Boeing, The Max, And Process
The Market Ticker - Commentary on The Capital Markets
Logging in or registering will improve your experience here
Main Navigation
Full-Text Search & Archives

Legal Disclaimer

The content on this site is provided without any warranty, express or implied. All opinions expressed on this site are those of the author and may contain errors or omissions.


The author may have a position in any company or security mentioned herein. Actions you undertake as a consequence of any analysis, opinion or advertisement on this site are your sole responsibility.

Market charts, when present, used with permission of TD Ameritrade/ThinkOrSwim Inc. Neither TD Ameritrade or ThinkOrSwim have reviewed, approved or disapproved any content herein.

The Market Ticker content may be sent unmodified to lawmakers via print or electronic means or excerpted online for non-commercial purposes provided full attribution is given and the original article source is linked to. Please contact Karl Denninger for reprint permission in other media, to republish full articles, or for any commercial use (which includes any site where advertising is displayed.)

Submissions or tips on matters of economic or political interest may be sent "over the transom" to The Editor at any time. To be considered for publication your submission must include full and correct contact information and be related to an economic or political matter of the day. All submissions become the property of The Market Ticker.

Considering sending spam? Read this first.

2019-09-30 07:00 by Karl Denninger
in Corruption , 138 references Ignore this thread
Boeing, The Max, And Process
[Comments enabled]


When attempting to communicate if you fail it's on you.  Apparently, I did, so let's try it again, and if the second time the same thing happens with the facts laid out on a bullet point level then, well, it's on people who don't want to debate -- they're hiding something and likely have a personal interest in doing so.

Let's look at what Reuters reported here:

NEW YORK (Reuters) - The U.S. Federal Aviation Administration process for certifying new airplanes is not broken but needs to be improved, the chair of an international panel of air-safety regulators, tasked to review Boeing Co’s (BA.N) 737 Max, said on Friday.


Here's the reality on the 737MAX, all from what's in the public record.

  • The MAX, due to engine reconfiguration (for a newer, more efficient engine design) required either a change in how the engines were mounted or landing-gear (and possibly airfoil, fuselage and stabilizer) redesign.  The latter would have broken a business model that Southwest (and likely some other carriers) had which Boeing had relied on: No new type certificate requirements, thus reduced training requirements to cross over to each new iteration of the aircraft.

  • Boeing engineers included "MCAS" as part of the computer flight control package, an inseparable part of same, as a means of countering a potential power-on stall condition that might be unrecoverable.  In short under certain flight conditions the aircraft, due to where the engines were mounted, could stall but application of more power would actually force the nose upward which deepens the stall.  Most aircraft with swept wings have some flight envelope parameters where this can happen, but the MAX's engine mounting exacerbated the risk under certain flight conditions.

  • Boeing engineers, in their design work, set the maximum amount of trim authority that MCAS had at 0.6 degrees.  That is, it could move the stabilizer trim to lower the nose if it detected the above condition by 0.6 degrees.  This was, according to Boeing's design, adequate to address that risk.  This, like all other flight control "laws", control functions and similar, was run through a failure analysis (e.g. "what happens if this doesn't work as designed?") and was deemed not a critical failure -- that is, it would not lead to either serious injury of passengers nor loss of the aircraft.  It was for this reason that using one sensor for MCAS was deemed acceptable.

  • At the same time it appears (from the published documentation) that the trim disconnect switches (there are two) were changed so that both must be off to prevent the flight control computer from actuating the power trim.  The previous aircraft appear to have both a master disconnect on the left (all power off) and a computer disconnect (on the right) which permits the trim switches on the control yoke to work but denies the computer's "auto trim" functionality.  Again, it appears that due to the above MCAS limit of authority the analysis that was run deemed this acceptable -- that is, that separate disconnect authority (which would deny MCAS the ability to control the trim but would leave the power trim switches on the yoke active) was not required (or, quite-possibly, was deemed inadvisable.)

So far, assuming those analysis are correct, everything is ok.

But then everything went to Hell.

During flight testing the MCAS control authority was discovered to be insufficient.  The exact reasons for this have not been made public to the best of my knowledge nor have the flight envelope conditions that led to that conclusion.  But these limits weren't just found insufficient: They were found GROSSLY insufficient, in that four times the original authority was required.

That change was made during flight testing, increasing the limit of authority from 0.6% to 2.5%.

2.5% is approximately one half of the total travel available from a "neutral" trim position to the limit of movement.  In other words two of those actuations, starting from neutral, and the trim is at its hard stop where it cannot move any further instead of eight such actuations.

This is a radical change and it was not expected by the Boeing engineers who originally specified and designed MCAS.

The evidence appears to show that the FAA was not notified of this change.

