IEEE Spectrum on Possible Software Involvement in Two Recent Airliner Crashes

(This article is a modified version of one which appeared in the ACM Risks Forum Digest, Issue 31.21)

Gregory Travis published an article in IEEE Spectrum on 2019-04-18 on the involvement of the MCAS software on Boeing 737 MAX aircraft in two recent crashes, Lion Air flight 610 and Ethiopian Airlines flight 302. The article is available on the IEEE Spectrum WWW site (site registration is required).

The article has recently been commended by Bruce Schneier in his Crypto-Gram newsletter and blog and by John Naughton in The Observer newspaper (in the section “What I’m reading”).

Travis has written a readable, but unfortunately technically misleading, article on the accidents to Boeing 737 MAX 8 aircraft and the involvement of the MCAS software in those accidents. The purpose of this note is solely to point out some technically misleading parts of Travis’s article and correct them.

Travis suggests that MCAS was devised to inhibit a tendency to stall in certain flight regimes. As far as I know, this is incorrect. Boeing has said in public that MCAS is not “anti-stall SW”. For example, Flight International’s test pilot Mike Gerzanics operates the type for a “major carrier” and says in the very first sentence of his Flightglobal article on the preliminary report of the accident to Ethiopian Airlines Flight ET-302 that “the 737 Max family’s Maneuvering Characteristics Augmentation System (MCAS) is not a ‘stall-prevention’ or ‘safety’ feature”.

I understand the situation as follows. MCAS was devised to fulfill an airworthiness certification condition in 14 CFR 25.173 and 14 CFR 25.175. In high angle-of-attack (AoA) flight configuration, it is required that stick force/g (the stick force necessary to produce (hold) an incremental normal acceleration of 1g) and stick movement/g (ditto mutatis mutandis) must increase (or at least not decrease) with an increase in AoA (thanks to Clive Leyman for this formulation). I understand that in flight test, in which “wind-up turns” were conducted (a turn with increasing angle of bank; an increasing angle of bank means ceteris paribus increasing AoA), this condition was not fulfilled. MCAS was devised to ensure its fulfillment.

The reason this characteristic is different in this flight regime from previous 737 models apparently concerns the engine nacelles, which produce lift at high AoA, and apparently the lift they produce as AoA increases means that the stick force/g decreases.

Travis suggests that the geometry of the engines means there is a greater tendency for the 737 MAX to pitch up on power application than on previous versions of the 737. I haven’t seen a good argument that this is the case. Indeed, there is reason to think it might well be lower than on previous 737 models. The “pitch up” is related to the torque generated about the centre of lift (on the underside of the wing) by the engines. The centerline of the engines is, I think, closer to the underside of the wing than it was in previous models (I don’t have a figure), so the “lever arm” (technical term) from the centre of thrust to the centre of lift (on the wing) may well be reduced. Engines of the previous generation of 737 were the CFM 56-7 series, which had 89-120kN of thrust, depending on the precise model. The CFM LEAP-1B engines on the MAX have 130kN of thrust (from Wikipedia). 120kN to 130kN is not a big increase – the shorter lever arm may well make the pitch-up torque less than it was on previous models with 120kN-thrust engines during power increase (Travis: “propensity to pitch up with power application“). Travis connects this “propensity” with a “tendency to stall“; this “tendency” might in fact be reduced on the 737 MAX.

Travis says the “nacelles cause the 737 Max at a high angle of attack to go to a higher angle of attack“. As far as I know, this is not the case. He is correct to call such a phenomenon “dynamic instability” but the 737 MAX, like all other passenger transports, is not dynamically unstable. It is dynamically stable.

Travis suggests that MCAS is “a cheap way to prevent a stall when the pilots punch it“. This is manifestly not the intended purpose of MCAS.

Travis also suggests that in modern transport aircraft there often are “no actual mechanical connections” between control-command systems available to the pilots and the control surfaces. In the 737, all such connections are mechanical — cables and hydraulics — with the exception of the spoilers (see http://www.b737.org.uk/max-spoilers.htm). This argument is a red herring here.

Travis suggests AoA sensors are unreliable: “…particular angle of attack sensor goes haywire — which happens all the time”. It does not happen “all the time”, or even very often. Peter Lemme writes: “Reliability of the AoA sensor was evaluated over a 4-6 year period, with a mean time between unscheduled removals of 93,000 hours. A typical airframe is modeled at about 100,000 hours, so the AoA vane typically lasts nearly the lifetime of the airplane.”

