In the Boeing 737 MAX crisis we have extensive coverage from many affected stakeholders except the aeronautical engineers, who actually hold responsibility for every factor significant in the loss of 346 lives in the Lion Air 610 and Ethiopian 302 accidents:

  • Design of an unsafe (single-point-of-failure) augmentation system: the MCAS
  • Self-certification of the aircraft types through the FAA delegation policy, in a fast-forward manner
  • Angle-of-Attack (A-o-A) sensors with such a high probability of failing so early in their service life, a symptom of supply chain control or maintenance troubles
  • Inadequate response to the initial Lion Air accident, failing to raise awareness of the risk of continuing flights with the existing MCAS (in spite of a timely FAA warning that, on statistical grounds, a similar occurrence was expected within 10 months of the Lion Air accident)

Added to those, the FAA announced that it had recently discovered another weakness in the AFCS software, unrelated to the MCAS. This too may cause excessive pitch down under some exceptional circumstances and needs to be corrected.

As an aeronautical engineer specialized in avionics, I am very worried and would like to make some points from this side.

After the FAA grounded the 737 MAX, Boeing came up with a plan to fix the software, which made sense:

  • Limit the authority of MCAS from full stabilizer deflection down to, say, half, which would ensure that the human pilots keep control of the airplane in case the system is triggered inadvertently again[1]
  • Angle-of-Attack disagree module made available to all customers as standard
  • MCAS takes Angle-of-Attack information from both sensors and is inhibited if they disagree by 5.5° or more
  • Training of pilots on the MCAS

The first two points imply software updates only and they seem straightforward to implement in a commensurate amount of time. They should have been ready many months ago.

The third one also seems a simple software update issue. The data packs from both A-o-A sensors flow through the data buses of the aircraft and can be routed in such a way that the MCAS uses both A-o-A indications to decide. For some surprising and unobvious reason, this is not so. Boeing insiders claim the 737 MAX architecture does not allow both sensors to be used in the control loop, so the architecture itself needs an overhaul. I cannot imagine an architecture preventing a piece of software from fetching significant data packs from a data bus, since there is one data bus common to both the port and starboard sides of the aircraft (in fact there are two buses, for redundancy, but both are common to both sides). This technical issue is beyond the extent of my imagination, and I hope someone from inside (Boeing or Collins) will explain it more clearly. Moreover, if this architecture schizophrenia is real, how come the A-o-A disagree function operates at all?

This third issue alone is the probable cause of such a long 737 MAX grounding. If the architecture needs to be rethought, this is a time bomb: it could take a long time to design, implement, test, and certify.

Besides these MCAS-related problems, it seems that two other issues came up to add uncertainty:

  • The above-mentioned glitch found in the AFCS software, which could also cause unwanted pitch-down movements
  • The initial objections by the FAA regarding the rudder cable layout, which could cause loss of control in case of an uncontained engine failure

This latter objection of the FAA back in 2017 was ignored by Boeing at the time, 6 months behind in the catch-up game with the Airbus A320Neo. Now the objection has resurfaced, and according to the new FAA Administrator there is plenty of time to fix everything, since there is no time limit on the 737 MAX grounding. Technically, the rudder cable problem is much harder to fix than the other software or even hardware issues. Is there a real risk with the 737 MAX rudder cables? Or was it just excessive prudence from the regulators back in 2017, now just pouring gas on the fire? If someone had asked this question before the Southwest 3472 uncontained engine failure in 2016, maybe my answer would have been different. In the meantime we also had Southwest 1380 in 2018, a strikingly similar uncontained engine failure affecting another 737 NG. We also have to bear in mind that the 14% cut in fuel consumption of the new LEAP-1 737 MAX engine is pushing the envelope even further. As low as it is, the risk of an uncontained engine failure was not reduced in the LEAP-1 as compared to the CFM-56. If this low risk could compromise the lateral controllability of the airplane, it needs to be mitigated.

Returning to MCAS, I will try to solve a mystery. Since Boeing announced that they will limit the authority of MCAS, how is it going to cope with genuine high Angle-of-Attack situations? What justified such a forceful reaction of MCAS initially? Another mystery of the MCAS design is the 10 seconds on – 5 seconds off logic, using aerodynamic feedback only, from a single A-o-A sensor. If one moves the horizontal stabilizer of a 737 fully downwards (and this is acknowledged by the stabilizer pitch angle sensor feedback) and the aerodynamic feedback (A-o-A sensor) gives nothing, not the slightest nose down, what scenario could justify the 10-5 algorithm? Why repeat this action in a loop, since the only explanation of such a behaviour is a faulty A-o-A sensor? Why completely disregard the aircraft pitch angle of −40° while trying to avoid an extremely high angle of attack? Why is the pitch angle not part of the aerodynamic feedback, as it is in the autopilot design? Too many questions here that I wish I could answer for my students.
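As an added illustration (not from the original post and not Boeing's code), here is a toy simulation of the trigger logic questioned above and of the fix list given earlier: the single-vane 10 s on / 5 s off loop, the same loop with only the authority cap applied, and the announced two-vane design that stands down on a 5.5° disagreement. The 10/5 cycle, the 5.5° limit and the half-authority cap come from the post; the trigger angle, trim rate and stabilizer travel figures are assumed demo values, not real 737 MAX parameters.

```python
"""Toy model of the MCAS trigger logic as the post describes it: the original
single-vane 10 s on / 5 s off loop beside the announced fix (both AoA vanes,
stand down on a 5.5 deg disagreement, authority capped at half travel).
Added illustration, not Boeing's code; values marked "assumed" are demo only."""
from dataclasses import dataclass

AOA_TRIGGER_DEG = 12.0      # assumed: AoA above which MCAS commands nose down
DISAGREE_LIMIT_DEG = 5.5    # from the fix: inhibit if the two vanes disagree this much
FULL_TRAVEL_DEG = 4.7       # assumed: stabilizer travel the original MCAS could use
TRIM_RATE_DEG_PER_S = 0.27  # assumed: stabilizer movement per second while active
ON_S, OFF_S = 10, 5         # the 10 s on / 5 s off cycle quoted in the post

@dataclass
class Mcas:
    use_both_vanes: bool      # False reproduces the original single-vane logic
    authority_limit: float    # most nose-down stabilizer MCAS may accumulate
    stab: float = 0.0         # accumulated nose-down stabilizer, degrees
    active: bool = False      # inside a 10 s trim-down phase?
    phase_t: int = OFF_S      # seconds in the current phase (pause counted as elapsed)
    inhibited: bool = False   # latched once the vanes are seen disagreeing

    def step(self, aoa_left: float, aoa_right: float) -> float:
        """Advance one second with the two vane readings; return stabilizer position."""
        if self.use_both_vanes and abs(aoa_left - aoa_right) >= DISAGREE_LIMIT_DEG:
            self.inhibited = True
        if self.inhibited:
            return self.stab
        aoa = (aoa_left + aoa_right) / 2 if self.use_both_vanes else aoa_left
        self.phase_t += 1
        if self.active:
            self.stab = min(self.authority_limit, self.stab + TRIM_RATE_DEG_PER_S)
            if self.phase_t >= ON_S:             # 10 s of trim-down done: pause...
                self.active, self.phase_t = False, 0
        elif self.phase_t >= OFF_S and aoa > AOA_TRIGGER_DEG:
            self.active, self.phase_t = True, 0  # ...then re-arm while AoA still reads high
        return self.stab

def run(ctrl: Mcas, left: list, right: list) -> float:
    # Feed one reading pair per second; return the final stabilizer position.
    for l, r in zip(left, right):
        ctrl.step(l, r)
    return ctrl.stab

# Constructed 60 s scenario like a stuck-vane event: left reads 22 deg, right 3 deg.
STUCK_LEFT, NORMAL_RIGHT = [22.0] * 60, [3.0] * 60

def original_design(left=STUCK_LEFT, right=NORMAL_RIGHT) -> float:
    return run(Mcas(use_both_vanes=False, authority_limit=FULL_TRAVEL_DEG), left, right)

def fixed_design(left=STUCK_LEFT, right=NORMAL_RIGHT) -> float:
    return run(Mcas(use_both_vanes=True, authority_limit=FULL_TRAVEL_DEG / 2), left, right)
```

With the stuck left vane, the original logic walks the stabilizer to full travel cycle after cycle, the capped single-vane variant stops at half travel, and the two-vane design never engages; with both vanes genuinely reading 15°, the fixed design still trims nose down, up to its cap.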

Regarding the excessive authority of the initial MCAS design, our picture shows what happened when the larger diameter engines were fitted under the wings of the 737 MAX. The engines were moved a bit forward with respect to the wing, and their geometric centre was placed slightly lower. Some sources even say it was placed slightly higher! This contradiction can be explained: the larger diameter engine appears to be higher at the intake and on the ground (due to the extension of the landing gear by 0.4 m), but the geometric centre of the engine is approximately 4% lower relative to the aircraft centre of gravity. We are comparing the 737 MAX family with the previous 737 NG family, which did not require MCAS or an equivalent of MCAS. MCAS was supposed to compensate for the pitch-up effect of the 737 MAX at high-angle-of-attack attitudes. Why does this pitch-up effect appear on the 737 MAX?

In the first place, if the engines were higher, the nose-up moment of the thrust force would have been lower than on the 737 NG. So forget it: the engine centre is 4% lower, but 4% is not such a scary change. What about mounting the engines further to the front? What does it do to the nose-up moment of the thrust force? Well, nothing. The moment of a force is the force multiplied by the perpendicular distance from the centre of gravity to the line of action of the force. Since the thrust line stays at the same height, moving the engines fore or aft does not change the moment. So geometry does not really explain the necessity of MCAS. What then?

Contrary to most sources (including my own article Legendary Safety of Boeing 737 Family, where I superficially adopted the general current of opinion), it is not the engine geometry that justified the MCAS solution. There are two other factors which push the nose up when throttling up from a high-angle-of-attack situation:

  • Larger thrust of the 737 MAX engines (roughly 10% more)
  • Larger engine nacelles, producing extra aerodynamic lift Le at high angle of attack (and here the forward mounting of the engines does come into play, since the lift force is perpendicular to the wing, so its moment arm grows with forward placement)

The pitch-up moment Mtheta from thrust is strictly T×d and thus is not directly influenced by fore-aft movement of the engines. Also, I have to disappoint the Internet experts who claim that in high Angle-of-Attack situations the engines push a lot of air and exhaust gas down and that is why the aircraft pitches up more. T×d for the 737 MAX is not greater than 1.1×1.04 ≈ 1.14 times the moment for the 737 NG. Adding the extra lift of the larger engine nacelles, the pitch-up moment does not look like more than 17% higher than on the unprotected 737 NG. Thus, I can hardly find any justification for the disproportionate authority that the initial MCAS was designed with. A large-margin design is not good design practice in aerospace engineering. Excessive structural resilience or excessive actuating forces do not indicate good engineering practice in aerospace, in contrast to other fields of engineering. Aerospace is on the edge, so doing too much of a good thing hurts someone.

Regarding the blame attributed to the pilots in both accidents, we should make it very clear once and for all that in both accidents the pilots were not to blame. Blaming the pilots was a mistake. It is very easy to understand what the pilots went through in both accidents by following YouTube demonstrations in flight simulators[2].

Another issue is that MCAS marks the end of the era of Boeing airplanes as pilots' airplanes. Airbus has had the Fly-By-Wire philosophy since the 1980s, so basically flying the aircraft is the job of robots who decide what to do. Human pilots just tell the robots what they want, but they have no veto over the robots. The Perpignan A320 accident is the story of a bad decision by the robots, while the excellent human pilots on board that aircraft could only watch the disaster unfold, since they could not take over from the suicidal robots. To do them justice, the robots were misled by two simultaneously faulty A-o-A sensors (in agreement), which had jammed after the airplane was incorrectly washed with pressurised water before the flight. The cause of the Perpignan accident was a fatal mistake made by the personnel on the ground, prior to the flight.

By nature, the Boeing 737 is different. Pilots can veto any automated system in all 737 families, except on the 737 MAX, with the robot called MCAS. When this robot takes over, it could kill everyone without any way for the human pilots to intervene. This is yet another unexpected feature for experienced Boeing pilots. A Boeing 737 pilot is in control of the airplane, and if a function is delegated to an automated system, it can be cut off in case anything goes wrong, unlike for the Airbus pilot. The MCAS philosophy violates this principle. Of course, if Airbus has been violating this principle and flying successfully for the past 30 years, why would Boeing not be allowed to, just a bit?

With the MCAS design now openly explained, Boeing pilots understand that they have a fellow robot in the cockpit who can take control. Sadly, this robot cannot be stopped if it goes out of its mind. The robot points to the ground for 10 seconds, releases pressure for 5 seconds and repeats. Airbus pilots know they have these beasts on board, have got used to them, and 30 years of safe operation have raised their confidence in the reliability of their robots. Perhaps too much so, because when Airbus pilots are deprived of the robots' functions, they sometimes unexpectedly fail at manual control (AFR 447, AirAsia 8501). This phenomenon is called overreliance on automation. Boeing pilots, however, are entitled to their sovereignty in the cockpit; this is fundamental to their flying culture.

MCAS is not only a robot that failed twice due to a faulty sensor; it is an overturning of an aircraft control philosophy. This raises a worrying question: how could the FAA agree to extend an airworthiness type certificate issued in 1967 for the Boeing 737-100 and 737-200 all the way to the 737 MAX, given that the 737 MAX embodies a revolutionary flight control philosophy? This was not explained to the pilots (in fact not even to the FAA, as it turns out), making the issue of fixing the MCAS even more problematic.

In our opinion, an FBW aircraft requires a separate certification process, even when it is aerodynamically identical to a classic aircraft. Also, a non-FBW aircraft which includes at least one augmentation system that takes over and cannot be switched off, such as the MCAS, becomes a de facto FBW aircraft. This species could be called Sometimes-Fly-By-Wire (SFBW). Whatever the name, the presence on board of an automated decision maker totally changes the processes and the culture in the cockpit. Boeing 737 pilots were not prepared for that change.

In conclusion, the situation of Boeing 737 MAX is less bright than expected. My previous piece on the subject demonstrates excessive optimism in hindsight. As always, things are more complex than they appear.

One lesson that I take from this is that avionics engineers should be aerospace engineers and not electronics / computer engineers or, even worse, software programmers. These people need to understand fully how and why an aircraft flies and what all the possible consequences of their software and hardware design and malfunctions are. They should be educated in the cult of absolute responsibility and in the spirit of low-margin aerospace engineering. They should understand human pilots, and even more than that, they should fly airplanes themselves. Without being a pilot, at least occasionally, one will never make a good avionics engineer or aeronautical engineer. (For practical reasons, astronautics engineering is exempt.)

Aerospace engineering has shifted its centre of gravity over the years from mechanical engineering into electrical engineering (while still spanning both). Aerospace engineering schools have to adapt to this reality, instead of leaving computer engineering schools to fill the gap. The reason for that is explained in another piece of mine (3DEXPERIENCE: The New French Revolution).

The certification process of a new aircraft type should be taken very seriously. The FAA, EASA and other national authorities have a major responsibility to the flying public; otherwise confidence in air travel wears thin, in spite of the exceptional efforts toward superb safety performance that this industry is capable of. My opinion is that EASA should have been particularly proactive when the 737 MAX was cutting certification corners. EASA should watch the FAA and vice versa; they should back each other up. Apart from grounding the plane two days earlier, EASA did not do much on the 737 MAX. While I can understand the delegation principle and the FAA's motivation to promote US aircraft types, EASA should be motivated differently, and thus provide some balance. EASA issued its certificate for the 737 MAX types on 27 March 2017, only 19 days after the FAA. Was this rush really necessary?

[1] “MCAS can never command more stabilizer input than can be counteracted by the flight crew pulling back on the column. The pilots will continue to always have the ability to override MCAS and manually control the airplane.” from Boeing 737 MAX Updates published by Boeing

[2] https://www.youtube.com/watch?v=OxPsxmU_ocI
