Engineer's take on the 737 MAX design

Status
Not open for further replies.

GreatLakesFlying

With at least two more threads on the 737 MAX here, why am I starting a new one? Because the article I am about to post is more about the engineering culture at Boeing than about the two accidents.

I have a lot of respect for the IEEE and its flagship magazine IEEE Spectrum, where the article was published. Though I am an engineer and a pilot, I do not have sufficient aviation and engineering experience to tell how correct the article is. But it is a very well written article and it does a great job presenting complex issues to the general public.

I am looking forward to reading your thoughts about this article. Fair warning for the TL/DR brethren: the following article has about 5700 words. Click anywhere on the text below to read the full article on the IEEE Spectrum online edition (free access/no paywall/no registration). I did a quick search on the forums here and I don't believe anyone has posted this yet.


 
Great article! The most alarming issue is the complete lack of physical response the pilots would feel when this system kicked in! That’s really scary!

I also found it fascinating that Boeing could not get the engines to become any bigger without them getting too close to the ground! That seems to me like kind of a huge deal because if this current airframe is not basically maxed out in terms of expandability it seems like the company could have reached a point of no return when it comes to expanding this line. That could be enormous for the future of the company!
 
Great article! The most alarming issue is the complete lack of physical response the pilots would feel when this system kicked in! That’s really scary!

I also found it fascinating that Boeing could not get the engines to become any bigger without them getting too close to the ground! That seems to me like kind of a huge deal because if this current airframe is not basically maxed out in terms of expandability it seems like the company could have reached a point of no return when it comes to expanding this line. That could be enormous for the future of the company!
Like the B-52, the 737 is flying way beyond its projected expiry date.
As the desire for less noise and lower fuel burn turned into an absolute demand, turbofan engines evolved with larger fans and smaller (relatively) cores. The 737 was designed in the late turbojet / early turbofan era; look at any picture of a legacy 727 or 737 to see the toothpick engines. Note also the flattened area on the bottoms of the nacelles on modern 737s. And the relatively short gear, and relatively flat dihedral. Ain't no room at the inn, so the engines were shoved forward, and still barely fit.
 
Great article! The most alarming issue is the complete lack of physical response the pilots would feel when this system kicked in! That’s really scary!

I agree, this is surprisingly well written, especially to a lay audience.

To your comment, I'll note Airbus aircraft have behaved without physical feedback for decades. Whether you prefer Boeing or Airbus, the stats say they're both very safe design philosophies when done right. The thing about the Airbus design: you know there's no feedback. You're trained that there's no feedback. A pilot will not be looking for it. In the same way an instrument pilot learns to stop trusting their senses like a visual pilot and rely on the instruments, an Airbus pilot learns to do the same with physical feedback. But just like you can't stick a VFR pilot into the clouds and hope for a good outcome, you can't stick a Boeing pilot into that design philosophy and expect them to react properly. It takes training, and it's clear that just wasn't happening.
 
The author's criticism of the MAX design is summed up in three points:

Boeing produced a dynamically unstable airframe, the 737 Max. That is big strike No. 1. Boeing then tried to mask the 737’s dynamic instability with a software system. Big strike No. 2. Finally, the software relied on systems known for their propensity to fail (angle-of-attack indicators) and did not appear to include even rudimentary provisions to cross-check the outputs of the angle-of-attack sensor against other sensors, or even the other angle-of-attack sensor. Big strike No. 3.

I wholeheartedly agree with his third point: some failure modes of the MCAS are hazardous and require redesign. But I strongly disagree with the first two criticisms.

Balancing the opposing characteristics of maneuverability and stability is at the heart of what aircraft designers do. Practically every aircraft ever built has some kind of "artificial feel" built into it. Springs, bob-weights, anti-servo tabs, stall strips, vortex generators ... heck, even the trim system(s) itself are all attempts to compensate for some underlying feature of the design and to improve the "feel" of the aircraft to the pilot. There's nothing unprecedented about using "clever" control system fixes to compensate for low stability* in some parts of an aircraft's flight envelope.