Travis writes that there are “…several other instruments that can be used to determine things like angle of attack, such as the pitot tubes, the artificial horizons, etc.” I don’t see how pitot tubes can be used to sense AoA. Pitot tubes measure dynamic air pressure, which, along with static ports to measure static air pressure, is used to determine airspeed (usually so-called “indicated airspeed”, IAS). When the pitot is not directly in line with the flow of air around the aircraft, say when the aircraft is at a high AoA, errors can be induced into IAS; AoA acts as a corrective input to pitot/static sensing, rather than the other way around. Artificial horizons are display instruments, not sensors; I see no way they can be used to sense AoA.

One astonishingly misleading statement from Travis reads as follows: “In a pinch, a human pilot could just look out the window to confirm, visually and directly, that, no, the aircraft is not pitched up dangerously. That is the ultimate check.” No, it is not the ‘ultimate check’. Travis seems to be confusing AoA with pitch angle/attitude. This is something which pilots from the beginning of their training are expressly taught not to do. AoA is the angle which the aircraft makes with the airstream over the wings, and is invisible. Pitch angle/attitude is the angle which the aircraft makes with the earth below, and is (somewhat) visible, as indicated by Travis.

The reason for this early emphasis on not confusing pitch angle with AoA is as follows. There are general aviation accidents in the landing pattern, often when pilots are turning on to their final approach, lined up with the runway, from their “base leg”, which is at right angles to final (see the diagrams in the Wikipedia reference). Pilots can misjudge the turn and “overshoot”, that is, reach their line-up to the left of the runway centreline (when flying base from the right of the runway), resp. to the right of the centreline (when flying base from the left). Pilots realising they might overshoot might be tempted to turn more steeply, which increases AoA and can lead to a stall. Recovering from a stall, especially an unanticipated stall, often takes more altitude than the airplane has when turning base-to-final, and the result is that the airplane augers in. It still happens, still too often (for example, an accident to a Cirrus aircraft in Bielefeld, where I live, in 2010).

Travis writes “It is astounding that no one who wrote the MCAS software for the 737 Max seems even to have raised the possibility of using multiple inputs.” Quite why he thinks this is any responsibility of the software engineers is unclear. It is not. It is the responsibility of the control engineers who designed the system and the safety engineers who performed the safety analysis.

The safety engineers will have performed a Failure Mode and Effects Analysis, FMEA, which consists in listing all the possible failures you can think of, and determining their effects on the flight situation. They will then have classified those effects according to their severity as none, “minor”, “major”, “hazardous” and “catastrophic” (these all have explicit definitions in FAA AC 25.1309-1A). According to unverified information I received from a usually-reliable source, the effect was classified as “major” in level flight and “hazardous” in turns.

We now know after two accidents in level flight that this classification, if indeed it was as reported, is inappropriate. A further issue, to which I do not know the answer, is whether the analysis was performed on the STS system as a whole, or MCAS separately. The manufacturer and regulator classify MCAS as a function of the STS: “Pitch stability augmentation is provided by the MCAS function of STS”, (Flight Standardisation Board Report, Draft 17).

This is all specialist analysis which is generally not performed by software engineers (although the best software engineers are aware of how to perform such analyses). It does not follow from any of this that software engineering was somehow responsible for the outcome.

In this context, Travis repeats his assertion that the Boeing 737 MAX is “dynamically unstable“. I say again: it is not. I don’t think any dynamically unstable aircraft could be certified according to 14 CFR 25.

One last comment, on a small aircraft this time. Travis suggests that “the Lycoming O-360 engine in my Cessna has pistons the size of dinner plates”. The cylinder bore for O-360 engines (I flew one for 12 years) is 13cm (see the Wikipedia article). My dinner plates, small as they are, have a diameter of 21cm. My espresso saucers are 12.5cm. I commend Travis’s nourishment discipline, but suggest it does not easily generalise. (For what it is worth, I had understood the bore and stroke were designed for a low compression ratio; it is only 8.5 to 1. The reason for a low compression ratio is reliability, not efficiency. You don’t ever want your single engine to go out on you while in flight. Some do, of course. Picking out the best field for landing and approaching it well is an essential part of the biennial currency flight with an instructor.)
