During a review of MCAS software changes by the FAA in June 2019, a further problem with the FCC was discovered. The FAA crew were simulating a Runaway Stabiliser during tests in Boeing’s MAX engineering flight simulator, also known as e-cab.
The FAA said that it had identified a new risk that would need to be addressed before the MAX could be ungrounded: a scenario in which a specific fault in the FCC could cause an uncommanded movement of the stabiliser.
The FAA determined that:
One problem was that a specific Flight Control Computer (FCC) chip was processing data too slowly. It was uncertain whether the chip needed to be upgraded or if a software update could increase speed enough. All models of the 737 have two FCCs but use only one per flight, flip-flopping to the other FCC between flights.
Another problem can be caused by cosmic rays hitting circuitry and randomly changing binary code from 0 to 1 or vice versa. Such effects are addressed by FAA certification standards, but they were tested by FAA pilots in relation to the function of the MCAS by flipping five of the binary switches. Although the perfect storm of simulated failures would be an extremely rare occurrence in the air, the FAA said it had to be addressed. “While it’s a theoretical failure mode that has never been known to occur, we cannot prove it can’t happen, so we have to account for it in the design.” Double teaming the flight control computers mitigates that risk because each computer is constantly checking the performance of the other. If either detects a problem, neither will move the flight controls and the aircraft will have to be flown manually.
The solution, incorporated into FCC P12.1.2, was dual processor monitors and a cross-FCC monitor. The monitor compares the trim-up and trim-down command outputs from both FCCs with its own trim command calculation. If the outputs differ from the trim-command calculation in the local channel’s monitor for a cumulative one second, then the local channel will take control of STS. The A/P may disconnect and NO AUTOLAND will be available. The SPEED TRIM FAIL light will illuminate on recall and the STAB OUT OF TRIM light will illuminate when on the ground and below 30 knots.
Cross-channel signals are added to ensure the Standby FCC is in MCAS operation any time the Operational FCC is in MCAS operation. The Standby FCC performs a reasonableness check on the Operational FCC signal to activate MCAS, to ensure the activation difference is not due to a postulated FCC failure, e.g. cosmic rays.
Dual Processor Monitor
The FCCs continuously monitor each other’s stabilizer trim commands, and in the event an erroneous command is detected, stabilizer trim commands, autopilot trim commands, and CWS trim commands are stopped and inhibited for the remainder of the flight for that FCC.
Stabilizer Cross-FCC Trim Monitor
The Cross-FCC Trim Monitor protects against erroneous stabilizer trim commands.
Autopilot Elevator Monitor
The Autopilot Elevator Monitor protects against erroneous elevator commands that can result in erroneous autopilot stabilizer trim commands.
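The cumulative one-second comparison and the latch for the remainder of the flight described above can be modelled as follows. This is an added example, not Boeing's or the FAA's code: the 50 ms frame period, the command encoding and all names are assumptions, and the fault scenarios are constructed. It shows why a cumulative timer also catches an intermittent upset that a consecutive-time check would miss.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model; encoding, frame period and names are assumptions. */
typedef enum { TRIM_NONE = 0, TRIM_UP = 1, TRIM_DOWN = 2 } trim_cmd_t;
#define FRAME_MS        50u   /* assumed monitor frame period */
#define TRIP_LIMIT_MS 1000u   /* "cumulative one second" from the text */

typedef struct {
    uint32_t disagree_ms;     /* cumulative: never reset on agreement */
    bool     tripped;         /* latched once the limit is reached */
} trim_monitor_t;

/* One monitor frame: compare both FCC outputs with the local calculation. */
bool monitor_step(trim_monitor_t *m, trim_cmd_t fcc_a, trim_cmd_t fcc_b,
                  trim_cmd_t local_calc)
{
    if (m->tripped)
        return true;
    if (fcc_a != local_calc || fcc_b != local_calc)
        m->disagree_ms += FRAME_MS;
    if (m->disagree_ms >= TRIP_LIMIT_MS)
        m->tripped = true;
    return m->tripped;
}

/* Constructed scenario; returns the frame index of the trip, or -1. */
int run_scenario(unsigned fault_every, unsigned frames)
{
    trim_monitor_t m = {0, false};
    for (unsigned i = 0; i < frames; i++) {
        trim_cmd_t good = TRIM_NONE;
        /* Simulated upset: bit 0 of FCC A's command flips (NONE -> UP). */
        trim_cmd_t a = (fault_every && i % fault_every == 0)
                           ? (trim_cmd_t)(good ^ 1) : good;
        if (monitor_step(&m, a, good, good))
            return (int)i;
    }
    return -1;
}

int main(void)
{
    printf("continuous fault trips at frame %d\n", run_scenario(1, 100));
    printf("intermittent fault trips at frame %d\n", run_scenario(4, 100));
    printf("no fault: %d\n", run_scenario(0, 100));
    return 0;
}
```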
For more details on the FCC watch this video presentation:
*** Updated 23 Nov 2020 ***
Slide taken from MCAS presentation above