The two recent accidents involving the Boeing 737 Max 8 are heart-wrenching. The preliminary reports issued by Ethiopia and Indonesia uncover some startling flaws of the Maneuvering Characteristics Augmentation System (MCAS). But my biggest takeaway from the reports is this: 737 MAX pilots have not been properly debriefed and trained to identify and address MCAS malfunctions.

The MCAS is appropriately at the center of attention. The MCAS trims the aircraft’s nose down - accomplished by deflecting the leading edge of the horizontal stabilizer upwards - when it senses that the aircraft’s angle of attack is too high. What remains unclear to me is what drove the design and implementation of the MCAS. Was it designed to meet a control force profile required (per FAR Part 25) to enter a stall? Or proactively prevent entry into a stall? Facilitate stall recovery? Imitate the handling characteristics of the 737 NG for expedited certification? These factors are related to one another, but I am very interested in knowing exactly what the consequence of removing the MCAS would be.

The enigma of the MCAS is that it appears to be a critical system, but isn’t designed as one. It can’t be disabled while hand-flying the aircraft (with flaps up) unless electric stabilizer trim is cut out entirely; this is why it appears to be a critical system. But critical systems typically boast multiple redundancies and are rigorously tested during development. In contrast, the MCAS can fight the pilot with full stabilizer authority based off one sensor measurement. Furthermore, the MCAS is a single sensor system that didn’t incorporate any sanity checks using other available sensor readings.

While the MCAS has its faults, these accidents could have been avoided with proper training and documentation. After the crash of flight LNI610, Boeing doubled down on trim runaway procedures. Trim runaway is colloquially known to be continuous in nature; this malfunction will drive a control surface to its hard stop, and keep it there. The MCAS is entirely different: it intermittently commands the stabilizer, and allows the pilot to fight it to a limited degree. I don’t like the idea of applying the trim runaway procedure to the MCAS malfunction because there is such little room for error. If the MCAS malfunction is not identified fast enough, the control forces will get too heavy for any pilot crew to overcome. It doesn’t help that the MCAS won’t look or feel like a typical trim runaway condition either. At a minimum, pilots should have been mandated to complete full-flight simulator training for the MCAS. Tragically, 737 MAX pilots were never made aware of the existence of the MCAS until after the crash of flight LNI610.

Boeing is supposedly working on two software fixes that will bring the 737 MAX series back into service this summer. This baffles me. The second AOA sensor measurement can be added into the control laws of the MCAS, but that alone should not be the solution. Two sensor readings will still leave tough corner cases to deal with. I would certainly expect to see a less aggressive MCAS, and more sanity checks performed in the software so that it does not remain active as the aircraft is redlining into the ground. But above all, I’d like to see the pilots getting better documentation and training to deal with an MCAS malfunction.

I’ll be closely following the developments of the 737, and am interested to see how the FAA will respond now that they are under the microscope.

Preliminary Reports

Preliminary Accident Report of Lion Air Flight 610
Preliminary Accident Report of Ethiopian Airlines Flight 302