There is also no evidence that the critical fault analysis was re-run not only for MCAS under that greatly-increased control authority but for all other elements connected to or impacted by it, including most-specifically the inability to shut the damned computer off but leave power trim manual controls on the yoke operational.

The latter is especially damning in my opinion because it also appears to be a fact that under some conditions of the flight envelope and trim setting the manual trim wheels in the cockpit cannot be rotated by human power.  In other words without electrical assist there are circumstances where for all intents and purposes the trim is jammed in a wildly-inappropriate setting against which human power is insufficient and the aircraft, in that circumstance, is not controllable.

The facts appear to show that in at least one of the crashes this condition existed either prior to or right at and near the aircraft exceeding VNE -- that is, the maximum allowed airspeed.  It is not yet known in public on a factual basis whether the condition exists below VNE although the graph from the second crash appears to show that it does.  If in fact it does then the manual trim wheels are not usable in a portion of the flight envelope that is not prohibited.  There is likely some question as to exactly where that crossover from "can" to "can't" happens as well since as with any human-powered device there are differences in humans -- that is, the amount of force that an individual human can develop with their muscles is not a constant.

Now we have an apparent "fix" that amounts to the MCAS software taking input from two instead of one sensor.

I assert this is not sufficient so long as there is some part of the flight envelope where, if the system goes insane, the pilots cannot reasonably override it and lock it out.

Further, if the aircraft is unstable in some part of the flight envelope to a degree that automated intervention consuming fully one half of the available command authority with a single actuation is required then I question whether the design is airworthy on a physical basis in the first place.

So here are my questions:

  • Why was Boeing allowed to continue development and certification of the MAX without a full FAA-cleared (not self-certified!) analysis of all critical flight path elements once it was discovered that the design limits of MCAS authority were not only insufficient they were insufficient to the tune of needing to be increased to four hundred percent of its original amount?  That is not a minor miscalculation.

  • Who, specifically, signed off on the increased limit of authority for MCAS not elevating that subsystem and everything connected to it from a non-critical flight element (that is, not requiring full redundancy from one end to the other) to one that is flight-safety critical?  Names, positions, and the full chain of custody and sign-offs -- NOW.

  • Who had knowledge of the Lion Air flight the day before the first crash and the fact that an off-duty pilot in the jump seat was the only reason that plane did not go down?  Did Boeing or The FAA know of it?  If they did why was not an emergency AD issued on the aircraft, grounding them all until said issue was addressed?  In addition why wasn't that specific aircraft immediately grounded whether by Lion Air or the civil aviation authorities?  150 people died on it the next day, I remind you.

Finally, why are we seeing assertions that the process "isn't broken" when it is not in dispute that Boeing increased the control authority of an automated system by 400% over its initial design limits and, the public record appears to show, did not notify the FAA of this nor did the FAA perform any independent analysis of the impact on flight safety from that change?

If MCAS had 1/4 of the authority it did have in those two aircraft, that is, it's "corrections" were 1/4 as violent and forceful as they actually were it is quite probable that both of those incidents of it going insane due to a bad sensor would not have resulted in crashes and loss of all souls on board.

It is a fact that malfunction of MCAS was directly in the path of causation of both crashes.  It therefore falls upon the FAA, as the regulator involved, to explain why the designed authority of that system was increased by four hundred percent without a full exposition of why that was necessary and the safety impact of doing so was not assessed sufficiently to prevent that failure from occurring at and through the FAA's certification process.

To the best of my knowledge there is no evidence that the FAA was even notified by Boeing of this change say much less that any independent analysis was taken by the FAA prior to issuing the MAX's airworthiness certificate.

There are those who claim this was an "unforeseen" set of circumstances.  Bunk.

When you design something with a given limit of authority and discover during testing that you were wrong by a factor of four there is nothing unforeseen beyond that point unless you can demonstrate a full, exhaustive analysis which explains why you were wrong, why the increased limit of authority is a reasonable means to address your incorrect design specification (rather than doing something else so your original specification is now valid) and thus why the increased limit of authority is both appropriate and safe.

There is nothing in the public record I can find that shows that any such analysis ever took place.

If that information exists let's see it -- in public.  Boeing's CEO can bring and disclose it all when he comes to "testify."

Because if it doesn't exist -- and from the information available to the public it sure appears it does not -- then the process is broken and that broken process killed over 300 people.

Indeed I believe what we should be demanding here are indictments and the promise of hard prison terms for manslaughter both for these two crashes and any in the future with a similar chain of "I didn't look" sort of evidence.

Further, until that evidence of analysis of safety with the MCAS authority at 400% of original design limits is produced and run to the ground by independent expertsnot Boeing or any sort of "internal" program the MAX must not fly again.

View with responses (opens new window)