Re: Boeing 737 and 737 MAX software

[tranngocduong@gmail.com]

On Friday, April 19, 2019 at 5:04:54 AM UTC+7, Paul Rubin wrote:
> FWIW here's an article that just came out in IEEE Spectrum, by a
> programmer and private pilot pontificating about the 737 software and
> MCAS.  I don't have the impression that it's a good article from an
> paviation standpoint but don't know enough about the topic to be sure.
> 
> Anyway, here it is, since it has been getting some attention:
> 
> https://spectrum.ieee.org/aerospace/aviation/how-the-boeing-737-max-disaster-looks-to-a-software-developer

Thank you for introducing the article. 

I, too, am under similar impression. I think that the article may contain oversimplified or otherwise imprecise information. Nevertheless, I find it inspiring: it hepls me to come up with a theory which can explain many conflicting facts and viewpoints. (Example of conflicting facts, the general public believe MCAS is an anti-stall, i.e. critical, system, while Boeing insists it is a control-quality, i.e. non-critical, system.) 

I'm just trying to sort things up in my mind. I'm not intended to blame or to defend anyone.

1. The 737 has two, not only one, autopilots (AP1 and AP2). They work without any coordination, with the only exception that at most one can be active at a time. In particular, neither of them monitors or can override the other.

2. Technically, an autopilot can take input from a set of sensors on its side as well as a second set of sensors on the other side. However, as a design philosophy, to keep them as independent as possible, systematic effort was made to let them not to look at the other side's set of sensors unless it is absolutely necessary.

3. Each autopilot can detect sensor failures on its own side and manage to fly even in case of one or couple of simultaneous faulty sensors. It disengages if the number of faulty sensors go beyond of its ability.

4. For simplicity, the two autopilots are documented as "the autopilot" and there is only one button on either (captain or first-officer) side to engage/disengage one. The simplicity comes at certain inconvenience. For example, the captain can only activate AP1 while the first officer can only activate AP2, and the captain may fail but the first officer may succeed to activate "the autopilot".

5. On the 737 MAX, two anti-stall systems (AS1, AS2) were added, in the same design principle that there is no coordination between the four systems (AP1, AP2, AS1, AS2) except that at most one can be active at a time. Because AS1 and AS2 have authority to move control surfaces (such as the horizontal stabilizer), they're classified safety-critical.

6. Additionally on the MAX, "maneuvering characteristics" (MC), a control-quality tweaker, was added. The very purpose is to keep the control stick feeling exactly as it was on previous 737 generations. It changes the [artificial] control feeling by the classical mechanism: a "force generator" controlled by a "feel computer". It does not touch any control surface. Because of that, it is classified non-critical.

7. In order to save time, the MC and the ASs were submitted to certification, and were eventually certified, as a single system, under the umbrella name MCAS. The name Anti-Stall was changed to Augmentation System. The category was changed from safety-critical to non-critical.

8. Like AP1/AP2, AS1/AS2 is able to detect faulty AoA sensor on its side and terminate itself. However, a bug causes AS1/AS2 fail to do its job in certain cases, such as multiple sensor failures.

9. After the first accident, the FAA ordered to "fix the MCAS". After the second accident, it finds that the name "MCAS" not correct anymore and insists in resolving _two_ problems. Maybe MC and AS. Or AP and AS. And it insists in re-classifying the AS safety-critical. Although generally, that would be very hard to impossible, in this case that's no problem for Boeing: the AS was designed to be (1) safety-critical, and (2) separately of the AP, in the first place. Therefore, about 10 - 14 months (since the first accident) would suffice.