2,000). Operating off a single mechanical sensor is also an obvious huge risk.

      The second AOA sensor that lights up a “sensor disagree” warning seems like a terrible design decision. Why set the pilots up for runaway trim and give them another blinking light in the cockpit? We have decades of experience proving that blinking lights in the cockpit are not especially helpful. Why not have the software be smart enough to integrate the two sensors and not operate the frantic trim system unless the two sensors agree? (as with the Pilatus PC-12 pusher).

  2. As just a dumb CFII and embedded systems dev, I’ll try to embarrass myself by suggesting that copying a stick pusher would not achieve the stick force per g certification objective.

    The problem with the engine installation appears to be a reduction in static pitch stability and the attendant reduction in stick forces at high AoA. The lower stick force leads to a tendency for non test pilots to over pitch the airplane and stall. MCAS adds pitch down trim to increase the stick force per g felt by the pilot.

    As a pilot, yea, I agree the aircraft should not be working hard to sucker me into a fatal mistake. But, then, that’s what training is for. If the trim wheel is whirling around, and the stick forces are getting worse, maybe the trim cutouts should be pulled. I *am* supposed to know where those things are in my airplane.

    As far as the intermittent MCAS trim activation not having the same signature as some other stuck trim fault — what about a simple intermittent trim wiring fault? That could present the same way.

    So fine, it is a design problem. But, do I feel safe flying in cattle class behind pilots who can’t handle an unusual runaway trim issue? Not one bit. And fixing MCAS perfectly will not fix that problem.

    The MAX product is a cost reduction exercise — more efficient engines. Is there any surprise they tried hard to control other life cycle costs? They made a mistake.

    Every software dev looks at every other software dev’s code, and says, “that’s crap” and “that’s crazy” until such time as the design requirements, organization politics, and other relevant factors become clear. And then it’s “oh, I see.” Let’s not be too quick to judge.

    People are still slogging around in the clag guided by sclerotic KX-170Bs largely because the certification expenses drive replacement avionics cost to ridiculous levels. So does more certification burden actually result in enhanced safety?

    • As a pilot, yea, I agree the aircraft should not be working hard to sucker me into a fatal mistake. But, then, that’s what training is for.

      Training is good, but not having your aircraft designed in a way that it is trying to kill you so that they can save a few bucks is even better.

      They made a mistake.

      No, no, no – a mistake is when the annunciator voice speaks in Spanish instead of English or something. When you kill hundreds of people in order to save a buck, it’s called a crime, not a mistake.

      Every software dev looks at every other software dev’s code, and says, “that’s crap”

      Sometimes because it really is crap, even taking all factors into account. It’s one thing when crap code causes my Angry Birds game to crash, another when a real aircraft crashes.

      So does more certification burden actually result in enhanced safety?

      Yes. Maybe it’s not worth it in most cases but when you are talking about hundreds of dead people, you can justify a LOT of burden.

  3. The Seattle Times article is by far the best overall summary and in depth investigation of the MAX MCAS system that I have read (so far).

    Numerous pieces of the puzzle have been floating around for some time (along with some erroneous assumptions), but this pulls all the pieces together.

    It is good to have a single factually correct reference, and mainstream media are already starting to refer to this, rather than their ‘aviation experts’.

Comments are closed.