Boeing Redesigning Max Control System

26

Boeing is fundamentally redesigning the software architecture of the 737 MAX flight control system to take data from both of the system’s computers and to compare the data from the sensors feeding them. The existing system uses data from only one flight control computer and the second serves as a backup. In the new setup, both computers will be actively engaged in cross checking the performance of the aircraft’s various systems. The Seattle Times broke the story and said the major change is in response to a fault discovered by FAA test pilots which showed that small microprocessor faults could have disastrous effects in the MAX because of the newly added MCAS system.

The faults, which can be caused by cosmic rays hitting circuitry and randomly changing binary code from 0 to 1 or vice versa, are addressed by FAA certification standards but their effects were tested by FAA pilots in relation to the function of the MCAS by flipping five of the binary switches. Although the perfect storm of simulated failures would be an extremely rare occurrence in the air, the agency said it had to be addressed. “While it’s a theoretical failure mode that has never been known to occur, we cannot prove it can’t happen,” one of the Times’ sources said. “So we have to account for it in the design.” Double teaming the flight control computers mitigates that risk because each computer is constantly checking the performance of the other. If either detects a problem, neither will move of the flight controls and the aircraft will have to be flown manually.

Although the redesign of the system is a major project, Boeing still thinks it can be finished in time to have it evaluated by the FAA this fall. Most airlines that fly the MAX are skeptical of that optimism and have eliminated the MAX from their schedules until late in 2019 or early 2020.

Russ Niles
Russ Niles is Editor-in-Chief of AVweb. He has been a pilot for 30 years and joined AVweb 22 years ago. He and his wife Marni live in southern British Columbia where they also operate a small winery.

Other AVwebflash Articles

26 COMMENTS

    • It can happen to ANY circuitry that is not hardened sufficiently. My resume includes experience in this phenomenon.

  1. click-click, Auto pilot Auto throttle off. Now you are in charge. Two small switches aft of the power levers, either auto trim on or auto throttle off. First hint of trim run away, auto trim switches off, manually trim afterwards. Learn to fly the dam airplane not the computers!

      • The stabilizer trim is driven by an electrical actuator either by switches on pilots control wheel or from commands from Flight Control Computer. The switches you are referring to are labeled “STAB TRIM”. You have one switch labeled “PRI” other “B/U”. There is “NORMAL” position which enables the electric stabilizer trim function or “CUTOFF” which disables the electrical function of stab trim actuator. Either switch will interrupt power to stab trim actuator thus all trim inputs must be manually done by the pilots using the manual trim wheels on either side of the pedestal. There is no “Auto Trim” switches on the airplane.

    • So Boeing is changing the design to automatically disable the electric stabilator trim? According to preliminary reports, both the Lion Air, and Ethiopian Air pilots did that, but they were unable to manually adjust the trim because the forces were too great to overcome! I have been optimistic about Boeing’s ability overcome this. I am beginning to think they aren’t even paying attention! https://www.seattletimes.com/business/boeing-aerospace/boeings-emergency-procedure-for-737-max-may-have-failed-on-ethiopian-flight/

      • The “RUNAWAY TRIM” checklist is a very simple & very intuitive memory item checklist because it is immediate action. You don’t wait for the trim to run away, it must be stopped immediately. The 1st Lion Air incident occurred the night prior to the fatal crash, on the same airplane, after their maintenance had failed to correctly install a new AOA sensor. The crew was befuddled, but fortunately had a 737 pilot jump seat rider from another airline who told them what to do. They then flew 600 miles to destination using manual trim, with active stick shaker on capt. side the whole way, but failed to write it up on arrival! Next morning the new crew, unaware of the problem & with no jump seat rider, encountered the same stick shaker on take off, & also retracted the flaps. Why would any competent pilot retract flaps & thereby increase stall speed 30-40 kts at low altitude with an active stick shaker? This made MCAS active & the capt countered it more than 20 times with his electric thumb switch, but never used the cutout switches! He then turned control over to the 1st officer while he consulted the QRH! The 1st officer basically did nothing except utter a prayer to Allah & MCAS trimmed full nose down. Ethiopian, after 5 months of worldwide publicity, warnings from Boeing, & FAA AD, had an even worse “deer in the headlights reaction” & crashed even quicker. Let’s not lay all the blame on Boeing. Read the preliminary reports on these crashes. Third world airlines? Not me!

  2. I’m perplexed as well. Besides this being a perfect case of corporations losing their mission and vision, investor greedy pressures, unimaginable not-redundant systems on an airliner, long lag in responses from the company, arrogance at first, then humility (still to be determined), interference at the federal level, shaming FAA and Boeing practices, including airlines that buy into these systems, and now cosmic rays?

    I feel it’s a safe bet almost everyone here understands the potential of cosmic rays but to use as a potential excuse when those circuit boards should be hardened, redundant, and well documented and trained, especially when they operate at these altitudes is really a wild card to throw out to the public.

    Having said this and due to the cosmic rays today, which, by the way, happens to be a strong geomagnetic disturbance on this planet today: http://www.n3kl.org/sun/noaa.html I’m going to lock the doors and build a Faraday cage until grownups get back in charge 🙂

  3. What good is it if both FCS’s flight control computers are on-line…
    but receiving the same bad data from a duff sensor?
    It’s still up to the pilot to turn the damn thing off and fly the plane using eyeballs, hands and feet.

  4. If the plane climbs to a steep angle when full power is applied isn’t it likely that the new engines were installed at the wrong angle to the air-frame and wouldn’t the correction be to re-position the engines so the thrust is more in line with the aircraft? It would cost more but trying to cure it with computer doesn’t sound correct.

    • The angle of the engines is just fine. The MCAS was designed to mimic the pitch control “feel” of earlier 737 models, in an effort to avoid a level of model-specific pilot training.

    • Not defending MCAS, Raf; just explaining its origin and purpose.

      The MCAS case study does shine a bright light on the one-trick-pony nature of much aircraft “automation.” And the dark side of trying to stuff 5 pounds of sh*t into a 2-pound sack.

      Could Boeing have certificated the MAX without MCAS? IMWO, yes – albeit at the likely cost of requiring more training; worst case, even a new type rating.

      Coulda; woulda; shoulda. 20/20 hindsight. And piss poor design engineering. IMWO.

    • While I appreciate all of the chatter about the hypothetic NMA, the MCAS imbroglio is about HOW Boeing approached the MAX’s hand-flying characteristics – not about whether Boeing never should have designed and built the MAX.

      But I can see the coming best-seller: “A Stretch Too Far.”

  5. Its disappointing that AvWeb has such a misleading headline. The basic control system is unchanged. The changes are in the autopilot computer to the MCAS algorithm and some of the sensor signal processing ‘signal select, failure detect’ Gamma radiation is more a factor during high altitude flight….some of the Collins autopilots (like 747/757/767) constantly test dynamic memory for radiation problems and they are also triple-redundant systems CATIIIc auto-land capable. The late 737 series are not nor are they fly by wire so the extra level of redundancy was not part of the design. Pilots shouldn’t be flying the airplane in the flight envelope where the MCAS is triggered – the design fault is in the failed sensor detection/usage.

  6. Fans keep getting fatter. But gear legs are reticent to grow. Maybe somebody should run a sim of a 737-like vehicle with its fat engines mounted ABOVE the wings – a la the HondaJet – where there’s room for growth. For extra credit, add in thrust vectoring, just for the thrill of seeing what it would do for takeoff and landing lengths.
    One toke over the line…

LEAVE A REPLY