If the author is specifically criticizing the use of computers/software to implement such fixes, that's misplaced concern as well. Just like mechanical systems have to be designed with the necessary strength and reliability to do their jobs, a computer-controlled system must be designed with sufficient robustness to do what it's there for, without introducing other risks (such as what's happened with the 737 MAX).



* The author describes the re-engining effect on the aircraft's "dynamic stability". The MCAS is actually there to compensate for a static stability problem. That misunderstanding doesn't affect the author's fundamental point, though.
 
Balancing the opposing characteristics of maneuverability and stability is at the heart of what aircraft designers do. Practically every aircraft ever built has some kind of "artificial feel" built into it. Springs, bob-weights, anti-servo tabs, stall strips, vortex generators ... heck, even the trim system(s) itself are all attempts to compensate for some underlying feature of the design and to improve the "feel" of the aircraft to the pilot. There's nothing unprecedented about using "clever" control system fixes to compensate for low stability* in some parts of an aircraft's flight envelope.

If the author is specifically criticizing the use of computers/software to implement such fixes, that's misplaced concern as well. Just like mechanical systems have to be designed with the necessary strength and reliability to do their jobs, a computer-controlled system must be designed with sufficient robustness to do what it's there for, without introducing other risks (such as what's happened with the 737 MAX).

I tend to agree with you there, but I believe there was a nuance in the criticism of the software in aircraft. Granted I'm guessing at the author's intent, but I believe he was mostly criticizing the certification of the software, not the actual use of software. Note that he doesn't denigrate the envelope protection of his Garmin A/P (I assume a GFC500). I have to agree: somehow the certification process produced a piece of software with a single point of failure against a failure mode that can cause loss of control of the aircraft. Admittedly, the sentence in that block doesn't really convey that nuance, but the rest of the article seems to have it.

Disclosure: I myself am also a software engineer.
 

My understanding of the issue is that due to the engines being below the CG an increase in thrust pitches the nose up. My understanding is that the MCAS system just tried to eliminate this pitching motion. The Lake Amphibian and Seawind 3000 have similar effects, but in the opposite direction. This is a huge difference from the instability designed into modern military aircraft for better handling. Some of those airframes may not be able to be flown without the system active. The 737 should be fine without the system if the pilots are paying attention.

* The author describes the re-engining effect on the aircraft's "dynamic stability". The MCAS is actually there to compensate for a static stability problem. That misunderstanding doesn't affect the author's fundamental point, though.

If my understanding of the MCAS system and problem (above) is true (it may not be), I would be hesitant to believe the rest of the author's arguments. That being said, point #3 still seems valid.
 
The author is a software engineer which explains a lot but not when it comes to being an aeronautical engineer. I also would not say it is an unstable aircraft in all flight regimes.
With all aircraft there is a give and take.
 
So why can't they just redesign the forward fuselage and inboard wing section to provide room for taller gear? They designed this thing in a matter of months in mid 60s and now 8000+ planes with workarounds to the short gear later they're still using it?
 
So why can't they just redesign the forward fuselage and inboard wing section to provide room for taller gear?
Because then the MAX wouldn't be considered a variant of the original Type Certificate and would require a new TC probably to the tune of $350M+ and several years of testing.
 
Because then the MAX wouldn't be considered a variant of the original Type Certificate and would require a new TC probably to the tune of $350M+ and several years of testing.

They changed the wing significantly on the -700, still no new TC?
 
The article is very well written, but the author is a bugsmasher pilot and some variety of software developer. There is no indication that he has any qualifications at all to make the various sweeping generalizations and leaps to conclusions that he offers. He may be right, he may be wrong, but Spectrum is doing a disservice by implicitly legitimizing him, disclaimer notwithstanding.
 
The article is very well written, but the author is a bugsmasher pilot and some variety of software developer. There is no indication that he has any qualifications at all to make the various sweeping generalizations and leaps to conclusions that he offers. He may be right, he may be wrong, but Spectrum is doing a disservice by implicitly legitimizing him, disclaimer notwithstanding.


