If I can speculate what went wrong in the design, it was thought that the situation in which MCAS activates would be very rarely encountered - it is just a small part of the flight envelope during manual flight, and a half competent pilot will not get into it. So this being supposedly so rare, the analysis of the MCAS was rushed.
However in this light, the reliability of the sensors themselves was analyzed quite cursorily and **this **was the major mistake. If you look at the AoA vane, it looks like a protruding and rotating piece of metal, prone to hits by birds, dirt and maintenance staff. If these vanes have only a warning function, that may be OK, but if they have the repeated and unlimited authority to trim the plane into ground, this is unthinkable. It is not only a question of correlating the 2 sensors to 5.5 degrees (one of the fixes - and 5.5 deg is a lot !), it is also sanity checking the AoA, for instance on the ground while taxiing or routine checks).
And if the failure of the AoA sensors could have such a catastrophic effect, I would expect to have them in triplicate and in a non-mechanical version (I think I’ve seen laser AoA sensors, non-protruding from the body).
I found this 20-minute “Mentour Pilot” video very informative, though it touches on MCAS only briefly. When recovering from a near-stall do NOT increase thrust until your AoA and airspeed have improved. (This applies especially to 737 MAX. Other aircraft?)
What I touched on earlier was the pilot seeing the trim wheel in motion. I didn’t know they put stripes on the wheel to make it easier to see. It would stand out in peripheral vision particularly with the stripes staggered between the left and right wheel.
I’ve always hated wheel trim in small planes (versus crank handle) for this reason. You can’t easily see how much the wheel moves and it’s well below sight level (when using electric trim). The video shows a wheel next to the throttles and almost level with the yoke handle. Maybe it’s because the video is taken from behind the pilot but it was quite noticeable.
I’m even more inclined to believe the pilots should have been aware that the plane was trimming itself repeatedly and the direct cause of the nose-down movement. the solution to a trim down issue is not to counter it with elevator but to re-trim it up.
Could a faulty angle sensor really create that much confusion in the cockpit? I would expect the training shown in the video to be fairly standard procedure for any plane regardless of any individual flight characteristics.
Can you explain this to a non-pilot? (I read Flight Control Surfaces in wikipedia, but it’s not clear which components are involved in re-trim and why that is the solution).
When the pilot moves the yoke back and forth it moves a flap on the end of the horizontal tail surface. this flap is called the elevator. when a pilot engages trim the ENTIRE horizontal tail surface moves. Both systems lift the tail up and down which changes the pitch of the plane.
The current theory is that a faulty sensor tells the computer the plane is about to stall and the computer uses trim to push the nose down. It continues to do this until it causes a control problem. The solution is to reverse what the computer does. So if the computer trims it nose-down, the pilot trims it so it’s back to the correct position. this would be the end of it except a faulty sensor could still be telling the computer the plane is about to stall. So again, the computer pushes the nose down with trim.
If the pilot corrects a downward trim using the elevator and this is repeated over and over then eventually it’s going to to create more downward force with trim then the pilot can compensate for with the elevator.
Picture the entire tail surface forcing the nose down leaving the pilot with only the end of it to counter the force.
Thanks that helps, but it also introduces a new question: the article in the Seattle Times said that one of the safety analysis flaws for MCAS was that Boeing indicated the MCAS system would only move the elevator 1/4 of what the system would actually do.
Which seems like it implies MCAS is only moving the flaps on the end of the horizontal stabilizer, not the entire thing.
Is there more going on with MCAS than the elevator? or am I misinterpreting something?
It means the original MCAS design only moved the stab trim 1/4 of the amount that the final design did. It is still moving the stabiliser though, not the elevator. The reason it ended up being designed to move more is because they discovered it needed more authority at low Mach numbers (low speeds).
As already mentioned the two 737 MAXs were both in manual flight with autopilot disengaged.
MCAS is a flight control modifier not an autopilot system. It is essentially a poorly implemented add-on software patch for a non-fly-by-wire plane. This was only possible since the stabilizer trim (unlike the other flight controls) was electrically actuated not hydraulically actuated.
The competing Airbus A320neo also had larger engines and also likely required numerous flight control software changes vs the previous smaller-engined A320. The engine mounting location wasn’t as severe but it almost certainly also required flight control software changes.
The difference is the A320 is a fly-by-wire plane, the flight control system is already fully software controlled and the software is already tweaked so each member of the A320 family from smaller A319 to larger A321 fly so similarly that a single type rating is needed. A pilot can move from the smaller A319 to the larger A321 without any significant training because the entire Airbus concept from A320 forward was based on that premise. Even when moving between different family planes like the A320 series to the A350 series, a full type rating training course is not required.
The only Boeing true fly-by-wire planes are the 777 and 787. Those share a common type rating so the airline may choose to have pilots move between planes without training on the new type.
The question about “disarm…auto-anything” is not always possible depending on the aircraft type.
On Airbus planes I don’t think the fly-by-wire envelope protections can be fully manually disabled by any approved procedure. IOW the pilot cannot manually invoke “Direct Law”.
On Boeing fly-by-wire planes the modes are Normal, Secondary and Direct. It is possible to manually select Direct Mode via a PFC disconnect switch, but I don’t know if this is an approved contingency procedure.
