Maneuvering Characteristics Augmentation System
The Maneuvering Characteristics Augmentation System (MCAS) is a flight control law first deployed on the Boeing KC-46 Air Force tanker, where it "moves the stabilizer in a wind-up turn". MCAS adjusts the horizontal stabilizer trim to push the nose down when the aircraft is operating in manual flight, with flaps up, at an elevated angle of attack, so the pilot will not inadvertently pull the airplane up too steeply, potentially causing a stall. Contrary to descriptions in news reports, however, Boeing claims that MCAS is not an anti-stall system.
On the Boeing 737 MAX, MCAS was intended to mimic pitching behavior similar to aircraft in the previous generation of the series, the Boeing 737 NG. MCAS was activated by input from only one of the airplane's two angle of attack sensors, making the system susceptible to a single point of failure. It could not be instinctively disabled by pulling on the control yoke. During aircraft certification, Boeing removed a description of MCAS from the MAX flight manuals, leaving pilots unaware of the system when the airplane entered service.
On November 10, 2018, Boeing publicly revealed MCAS in a discussion with airline operators and other aviation interests twelve days after Lion Air Flight 610 crashed. Yet, a recovery procedure highlighted by Boeing and the FAA failed to prevent the crash of Ethiopian Airlines Flight 302, which led to the global grounding of all 737 MAX aircraft pending investigations and software fixes.
In April 2019, Boeing admitted that MCAS played a role in both accidents. The investigations identified numerous defects with associated systems, including an AoA disagree message that should have prevented MCAS activation. The Wall Street Journal reported that Boeing failed to share information about that issue for "about a year" before the Lion Air crash in Indonesia.
MCAS on the 737 MAX
The flight control law was implemented on the 737 MAX to mitigate the aircraft's tendency to pitch up because of the aerodynamic effect of its larger, heavier, and more powerful CFM LEAP-1B engines and nacelles. The stated goal of MCAS, according to Boeing, was to provide consistent aircraft handling characteristics at elevated angles of attack in certain unusual flight conditions only and hence make the 737 MAX perform similarly to its immediate predecessor, the 737NG.
MCAS's role in the accidents
Investigators determined that MCAS was triggered by falsely high angle of attack inputs, as if the plane had pitched up excessively. On both flights, shortly after takeoff, MCAS repeatedly actuated the horizontal stabilizer trim motor to push down the airplane nose. Satellite data for the flights, ET 302 and JT 610, showed that the planes struggled to gain altitude. Pilots reported difficulty controlling the airplane and asked to return to the airport.
On March 11, 2019, after China had grounded the aircraft, Boeing published some details of new system requirements for the MCAS software and for the cockpit displays, which it began implementing in the wake of the prior accident five months earlier:
- If the two AOA sensors disagree with the flaps retracted, MCAS will not activate and an indicator will alert the pilots.
- If MCAS is activated in non-normal conditions, it will only "provide one input for each elevated AOA event."
- Flight crew will be able to counteract MCAS by pulling back on the column.
On April 4, 2019 Boeing publicly acknowledged that MCAS played a role in both accidents.
Purpose of MCAS and the stabilizer trim system
The FAA and Boeing both refuted media reports describing MCAS as an anti-stall system, which Boeing asserted it is distinctly not. The aircraft had to perform well in a low-speed stall test. The "considers that the STS/MCAS and elevator feel shift functions could be considered as stall identification systems or stall protection systems, depending on the natural stall characteristics of the aircraft".
The JATR said, "MCAS used the stabilizer to change the column force feel, not trim the aircraft. This is a case of using the control surface in a new way that the regulations never accounted for and should have required an issue paper for further analysis by the FAA. If the FAA technical staff had been fully aware of the details of the MCAS function, the JATR team believes the agency likely would have required an issue paper for using the stabilizer in a way that it had not previously been used; this identified the potential for the stabilizer to overpower the elevator."
Description
Background
The Maneuvering Characteristics Augmentation System is a flight control law built into the Boeing 737 MAX's flight control computer, designed to help the aircraft emulate the handling characteristics of the earlier Boeing 737 Next Generation. According to an international Civil Aviation Authorities team review commissioned by the FAA, MCAS may be a stall identification or protection system, depending on the natural stall characteristics of the aircraft. Boeing considered MCAS part of the flight control system, and elected to not describe it in the flight manual or in training materials, based on the fundamental design philosophy of retaining commonality with the 737NG. Minimizing the functional differences between the Boeing 737 MAX and Next Generation aircraft variants allowed both variants to share the same type rating. Thus, airlines can save money by employing and training one pool of pilots to fly both variants of the Boeing 737 interchangeably.
When activated, MCAS directly engages the horizontal stabilizer, and is thus distinct from an anti-stall device such as a stick pusher, which physically moves the pilot's control column forward and engages the airplane's elevators when the airplane is approaching a stall.
Boeing's former CEO Dennis Muilenburg said " has been reported or described as an anti-stall system, which it is not. It's a system that's designed to provide handling qualities for the pilot that meet pilot preferences."
The 737 MAX's larger CFM LEAP-1B engines are fitted further forward and higher up than in previous models. The aerodynamic effect of its nacelles contributes to the aircraft's tendency to pitch up at high angles of attack. MCAS is intended to compensate in such cases, modeling the pitching behavior of previous models, and to meet a certain certification requirement, in order to enhance handling characteristics and thus minimize the need for significant pilot retraining.
The software code for the MCAS function and the computer for executing the software are built to Boeing's specifications by Collins Aerospace, formerly Rockwell Collins.
As an automated corrective measure, the MCAS was given full authority to bring the aircraft nose down, and could not be overridden by pilot resistance against the control wheel as on previous versions of the 737. Following the Lion Air accident, Boeing issued an Operations Manual Bulletin on November 6, 2019 to outline the many indications and effects resulting from erroneous AOA data and provided instructions to turn off the motorized trim system for the remainder of the flight, and trim manually instead. Until Boeing supplemented the manuals and training, pilots were unaware of the existence of MCAS due to its omission from the crew manual and no coverage in training. Boeing first publicly named and revealed the existence of MCAS on the 737 MAX in a message to airline operators and other aviation interests on November 10, 2018, twelve days after the Lion Air crash.
Safety engineering and human factors
As with any other equipment on board an aircraft, the FAA approves a functional "design assurance level" corresponding to the consequences of a failure, using the SAE International standards ARP4754 and ARP4761. MCAS was designated a "hazardous failure" system. This classification corresponds to failures causing "a large reduction in safety margins" or "serious or fatal injury to a relatively small number of the occupants", but nothing "catastrophic".
The MCAS was designed with the assumption, approved by FAA, that pilots would react to an unexpected activation within three seconds.
MCAS technology readiness
The MCAS design parameters originally envisioned automated corrective actions to be taken in cases of high AoA and G-forces beyond normal flight conditions. Test pilots routinely push aircraft to such extremes, as the FAA requires airplanes to perform as expected. Before the MCAS, test pilot Ray Craig determined the plane did not fly smoothly, in part due to the larger engines. Craig would have preferred an aerodynamic solution, but Boeing decided to implement a control law in software.
According to a news report from the Wall Street Journal, engineers who had worked on the KC-46A Pegasus tanker, which includes an MCAS function, suggested MCAS to the design team.
With the MCAS implemented, new test pilot Ed Wilson said the "MAX wasn't handling well when nearing stalls at low speeds" and recommended that MCAS apply across a broader range of flight conditions. This required the MCAS to function under normal G-forces and, at stalling speeds, deflect the vertical trim more rapidly and to a greater extent, but now it reads a single AoA sensor, creating a single point of failure that allowed false data to trigger MCAS to pitch the nose downward and force the aircraft into a dive. "Inadvertently, the door was now opened to serious system misbehavior during the busy and stressful moments right after takeoff", said Jenkins of The Wall Street Journal.
The FAA did not conduct a safety analysis on the changes. It had already approved the previous version of MCAS, and the agency's rules did not require it to take a second look because the changes did not affect how the plane operated in extreme situations.
The Joint Authorities Technical Review found the technology unprecedented: "If the FAA technical staff had been fully aware of the details of the MCAS function, the JATR team believes the agency likely would have required an issue paper for using the stabilizer in a way that it had not previously been used. MCAS used the stabilizer to change the column force feel, not trim the aircraft. This is a case of using the control surface in a new way that the regulations never accounted for and should have required an issue paper for further analysis by the FAA. If an issue paper had been required, the JATR team believes it likely would have identified the potential for the stabilizer to overpower the elevator."
In November 2019, Jim Marko, a manager of aircraft integration and safety assessment at Transport Canada aviation regulator's National Aircraft Certification Branch, questioned the readiness of MCAS. Because new problems kept emerging, he suggested that his peers at FAA, ANAC and EASA consider the safety benefits of removing MCAS from the MAX.
Scrutiny
The MCAS has been under scrutiny following the fatal crashes of Lion Air Flight 610 and Ethiopian Airlines Flight 302 soon after takeoff. The Boeing 737 MAX global fleet has been grounded by all airlines and operators, and a number of functional issues have been raised.
The MCAS deflects the horizontal stabilizer four times farther than was stated in the initial safety analysis document. Due to the amount of trim the system applies to the horizontal stabilizer, aerodynamic forces resist pilot control effort to raise the nose. As long as the faulty AOA readings persist, a human pilot "can quickly become exhausted trying to pull the column back". In addition, switches for the horizontal stabilizer trim assist now serve a shared purpose of turning off the MCAS. In simulator sessions, pilots were stunned by the substantial effort needed to manually crank the trim wheel out of its nose down setting.
Boeing CEO Dennis Muilenburg has stated that there was "no surprise, or gap, or unknown here or something that somehow slipped through a certification process." On April 29, 2019 he stated the design of the aircraft was not flawed and reiterated that it was designed per Boeing's standards. In a May 29 interview with CBS, Boeing admitted that it had botched the software implementation and lamented the poor communications.
On September 26, the National Transportation Safety Board criticized Boeing’s inadequate testing of the 737 MAX, and pointed out that Boeing made erroneous assumptions on pilots’ response to alerts in 737 MAX, triggered by activation of MCAS due to a faulty signal from an angle-of-attack sensor.
The Joint Authorities Technical Review, a team commissioned by the FAA for 737 MAX investigation, concluded that FAA failed to properly review MCAS. Boeing failed to provide adequate and updated technical information regarding the MCAS system to FAA during Boeing 737 Max certification process, and had not carried out a thorough verification by stress-testing of the MCAS system.
On October 18, Boeing turned over a discussion from 2016 between two employees which revealed prior issues with the MCAS system.
NTSB
On September 26, 2019, the NTSB released the results of its review of potential lapses in the design and approval of the 737 MAX. The NTSB report concludes that assumptions "that Boeing used in its functional hazard assessment of uncommanded MCAS function for the 737 MAX did not adequately consider and account for the impact that multiple flight deck alerts and indications could have on pilots' responses to the hazard". When Boeing induced a stabilizer trim input that simulated the stabilizer moving consistent with the MCAS function, "... the specific failure modes that could lead to unintended MCAS activation were not simulated as part of these functional hazard assessment validation tests. As a result, additional flight deck effects resulting from the same underlying failure were not simulated and were not in the stabilizer trim safety assessment report reviewed by the NTSB."
The NTSB questioned the long-held industry and FAA practice of assuming the nearly instantaneous responses of highly trained test pilots as opposed to pilots of all levels of experience to verify human factors in aircraft safety. The NTSB expressed concerns that the process used to evaluate the original design needs improvement because that process is still in use to certify current and future aircraft and system designs. The FAA could for example randomly sample pools from the worldwide pilot community to get a more representative assessment of cockpit situations.
Supporting systems
The updates proposed by Boeing focus mostly on MCAS software. In particular, there have been no public statements regarding reverting the functionality of the stabilizer trim cutout switches to pre-MAX configuration. A veteran software engineer and experienced pilot suggested that software changes may not be enough to counter the 737 MAX's engine placement. The Seattle Times notes that while the new software fix Boeing has proposed "will likely prevent this situation recurring, if the preliminary investigation confirms that the Ethiopian pilots did cut off the automatic flight-control system, this is still a nightmarish outcome for Boeing and the FAA. It would suggest the emergency procedure laid out by Boeing and passed along by the FAA after the Lion Air crash is wholly inadequate and failed the Ethiopian flight crew."
Boeing and the FAA decided that the AOA display and an AOA disagree light, which signals if the sensors give different readings, were not critical features for safe operation. Boeing charged extra for the addition of the AoA indicator to the primary display. In November 2017, Boeing engineers discovered that the standard AoA disagree light cannot independently function without the optional AoA indicator software, a problem affecting 80% of the global fleet which had not ordered the option. The software remedy was scheduled to coincide with the roll out of the elongated 737 MAX 10 in 2020, only to be accelerated by the Lion Air accident. Furthermore, the problem had not been disclosed to the FAA until 13 months after the fact. Although it is unclear whether the indicator could have changed the outcome for the ill-fated flights, American Airlines said the disagree indicator provided the assurance in continued operations of the airplane. "As it turned out, that wasn't true."
Runaway stabilizer and manual trim
In February 2016, the EASA certified the MAX with the expectation that pilot procedures and training would clearly explain unusual situations in which the seldom used manual trim wheel would be required to trim the plane, i.e. adjust the angle of the nose; however, the original flight manual did not mention those situations. The EASA certification document referred to simulations whereby the electric thumb switches were ineffective to properly trim the MAX under certain conditions. The EASA document said that after flight testing, because the thumb switches could not always control trim on their own, the FAA was concerned by whether the 737 MAX system complied with regulations. The American Airlines flight manual contains a similar notice regarding the thumb switches but does not specify conditions where the manual wheel may be needed.
Boeing's CEO Muilenburg, when asked about the non-disclosure of MCAS, cited the "runaway stabilizer trim" procedure as part of the training manual. He added that Boeing's bulletin pointed to that existing flight procedure. Boeing views the "runaway stabilizer trim" checklist as a memory item for pilots. Mike Sinnett, vice president and general manager for the Boeing New Mid-Market Airplane since July 2019, repeatedly described the procedure as a "memory item". However, some airlines view it as an item for the quick reference card. The FAA issued a recommendation about memory items in an Advisory Circular, Standard Operating Procedures and Pilot Monitoring Duties for Flight Deck Crewmembers: "Memory items should be avoided whenever possible. If the procedure must include memory items, they should be clearly identified, emphasized in training, less than three items, and should not contain conditional decision steps."
In November 2018, Boeing told airlines that MCAS could not be overcome by pulling back on the control column to stop a runaway trim as on previous generation 737s. Nevertheless, confusion continued: the safety committee of a major U.S. airline misled its pilots by telling them that the MCAS could be overcome by "applying opposite control-column input to activate the column cutout switches". Former pilot and CBS aviation & safety expert Chesley Sullenberger testified, "The logic was that when MCAS was activated, it had to be, and must not be prevented." In October, Sullenberger wrote, "These emergencies did not present as a classic runaway stabilizer problem, but initially as ambiguous unreliable airspeed and altitude situations, masking MCAS."
In a legal complaint against Boeing, the Southwest Airlines Pilot Association states:
An MCAS failure is not like a runaway stabilizer. A runaway stabilizer has continuous un-commanded movement of the tail, whereas MCAS is not continuous and pilots can counter the nose-down movement, after which MCAS would move the aircraft tail down again. Moreover, unlike runaway stabilizer, MCAS disables the control column response that 737 pilots have grown accustomed to and relied upon in earlier generations of 737 aircraft.
In May 2019, The Seattle Times reported that the two stabilizer cutoff switches on the MAX operate differently than on the earlier 737 NG. On previous aircraft, one cutoff switch deactivates the thumb buttons on the control yoke that pilots use to move the horizontal stabilizer; the other cutoff switch disables automatic control to move the stabilizer in the tail. On the MAX, both switches do the same thing: they cut off all electric power to the stabilizer, both from the yoke buttons and from an automatic system, like MCAS. With all power to the stabilizer cut, pilots have no choice but to use the mechanical trim wheel in the center console. However, as pilots pull on the 737 controls to raise the nose of the aircraft, aerodynamic forces on the elevator create an opposing force, effectively paralyzing the jackscrew mechanism. It becomes very difficult for pilots to hand crank the trim wheel. The problem was encountered on earlier 737 versions, and a "roller coaster" emergency technique for handling the flight condition was documented in 1982 for the 737-200 but did not appear in training documentation for later versions.
MCAS circumvention for ferry flights
During the groundings, special flights to reposition MAX aircraft to storage locations, as per 14 CFR § 21.197, flew at lower altitude and with flaps extended to circumvent MCAS activation, rather than using the recovery procedure after the fact. Such flights required a certain pilot qualification as well as permission from corresponding regulators, and were flown with no other cabin crew or passengers.
Horizontal stabilizer actuator
The horizontal stabilizer is fitted with a conventional elevator for flight control. However, it is itself all-moving about a single pivot and can be trimmed to adjust its angle. The trim is actuated via a jackscrew mechanism.
Slippage concern
Sylvain Alarie and Gilles Primeau, experts on the horizontal stabilizers, observed anomalies in the data from the aircraft data recorders: a progressive shift of 0.2 degrees of the horizontal stabilizer, before the crash. "It may not seem like much, but it is an order of magnitude higher than what is normally allowed when designing systems like these", says Gilles Primeau. They say that the movements are easily observable, and disallowed according to Regulation 395A. These anomalies raise fundamental questions about this jack screw, which has controlled the horizontal stabilizer since the beginning of the 737 models, first certified in 1967.
These slips are particularly visible on flight ET302: "While there is no MCAS command, and no control of the pilots, we see a movement of the jack screw which controls the horizontal stabilizer, we see a slip. And at the very end of the flight, the jack screw starts to slide again with an increase in the speed of the plane and its dive," says Alarie.
Since its original design, the 737 has become 61% heavier, 24% longer, and 40% wider, and its engines twice as powerful.
These experts are concerned that the loads on the jack screw have potentially increased since the creation of the 737. By regulations, the controls must be designed for 125% of the foreseeable loads. These experts have raised concerns about the motors possibly overheating in April 2019.
Manual trim stiffness
In the early 1980s a problem was found with the 737-200 model. When the elevator operated to raise or lower the nose, it set up a strong force on the trim jackscrew which opposed any corrective force from the control systems. When attempting to correct an unwanted deflection using the manual trim wheel, exerting enough hand force to overcome the force exerted by the elevator became increasingly difficult as speed and deflection increased and the jack screw effectively jammed in place.
A workaround was developed called the "roller coaster" technique. Counter-intuitively, to correct an excessive deflection causing a dive the pilot first pushes the nose down further, before easing back to gently raise the nose again. During this easing back period, the elevator deflection reduces or even reverses, its force on the jackscrew does likewise and the manual trim eases up. The workaround was included in the pilot's emergency procedures and in the training schedule.
However, while the 737 Max has a similar jackscrew mechanism, the "roller coaster" technique has been dropped from the pilot information. During the events leading to the two Max crashes, the stiffness of the manual trim wheel repeatedly prevented manual trim adjustment to correct the MCAS-induced nose-down pitching. The issue has been brought to the notice of the DoJ criminal inquiry into the 737 Max crashes.
In simulator tests of the Ethiopian Airlines Flight 302 scenario, the trim wheel was "impossible" to move when one of the pilots would instinctively pull up from the nosedives. It takes 15 turns to manually trim the aircraft one degree, and up to 40 turns to bring the trim back to neutral from the nose down position caused by MCAS.
Angle of Attack (AoA)
As per Boeing technical description: "the Angle of Attack is an aerodynamic parameter that is key to understanding the limits of airplane performance. Recent accidents and incidents have resulted in new flight crew training programs, which in turn have raised interest in AOA in commercial aviation. Awareness of AOA is vitally important as the airplane nears stall." Chesley Sullenberger said AoA indicators might have helped in these two crashes. "It is ironic that most modern aircraft measure and that information is often used in many aircraft systems, but it is not displayed to pilots. Instead, pilots must infer from other parameters, deducing it indirectly."
AoA sensors
Though there are two sensors on the 737 MAX, only one of them is used at a time to trigger MCAS activation. Any fault in this sensor, perhaps due to physical damage, creates a single point of failure: the flight control system lacks any basis for rejecting its input as faulty information.
Reports of a single point of failure were not always acknowledged by Boeing. Addressing American Airlines pilots, Boeing vice-president Mike Sinnett contradicted reports that the MCAS had a single-point failure, because the pilots themselves are the backup. Reporter Useem said in The Atlantic it was "showing both a misunderstanding of the term and a sharp break from Boeing's long-standing practice of having multiple backups for every flight system".
Problems with the AoA sensor had been reported in over 200 incident reports submitted to the FAA; however, Boeing did not flight test a scenario in which it malfunctioned.
The sensors themselves are under scrutiny. Sensors on the Lion Air aircraft were supplied by United Technologies' Rosemount Aerospace.
In September 2019, the EASA said it prefers triple-redundant AoA sensors rather than the dual redundancy in Boeing's proposed upgrade to the MAX. Installation of a third sensor could be expensive and take a long time. The change, if mandated, could be extended to thousands of older model 737s in service around the world.
A former professor at Embry-Riddle Aeronautical University, Andrew Kornecki, who is an expert in redundancy systems, said operating with one or two sensors "would be fine if all the pilots were sufficiently trained in how to assess and handle the plane in the event of a problem". But, he would much prefer building the plane with three sensors, as Airbus does.
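The redundancy trade-off described in this section, together with the March 2019 requirements listed earlier (no activation when the sensors disagree, one input per elevated-AoA event), can be shown in a short C program. This is an added example, not Boeing's or Collins Aerospace's code; the thresholds, the stuck-vane value, the sample trace and every function name are assumptions made for illustration.

```c
#include <math.h>      /* isfinite, NAN */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Illustrative assumptions only; these are not Boeing's values. */
#define AOA_TRIGGER_DEG  14.0  /* hypothetical "elevated AoA" threshold */
#define AOA_DISAGREE_DEG  5.0  /* hypothetical allowed spread between vanes */
#define STUCK_LEFT_DEG   40.0  /* constructed reading from a failed vane */

typedef enum { CMD_NONE, CMD_NOSE_DOWN, CMD_INHIBIT_ALERT } trim_cmd;
typedef struct { bool latched; } event_state;   /* one-input-per-event latch */

/* Law A: one vane decides on every cycle, with no plausibility check. */
trim_cmd law_single(double aoa) {
    return aoa > AOA_TRIGGER_DEG ? CMD_NOSE_DOWN : CMD_NONE;
}

/* Command at most once per elevated-AoA event; re-arm when AoA drops back. */
static trim_cmd once_per_event(event_state *st, double aoa) {
    if (!(aoa > AOA_TRIGGER_DEG)) { st->latched = false; return CMD_NONE; }
    if (st->latched) return CMD_NONE;
    st->latched = true;
    return CMD_NOSE_DOWN;
}

/* Law B: two vanes cross-checked. A disagreement (or a non-finite reading,
 * which would otherwise slip through every comparison) is detected but not
 * isolated, so the function is inhibited and the crew alerted. */
trim_cmd law_dual(event_state *st, double left, double right, bool flaps_up) {
    if (!flaps_up) return CMD_NONE;
    if (!isfinite(left) || !isfinite(right)) return CMD_INHIBIT_ALERT;
    double spread = left > right ? left - right : right - left;
    if (spread > AOA_DISAGREE_DEG) return CMD_INHIBIT_ALERT;
    return once_per_event(st, 0.5 * (left + right));
}

static double median3(double a, double b, double c) {
    if (a > b) { double t = a; a = b; b = t; }  /* now a <= b */
    if (b > c) b = c;                           /* b = min(b, c) */
    return a > b ? a : b;                       /* max(a, min(b, c)) */
}

/* Law C: three vanes, mid-value select. One arbitrary bad value is outvoted
 * and the function stays available; with only two finite readings it
 * degrades to the dual cross-check. */
trim_cmd law_triplex(event_state *st, double a, double b, double c, bool flaps_up) {
    double v[3]; int n = 0;
    if (isfinite(a)) v[n++] = a;
    if (isfinite(b)) v[n++] = b;
    if (isfinite(c)) v[n++] = c;
    if (!flaps_up) return CMD_NONE;
    if (n == 3) return once_per_event(st, median3(v[0], v[1], v[2]));
    if (n == 2) return law_dual(st, v[0], v[1], flaps_up);
    return CMD_INHIBIT_ALERT;
}

typedef struct { int single, dual, dual_alerts, triplex; } tally;

/* Constructed trace: true AoA stays near 4 degrees, left vane fails high. */
tally run_stuck_vane_trace(void) {
    static const double true_aoa[] = {3.8, 4.1, 4.0, 4.3, 3.9, 4.2};
    tally t = {0, 0, 0, 0};
    event_state sd = {false}, st = {false};
    for (size_t i = 0; i < sizeof true_aoa / sizeof true_aoa[0]; i++) {
        double good = true_aoa[i];
        trim_cmd d = law_dual(&sd, STUCK_LEFT_DEG, good, true);
        t.single      += law_single(STUCK_LEFT_DEG) == CMD_NOSE_DOWN;
        t.dual        += d == CMD_NOSE_DOWN;
        t.dual_alerts += d == CMD_INHIBIT_ALERT;
        t.triplex     += law_triplex(&st, STUCK_LEFT_DEG, good, good + 0.2, true)
                         == CMD_NOSE_DOWN;
    }
    return t;
}

int main(void) {
    tally t = run_stuck_vane_trace();
    printf("nose-down commands: single=%d dual=%d (alerts=%d) triplex=%d\n",
           t.single, t.dual, t.dual_alerts, t.triplex);
    return 0;
}
```

On the constructed trace the single-vane law commands nose-down on every cycle, the dual law alerts on every cycle and never commands, and the triplex law stays silent while remaining able to act on a genuine high-AoA event.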
AoA Disagree alert
In November 2017, after several months of MAX deliveries, Boeing discovered that the AoA Disagree message, which is indicative of potential sensor mismatch on the primary flight display, was unintentionally disabled.
Clint Balog, a professor at Embry-Riddle Aeronautical University, said after the Lion Air crash: "In retrospect, clearly it would have been wise to include the warning as standard equipment and fully inform and train operators on MCAS". According to Bjorn Fehrm, Aeronautical and Economic Analyst at Leeham News and Analysis, "A major contributor to the ultimate loss of JT610 is the missing AOA DISAGREE display on the pilots' displays."
The software depended on the presence of the visual indicator software, a paid option that was not selected by most airlines. For example, Air Canada, American Airlines and Westjet had purchased the disagree alert, while Air Canada and American Airlines had also purchased the AoA value indicator, and Lion Air had neither. Boeing had determined that the defect was not critical to aircraft safety or operation, and an internal safety review board corroborated Boeing's prior assessment and its initial plan to update the aircraft in 2020. Boeing did not disclose the defect to the FAA until November 2018, in the wake of the Lion Air crash.
Consequently, Southwest had announced to pilots that its entire fleet of MAX 8 aircraft will receive the optional upgrades. In March 2019, after the second accident of Ethiopian Airlines Flight 302, a Boeing representative told Inc. magazine, "Customers have been informed that AOA disagree alert will become a standard feature on the 737 Max. It can be retrofitted on previously delivered airplanes."
On May 5, 2019, The Wall Street Journal reported that Boeing had known of existing problems with the flight control system a year before the Lion Air accident. Boeing defended that "Neither the angle of attack indicator nor the AoA Disagree alert are necessary for the safe operation of the airplane." Boeing recognized that the defective software was not implemented to their specifications as a "standard, standalone feature." Boeing stated, "...MAX production aircraft will have an activated and operable AOA Disagree alert and an optional angle of attack indicator. All customers with previously delivered MAX airplanes will have the ability to activate the AOA Disagree alert." Boeing CEO Muilenburg said the company's communication about the alert "was not consistent. And that's unacceptable."
Visual AoA indicator
Boeing published an article in Aero magazine about AoA systems, "Operational use of Angle of Attack on modern commercial jet planes":
Boeing announced a change in policy in the Frequently Asked Questions in a about the MAX corrective work, "With the software update, customers are not charged for the AOA disagree feature or their selection of the AOA indicator option."
In 1996, the NTSB issued Safety Recommendation A-96-094.
TO THE FEDERAL AVIATION ADMINISTRATION: Require that all transport-category aircraft present pilots with angle-of-attack info in a visual format, and that all air carriers train their pilots to use the info to obtain maximum possible airplane climb performance.
The NTSB also stated about another accident in 1997, that "a display of angle of attack on the flight deck would have maintained the flightcrew's awareness of the stall condition and it would have provided direct indication of the pitch attitudes required for recovery throughout the attempted stall recovery sequence." The NTSB also believed that the accident may have been prevented if a direct indication of AoA was presented to the flightcrew.
Flight computer architecture
In early April 2019, Boeing reported a problem with software affecting flaps and other flight-control hardware, unrelated to MCAS. The problem was classified as critical to flight safety, and the FAA ordered Boeing to fix it accordingly.
In October 2019, the EASA suggested conducting more testing on proposed revisions to flight-control computers due to its concerns about portions of proposed fixes to MCAS.
The necessary changes to improve redundancy between the two flight control computers have proved more complex and time-consuming than the fixes for the original MCAS issue, delaying any re-introduction to service beyond the date originally envisaged.
In January 2020, new software issues were discovered, affecting monitoring of the flight computer start-up process and verifying readiness for flight. In April 2020, Boeing identified new risks where the trim system might unintentionally command nose down during flight or prematurely disconnect the autopilot.
Microprocessor stress testing
The MAX systems are integrated in the "e-cab" test flight deck, a simulator built for developing the MAX. In June 2019, "in a special Boeing simulator that is designed for engineering reviews," FAA pilots performed a stress testing scenario (an abnormal condition identified through FMEA after the MCAS update was implemented) for evaluating the effect of a fault in a microprocessor: as expected from the scenario, the horizontal stabilizer pointed the nose downward. Although the test pilot ultimately recovered control, the system was slow to respond to the proper runaway stabilizer checklist steps. Boeing initially classified this as a "major" hazard, and the FAA upgraded it to a much more severe "catastrophic" rating. Boeing stated that the issue can be fixed in software. The software change will not be ready for evaluation until at least September 2019. EASA director Patrick Ky said that retrofitting additional hardware is an option to be considered.
The test scenario simulated an event toggling five bits in the flight control computer. The bits represent status flags such as whether MCAS is active, or whether the tail trim motor is energized. Engineers were able to simulate single event upsets and artificially induce MCAS activation by manipulating these signals. Such a fault occurs when memory bits change from 0 to 1 or vice versa, which is something that can be caused by cosmic rays striking the microprocessor.
The failure scenario was known before the MAX entered service in 2017: it had been assessed in a safety analysis when the plane was certified. Boeing had concluded that pilots could perform a procedure to shut off the motor driving the stabilizer to overcome the nose-down movement. The scenario also affects 737NG aircraft, though it presents less risk than on the MAX. On the NG, moving the yoke counters any uncommanded stabilizer input, but this function is bypassed on the MAX to avoid negating the purpose of MCAS. Boeing also said that it agreed with additional requirements that the FAA required it to fulfill, and added that it was working toward resolving the safety risk. It will not offer the MAX for certification until all requirements have been satisfied.
Early news reports were inaccurate in attributing the problem to an 80286 microprocessor overwhelmed with data, though as of April 2020 the concern remains that the MCAS software is overloading the 737 MAX's computers.