The government won't certify a car engine that can't run when a single sensor is giving bad data but the FAA gave a pass to an airplane that won't fly when a single sensor is giving bad outputs. Oh but aviation is different.
 
With at least two more threads on the 737 MAX here, why am I starting a new one? Because the article I am about to post is more about the engineering culture at Boeing than about the two accidents.

I have a lot of respect for the IEEE and its flagship magazine IEEE Spectrum, where the article was published. Though I am an engineer and a pilot, I do not have sufficient aviation and engineering experience to tell how correct the article is. But it is a very well written article and it does a great job presenting complex issues to the general public.

I am looking forward to reading your thoughts about this article. Fair warning for the TL/DR brethren: the following article has about 5700 words. Click anywhere on the text below to read the full article on the IEEE Spectrum online edition (free access/no paywall/no registration). I did a quick search on the forums here and I don't believe anyone has posted this yet.


So what does this software developer think of every Airbus ever made?
 
Very interesting read. I would be curious to see the results of Boeing's software acceptance testing criteria and results. Then the integration testing etc.
 
I've asked this question before on another board, and I'll ask it again. And I don't know the answer.

Google is failing me. I distinctly remember reading articles about fuel trim systems that shift weight backwards on some commercial airliners to take advantage of more efficient operation at aft CG. It was my understanding that this system only kicked in at cruise, and the plane could not be hand flown as it was too unstable. Questions:

1. Anybody know anything about that?

2. Is it fair to say that the 737 Max aircraft are operated at close to the aft CG limit to gain efficiency, and that is the reason for instability, or is it something else? The pitch up tendency of the engines stated in the article?
 
My understanding of the issue is that due to the engines being below the CG an increase in thrust pitches the nose up. My understanding is that the MCAS system just tried to eliminate this pitching motion.
The problem that MCAS was designed to solve is that the pitch "feel" is too light in some very high AoA situations. This comes from the higher residual thrust of the Leap engine and more aerodynamic pitch-up moment from the larger engine nacelles and nacelle positioning (at very high AoA). MCAS adds a nose-down bias through the introduction of nose-down trim.

Numerous reports have incorrectly said that MCAS is a stall prevention, or stall recovery, system. It is a Maneuvering Characteristics Augmentation System and would not be expected to activate during any normal flight conditions.

So why can't they just redesign the forward fuselage and inboard wing section to provide room for taller gear?
There is no room. The main gear retract inward and there is no extra room for longer gear. That is why Boeing has designed a telescoping gear system for the upcoming 737-10 MAX which will be 66" longer than the current 737-900 and 737-9 MAX.

 
1. Anybody know anything about that?
The MD-11 used "relaxed stability" in the way that you describe and it is relatively aggressive with it. I think Concorde did the same with tail trim tanks. I'm not sure what other airplanes use it.

Is it fair to say that the 737 Max aircraft are operated at close to the aft CG limit to gain efficiency, and that is the reason for instability, or is it something else? The pitch up tendency of the engines stated in the article?
No. That has nothing to do with it. I also disagree with the term instability. The 737 is not unstable. See my post above.

All airlines try to bias their loading programs toward aft-CG so as to improve efficiency.
 
They changed the wing significantly on the -700, still no new TC?
New wing foils, engines, cabin stretches, gross weight increases can all fit into a variant upgrade protocol provided the main structure is retained. As mentioned above there is no room to put the required components into the existing main structure. Once an OEM starts redesigning the "backbone" of an aircraft then they stray into new TC territory. Is the 737 design at its design limits? I think so. But as stated multiple times the MCAS addition had nothing to do with the basic design of the MAX. It only was added because the flight control feedback forces in extreme attitudes at the edge of its certified flight envelope did not meet the requirements of a specific FAA Part 25 rule. It was not added because a pilot could not control the aircraft within that same certified flight envelope.
 