Note: fly-by-wire does not mean no hydraulics. Even the fly-by-wire space shuttle used hydraulic actuation for aero-control surfaces. I think all current commercial fly-by-wire airliners use mostly hydraulic actuation. IOW there’s not a wire that runs from the computer to an electrical motor near the control surface. The wire runs to a hydraulic system, hydraulic lines of some length complete the run to a hydraulic actuator for each control surface. There are exceptions such as the stabilizer pitch trim system on the 737 which is electrically actuated.
You can get into direct law by turning off all inertial reference units via three push buttons on the overhead panel.
Also, anytime the aircraft is in alternate law and the gear is lowered the system changes to direct law. Turning off two of three air data units via push buttons on the overhead panel will get you to alternate law.
So if you need direct law for some reason, you can get it pretty quick.
My point was whether there was an approved contingency procedure for this. I don’t see any such procedure in the A320 FCOM handbook. My friend who flew A320s for years said he had never had the plane degrade from natural law in flight in his entire career. He also had never talked to any other pilot at his airline who had experienced that. He said they sometimes would practice “lost protections” in the simulator but there was no practiced procedure for manually invoking that in flight.
Re the question why the 737 MAX didn’t have a single “kill switch” to disable all automation, there was no automation to disable except for the stab trim and that had its own switches.
Ironically on Boeing fly-by-wire planes there IS a single switch which disables the FBW protections, on Airbus there is not, yet the 737 MAX (which is not fly-by-wire) apparently crashed due to a protection system which could have been disabled.
It is understandable why the undocumented MCAS system could cause the Indonesia crash but presumably the Ethiopia crew would have been aware of this and the recommended procedure. There was an Emergency Airworthiness Directive and bulletin for their plane which listed stick shaker, unreliable airspeed indications, etc. I’m sure the investigation will probe that area
For what it’s worth, I participated in the design of the primary 787 pilot controls. My role was minor…I was working for a subcontractor of a subcontractor. Boeing went to great lengths to ensure that the 787 fly-by-wire controls felt and behaved almost exactly like the cable/hydraulic controls on their non-fly-by-wire planes.
Yes, Boeing was able to seamlessly automate stab trim because it is electrically actuated, but I can’t help wondering whether that seamless added to the confusion. In other words, one small aspect of a non-FBW aircraft is in fact fly-by-wire. In a true FBW aircraft, the pilot knows that the “control law” software is always active, even if it’s in a direct-control mode. At some level, I’d think, the pilot of a FBW aircraft would always be aware—even subconsciously—that any uncommanded dive could be initiated by software. Meanwhile, in a non-FBW aircraft, a given uncommanded dive is probably not initiated by software, especially when autopilot is disabled.
There are other things that could initiate an uncommanded dive (like maybe a stick pusher) but a stick pusher gives the pilot haptic feedback directly through the yoke. A stressed-out pilot experiencing an uncommanded dive may well assume it to be a “pure” mechanical problem on a 737 M8 if he/she believes that software isn’t really involved in controlling the plane at the time.
While disabling a software feature solves the MCAS problem, I can’t help wondering whether the mixed FBW/non-FBW control model in the 737 Max 8 unintentionally points pilots in the wrong direction when they’re trying to resolve the problem in real time.
You’re obviously right about this, but one major advantage of fly-by-wire controls is that you can put the hydraulic actuators close to the control surfaces they operate, thus replacing hundreds of feet of hydraulic tubing and fluid with hundreds of feet of wire, saving significant weight. That said, Boeing devoted a surprising (to me) amount of mass and bulk on the 787 project to full-sized pilot control linkages extending well beyond what’s visible in the cockpit. The 787 was significantly overweight when I joined the project, and it would have been less so if Boeing had stopped replicating the linkage further “upstream” than they did.
I guess it depends on your definition of “approved contingency procedure”. There are is no procedure titled “Activate Direct Law” or similar, but there are numerous approved contingency procedures that result in Direct Law when followed, a dual RADALT failure for instance.
This is the point I mentioned upstream: the MCAS effectively takes over control of the plane based solely on input from one sensor, which can be flawed, unlike all other planes where the pilot has the final say-so.
If there were anyone else in the White House this would lead to major changes at the FAA.
It’s kind of odd that athough the preliminary report was publicly summarized by Ethiopian authorities, it hasn’t yet been publicly released. However the picture that is now emerging seems to be the following:
there is a strong similarity in symptoms and probable cause with the Lion Air crash, and once again, the MCAS appears to be to blame
one of the angle-of-attack sensors malfunctioned 70 seconds into the flight, which activated the MCAS
most significantly and surprisingly, the Ethiopian Air pilots were well aware of the Boeing directive for disabling the MCAS automatic nose-down trim. They did so and it didn’t work. It was also reported that at some point the electric trim cut-off was turned back on again.
The closest we have to an explanation at this point is this:
Recognizing a problem with the automatic trim, the pilots followed emergency procedures and turned off the system. Instead, the pilots tried to use the backup manual trim wheel to adjust the trim, but the airplane was traveling too fast and the manual trim wheel would have been physically impossible to operate.
A different article states the plane was traveling at about 600 mph at this point due to the power dives. That kind of airspeed at very low altitude is far outside normal specs, and the forces on deflected control surfaces under those conditions must have been immense.
So it’s beginning to look like Boeing and the FAA have some big PR and liability problems here due to what may have been an inherently flawed and unsafe flight control system design. In a word, it seems that what happened to the Ethiopian flight – it’s been theorized that maybe a fluke bird strike could have disabled one AOA vane – could have happened to any 737 MAX flight anywhere, even with the best pilots and the best maintenance.
