There have been a surprising number of air disasters in recent years caused primarily by air data sensors returning false data.
- Birgenair Flight 301 - B757. Pitot tube clogged possibly by insect nest, false overspeed indication, autopilot commanded pitch-up, alarms, stall warning, crew confused about speed, loss of control. 189 dead.
- Air France Flight 447 - Airbus A330. Well known. Pitot tube clogged by ice, confusion about airspeed, loss of control. 228 dead.
- Saratov Flight 703 - An-198. Pitot tube frozen. Three airspeed indicators all disagreed. Loss of control. 71 dead.
- Lion Air - Angle of attack vane failure, from parent article.
That information could be checked against GPS, and at least one aircraft does this. But that has its own problems.[1] Checking against an inertial system is another possibility. Those are complicated, though. The classic airspeed, altimeter, and angle of attack vane are so simple.
So, all it takes is one malfunctioning sensor, which luckily does not happen very often. Add an autopilot which slavishly follows the faulty sensor, as only computers can do so well. Plus two confused pilots, trained to rely on autopilots, suddenly required to do some serious debugging of a complex multi-sensor, multi-control system in seconds, under extreme stress. To sum it all up, you are dead.
I contend that the primary cause is not the sensor but the overconfident reliance on autopilots. When an autopilot intervenes, its whole purpose is to resume stable flight. Should anything unacceptable happen instead, the autopilot ought to switch itself off. Too many (blind) cooks spoil the broth.
Actually, I am shocked at how sloppy their approach to reliability engineering must be not to have even thought of such a basic thing. Reminds me of that NY finance company that lost half a billion $ in half an hour because they could not turn off their buggy automatic trading system.
You are nowhere near qualified to say anything about shoddiness, both from an individual standpoint and statistically. The competency of aircraft engineering is the highest in the world; it can't even be compared to your average financial engineer. To make flying complex systems like planes statistically safer than driving a car is an incredible achievement of engineering.
Numbers show that as automation has gone up, crashes have gone down. It doesn't establish causation, but correlation is a supporting data point.
Additionally, in many of these systems, autopilot does give back control and the pilot in a panic proceeds to royally screw up. The France flight 447 is a specific example of this.
The best way to handle this is to not only train the pilots differently but to change the autopilot. Multiple redundant sensors using different ways to measure airspeed so the detection of a faulty sensor is possible through automation.
Pilots and machines are nowhere near perfect. The goal is not to put both systems at odds, but to move both towards perfection.
I will concede the point that I am not qualified in aircraft engineering, just in autonomous systems, which is a kind of meeting ground here. I have seen way too many people getting over enthusiastic about the capabilities of autonomous systems of all kinds, which I think is a real danger here.
It is strange you quote Air France 447 as an example of some kind of superiority of automation, when in fact its problem was caused by eliminating physical force feedback between the pilots by (over) automation.
This is in no way to detract from your analysis, but Air France wasn't instrument error, it was really pilot error.
The instrument malfunctioned, but one pilot was pulling a lever up, while another pilot was pulling another lever down. This generated a stall. It could have been avoided if the cabin was better lit, so that the pilot making the error could have been visually seen to be making the mistake.
I have a hard time believing the statement from the fine article that the presence of the MCAS system was unknown to the pilots. I'm not a pilot, just an interested spaceflight and aircraft enthusiast, and I know about that system. There is no way that the pilots did not.
Maybe the pilots did not receive proper sim time on a 737MAX, which I believe has different enough instrumentation and automation systems to require a separate sim from the standard 737. But they almost certainly knew which systems were on the plane, and how to operate them under normal conditions.
>Maybe the pilots did not receive proper sim time on a 737MAX, which I believe has different enough instrumentation and automation systems to require a separate sim from the standard 737
Isn't part of Boeing's marketing strategy that the 737MAX actually DOESN'T require additional training? The entire point of MCAS is to make the larger 737MAX react to control inputs just like a smaller 737, so flight crew can just fly them all "like a 737".
There were too many warnings already. That was the problem. More warning could not have helped. Instead, the fact that the pitot tube was inoperable should not have led to so many alarms, just one, and not an urgent one since the autopilot could have kept the throttle at its current setting. (Air speed is independent of land speed, and it's much more important to know the airspeed than the land speed, but wind speed is not going to fluctuate so much, so land speed can be used as a proxy for airspeed in that situation, and anyways there wasn't anything to be done about the lack of airspeed indication in that situation.)
Not silently. There's a voice alert, "Priority Left" or "Priority Right", and a red light. But with other alarms active, it's likely to be missed.
Airbus statement on sidesticks. [1]
Boeing position on sidesticks.[2]
This is a long-standing controversy. The F-16 fighter was the first aircraft produced with a sidestick. But that was so the pilot could control it during high-G maneuvers. Airbus's use of it has been controversial for years. For a good overview of the Airbus control system, read "Fly by Wire", by William Langewiesche.
But that wasn't the problem with Lion Air.
Airspeed. Attitude. Vertical speed. Altitude. If the pilot is operating on wrong information for any of those, they may lose control of the aircraft. All large aircraft have more than one of each of those. But when they disagree, or fail in a common mode, big trouble.
Whether some other data source like GPS or inertial should be used to back up those is an open question. GPS can and is jammed. Inertial systems drift. Both are complicated. The classic instruments are so simple. But they rely on tubes to holes in the aircraft skin, which might become plugged for a number of reasons - ice, maintenance covers, insects, or dirt.
This narrative is incorrect. The aircraft gave audio and visual warnings when there were multiple control inputs. And we can infer that the crew on AF447 noticed them because the 2 (IIRC) instances of dual input lasted less than a couple of seconds.
And the captain actually noticed it, told the pilot pulling back on the stick to push forward, who did momentarily and then he pulled back again.
If you read the whole transcript and report it really does show just how wrong the pilot pulling back got it. And it speaks to the training and understanding that pilot had of how to fly the electronics vs how to fundamentally fly an aircraft.
To me, this moment is one of the failure points in the incident and is entirely the captain’s fault.
Captain: What the hell are you doing?
Benin: We've lost control of the plane!
Robert: We've totally lost control of the plane. We don't understand at all... We've tried everything
Now, instead of a team working jointly on a problem, we have two juniors feeling that they have to justify and defend themselves to their captain. It’s a really poor psychological position to be in with a time-critical problem to be solved.
It’s a human response, obviously, but I’m betting it’s the opposite of what his training would have recommended.
IMO, in that moment, the Captain either needed to get his crew problem-solving, or take control himself. Unfortunately he did neither.
My understanding is that aerodynamic modelling and simulator runs have shown that a committed decision to push nose-down, regain airspeed and recover from the stall, could have been successfully initiated all the way down to 5000 feet. The Captain had another 2mins 15secs (approximately) before reaching that level, and another 30 secs before impact after that.
There was time, if only someone had said the word ‘stall’ out loud.
I'd expect it from a student, because they're operating consciously. I'm not sure I'd expect it from someone who is in shock, who's experienced thousands of hours of uneventful operation and suddenly everything has changed.
I don't know how easily a panicked mentality can be tested for. Training is one thing, but training is typically designed to instill automatic response to predetermined stimuli. Sometimes what you want is a reset back to first principles and activation of conscious reasoning. Which is exactly what you don't get in shock or panic, and is the reason for training automatic response.
Of course it is better to have more sensors, but that is not the whole issue. The problem is that firstly, the automation is unable to deal with multiple complex failures. Secondly, pilots are not always capable of dealing with those same failures, particularly when the automation itself is part of the failure. The main solution to this is better training. But we should also question if the automation should include better handling of failures before shunting the problem back to an overwhelmed pilot.
The problem is going to get worse. Right now we have thousands of vehicles with trained highly-regulated operators (airplanes) relying on automation, who can be complacent until the automation fails and then must be alert and able to handle a complex situation in a matter of minutes. Soon, we will have millions of vehicles with barely-trained almost unregulated operators (cars), relying on automation, who can be complacent until the automation fails and then must be alert and able to handle a complex situation in a matter of seconds.
They are different but by how much? Could not ground speed be used as an approximation in an emergency situation? Put the airplane level, put engines on a reasonable power and get to a place where you are not forced to act second by second. When the airplane is level and has a reasonable ground speed should that not preclude stall?
How do you propose to get the plane level without knowing the airspeed, pitch, and/or angle of attack? If the pilots or computers had this information, then they would not need the GPS system you describe.
You are describing a navigation system, not a flight computer or an emergency recovery system.
The ram air turbine is only deployed in irregular or emergency situations, and even then, no it would not be a reliable airspeed indicator unless it was reengineered to be one somehow.
Yeah but almost 400 dead people is still 400 more disasters than it should be. Only us engineers can solve this problem and we have a moral responsibility to solve this problem.
Or perhaps our engineering skills, time and resources would be better used saving several orders of magnitude more people from death from domestic accidents or drowning.
This sounds like a process, not an engineering problem. The plane had known faulty sensors, and the pilots didn't know about crucial operating features of the plane.
No amount of engineering will save you from this, if you add more they'll maintain it less so that'll fail instead.
The Emergency Airworthiness Directive issued after Lion Air 610 crash was, in summary, "Pilots, remember that there is a runaway stabilizer QRH response and pilots should follow that when indicated."
If you're arguing that the pilots didn't know about the possibility of runaway trim, I don't find that very likely. If you're arguing that they didn't specifically know that MCAS could cause runaway trim, I probably agree but think it's irrelevant as the response to runaway trim is not to diagnose or draw the system diagram of the fault, but rather to simply stop the fault, which the stock 737 checklist would have accomplished, if followed.
How much resources would you put towards improving airplanes to save those 400 people?
You would almost certainly see better returns if those same resources were put towards improving cars, or roads, or curing disease, or infant mortality, or healthcare, or education.
In our current economic system the money that air travel generates is not going to be made available for any of those other fine causes; it's going to either be used to make air travel safer and more environmentally friendly, or it's going to be used to pay dividends to shareholders. It will only be used for safety and environmental standards (and crew care, and passenger comfort) if travellers demand it and refuse to fly on lines that don't conform.
Boeing makes safer airplanes than the FAA requires.
For example, twin engines are statistically safer than more engines, and Boeing had to lobby the FAA to allow them over water.
For another, Boeing wings do not have hydraulics that extend past the engines. Torque tubes are used to transmit power further. This is so that a major engine failure won't damage the hydraulic system. This was not a requirement until a crash from another manufacturer's airplane was due to such damage, and Boeing airplanes were not susceptible to that failure mode.
Your theories about how the industry works are speculation.
All theories are speculation, but these are based on observation and contact with the industry. Boeing have acted in exactly the way that my theories predict and dictate; they are certainly reactive to the threat of regulation and customer pressure. If Boeing was to become an "unsafe" brand their shareholders would be very damaged.
The twin engine statistics story that you cite is not the story that I remember for the 777. The FAA had rules which were based on the behaviour of old engines and dictated that a twin-engine aircraft should be a smaller distance from an emergency strip than was possible for the best routes across the major oceans (I believe it ruled out the Pacific routes completely). Boeing demonstrated (successfully and correctly) that modern engines failed so rarely that the four vs two distinction was obsolete.
What has happened in recent years is that another failure mode has emerged; it's a complex one due to pilot training, HCI and the vulnerability of automated systems to failure in modes where common sense knowledge could protect them. I expect and believe that the systems and institutions of the aerospace industry will be fully strong enough to manage this, but I don't think that this is the case for many other industries that are beginning to experience the same sort of problems, notably self driving cars and computer medicine. Many people think differently; the test of theories is time, so we shall see.
I'm not claiming there is no trade-off in saving 400 more people (as basically everyone replied to me), but engineers have an implicit agreement with society, and ethical practice is a big part of engineering, at least that is what I was taught. The reason this trade-off is irrelevant is that if you're not employed by an aerospace company, you do not have any implicit responsibility regarding those 400 people. So what is being claimed here is not that we all should stop and save those 400 people. E.g. I work for a telematics company; I'm absolutely responsible for every person injured in a car crash whom my engineering solutions could have saved. But the same cannot be said about casualties in airplane crashes.
I used to work for Boeing on the 757 stabilizer trim system. I can verify that the engineers who work on such flight critical systems are very much aware of their responsibilities to make them as safe as they can. None of them want anything to do with creating an unsafe design.
It's not the number, but the number with the same general cause. Any failure of a complex system has multiple causes, and the NTSB/FAA usually responds to incidents with multiple recommendations, to eliminate any possibility of this chain of events happening again. This has been remarkably successful.
It's surprising to me that airline designers continue to add sensors and computers and automation, when in so many of these cases it's the automation which itself is the problem.
Would the NTSB ever issue a recommendation like "Your aircraft is too complex" or "You rely on too many computers"? It seems to me like that could be a valid cause, but it's simply not in their vocabulary.
> It's surprising to me that airline designers continue to add sensors and computers and automation, when in so many of these cases it's the automation which itself is the problem.
New features can indeed raise unanticipated problems. But that automation isn't added for the lulz, it is added to address other safety problems. The safety record has gotten dramatically better over the decades, and that speaks for itself.
> Would the NTSB ever issue a recommendation like "Your aircraft is too complex" or "You rely on too many computers"? It seems to me like that could be a valid cause, but it's simply not in their vocabulary.
Neither of those vague hand-wavy recommendations are actionable, so the NTSB would never issue them.
Although vague concerns aren't themselves actionable, the actions that could be recommended in both cases would be research. To look into whether "too many computers" is actually causal and what might be done about that. My guess is "No" but if the investigators thought we need to check that's what they'd recommend.
But most often what's needed is smarter machines, not less of them.
Inadequate engine performance during take off is a periodic cause of problems. Research was done into whether airports could add markers so that pilots could tell if their acceleration was less than expected. That went nowhere because humans don't have an accurate sense of acceleration or time passing. Today new Airbus jets integrate their position over time and will warn audibly "Check acceleration" if underperforming, long before V1 (maximum abort speed). Meanwhile a common underlying cause of inadequate performance is entering incorrect air temperature; modern Boeings will delete input temperatures that don't resemble the measured temperature at an air intake when the engines switch on. Pilots must enter a plausible temperature and try again, or perform a fully manual take off. So investigators now might recommend one or both of these countermeasures be adopted, or that the research be done again knowing these options exist.
The NTSB seems to take the overall view that automation in airliners is generally reliable, though balances that with the view that pilots must be prepared to take over for unanticipated circumstances (United 1549).
Small nit: V1 is the takeoff decision speed, not the maximum abort speed. If the decision is made to abort right at V1, the airplane will continue to accelerate for a second or so while the crew implements the first action to effect the abort/RTO.
Overall, flying is safer now than in the days of manual control or more simplistic autopilot. The problem seems to me to be that when things do fail, the cause and effect may not be obvious to the crew so they struggle to understand why the plane is doing what it's doing, and how to correctly respond.
Do aircraft inertial measurement systems ever provide linear velocity information that isn't trash? I had assumed not (except for special cases where you can do e.g. a zero-velocity update)
An inertial measurement system cannot measure velocity. It's insensitive to which inertial frame it is in. (To move from a non-moving frame to a moving frame, you must accelerate, which it could detect. But then you have to integrate these accelerations over time.)
Your assertion is simply demonstrated to be untrue.
Inertial systems integrate all measured accelerations over time to compute present velocity and position. They are periodically corrected with external references. The accuracy is limited to the accuracy of the accelerometers, the sampling frequency and the accuracy of the digital math, among other things.
This IMU idea could be used, but I am not aware of any current commercial IMUs in airliners - but I am not an airline pilot so that does not count for much.
If I were given conflicting information I would see how the plane is acting. I have flown planes with various primary instrument failures over my decades, some in actual instrument conditions, and always had sufficient secondary sources of data to determine the situation. As an example in a piston plane: Tachometer fails? Cross check fuel flow, manifold pressure and airspeed - subject to mixture control which can be reasonably set using "lean to roughness and enrich" method. Been there, done that. I have had an altimeter fail insidiously slowly, when water got into the static lines (despite redundant ports and properly routing them upward), while in actual near minimums in a non precision approach. (I used GPS altitude cross reference and odd seeming behavior of altimeter needle to diagnose and switch to alternate static.)
Importantly, if the plane is flying straight and level and sufficiently fast, over time this becomes a "feel" and you can tell if something is extraordinary. Maybe not on airliners, but definitely the piston planes I fly a lot and probably the small jets I fly on occasion.
This is why some of these things are mystifying to me. If your engines are set to a certain power and seem to be operating properly, and your attitude is just so, in the absence of unusual meteorological conditions your plane should be performing in a manner consistent to your last experience. If your stall warning is going off, well, maybe the instrument broke. Air France is really scary mystifying.
Look, I am a software engineer so I get it, people can get locked into a misconception about a fault and not step away long/far enough to consider other alternatives. It happens a lot in debugging. But for whatever reason my brain works much faster and more dynamically when shit happens in the left seat of an airplane having problems.
I already mentioned that acceleration measurements can be integrated to get velocity. I asked a question about the reliability of the velocity information available to an IMU, and your reply did not address that.
Ground speed (which is what inertial system would indicate) is not very helpful for the pilot. All piloting relies on airspeed which is how fast the aircraft travels in relation to surrounding air.
The difference between ground-speed and airspeed is the wind. In normal conditions, ground-speed is a useful proxy for airspeed - perhaps not good enough for an airliner precision approach, but more than adequate for normal flight.
For the Lion flight, winds were light and the aircraft was at low altitude, so ground-speed would have been very close to airspeed.
In any case (as pointed out by earlier comments) a proficient pilot should have no trouble flying in daylight and good conditions using only the "Mark I eyeball". It appears the aircraft crashed because the crew didn't fly it - a surprisingly common occurrence for automation-dependent crews!
"An inertial navigation system (INS) is a navigation aid that uses a computer, motion sensors (accelerometers), rotation sensors (gyroscopes), and occasionally magnetic sensors (magnetometers) to continuously calculate by dead reckoning the position, the orientation, and the velocity (direction and speed of movement) of a moving object without the need for external references.[1] It is used on vehicles such as ships, aircraft, submarines, guided missiles, and spacecraft."
Inertial Navigation System (INS) measures linear acceleration (via accelerometers), angular velocity (via gyros) and optionally magnetic heading. Using integration and filtering (Kalman or similar) you get aircraft velocity, position and attitude. Without constant correction (GPS for example) calculations based on INS measurements degrade over time (due to instrumental and calculation errors) but in range of minutes they are pretty accurate.
The comment I was replying to implied that checking with the inertial measurement system was an alternative to checking against GPS.
I still think I'll be surprised if accelerometers provide useful velocity information over timescales useful to a pilot. But maybe that's because I only have experience with cheap MEMS accelerometers from around 15 years ago.
In any event, what would be the use of inertia-based calculations, when airspeed (through an atmosphere always changing) is the more important bit to keep the plane in the air?
Aviation does not usually require the precision assumed here. The aircraft would have flown fine anywhere between (say) 150k and 300k, so an inertial-nav indication of (say) 250k +/- 20k would tell the crew that things are "close-enough".
More useful at the time would be to set a "sensible" power level and maintain approximate altitude ... and looking out the window is usually helpful!
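As an added illustration of the cross-check discussed in this sub-thread (not code from any commenter, airframe or real avionics), here is a Python sketch: the pitot-derived airspeed channels are voted, a single outlier is excluded and flagged, and when no two channels agree (the Saratov case above) the ground speed is used only as a coarse plausibility band widened by an assumed wind uncertainty, rather than as a precise replacement. All thresholds, tolerances and readings are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed tuning values for the illustration, not from any aircraft.
DISAGREE_KT = 15.0      # max spread tolerated between agreeing pitot channels
WIND_UNCERT_KT = 40.0   # assumed worst-case |wind| when ground speed stands in for airspeed
ENVELOPE_KT = (150.0, 300.0)  # the "would have flown fine anywhere between" band


@dataclass
class AirspeedEstimate:
    value_kt: Optional[float]   # best estimate, None when nothing trustworthy remains
    source: str                 # "pitot-vote", "gps-proxy" or "unreliable"
    band_kt: float              # +/- uncertainty attached to value_kt
    alert: Optional[str]        # crew-facing message, None when all channels agree


def agreeing_cluster(readings: List[float], tol: float) -> List[int]:
    """Indices of the largest group of channels whose readings all lie within tol of each other."""
    order = sorted(range(len(readings)), key=lambda k: readings[k])
    best: List[int] = []
    for start in range(len(order)):
        lo = readings[order[start]]
        group = [k for k in order[start:] if readings[k] - lo <= tol]
        if len(group) > len(best):
            best = group
    return sorted(best)


def estimate_airspeed(pitot_kt: List[float], gps_ground_kt: Optional[float]) -> AirspeedEstimate:
    """Vote the pitot channels; fall back to a ground-speed band only when voting fails."""
    good = agreeing_cluster(pitot_kt, DISAGREE_KT)
    if len(good) >= 2:
        value = sum(pitot_kt[i] for i in good) / len(good)
        bad = [i for i in range(len(pitot_kt)) if i not in good]
        alert = None if not bad else f"airspeed channel(s) {bad} disagree, excluded"
        return AirspeedEstimate(value, "pitot-vote", DISAGREE_KT / 2, alert)
    # No two channels agree: trust none of them rather than pick one (three-way disagreement case).
    if gps_ground_kt is None:
        return AirspeedEstimate(None, "unreliable", float("inf"),
                                "AIRSPEED UNRELIABLE: no agreeing pitot channels and no ground speed")
    return AirspeedEstimate(gps_ground_kt, "gps-proxy", WIND_UNCERT_KT,
                            "AIRSPEED UNRELIABLE: ground speed shown as proxy, +/- assumed wind")


def in_safe_envelope(est: AirspeedEstimate, envelope=ENVELOPE_KT) -> bool:
    """True only if the whole uncertainty band sits inside the flyable envelope."""
    if est.value_kt is None:
        return False
    lo, hi = envelope
    return est.value_kt - est.band_kt >= lo and est.value_kt + est.band_kt <= hi


if __name__ == "__main__":
    # Constructed scenarios: all agree, one clogged channel, three-way disagreement, no GPS.
    scenarios = [
        ([248.0, 250.0, 251.0], 255.0),
        ([330.0, 250.0, 251.0], 255.0),
        ([180.0, 250.0, 330.0], 255.0),
        ([180.0, 250.0, 330.0], None),
    ]
    for pitot, gps in scenarios:
        est = estimate_airspeed(pitot, gps)
        print(pitot, gps, "->", est.source, est.value_kt, "+/-", est.band_kt,
              "safe" if in_safe_envelope(est) else "NOT safe", est.alert)
```

The "close enough" judgement from the comment above maps to in_safe_envelope: a 255 kt ground speed with a 40 kt wind band still sits inside 150 to 300 kt, whereas the same proxy at 280 kt does not.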
What the pilots experienced was indistinguishable from runaway stab trim, and shutting off the stab trim from the switches on the console is the correct response. There's a loud distinctive sound when the trim runs, and the wheels that bracket the console turn, so it's pretty obvious. The previous flight's pilots had indeed done this. The pilots are trained for this. They had 12 minutes to shut off the repeated action of the runaway stab trim.
Additionally, the airplane should have been grounded after the previous flight, as runaway stab trim is a serious problem, until the fault was found and corrected.
Equally badly, the flight crew was probably not informed of what had happened on the previous flight.
Well sort of but not quite. When the pilots clicked the trim up switch on the yoke, it disabled the MCAS system for 5 seconds -- i.e. it made the problem go away temporarily. Then MCAS comes right back with more nose down trim. This is not a typical runaway trim situation where it's just continuously rolling in more trim. The pilots had no idea that this system existed or that a "runaway trim" failure could have these characteristics.
Sure, it's easy to say from the ground with what we know now that all they had to do was flip a couple of switches, and that a previous crew managed to land safely. However, the job of an airplane is not to be safe only with quick thinking, above average pilots. If a single sensor failure can present a situation that 99% of pilots will successfully diagnose and recover from, you're looking at multiple crashes per year.
The pilots did not need to diagnose the system. It would have been obvious that the trim system was running, and was causing the nose down. The trim cutoff systems are right there on the center console. They dealt with the issue for 12 minutes, lightning reflexes were not necessary.
The NTSB will of course look into the CVR, the pilots' training, background and track record to try to figure out why they did not use the cutoff switches. I'm very curious about that.
Similar types of accidents have occurred in the past and turned out to be CRM (Cockpit Resource Management) issues, where the copilot recognized what was wrong but was intimidated by the pilot into doing nothing.
Exactly. While Boeing indeed added a new system, the malfunctions and resolutions matrix didn’t change. Thus Boeing didn’t need to change training and claimed that new planes can be flown without any additional training. It’s hard to fault Boeing here.
Are you saying that pilots can transition from a 737 to a 737MAX with no sim time? I thought that they had different instrumentation, at the very least.
What is never mentioned is that since forever runaway stabilizer is one of the FEW memory items.
Here it is. To be qualified as a pilot you have to have this memorized.
I. Runaway Stabilizer
CONTROL COLUMN - HOLD FIRMLY
AUTOPILOT (if engaged) - DISENGAGE
Do not re-engage the autopilot.
If the Runaway Continues
STAB TRIM CUTOUT SWITCHES (both) - CUTOUT
All this drama around "fighting the controls" and "fighting the plane" is weird. This is not some procedure you need to lookup, this is one of a few memory items.
That process isn't sufficient on the 737Max. That is the point; to make it fly like a 737NG Boeing added an additional system, MCAS, that requires the AoA sensors to be manually disconnected during a malfunction or it will continue commanding elevator pitch. You could run through your memory drill as many times as you like, it wouldn't have helped in this case.
The FAA Airworthiness Directive (2018-23-51) can be found at the address below (pdf). There is no mention of manually disconnecting the AofA sensors. The addition to the Airplane Flight Manual required by the AD explicitly says "do the existing AFM Runaway Stabilizer procedure above, ensuring that the STAB TRIM CUTOUT are set to CUTOUT and stay in the CUTOUT position for the remainder of the flight."
While I don't think pilot training is the only issue, we can't assume a crash was the most probable outcome following from the failure of the AofA indicator in question.
I hope this level of training isn't common with pilots - if so we are in trouble! Seriously. This is basic 101 type stuff, and if pilots have this little clue, we need to work to get them out of the cockpit.
"requires AoA sensors be manually disconnected" ? Where is this coming from?
"it will continue commanding elevator pitch" even though stab cutout?? Uh? Again, do you have a citation here?
Seriously, where / what airline is training that? The airworthiness directive literally says - don't forget to follow the runaway stabilizer procedure in this situation. That is LITERALLY what Boeing and FAA are saying, and now you are telling us this other stuff?
That would make sense. Do you think they lacked experience or received improper training?
From what I remember when preparing for the helicopter license, it was emphasized that being able to use manual sensors and controls was critical in case of such failures.
Terrible maintenance (well known issue with this airline). Seriously, a plane in US is HIGHLY unlikely to fly this many times with this type of issue. So in the US, risk of this even happening is MUCH lower.
We don't hear about the situations pilots respond properly to. Despite the other person correcting me, most pilots do know this stuff in the US. Go arounds, single engine landings, stab trim cutout etc. all happen with some frequency.
Runaway stabilizer has a cutout switch and wheel for a reason, the manual control you describe. It's actually a memory item - memory or recall items are used for time critical situations with risks of severe aircraft damage. You do the memory items and then look at checklist. There are not that many.
My own view here - despite what others are saying, if pilots had cut out the electric trim, they would have been fine.
99% of time flights go per the plan and are boring, so pilots do sometimes take shortcuts. They don't brief the flight properly, they don't maintain a sterile cockpit, they don't look over past issues on a plane before takeoff (maintenance log book) and they don't follow procedures exactly.
Planes are so safe a lot of pilots lean HEAVILY on the automation. So I'd be very curious about cockpit voice recorder. It seems almost impossible to go 12 minutes without doing the 20 second memory item.
An example - properly using an elevator - you hit the button, when doors open, you enter. If doors closing you hit the button outside again or hit the door hold button inside and then enter or WAIT if doors don't open. The sensors in the door to avoid crushing you are meant as a backup.
BUT, folks are so confident in those backup sensors they skip the procedure, and actually stick their hand into a closing door on purpose to keep it open. It works 99% of time I'm sure - but there will be that .01% where it doesn't.
That's like flying. 99.999% it actually works if you take a shortcut (ie, in many cases you can cut out trim with control column input). But that IS NOT the actual procedure. So you see pilots say things like, "I've always done it this way", and yeah, it works 99.9% of the time BUT the designers intended you to follow the damn procedure - in which case you'll almost never have a problem.
Another problem, you remember what you do. So if you are used to cutting out stab trim with control column as a shortcut and not switches, then yes, you could be in trouble here, especially if you never fall back to the actual procedure. There was a change here which means more cases in which stab trim would be flight commanded and some shortcuts wouldn't work on it.
The page is a graphics-loaded page with floating paragraphs over a single "sheet of wallpaper" showing interior and exterior diagrams of the aircraft. I can see it not working worth a damn in any kind of Reader View.
FWIW, nothing new here, but it's a good 3rd grade overview for the layperson.
And I am a Boeing guy, through and through, but they screwed the pooch on this one. RIP, Lion Air 610.
Looks like there was a problem with the autopilot trim, likely due to a faulty sensor, and the pilot just needed to switch off the autopilot instead of fighting it — the previous flight of that aircraft experienced a similar issue, and they just turned the autopilot trim off and carried on normally. :(
The graphs on PDF page 23 are particularly morbid, and you’ll note that two of the final auto nose-down commands are of longer duration than all the rest.
Apparently it wasn’t the standard autopilot trim, but a special safety program specific to the 737 MAX. Which still is just a switch to disable, if you know that switch is there, or that there is a checklist for dealing with runaway trim, or that you’re aware that auto-trim commands are the reason your plane keeps nosing down...
I think the most important point described in that article is that the MCAS trim, unlike the other kinds of elevator trim, isn't defeated by limit switches on the yoke - and that this critical information was not in the training or flight manual.
If true, then this right here is the root of the problem. Why isn't the pilot limit respected with regard to the MCAS specifically? Are any other systems so independent?
I remember years ago the Boeing folks claiming that the automated Airbuses would be dangerous because the pilot always knows best. So how did it come to this on a Boeing?
The answer appears to be something along the lines of "because the whole point of MCAS is to stop the pilot flying the aircraft beyond the limits of stability".
Just a note for anyone looking for these, I think this is a reference to the graphs on the PDF page labeled as Page 14. (The PDF has several pages before Page 1.)
This wasn't the default autopilot but a new system, as such they didn't know what was causing the behaviour. On top of that all their sensors gave them different information.
> If the autopilot tries to screw things up it is standard procedure to turn it off. Is failing to do so human error? I guess so.
You have a new automatic system pilots are not told about that will deep dive a plane with 200 people into the ocean unless you do things you have learned to apply in a different situation. I don't think you can call that a human error.. Except for maybe the human that decided not to tell the pilots?
I can't see how you can learn anything from it not in a reader view either. Oh, and if you need any assistive technology (e.g. perhaps you're blind): tough luck!
If you didn't read about it after the accident this seems like a pretty easy to understand explanation. Why couldn't anyone learn from it? It explains the issue pretty well in my opinion
These human-machine interface failures always fascinate me. The NYT makes the quip about not being able to look down and note the trim, but speed doesn’t need to be high to have these failures. It seems to be more related to system complexity misunderstandings or compounding interpretation issues. Look at the grounding of the Royal Majesty - not exactly some high speed object; it all amounted to a misunderstood icon. See: https://ti.arc.nasa.gov/m/profile/adegani/Grounding%20of%20t...
You would think it would make sense to automatically disable the MCAS system and sound a warning if the aircraft detects conflicting readings from its sensors.
Due to the way the engines are mounted on the frame, which enhances their efficiency, they also cause more of an "upward thrust vector." This makes it very easy for this plane to reach dangerously high AOA in certain scenarios, particularly during turns.
The MCAS has a specific and important function and just turning it off is probably not going to increase safety. The real problem was that Boeing did not disclose the existence of this device and its functions in aircraft training, according to one source, because they did not want to inundate new pilots with too much information about the plane and its attendant safety systems.
Perhaps, had the pilots known, they would have seen the stick shaker/stall warning system activating on _one side only_ as a serious indication of an Airspeed/AOA system fault and the potential for incorrect MCAS outputs being generated.
They might have known to disable the electronic trim control, bypassing the MCAS, and then to manually fly and trim the plane with the aforementioned thrust vectoring taken into consideration. They could have trained for this. That would have all given them the best safety margin for survival here.
In the case of a disagreement between the AoA sensors, the obviously correct thing to do is for the computer to disable MCAS and put up a warning light. The conditions MCAS addresses only happen when the AoA gets very high, such as in a slow-speed, over-banked turn. The plane is stable in normal operation.
Think of how a human would react: One sensor says everything is normal. The other says a very rare emergency situation is occurring. Since the sensors disagree, you know one of them is defective and wrong. Applying a very rarely needed emergency correction when you know that you have a sensor fault is not reasonable.
Even applying the stick shaker is confusing to the pilots and dangerous. Much more appropriate is a warning light of a sensor malfunction/MCAS disabled. Then the pilots must simply be extra careful to not make overly banked turns for the remainder of the flight, and replace the sensor on landing.
> the obviously correct thing to do is for the computer to disable MCAS and put up a warning light.
The only problem with that is that problems rarely happen in isolation, and you have to consider whether the pilots are going to notice the warning in the midst of several others and if they are going to give it the appropriate priority and consideration while flying.
> Think of how a human would react
That's exactly it, though.. look at Air France 447. The system automatically disabled itself and put the plane into an "alternative law." All automatically. The pilots did _not_ notice this, and still flew the plane into the ocean even though they had several minutes to work the problem.
It's not that simple.
> Even applying the stick shaker is confusing to the pilots and dangerous.
All evidence to the contrary. The stick shaker is an amazing safety device because it demands priority of consideration. It's not going to get lost in the noise of a degrading cockpit. Seriously, go listen to some cockpit voice recorders of a disaster.. it's never what you would expect.
Problems usually happen in isolation. Your dataset is skewed because you've read a bunch of accident reports. When there are multiple failures together, this is much more likely to lead to an accident. When there's just a single problem and it's handled with no loss of life, they don't write a report about it.
I agree, the stick shaker gets a pilot's attention. What the stick shaker tells the pilot is that he's about to stall, but that's not what was happening. Shaking the stick is loudly yelling false information at the pilot!
Let's look at the epistemology here. If we're only looking at the two AoA indicators, and one reads 5 degrees and the other reads 25 degrees, we know that there has been a sensor failure. All you can say is that the airplane does not know what its angle of attack is. That's fine though, we've been flying planes for a hundred years without AoA indicators, even ones that had way worse pitch instabilities than the 737MAX. If the airplane doesn't know the angle of attack, there is no reason for it to activate the stick shaker, put in nose down trim, or do anything else except to calmly notify the pilots that AoA is unavailable and therefore MCAS is disabled. All the pilots need to do then is fly the plane normally and not do any crazy banked turns or extremely abrupt pullups at low speed. It's definitely wrong for the plane to start dialing in nose down trim "just in case", because the "just in case" can kill you if it's not necessary!
On AF447, there were, as usual, a lot of mistakes made. One problem clearly though was that the plane was giving the pilots a lot of conflicting information that confused them. If the plane was seeing three different airspeeds, the best thing for it to do would have been to put a big red X over the airspeed tape and let them fly by pitch and power. This is exactly why a lot of instrument pilots in older smaller planes carry a little instrument cover. If say your AI fails in IMC, you don't want to see the wrong indication at all, so you cover it up and use your other instruments. Seeing a wrong indication, even if you know it's wrong, is very confusing and can lead people to make errors in reasoning, especially in a stressful situation.
I'm sure it has a useful function if it's operating on good data, but when it has bad data it can kill 189 people.
I don't really know just how unstable the aircraft is without this automation, but it seems like it would be better to warn the pilots they need to manually manage their trim than send them crashing into the ocean.
If, without this device, it is very easy to reach a dangerously high angle-of-attack in turns, then it is beginning to look more like a necessary feature (at least from a certification point of view), which would raise additional questions about why such an important device is so vulnerable to sensor failure. It would also tend to heighten suspicions that Boeing has not been entirely forthright about the device's purpose, capabilities, risk if malfunctioning, and why it is being used in this model of aircraft. Could Boeing have downplayed its importance in order to simplify certification and training, or was all this made clear at the time?
> because they did not want to inundate new pilots with too much information about the plane and it's attendant safety systems
They didn’t want to require pilots to simulate for the plane. That was a big selling point. MCAS is a big enough change that it probably should have required training. (Not sure where on the fuck-up to fraud spectrum this falls, though.)
Adding MCAS didn’t change the symptoms / responses matrix. Its malfunction is the same as runaway trim and responses are the same (turn it off). This was a fair engineering decision to not require retraining for this.
Not a pilot, but isn't stalling dependent on AoA and airspeed? If airspeed is very high (as would be for a plane flying down into the ground), why would AoA safety levels matter?
The definition of stalling is exceeding the critical angle of attack... regardless of airspeed. You can stall an airplane at any airspeed, though typically you stall at slower speeds because you are operating closer to that critical AoA.
As a former Boeing software engineer (not on the commercial plane side) I can say without any hesitation that you're completely wrong in your description of what goes on at Boeing. The "bloat" you speak of is the very reason we are not subjected to many more tragedies like this. Safety takes time and people.
Why roll out a change without notifying someone? Why make systems more complex when miscommunication results in death?
This isn't to say that manual, mechanical controls are better than automated electronic ones. Indeed the Air France crash from Brazil was mechanical pilot error.
But for me it is not sufficient to say "we do a really good job and have a lot of safety protocols."
Yes, especially since there are only 2 AOA sensors so you can't know which one is incorrect by comparing to a third sensor. I've read that it's possible to derive AOA from other sensors but don't think these aircraft have that ability.
You should always have at least three and preferably an odd number of similar sensors so that you can get at least a vague idea of consensus. The British Royal Navy rule was: take one chronometer or three, never two, because with two you will always be unsure which one is correct, while with three you can, usually, just average the two that are closest together and regard the third as an outlier.
Serious lack of redundancy in a life-safety-critical system. It should have:
- 5+ AOA sensors of different types
- discard any sensor values that are stuck or providing incorrect readings
- have a spray, heating system (some do) and camera system for automatically deicing and verifying AOA sensors in-flight
Without a camera system to verify sensors, crews won't have a definitive way to know if they're getting true or false information from clogged pitot, stuck AOA or malfunction.
From the article, "Outside the plane, one of the plane’s angle of attack sensors falsely indicated that the plane’s nose was pointed too high, and the aircraft could stall."
I'm not in any way eligible to comment on aviation systems, but why does the equipment that measures the angle of the airplane need to be outside? Couldn't something like a gyroscope mounted inside do the job?
It's measuring the angle of the plane relative to the air moving past it (i.e. the angle the plane is "attacking" the air). Knowing the angle of the plane in an absolute sense isn't as useful when it comes to detecting stalls, etc.
It's not as useful but it is far from useless. The ordinary artificial horizon indicator should have been able to show that the external sensor was far out. I don't know anything about the aircraft or Boeing but as a software designer and implementor I would have wanted to use the output of the artificial horizon as well as the angle of attack sensor in an attempt to gauge the quality of the readings. I'm guessing here but it seems likely the aircraft was equipped with a normal gyroscopic instrument in addition to the external angle of attack sensor.
Of course the Boeing engineers who worked on this could easily tell us exactly how it works and why. I don't suppose that will ever happen though.
I think the problem is that moving air (such as an updraft) can alter the angle of attack independently of the pitch angle. That is important during landing where low thrust levels are set and the air is turbulent. But in other phases of flight it should be possible to keep the aeroplane stable using known thrust and pitch settings and ignore air speed and AOA sensors completely. Of course that requires fully functional control surfaces and engines. Maybe it would be better to remove the erroneous sensor type completely and have procedures that can cope with that.
I'm amazed that Boeing isn't the focus of more - much, much more - criticism. It seems clear to me they are vastly more culpable than the pilots or airline.
I agree that Boeing's share of responsibility is big. I think media coverage has largely reflected it too. I don't recall reading any article where it put the blame on the pilots. Based on what I've read, it felt more like, 70% Boeing, 29% airline, 1% pilot.
If this is the case we seriously need to consider getting rid of the pilots. Stab trim issues are a memory checklist item under existing training with clear cutoffs easily available.
"Getting rid of the pilots" has already mostly happened. You know this. Autopilot on at 400-1000' and off at MDA/200'/DH to rollout. In between they are system administrators. Heck, even I can and often do fly my much smaller planes this way. And, as you also probably know, autopilot is required to be flying the plane above 28,000' (Google RVSM for interested readers).
I am sometimes glad I have access to Cubs, Decathlons, and other simple planes to keep me an honest pilot. :)
So true, and overseas actually a bigger issue I think because they don't always have the recreational / GA flying world going on. Some pilots in airlines trying to develop local skills are going basically straight onto an Airbus flight deck. Not saying it's bad, but they don't seem as comfortable with manual flying. And frankly manual flying is more complicated on these planes - the number of autopilot and throttle modes etc etc - a cessna - pitch, power... I do wonder if adding a basic safe flight pitch power button (ignores everything and just goes to a safe pitch power setting smack in middle of power curve) might help. Literally ignore AoA, ignore speed, ignore everything. Just trim to middle and set power. Air france? This flight? These planes are flying fine otherwise. You don't 100% need all the automation (though the MAX did introduce some weird instability near stall which is annoying in a big way). My own view - make a naturally stable plane (MAX moved away from this), and have a way to fall back to a basic setting that takes advantage of that.
I think you got it wrong. If you fly a plane you are responsible for the people you are taking. Failing to reliably manage the plane in every situation is human error. Boeing did not force the airline to buy this model, it did not force them not to have training and finally, which is the most serious, Boeing did not fail to disengage the autopilot, which is a standard procedure in such a situation; the pilots did. So I guess it is 99% pilots, 1% airline, 0% Boeing.
Nope, if pilots fail to handle an emergency due to poor training, then it's the airline that trained them which is really responsible. Blaming individuals for failures of an organization is not a good strategy for improving safety
Also, in this situation disengaging the autopilot would not stop the nose down inputs. It's a new design on 737MAX, and whether Boeing informed airline about it well enough determines if they are at fault or not.
What the plane did here is not technically reasonable. We had optimal estimation and sensor fusion in the sixties. With two AoA sensors, three pitot/static systems, GPS, and a full IMU, the plane had more than enough information to determine that there was no high AoA situation requiring its intervention.
Since this dangerous high AoA situation is so rare, even a simple rule requiring both AoA sensors to agree that AoA was dangerously high to override the pilot completely solves the problem. Even with just one AoA sensor and a little memory, the simple fact that the system had rolled in so much nose down trim, which should have lowered AoA, with no apparent effect should have clued it into the fact that its model of the system was wrong and caused it to stop.
This is not a particularly sophisticated insight. The engineers all knew this when they designed the system. They had a reason for doing it the way they did, though, and that was to slip the new system in a bit under the radar of the FAA. Since the MCAS is required to maintain the stability of the plane at high angle of attack, it should have been certified as a Stability Augmentation System. That would have subjected it to more redundancy requirements and eliminated this failure. The problem was that Boeing wanted the MAX to not require significant training or certification beyond the 737/737NG. A big new Stability Augmentation System would have required extra certification and probably pilot training. Instead, they chose to sort of launder this system through an existing one, the Elevator Feel Shift system. The EFS adds some nose down trim at certain speeds and altitudes to make the 737NG feel like a classic 737.
Since the FAA already determined that the EFS wasn't a stability augmentation system, but it could control the elevator trim, Boeing figured they could piggyback the new MCAS onto it, adding just one new input, the AoA sensor, and no new outputs. Since it only controlled the trim and not the main flight controls, Boeing could keep to its manual control philosophy, and they could slip it through certification. They couldn’t give the computer both AoA inputs, because the air data system is supposed to have two totally independent and manually selectable sets of sensors. If you give a computer both AoA inputs, you lose that redundancy concept.
So why did the EFS system never cause any problems despite having the same lack of redundancy? My guess is that the EFS is essentially an open-loop controller. It applies a fixed amount of forward trim for a given speed/altitude combination. If the pitot/static system goes haywire, the worst that happens is fixed, moderate amount of nose down trim, easily and naturally compensated for by the pilot or autopilot. The MCAS appears to be closed loop in that it will just keep adding more and more nose down trim until the AoA sensor says things are OK again, the pilot pulls its circuit breaker, or the plane smashes into the ocean.
People in the industry blaming the pilots one bit are making a mistake the industry collectively stopped making seventy years ago. We don’t blame the pilot anymore, we blame the system. Given enough time, humans will make any mistake that can be made. If the plane cannot be flown completely safely by significantly below average pilots, it's an unsafe plane. Demanding that the system be safe even with imperfect pilots is why commercial aviation is so amazingly safe today. It’s also ironically why the MCAS is in there in the first place. Boeing could have just put in the manual to never exceed 14 degrees of AoA, and even average pilots would never have a problem. The FAA would never certify such a plane to carry paying passengers with such a limitation though. It would be too dangerous. Eventually someone would screw up and the plane would go out of control, so there had to be a computer to prevent this. As it stands, the plane does not IMO meet certification requirements for the transport category, and the only reason it isn't grounded is because there are literally half a trillion dollars worth of these things in service or on order. I'm racking my brain to think of another single product produced anywhere that is so valuable.
I agree that more focus should be placed on the system, however, with so many NTSB reports naming "pilot error" as the cause of accidents/incidents, I think we're still very much focused on the pilots.
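The two defensive rules argued for in this thread, "require the redundant AoA sensors to agree before acting, and with three take the closest pair and discard the outlier" (the chronometer rule above) and "with one sensor and a little memory, notice that repeated nose-down trim has had no effect and stop", as an added Python sketch. This is illustration code written for this page, not code from the thread, from Boeing or from any aircraft system; the agreement threshold, the 14 degree limit quoted in the thread used as the high-AoA trigger, the minimum effect size and the sample readings are all constructed.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Sequence

AGREE_DEG = 5.0        # constructed: max spread for two readings to count as agreeing
HIGH_AOA_DEG = 14.0    # limit figure quoted in the thread, used as the trigger
MIN_EFFECT_DEG = 0.5   # constructed: smallest AoA drop that counts as trim "working"


@dataclass
class Vote:
    valid: bool            # False means "AoA unavailable": nothing downstream may act
    aoa: Optional[float]   # consensus estimate when valid
    reason: str            # human-readable note for a warning/annunciator


def vote_aoa(readings: Sequence[float]) -> Vote:
    """Sensor voting.
    Two sensors: both must agree or AoA is declared unavailable.
    Three or more: average the closest pair and report the rest as outliers,
    i.e. the 'one chronometer or three, never two' rule."""
    if len(readings) < 2:
        return Vote(False, None, "no redundancy")
    if len(readings) == 2:
        a, b = readings
        if abs(a - b) > AGREE_DEG:
            return Vote(False, None, f"disagree: {a:.1f} vs {b:.1f}")
        return Vote(True, (a + b) / 2, "agree")
    spread, a, b = min((abs(x - y), x, y) for x, y in combinations(readings, 2))
    if spread > AGREE_DEG:
        return Vote(False, None, "no two sensors agree")
    consensus = (a + b) / 2
    outliers = [r for r in readings if abs(r - consensus) > AGREE_DEG]
    return Vote(True, consensus, f"outliers discarded: {outliers}")


def mcas_should_command(readings: Sequence[float]) -> bool:
    """Gate a nose-down command on a valid, agreeing, genuinely high AoA."""
    v = vote_aoa(readings)
    return v.valid and v.aoa > HIGH_AOA_DEG


def decisions_with_memory(aoa_series: Sequence[float],
                          max_ineffective: int = 2) -> List[str]:
    """Command-effectiveness check for the single-sensor case.
    aoa_series[i] is the AoA seen after the i-th control cycle. Each time a
    nose-down command was issued but AoA did not fall by MIN_EFFECT_DEG,
    count one ineffective command; after max_ineffective of them the
    controller concludes its model is wrong and latches itself off."""
    decisions: List[str] = []
    commanded_last = False
    prev: Optional[float] = None
    ineffective = 0
    latched_off = False
    for aoa in aoa_series:
        if commanded_last and prev is not None:
            if aoa > prev - MIN_EFFECT_DEG:   # trim had no visible effect
                ineffective += 1
            else:
                ineffective = 0
            if ineffective >= max_ineffective:
                latched_off = True
        if latched_off:
            decisions.append("inhibit")
            commanded_last = False
        elif aoa > HIGH_AOA_DEG:
            decisions.append("command")
            commanded_last = True
        else:
            decisions.append("normal")
            commanded_last = False
        prev = aoa
    return decisions


if __name__ == "__main__":
    # Constructed samples: one vane stuck at 25 degrees, the other reading 5.
    print(vote_aoa([25.0, 5.0]))                 # invalid -> MCAS inhibited
    print(vote_aoa([5.0, 25.0, 6.0]))            # third sensor exposes the outlier
    print(decisions_with_memory([25.0] * 4))     # stuck vane: commands, then inhibit
    print(decisions_with_memory([20.0, 17.0, 13.0]))  # real high AoA recovering
```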
>>> People in the industry blaming the pilots one bit are making a mistake the industry collectively stopped making seventy years ago. We don’t blame the pilot anymore, we blame the system. Given enough time, humans will make any mistake that can be made.
Excellent rundown by cameldrv all-around. Framing this as a bit of certificatory sleight-of-hand is spot on, far as I can tell.
All these years of listening to Boeing bigots talk about how bad Airbus planes are because they are too automated, flown by machines, unsafe.. And then a Boeing automated system seems to be a significant cause of a fatal accident. Not sure what if any conclusion to draw from that, just the context.
Would it be possible to have a single switch that disables all automatic systems and puts the plane in complete manual control as much as possible? Can these planes even operate in a complete manual mode?
Certainly possible but not required. In the B737 family, most of the main controls are essentially power assisted direct controls.
Boeing consistently has preferred more-or-less manual controls, while Airbus took the other direction (in which the pilot guides the computer, which operates the controls).
All airlines can fly happily in completely "manual" mode. Boeings are doing this most of the time, Airbuses only do this when the situation is outside the computer's envelope.
There was an erroneous stick shaker that captured the crew's attention and diverted attention from the trim stuffing the nose down. The NYT graphics show a minuscule part of the problem. Most likely the FDR data has been played through a full motion simulator - it would be a hairy ride, but the crews have to keep it confidential until the Indonesian authorities release the data.
Human technology has its limits, reliability is one of them. The more complex systems we produce the less reliable they become. The correct course of action is not just to blame the manufacturer but to have a run book for every failure scenario that ensures the best outcome. System operation people are aware of this as much as emergency unit workers and pilots too. In this situation the pilots failed to follow the standard protocol to disengage the auto-pilot and safely navigate the plane like the previous flight team did.
The fact that the FAA issued an emergency order with instructions after this crash suggests to me this wasn't sufficiently covered by existing procedure. In fact:
> The FAA's directive orders airlines within three days to update flight manuals to include specific steps pilots should take to recover.
[1] https://www.gpsworld.com/gps-disruption-a-full-fledged-aviat...