The article is very well written, but the author is a bugsmasher pilot and some variety of software developer. There is no indication that he has any qualifications at all to make the various sweeping generalizations and leaps to conclusions that he offers. He may be right, he may be wrong, but Spectrum is doing a disservice by implicitly legitimizing him, disclaimer notwithstanding.

Ad hominem. Not really a valid argument.
 
I've asked this question before on another board, and I'll ask it again. And I don't know the answer.

Google is failing me. I distinctly remember reading articles about fuel trim systems that shift weight backwards on some commercial airliners to take advantage of more efficient operation at aft CG. It was my understanding that this system only kicked in at cruise, and the plane could not be hand flown as it was too unstable. Questions:

1. Anybody know anything about that?

2. Is it fair to say that the 737 Max aircraft are operated at close to the aft CG limit to gain efficiency, and that is the reason for instability, or is it something else? The pitch up tendency of the engines stated in the article?

The A300 does that. Starts sending fuel to the tail tanks when climbing through 10k if I remember correctly. System works well and yes you can still hand fly it just fine.
 
Ad hominem. Not really a valid argument.
Really? Observing that he has no qualifications is ad hominem? We should ignore the qualifications of an author when evaluating the credibility of his statements? Not in my world. Maybe in yours?
 
Ad hominem. Not really a valid argument.

Certainly logically true that the qualifications of the author themselves do not necessarily mean that the analysis is flawed. And, for those that understand the subject material, it should not really be a consideration. But for people attempting to evaluate the validity of the work of someone else in a field outside of their own expertise, the qualifications of the author may certainly be a reasonable consideration in determining whom to trust.
 
Certainly logically true that the qualifications of the author themselves do not necessarily mean that the analysis is flawed. And, for those that understand the subject material, it should not really be a consideration. But for people attempting to evaluate the validity of the work of someone else in a field outside of their own expertise, the qualifications of the author may certainly be a reasonable consideration in determining whom to trust.

Agree. But the response was from someone claiming to be savvier than the author, which I suppose I should have been more explicit about.

The author is absolutely qualified on the subject of software systems. As am I, with 27 years of experience, including 13 years of experience on fault-tolerant systems promising and achieving six nines over years. I find the arguments around that credible, both from his experience and from his argument. MCAS choosing to rely on a single sensor and having the ability to make the aircraft uncontrollable is an unfathomable sin.

The parts about the aerodynamics and stability are less credible. His basic engineering facts, except for the debate on whether to call it dynamic or static stability, appear solid. However, the risk tolerance and acceptable engineering choices for that in aerodynamics are a little suspect. I don't have the background to determine where things land on that.

But it doesn't matter. Though he spends time on it, it's not actually relevant to the argument around the software. The software exists, and the reason for it isn't actually important. It's now clear that a wholly predictable failure mode around a failed AoA sensor was able to cause loss of control.

It's not useful to circle the wagons around Boeing here. They screwed up. MCAS violated several principles around good software craftsmanship, especially where it relates to human life. We study those screw-ups in ComSci classes. This will become another case study. Calling out and understanding the mistakes is the way forward to not repeating this and the way forward to Boeing clawing its way back from this PR disaster.
 
...The author is absolutely qualified on the subject of software systems...MCAS choosing to rely on a single sensor and having the ability to make the aircraft uncontrollable is an unfathomable sin...

Yea but we already knew that and none of us are software engineers.
 
Why would you say that?

Just re-read your post and it didn't imply it as strongly as my first impression took it to be. I should have cross-referenced my impression against what you actually wrote before I responded. Apologies.

So, I'll be more specific in my inquiry: Which sweeping generalization or leap did you find in the article that undermined for you the basic argument?

I'll admit bias. His take on this, particularly the software certification aspect, matches my own view that I'd developed for myself. That's not too surprising: we share a software engineering background, so not too surprising we came to the same conclusion. Confirmation bias is definitely possible. I downgraded the argument around the aerodynamic considerations as a result of reading some comments here and elsewhere. Still at the level of concern, but I don't see those aspects as necessarily fatal engineering choices.

That's when I realized it doesn't matter to the argument. The aerodynamic stuff is a red herring, in my view. It makes for an engaging story that is needed to pull the lay reader along. It connects the dots, by explaining the why of MCAS. But it doesn't matter, at the end of the day. Why MCAS exists is far less important than the fact that it does exist. If it's going to exist as a piece of software, it needs to follow the sorts of processes that should surround life-critical engineering. Several hundred people dead says that didn't happen.

There are lots of links in the chain of these accidents. The software is not the only one. It just feels like one that should not have remained whole. Sometimes the links are out of anyone's control. This one wasn't. There's culpability around the fact that this chain link wasn't broken.
 
... The author is absolutely qualified on the subject of software systems. ...
Really? " ... at the age of 13, he wrote Note, one of the first social media platforms ... "

It looks to me like you are more qualified than he is.

... As am I, with 27 years of experience, including 13 years of experience on fault-tolerant systems promising and achieving six nines over years. ...
 
For what it's worth, he's a pilot. Greg Travis was one of the major lights of the early USENET days, with the aviation groups there.

Ron Wanttaja

Do you have a link to his LinkedIn profile, by chance?
 
... Which sweeping generalization or leap did you find in the article that undermined for you the basic argument? ...
What I said was "He may be right, he may be wrong ... "

Decades of managing large terrestrial and space-based technology projects has taught me the lesson that it is foolish to listen to someone's technical opinions without first determining the qualifications of the speaker. There are legions of what we used to call "viewgraph engineers," now "PowerPoint" engineers who have made successful careers out of being bulls#hit artists. Filtering these guys out is a critical skill in the technology business, but I am sure you already know that.
 
What I said was "He may be right, he may be wrong ... "

Decades of managing large terrestrial and space-based technology projects has taught me the lesson that it is foolish to listen to someone's technical opinions without first determining the qualifications of the speaker. There are legions of what we used to call "viewgraph engineers," now "PowerPoint" engineers who have made successful careers out of being bulls#hit artists. Filtering these guys out is a critical skill in the technology business, but I am sure you already know that.

If you're an engineer, why the doubt? The arguments made around the software seem especially sound.
 
If you're an engineer, why the doubt? The arguments made around the software seem especially sound.
The viewgraph engineers always sound convincing, but I have all of them reflexively on automatic "ignore." Life is too short to search for possible gold in s#itpiles even though once in a while it exists.

Regarding the thesis that it was ultimate stupidity for a single-point failure to have that effect on the airplane, of course. But none of us actually know whether that was the case or whether there was some other more complex chain of events that occurred. Whatever happened the result was preventable disaster, but I'll wait for authoritative information (like an NTSB report) before I get too spun up by what are effectively hypotheticals. Right now we mostly have press ignoramuses voraciously feeding at a trough that contains very few facts but lots of detritus contributed by said ignoramuses and being recycled by them.

It is good to remember what H. L. Mencken told us in 1917: "Explanations exist; they have existed for all time; there is always a well-known solution to every human problem — neat, plausible, and wrong."
 
Ad hominem. Not really a valid argument.

It's always valid to question the qualifications of someone offering a professional opinion, particularly when that person is opining on a subject with important factors peripherally related to his area of expertise, as is the case in this instance.
 
Do you have a link to his LinkedIn profile, by chance?
Sorry, haven't heard from him for ~20 years. Oddly enough, I have received recent contact from a couple of other USENET people from around that period.

Ron Wanttaja
 
:p I gotta say it: This guy looks like a PowerPoint engineer to me. A near-complete compendium of buzz words, lots of activities listed but few if any accomplishments, ... Technical Education: 30 YO undergraduate History degree. Patents: none Technical Publications: none.

If this resume came to me in a pile, it would have a quick trip to the wastebasket.

But to give some credit ... if the Spectrum article is a fair sample, he's a decent writer. That's a valuable skill for a PowerPoint engineer.
 