Preliminary conclusion MCAS misfired in Ethiopian's 737 max crash (cnbc.com)
121 points by leemailll on March 29, 2019 | 138 comments


Here's the design decision that puzzles me the most: MCAS commands nose-down trim. The pilot uses the trim button on the yoke to command nose-up trim. Why isn't that enough to disable MCAS and cause an audible alert?

Think of an analogy: when the autopilot commands a nose-down elevator input, and the pilot pulls back on the control column, that's enough to disengage the autopilot.

Or think of cruise control in a car: if the computer commands acceleration, and the driver steps on the brake, cruise control disengages.

The necessity of MCAS is to meet regulatory requirements for similarity in handling characteristics to achieve a common type rating. It's not strictly an engineering requirement, nor is it a safety-assisting technology. It's an attempt to mask the actual aerodynamic characteristics of the aircraft being flown. That is a conflicting mission if you will.


> MCAS commands nose-down trim. The pilot uses the trim button on the yoke to command nose-up trim. Why isn't that enough to disable MCAS and cause an audible alert?

It does. It's just that MCAS tries again in 5 seconds. That's why the experienced pilots in both the Lion Air and Ethiopian crashes kept the MCAS in check - trimming to neutral column force is second nature to them - and it only crashed when the first officers took over, who allowed it to get to full nose down trim.

A constantly incorrectly trimming system is supposed to trigger the runaway stabilizer trim checklist, so Boeing thought a failure in this system was covered by existing training. Unfortunately, a periodic every-5-seconds trim wasn't recognized as such. I'm not a 737 pilot, so I don't know what runaway stab trim normally looks like; maybe it's usually constant?


> I'm not a 737 pilot, so I don't know what runaway stab trim normally looks like; maybe it's usually constant?

Yes, exactly.

The problem (well, one of the problems) is that during normal operations the trim wheels are constantly moving intermittently, so additional intermittent motion isn't immediately seen as unusual.

(Disclaimer: I am not a 737 pilot either, but I am a pilot, I fly a plane with an electric trim (Cirrus SR22) and the info above came from a very experienced 737 pilot named Juan Browne who hosts an excellent channel on YouTube called Blancolirio.)


The problem is:

1. MCAS failure produces an intermittent stab trim movement.

2. Boeing claimed that the stab trim runaway checklist should have been run and would have let the crew recover.

3. Boeing's checklist only calls for action on "continuous" uncommanded stab trim movement https://www.satcom.guru/2019/03/taking-next-steps-while-awai... (second image)

4. Intermittent uncommanded stab trim movement is normal. The Speed Trim System and Elevator Feel Shift system regularly adjust trim, so merely seeing the wheels move by themselves is not cause for alarm.

5. MCAS is not documented at all in the flight manual, and the stab trim runaway checklist was not updated to address how MCAS might cause a failure necessitating its use, presumably to avoid the need for additional transition training.

6. MCAS is unreliable due to its reliance on a single AoA sensor.


I think that would open up a different safety issue. Suppose you're in a tight turn for some reason, pulling back hard on the yoke, as you have to do in a tight turn. The aircraft is at fairly high angle of attack, but not yet quite enough to enable MCAS. You've got quite a high column load, and you blip the trim upwards to relieve it a bit. If you blip the trim just as MCAS kicks in, and it disables, then you're now flying at high AoA without MCAS protection. You've not trained for that, and your chances of an accelerated stall just went up significantly as the plane no longer flies quite like you trained.


> Why isn't that enough to disable MCAS

From what I understand it did but it would reengage again. It's the reason why the Lion Air flight lasted longer in the air than Ethiopian, because the pilots in that case kept hitting the trim and buying themselves 40-60 seconds each time


Yep, and on top of that the 737 MAX did not require retraining for pilots (cost savings for Boeing and airlines) and Boeing did not provide documentation to pilots that MCAS would re-engage after a short timeout.

Pilots use the term "ahead of the plane" to describe being in a state where they understand exactly how a plane and its systems will respond to inputs (including theirs). MCAS (and lack of training) resulted in pilots being "behind the plane", which meant they could not regain control over the plane and ultimately crashed.


They could have disabled the whole thing if they simply followed the standard runaway trim procedure. A system malfunction should appear to a pilot the same way a runaway trim wheel appears. The result is that there is a runaway trim checklist—and a procedure to work around it. You turn off the electric trim and go to a manual reversion. It’s something every 737 pilot trains for.

Here’s some discussion about this from 2009: https://www.airliners.net/forum/viewtopic.php?t=761011

Even if the cause is an MCAS failure, the way that failure presents in the cockpit follows the same procedures as runaway trim: which means to me that the Ethiopian and Lion Air pilots were simply under-trained. The 200 total hours of the Ethiopian first officer supports that assertion. In the US, a first officer has a 1500 hour requirement: having a 200 hour pilot in the cockpit can’t be ignored as a contributing cause especially since following the standard checklists would have saved the plane— if the first officer would have known to consult those checklists. In the US, you can’t even fly Cessnas commercially with 200 hours and this first officer was copiloting a modern 737.


> A system malfunction should appear to a pilot the same way a runaway trim wheel appears.

I thought the problem here was that it doesn't appear the same.


From what I understand, runaway trim looks like a continuous change, where runaway MCAS is intermittent changes every 5 seconds with longer delays if a pilot just touched the throttle trim controls.


> In the US, you can’t even fly Cessnas commercially with 200 hours and this first officer was copiloting a modern 737.

To be fair, it's not clear that the time someone would spend flying a Cessna between their 200-1500 hours in the US is actually helping them become a better 737 first officer..


https://www.nytimes.com/2019/04/04/world/asia/ethiopia-crash...

Ah yes implying those weird "African" airlines cannot compare to the supreme training of the US ones. Your closet racism is pretty self evident.


From what I understand, the comparison between cruise control and MCAS breaks down when it comes to how quickly the potential catastrophic situation may happen.

When driver steps on the brakes -- the system disengages and car slows down.

When pilot disables MCAS -- the system disengages and the plane is more likely to enter aerodynamic stall and crash.

So with cruise control there is no potential for catastrophic positive feedback loop when the system disengages, whereas MCAS needs to be pretty aggressive in what it does.


Pilot pulling back on the control column does not disengage the autopilot; pilot changing throttle lever settings doesn't disengage the autothrottle. And also, these things can have different behaviors in different modes (or laws, referring to airplane computer control not legal), which vary from make and model of aircraft hence part of the reason for type ratings.

The problem with articles thus far: there's a lot of confusion whether MCAS exists to meet a FAR 25 requirement (aircraft airworthiness for transport category aircraft)[1], or FAR 61 requirement (pilot certification and ratings)[2].

I still don't know the answer to that, but either way it seems problematic to have an ostensibly required function that can be disabled and either have an instantly decertified (not airworthy) airplane, or an instantly decertified (not type rated) pilot, or both.

[1] There are many behavioral requirements in FAR 25, I'm cherry picking two:

§ 25.203 Stall characteristics. (my emphasis on paragraph a.)

https://www.law.cornell.edu/cfr/text/14/25.203

§ 25.173 Static longitudinal stability. (my emphasis on paragraph c. and d.)

https://www.law.cornell.edu/cfr/text/14/25.173

[2] The pilot must have a type rating, 61.31 a(3) for aircraft the FAA says must have a type certificate

https://www.law.cornell.edu/cfr/text/14/61.31

which then points to this section which has all kinds of ins and outs

https://www.law.cornell.edu/cfr/text/14/part-21/subpart-B


This is incorrect. MCAS is required to meet the stability requirements of FAR 25 in addition to being required for the common type rating.


"Instead of relying on a single sensor indicating the angle of the plane’s nose, MCAS will rely on data from both of the plane’s sensors"

Why wouldn't you design it that way from the beginning? This isn't Boeing's first plane.


Because if you did that, you'd have to alert the pilots when the AoA sensors disagree and MCAS has been disabled. And you can't do that without training them on what that means, notably how the plane will now fly differently with what you might call "relaxed stability" at high angles of attack. And Boeing really really wanted to avoid retraining of pilots because apparently they had a contract with Southwest that would cost them $1M per plane if retraining was required.


It's worth noting that there are other more engineering reasons it could be tricky to use both. An aircraft in a side slip will show different readings on the left and right sensors. Also, there are failures which are likely to impact both at much the same time, icing being a big one.


Agreed. Boeing's revised MCAS will disable itself if the AoA sensors disagree by more than 5.5 degrees when MCAS activates, or a sustained difference of more than 10 degrees otherwise. This is to take into account the fact that the sensors disagree to some degree in normal circumstances. These are fairly relaxed limits, but they do demonstrate that a reasonable solution is possible.
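
(Added example, not part of the thread and not Boeing's code: a two-sensor cross-check using the 5.5 and 10 degree limits quoted in the comment above, run over constructed 1 Hz traces. The 10-second "sustained" window, the latching behaviour and all names are assumptions, since the thread gives none of them.)

```python
"""Two-sensor AoA cross-check using the thresholds quoted in the thread."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

ACTIVATION_LIMIT_DEG = 5.5  # checked at the moment of activation (from the thread)
SUSTAINED_LIMIT_DEG = 10.0  # checked continuously (from the thread)
SUSTAIN_SECONDS = 10.0      # ASSUMPTION: the thread does not say how long "sustained" is


@dataclass
class Sample:
    t: float                    # seconds since start of trace
    aoa_left: float             # degrees
    aoa_right: float            # degrees
    activation_requested: bool = False


class DisagreeMonitor:
    """Latches an inhibit when the two vanes disagree beyond the limits.

    ASSUMPTION: once inhibited, the function stays off for the rest of
    the trace. The thread only says the system "will disable itself".
    """

    def __init__(self, sustain_s: float = SUSTAIN_SECONDS) -> None:
        self.sustain_s = sustain_s
        self.inhibit_reason: Optional[str] = None
        self.inhibit_time: Optional[float] = None
        self._exceed_since: Optional[float] = None

    def _inhibit(self, t: float, reason: str) -> None:
        self.inhibit_reason = reason
        self.inhibit_time = t

    def update(self, s: Sample) -> bool:
        """Return True if an activation is permitted for this sample."""
        if self.inhibit_reason is not None:
            return False
        diff = abs(s.aoa_left - s.aoa_right)

        # Continuous check: a large disagreement must persist before it
        # counts, so a short transient does not disable the function.
        if diff > SUSTAINED_LIMIT_DEG:
            if self._exceed_since is None:
                self._exceed_since = s.t
            if s.t - self._exceed_since >= self.sustain_s:
                self._inhibit(s.t, "sustained")
                return False
        else:
            self._exceed_since = None

        # Tighter check applied only when an activation is about to happen.
        if s.activation_requested and diff > ACTIVATION_LIMIT_DEG:
            self._inhibit(s.t, "activation")
            return False
        return s.activation_requested


def run(samples: Iterable[Sample]) -> Tuple[List[float], Optional[str], Optional[float]]:
    """Return (times activation was permitted, inhibit reason, inhibit time)."""
    mon = DisagreeMonitor()
    permitted = [s.t for s in samples if mon.update(s)]
    return permitted, mon.inhibit_reason, mon.inhibit_time


def trace(offsets: List[float], requests: Set[int], base: float = 4.0) -> List[Sample]:
    """Constructed 1 Hz trace: left vane reads `base`, right reads base + offset."""
    return [Sample(float(t), base, base + off, t in requests)
            for t, off in enumerate(offsets)]


# Constructed inputs (not flight data).
SIDESLIP = trace([2.0] * 15, {5})       # small, normal left/right difference
STUCK_VANE = trace([22.0] * 15, {12})   # one vane reading far too high
MARGINAL = trace([7.0] * 15, {5})       # under 10 deg, but over 5.5 at activation
TRANSIENT = trace([0, 0, 12, 12, 12, 0, 0, 0, 0, 0], {8})  # 3 s spike only

if __name__ == "__main__":
    for name, tr in [("sideslip", SIDESLIP), ("stuck vane", STUCK_VANE),
                     ("marginal", MARGINAL), ("transient", TRANSIENT)]:
        print(name, run(tr))
```

The small sideslip-style offset and the short spike leave the function available, while the stuck vane and the 7 degree disagreement at activation both latch it off.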


Right, they wanted to keep the type rating but it clearly flies differently and now we have two crashes and hundreds dead.


Related question: how does regulatory approval of planes work, worldwide? I read a few times that the FAA had approved the new plane too quickly, but don't other regulators have their word?


FAA have (or had) such a good record, that other regulators, like EASA, simply trusted a FAA certification. In the same way, FAA trusts an EASA certification for an Airbus plane.


Bilateral certification agreements. Canada and U.S. have one as well (it goes both ways): https://www.tc.gc.ca/eng/civilaviation/standards/int-baa-usa.... It's good in theory (cutting down on a giant amount of repeat work), as long as both certifying bodies maintain their standards and don't get politicized.


Well, they're working hard to change that, I guess...


Not only that, but apparently they also delegated most of the certification duties to Boeing itself.


Buy toilet duck.


But don't Southwest planes already have the AoA disagree light, which they bought as an option?


Yes. But the AoA disagree indicator did not disable MCAS. In similar circumstances, Southwest pilots would not have taken off, because AoA disagree would have indicated as soon as they'd begun their takeoff roll. But if an AoA sensor had failed in flight, it would still have been up to the pilots to manually disable stabilizer trim.


$1M sounds like pocket change after all that has happened.


Market cap loss since crash of flight 303 is $27 billion. https://ycharts.com/companies/BA/market_cap


None of which matters to Boeing as an entity. Market cap is not liquidity.

Outstanding Max order backlog is $600 billion at list price. That is what matters.


> None of which matters to Boeing as an entity. Market cap is not liquidity.

> Outstanding Max order backlog is $600 billion at list price. That is what matters.

So at 600 billion in orders they got greedy and didn't want to spend 1M extra per plane to make it safe.


Which is still nothing compared to the increase in Boeing’s market cap since some three years ago.


Really! This looks like a case of local optimization.


Exactly, -after-.


Well, that's per plane. And Southwest has ordered hundreds of them.


If those victims would be primarily from a western country, especially US, there would be an almost immediate class action lawsuit against Boeing from families (US citizens seem more trigger-happy to fire lawsuits when feeling wronged, at least from my perspective).

But I guess Ethiopian/Indonesian cries for some sort of compensation/justice would have to go very viral in western media to force a corporation like Boeing into anything (since it is also a clear admission it's purely their fault, which it seems to be).


Most countries don't have such a thing as class action, and even among the countries that have it, it's only commonly used in the one that invented the idea, and multi-national class action isn't really a thing. So I think you'd find that, far from "especially in the US," you should only expect a class action lawsuit like that for a flight that is either to or from (or both) a US airport.

With lots of passengers on both flights being from lots of different countries, what they're getting instead is lots and lots and lots of individual lawsuits all being filed in different jurisdictions.

Which is, I'm guessing, likely to be more damaging to them in the long run.


First Ethiopia lawsuit was filed today in Chicago

MH370 was a multi-national class-action lawsuit filed in SC that was only dismissed because the circumstances of the disappearance were not clear and nothing to do with it being multi-national

https://www.documentcloud.org/documents/3512628-16319045179....

With the Lion Air crash the settlements the Indonesian government had passengers sign included waiving any right to sue Boeing in the USA

https://www.nytimes.com/2019/03/21/world/asia/lion-air-crash...

The fault being with Boeing in this case seems a lot more clear-cut


It brings up the question of what it means for the two sensors to disagree. How much do they have to disagree? For how long? How many times? The atmosphere is full of weird effects that can transiently make the two sensors be different. How much and for how long do you get to disable the MCAS system until you can't claim it as a protection? If you can disable it whenever things get strange then why have it at all?

There is a tendency to fixate on the bug that caused a crash to the extent that you introduce more new bugs than you had before.


I think the sensors are on the side of the nose, about as far forward as the pilots. It looks like one is on the left and one is on the right.

These things are essentially just wind vanes that read the direction that the air is moving past them.

Short of the plane flying obliquely into a tornado, I can't think of any atmospheric effect that could lead to a disagreement.

You'd need an atmospheric effect that causes a significant difference in wind direction between two points that are maybe 3 m apart and the difference that atmospheric effect is trying to cause would have to be noticeable when superimposed on the wind vector due to the plane's velocity.


> There is a tendency to fixate on the bug that caused a crash to the extent that you introduce more new bugs than you had before.

Exactly this. It can't be both required for safe flight and disabled at a moment's notice during the most dangerous portion of a flight (takeoff).


Worse. Why don't they do it with three sensors and a voting system? By using two sensors, when they disagree, MCAS will have to be disabled. It seems the plane is unstable without MCAS, due to the forward positioning of the engines, requiring specific training and abilities from pilots.


No, it is not unstable without MCAS. MCAS is only designed to change the trim if the airplane is hand flown in flaps-retracted, low-speed, nose-up flight. This is something almost everyone is missing: A normal flight should not encounter this.


> A normal flight should not encounter this.

Plenty of normal flights fly manually for a significant portion of the climb-out after takeoff, which is exactly the portion of the flight when MCAS issues happened for the Lion Air and Ethiopian Air flights.

Also, you will have higher AoA in a bank, which can be encountered in manual flight on normal flights.


>> This is something almost everyone is missing: A normal flight should not encounter this.

Nobody said there was anything abnormal about the two flights that crashed. It really doesn't matter since the root problem is the plane doing things without telling anyone and then doing it wrongly. Without MCAS these accidents would not have happened.


> Without MCAS these accidents would not have happened.

Without MCAS, wouldn't there be accidents caused by the nonlinear pitch though?


No, because the air frame would not have been certified for airworthiness.


That's my understanding. So a simple 'oh we'll just disable it if the readings disagree' seems like a faulty fix. MCAS is required for safe flight. While it may be possible to operate a Max 800 successfully without it, that's not how it was designed to be flown.


> low-speed

Not sure this is right. General aviation pilots often think of wing stalls as a consequence of low speed (their planes don't have AoA indicators!) but they can happen at any airspeed: they simply happen whenever the critical AoA is reached.

I think the idea is that the extra lift generated by the nacelles due to the engine position causes the plane to reach high AoA at e.g. full engine power, not just when flying slowly.

I think it's also the case that the plane does not actually become aerodynamically unstable, it just starts to handle differently (yoke pressure-wise) in a way that fails airworthiness requirements.

So it would only cause a stall if the pilots continued to pull back on the yoke into the stall while it's not fighting them as much as they're expecting it to.


>> A normal flight should not encounter this.

What is your source? This is not what I have been reading. What I have been reading is that the MAX has a bigger engine and this engine has been positioned forward on the wing in order to preserve ground clearance. As a result of this unusual engine position, the MAX has a tendency to pitch up during acceleration. Nowhere did I read that this doesn't happen during normal flights.


MCAS only operates at high angles of attack, higher than normal flight would encounter. The reason it was even a factor in these crashes was the bad AoA sensor readings. If the AoA data had been correct, MCAS would not have been changing the trim.


When an aircraft pitches up, it increases the angle of attack, right? (If not MCAS would not be a fix for the pitching up problem.) And the pitching up can happen during normal flights, correct?


> When an aircraft pitches up, it increases the angle of attack, right?

Yes, but not what you may be thinking. The AoA is the angle of the wing vs relative wind (the angle the wing is attacking the air). You can have high relative pitch (attitude) to the horizon but a low AoA, such as during climb. That same attitude is a full stall at slower speeds/power.

The wing doesn't care where the nose points. All it cares about is its relative angle to the wind. Once it diverges past a critical angle the wing stalls.

What appears to have happened with these MCAS issues is that the MCAS senses that the AoA is too high when it's completely normal and safe, so it auto-trims down.


They can be related but not necessarily. Pitch is where the nose is pointed, while angle of attack is the angle at which the passing air hits the wings.

The nose can be pointed up with a low angle of attack (e.g. a climb during cruise) and conversely the aircraft can be pitched down with a high angle of attack (e.g. descent approach with flaps extended)


> MCAS only operates at high angles of attack, higher than normal flight would encounter.

This is true for climb and cruise, but not necessarily true for a bank.


I agree that normal flight should not encounter these conditions. Although, does it actually check for air speed before activating MCAS?


As I understand it, no. But airspeed, actually Mach, is an input to the calculation of how much nose down to apply. I.e. the higher the speed, the less trim change is needed to achieve the desired effect.


As far as I understand, the forward positioning of the engines makes it so that the plane tends to pitch up when it is already pitching up, and tends to pitch down when it is already pitching down. This is the definition of an unstable system.

MCAS compensates this by trimming elevators. Without MCAS, it is up to the pilot to handle the unstable system.


The way you describe it the faulty sensor would have not caused two crashes. If the code would check all these preconditions it would still ignore the AoA sensor.

It’s obvious that the code was executed during the regular flight conditions which means it has to be applied even then.

The motors simply push the plane nose up too much compared to the previous models, threatening the plane to enter the stall. Once in the stall the plane is just not controllable. MCAS was there to hide that.

And now that the problem is known to the world either Boeing will provide the proper solution, no matter the cost, or there will be a third crash and that will be too much. Boeing still tries to present all that as “business as usual.” It’s wrong.


It is possible that it was clear from the start that this is the right way to go, but a modern plane is a very complex and highly regulated piece of equipment. Even minor changes could have a long tail of ramifications for operation (some of those have been noted, such as likely very different performance when crabbing at crosswinds).

I am not saying that Boeing did not try to cut corners (I just do not know), but the current media circus painting Boeing as a bunch of [idiot engineers | greedy execs | lazy testers] is likely far from reality or at least a major oversimplification. Boeing planes (including 737 max) are still very safe (compared to cars). Mistakes should be calmly assessed and fixed and making a public circus of this simply pushes engineers to avoid everything but uber-conservative, uber-safe solutions, which has major costs in itself. My 2c.


What I think they're absolutely and criminally guilty of is to not ground the plane after the first crash.

Instead they wasted time and resources to smear the airline and the pilots.

And that's inexcusable.


So any time there's a crash now, we're going to ground the worldwide fleet of that model of aircraft until we have a final report on the cause?


If it happens to a brand new plane? I'd say: Yes; that's reasonable.

At least until the cause is known.

Edit: Some clarification


Cause is always complicated in an air crash. We don't officially know the cause of either of these crashes.

When MCAS was established to be a likely factor in the first crash, Boeing issued an emergency airworthiness directive to all operators of the 737 Max, alerting pilots to the possibility of undesired nose down trim, and reminding them that the runaway trim procedure would disable it.


Which was far from enough as we can see. Full retraining and perhaps other actions should have happened immediately so Boeing could hold any form of moral high ground here.

When it comes to mass transport, safety should definitely have higher priority than pushing some potentially new cool tech ASAP (which is debatable, making plane unstable ain't cool by any measure)


And they're still dragging their feet on the retraining issue.

No simulator time required, no sire!


They did, but the redundancy was a premium add-on feature.


No, the extra sensor was an add-on feature. It still wasn't redundant for the MCAS, just an indicator for the pilots.


All 737s have two AoA sensors - they're used for several purposes, not just MCAS. Originally MCAS used only one of the two sensors, though it alternated which one with each flight. The optional features were an AoA disagree indicator, and the AoA data itself being displayed on the cockpit displays. Having either optional feature didn't change the fact that MCAS only used one sensor.


Wow, that's even worse...


That's not very surprising to anyone who has been following along. The more interesting question is why they failed to identify the trim runaway condition, or if they did indeed identify it, why the procedure failed to correct it?

This is significantly different to the Lion Air incident where you can easily give the pilots the benefit of the doubt because the failure mode hadn't been previously identified. The details of MCAS and the procedure to handle it were communicated to all operators months before this accident.


A major factor in this is that they were told that this plane flies exactly the same as the previous 737. If you do the same "right" things you always do, how are you supposed to know things are going badly when you've been lied to from the jump?


Maybe time was an issue? Saw in an earlier post that the issue had to be mitigated within 40 seconds of it occurring.


40 seconds is an eternity to accomplish the memory items on runaway stab trim non-normal checklist. It’s literally “control column - hold firmly” (already a given, since MCAS only affects manual flight and the increased back pressure required is the cue that something is amiss), “autopilot and autothrottle - disengage” (click-click, click-click), (if runaway continues) “stab trim cutout switches - cutout (both)”, (if runaway continues) “trim wheel - grasp and hold”

All of those are “above the line, memory items” which the crew must be able to recall and execute prior to referencing the checklists in the QRH.

Boeing has some significant fault here, but I’d expect a full performance crew to handle this emergency and suspect the CVR and FDR data will show them in a less than fully flattering light, especially after Lion Air, the emergency AD, safety memos, and general publicity surrounding the previous crash.


Going from previous discussion, apparently it would be hard for pilots to recognise it as trim runaway. The last description mentions: stall warning going off, column shake, incorrect airspeed (on one side, due to the faulty sensor), trim wheel doesn’t move, plus the fact MCAS operates in 10s intervals.

Has the information disclosed to pilots after the Lion Air incident been made public?


Yes, easy to imagine a chaotic situation causing distraction, or hyper focus on the wrong thing, etc.

What I have gathered from reading other forums about this, many pilots say they would interpret any significant undesired trim as a runaway condition, regardless of whether it was happening in intervals or it was literally continuous.

Others say that depending on training, and the policies of the operator, a much more literal reading of procedures is enforced.

I don't fly, but apparently trim is a very fundamental control for a pilot. It's easy to recognize when the aircraft is out of trim, and reacting to it is about as natural as it is for a driver of a car to use the steering wheel to keep the car centered in a lane.

So my assumption is, that with the AoA disagreement, and resulting multiple alerts and chaos in the cockpit, the pilots lost awareness of what the trim was doing.

I'm wondering if there's not a deeper problem within the air data systems. Why are the AoA sensors on new aircraft failing? They are just simple vanes, normally very reliable. The same ones are used on many different aircraft. So I don't think the actual sensor is a problem. But maybe there's something different downstream of the sensor itself. I would think if there were persistent problems with bad AoA data in 737s generally, it would have been addressed. Because the stick shakers, unreliable air speed, and everything else would still be happening regardless of MCAS.


> I'm wondering if there's not a deeper problem within the air data systems. ... Because the stick shakers, unreliable air speed, and everything else would still be happening regardless of MCAS.

This is a very good point. If the AoA sensor failed say climbing through cloud at 5000ft on auto-pilot, dropping control of the aircraft to a pilot who's busy thinking about what he's going to have for lunch, with half a dozen alerts going off, an AF447 type incident could easily happen MCAS or no MCAS.


I wonder if the difference in behavior between the trim buttons on the stick and trim cutout switches on the panel was the problem?

If I've read correctly, the former only temporarily disengages MCAS. The pilots may have repeatedly hit the button on the stick, but then 20s later, MCAS re-engages and sends the plane nose down again.

I agree that the procedure calls for flipping the switch on the panel. But, not sure that's actually what the pilots were doing.

In the image below, you can see the electric trim control on the stick in the left portion, and the manual trim cut-out switch on the panel in the top right.

https://theaircurrent.com/wp-content/uploads/2018/11/737-max...


Mainstream media made it sound like 40 seconds is way too short of a time to troubleshoot the issue. But now that you state it that way, I gotta agree with you it's not only Boeing's fault. Sure they are a big significant part of the issue. But not the only part.


As someone who's done a bunch of human factors design training for critical situations in a previous career as a UI/UX designer and now works as a systems engineer doing a bunch of alerting, 40 seconds is too short of a time to troubleshoot the issue.

When this situation happens, five things happen at once. MASTER CAUTION (whoop, whoop noises and a big red light!), ALT DISAGREE alert on the MFD, Incorrect Airspeed on the MFD, the stick shaker goes off, and by the way, if you take the time to look down at the throttle section of the dashboard with all those other alerts going off, you'd see that there is suddenly a lot of trim on the APL trim indicator but the trim wheel doesn't actually move (which would provide an audible 'click click click' that would probably trigger that there was a problem with trim).

Each of those things has a separate memory checklist that you have to run down, and subtract ten seconds to register them, prioritize, communicate with the other pilot, and start executing them.

The worst part here is that they've added another alert and then changed how the airplane will fly in the middle of an emergency. While the extra alert narrows down the number of branches from the "prioritization" part of the checklist, I'm not sure that's "fixing" the problem.


The fix for the problem is that it can no longer repeatedly drive the trim to its extremes. There should be plenty of elevator authority to counter a single trim movement of 2.5 units.

I appreciate your point about all of the alerts going off however the pilot is manually flying the aircraft at this point, they should feel that something is going on through the controls and react to that firstly. Imagine having a blow-out in a fancy car with pressure sensors, sure lots of alerts are going off but you have probably not registered that because keeping the car going in a straight line is taking 100% of your attention.


Good point, and that's why there are two pilots. When stuff goes crazy, one flies the plane, the other one runs the checklists.


The trim wheel always moves on the 737. It's physically connected to the stabilizer. If the stabilizer is moving, the trim wheel is moving.

Otherwise, yes I agree. A lot of stuff probably went crazy in a short time for them.


40s is only enough if you know what to do right away from the start of the situation. A failing sensor may confront the pilots with many (unrelated to a trim runaway) warnings (like unreliable airspeed, stick shaker, alt disagree). That has been the case for Lion Air at least.


Take a car analogy. Suppose your car starts drifting into oncoming traffic. Maybe the road crown changed, maybe your alignment changed from a debris strike, maybe you have a tire going down, maybe you have a crosswind.

In all those cases, your reaction is the same and instinctive regardless of whether or not you know the root cause.

Flying an airplane manually on instruments, the pilot sees the airplane undershooting the pitch target and pulls back on the control column every bit as naturally as the car driver above. When the pitch target is correct and the control force high, use the stab trim to take the force away. This is every bit as much a continual process as the driver lane keeping.

If MCAS is trimming against you every time you let go of the trim, you get feedback that this is likely a trim issue. Keep flying the airplane and trimming as needed.

This is not a case where the airplane automation fails and an airplane suddenly gets “dumped” onto a pilot who has to regain control and figure things out.

It’s obvious that the time and space available was not enough for that Lion Air or that Ethiopian Air flight, so you have real world evidence to support your point. I acknowledge that fact, of course.


The layperson in me wants to know why things like trim don't have a meter/display that shows the actual setting. Seeing +6/-6 seems like it might trigger recognition of runaway adjustment.


It does...

http://www.b737.org.uk/images/throttlequadrant.jpg

See the scale with "APL NOSE UP" and "APL NOSE DOWN" next to the trim wheels.

Whether the pilots noticed it (or the attitude indicator pointing nose-down, or the rapidly decreasing altimeter...) is the question.


Ah, so that indicator would have been abnormally in the "nose down" area after MCAS over-adjusted it. Interesting. Information overload, and nobody looked because that amount of auto adjustment wasn't anticipated. And also means they didn't correlate the fairly noisy/visual turning of the wheels to get it in that position.


There was a PDF incident report going around earlier with a chart showing a graph of the inputs from MCAS and the pilots over a period of time. There was a "nose down" command from MCAS, followed by a "nose up" command from the pilot, then a "nose down" command from MCAS, a "nose up" command from the pilot... repeated about 20 times in a row...


The full preliminary report from the LionAir crash is here:

https://www.flightradar24.com/blog/wp-content/uploads/2018/1...

I've put the relevant figure showing the trim adjustments here:

http://nrg.cs.ucl.ac.uk/mjh/lionair.png


Yes, right, they would have had to figure out they needed to hold the wheel to keep it from auto-adjusting. Which wouldn't be real intuitive if you didn't know MCAS existed. Though holding the wheel is supposedly part of the normal runaway stabilizer trim checklist.


Over a period of six minutes, the captain repeatedly (at least 25 times) re-trimmed nose up. If that does not say trim runaway, I don't think a meter would make a difference.


When things go wrong, information overload is a problem.


I am not talking about these specific pilots about which I know nothing. But not every single commercial pilot is passionate about his job. For some it is just a day job and until they are asked to do a particular training, may not even be aware that MCAS even exists.

Think professional developers (granted the bar is infinitely lower). You would assume no one would introduce a SQL injection vulnerability in new code given all we know and all that happened. Well...

Also some commercial pilot on HN provided another element of answer. When you are in an emergency situation, you don't have the time to sit back and think, you revert to experience, muscle memory and training. Even if it may have crossed these guys' minds that it was the same problem as Lion Air, they may not necessarily know the procedure to fix it while trying to keep the plane from crashing at the same time.

Just speculating.


That would be a huge failing on behalf of the airline. There was an emergency airworthiness directive which should have brought this to the attention of all pilots of these aircraft even if they somehow missed all of the other coverage.


But this directive said "handle like a trim runaway". However MCAS may present itself differently from a trim runaway when failing. Furthermore a failing sensor may activate the stick shaker and the last thing a pilot is trained to do is pull up in such a situation. So you might get:

- unreliable airspeed warning

- stick shaker (=stall is imminent)

So you don't know your airspeed (otherwise you can conclude you're safe for your current pitch and vertical speed) and a stall warning. The last thing you do is to look for horizontal trim.


The full list of potential indications is included in the AD. It also describes the operation of the trim system under MCAS control.

You can see them in the Lion Air preliminary report linked above.

Pilots are trained to deal with partial panel situations. The mantra is pitch + power = performance. In VMC this should be well within the capabilities of a normal pilot, put the nose on the horizon and set something like 65% power.


That 40 second quote is a bit misleading. As I understand it, if the pilots do absolutely nothing then they only have 40 seconds until MCAS has adjusted the trim the maximum amount. But the Lion Air flight flew for several minutes with the MCAS firing; the pilot manually counter-intervened each time. It was only when he handed control to a co-pilot that the plane nosedived. Theoretically they could have flown indefinitely while they debugged the problem.


> Theoretically they could have flown indefinitely while they debugged the problem.

Not true. From what I have read, MCAS runs in 10 second intervals, with the amount of trim added increasing with each successive run. Once the trim has reached a certain point, it over-powers the amount of control the pilot has by putting pressure on the yoke (this controls elevators, which have less overall influence on the aircraft than the trim at full bore).

We know that the pilots on the previous flight with the 3rd deadheading pilot were attempting to right the plane using yoke pressure, and at one point the first officer mentioned that the yoke was "too heavy to hold back". That indicates that MCAS had pushed the trim past the point at which the pilots could physically overcome its influence using the elevators. (source here: https://www.reuters.com/article/us-ethiopia-airplane-regulat...)


The pilot can run the trim in the other direction using the normal switches on the yoke. You can see that if you look at the trim position graph in the Lion Air accident.

For some reason before the crash the pattern of repeatedly correcting changes, possibly because he handed control to the first officer.


"The undated EASA certification document, available online, was issued in February 2016, an agency spokesman said.

It specifically noted that at speeds greater than 230 knots (265mph, 425kph) with flaps retracted, pilots might have to use the wheel in the cockpit’s center console rather than an electric thumb switch on the control yoke."

So, yes and no. It gives SOME control over the trim, but if the trim keeps getting bumped progressively higher by the MCAS, it will eventually outstrip the yoke control.

My guess is that that change you mentioned is the threshold at which their yoke trim control became insufficient.


This appears to be a reference to https://www.easa.europa.eu/sites/default/files/dfu/IM.A.120%... issue 10.

They are saying there that near Vmo (maximum operating speed) with an aft centre of gravity (the aircraft loaded in a specific way) there might not be enough nose down trim authority available within the limits of the electric trim to completely trim the aircraft (allow the pilot to relax the forward pressure on the yoke).

In the crashes there was too much nose down trim and MCAS kept adding it more. They are trying to move it in the other direction.

Pants reporting but nothing to see here.


Just to clarify, it's B-05/MAX under Issue 10. Took me a minute to find it.

> there might not be enough nose down trim

After reading it, I'm not sure how you are gathering that it's only nose down trim. It only mentions an inability to completely set the trim longitudinally. Longitudinal doesn't mean in one direction. It only indicates which plane we are talking about, which in this case is pitch.

> Vmo (maximum operating speed) with an aft centre of gravity (the aircraft loaded in a specific way)

"The aisle stand trim switches can be used to trim the airplane throughout the flight envelope and fully complies with the reference regulation. Simulation has demonstrated that the thumb switch trim does not have enough authority to completely trim the aircraft longitudinally in certain corners of the flight envelope, e.g. gear up/flaps up, aft center of gravity, near Vmo/Mmo corner, and gear down/flaps up, at speeds above 230 kts"

The issue mentions that there are certain corners, and lists what you posted after e.g. That isn't the only corner case in which the yoke trim control becomes insufficient.


I was reading between the lines on the fact that the scenarios they listed involved high speeds (which generally need nose down trim) and an aft centre of gravity which also needs nose down trim.

Further, the section on EASA's position clarifies that they wanted to improve the margin of safety on an out of trim dive, this is where 3 seconds of nose down trim (incidentally, that's how long they expect it to take for a mediocre pilot to identify a trim runaway) are applied without pilot intervention and the pilot has to demonstrate controllability.

But that point is pretty moot because the electronic trim cannot drive the jackscrew to the extremes that the manual trim wheel can, but it can return from the extremes to the centre. MCAS is driving trim to the nose-down extreme and the pilot is trying to return it to neutral.


That makes sense. Thanks for the clarification.


Still doesn't answer the question of, why if MCAS is required during critical portions of the flight to prevent stalling is disabling of MCAS an acceptable solution for this aircraft?

Introducing a new condition of "We think MCAS is on, but we're not quite sure / it's cutting in and out due to sensor disagreements" is preposterous.


This might be splitting hairs, but MCAS is not there to prevent stalling. It's there to meet a specific certification requirement on control stick forces at high angles of attack. Yes the intent of the requirement is to reduce the tendency of the pilot to pitch up too much near the stall. But MCAS doesn't prevent stalling.

Modern aircraft have many automatic systems that are there to make the pilot's job easier. That doesn't mean they are unsafe to fly if those systems malfunction and have to be disabled.


Every source I've found refers to it as an anti stall system, and the system is designed to limit angle of attack (eg, prevent the system from stalling).

It's definitely a safety feature that's required and not an assistive device. It was required for certification, and in fact as originally specified was unsuitable to prevent stalls, so Boeing had to increase the authority of the system to make it functional.


Physics cannot be fixed by software.

The necessity of MCAS means the airframe has fatal flaws.

I would avoid 737 Max by all means, no matter whatever software revisions Boeing releases.

Previous discussions:

https://news.ycombinator.com/item?id=19509618


most modern fighter jets would drop out of the sky like a rock without software

they'll eventually get this right - they just need to step back and recognise that the MAX is a completely new type of aircraft and stop taking shortcuts on certification and training

what saves them is that Airbus is at production capacity on the neo


While it's true that fighter jets have been aerodynamically unstable for decades, they're not built for transportation and have ejection seats.

The main reason they are unstable is to increase agility. Is this necessary or even wanted in passenger aviation? I don't know but I'd guess not. Probably safety, comfort and fuel economy are far more important and can (should?) be achieved with a stable airframe.


fighter jets are the more extreme and established example, it also applies to most modern airliners which have software systems in place to prevent human controls from exceeding the aircraft flight envelope

fuel efficiency in these modern aircraft has been gained with swept back wings, larger intake engines etc. which with direct control and no software would be almost impossible to keep flying

discarding all of these systems because of a problem with one would set airline safety and efficiency back decades


Swept back wings and larger intake/bypass engines do not make the airframe inherently unstable.

The fly-by-wire system has multiple redundancies and layered protection, including direct law (at least for Airbus). Fly by wire is, like you say, of course a great innovation for improved control and safety, but it's nice when the plane continues flying even during a failure, however unlikely.

I guess in the case of MCAS the software was actively working against the pilots so maybe it's more of a problem with the design of this particular system and training.


I wouldn't hold fighter jets up as an example of safety. They spend more time broken than they do operational. Require an entire team of engineers for each airframe, and the number of pilot deaths/flight time is pretty atrocious. But since it's 1-2 pilot deaths rather than >100 passengers we put up with it.

A well designed aircraft should not have a single point of failure, including the software.


You realize that many modern aircraft are all fly-by-wire, right?


Fly-by-wire does not necessarily imply that there is software interfering. You can have a very linear system that just translates yoke input into control surface deflection, but uses software and cables instead of hydraulic lines.


That's an obtuse definition of FBW that has no implementation that I know.

There's no benefit in developing and certifying software that just passes raw pilot commands to actuators.


The amount of Boeing hate is phenomenal. "scrap the plane" ! "require a new type certificate" "never fly in a 737 max, no matter what".

Boeing made a plane that conformed to all rules and regulations. As part of the design process, they made many, many tradeoffs. What kind of fastener goes on this panel? How often does this data go across the data bus? What material is used for this cable? Literally thousands of them. Not every one, by itself, is safety critical; but many of them can turn out to be.

The MCAS design was not some engineer skirting the law, or wanting to kill people, or even disinterested in safety. It was a compromise design of cost vs safety; in hindsight it looks like the compromise was done poorly.

A 100% safe airplane weighs too much to fly and costs too much to build. This means every design decision has to take into account other things than just 'raw safety'.

They made a mistake. Even when you are not "moving fast and breaking things", people make mistakes. Process adherence misses the mistake.

And in this case people die. Unfortunately, that is how we improve aviation safety. With the blood of passengers and crew. Not on purpose, not because Boeing is greedy, but because people make mistakes, systems fail, airplanes crash. This was not a single failure of the aviation safety system. N things had to happen for these crashes. And the system is going to fix each one of them, and do a human's best effort to change the process so it does not happen again.

I would fly a Boeing aircraft tomorrow (yes, a 737 MAX 8). Or an Airbus. They are both built and overseen by the best our world has to offer.

This is not the first design failure that has been the cause of an incident (or even a series of incidents) and it will not be the last.


I'll never fly 737 Max. No matter what changes they do, barring a complete redesign of the plane.

Boeing deserves to go out of business for this.


And I'll say that I'll happily fly the 737 Max with a first-rate airline, and avoid flying any plane on an airline with a worse safety record than Aeroflot. Both Lion Air and Ethiopian Airlines have similar safety records to this century's Aeroflot, whether by incidents/hour, incidents/rotation or incidents/plane. No comparison to the American/Delta/United/BA/KLM/Air France/Lufthansa/etc of the world. (Seriously, if you've had more 'incidents resulting in fatalities' this century than Aeroflot while flying half as many planes... Let's just say that Ethiopian does not meet my standards for a safe airline. And that's only counting 2000-2018)

Similarly, I'd like any plane I'm flying in to have a fully qualified pilot AND copilot, and I don't consider 200 hours of total flight experience to be 'fully qualified'.


I'm not going to defend Boeing's conduct here for one moment, but I do think your statement is an over-reaction. The company employs 150,000 people, it contributes billions to the US economy, and builds significant aerospace know-how in the US. I imagine we could come up with lots of reasons why Boeing is a net positive. These crashes are tragic and Boeing's conduct deserves condemnation, but a solution that keeps the company going and fixes the culture that led to this seems to be a far better solution than them going out of business entirely.


If I pack air, sell it as panacea, and employ 150k people doing that, do I deserve to be in business?


If you can actually pay 150k people, maybe you do, since you're bloody good at it!

Joke aside, let's be fair, Boeing did not sell air. Their greed got the better of them, and the institutions set to prevent that did not do their job. They should take responsibility for the things they did (or in this case, did not). There is no penalty high enough to bring back lives.


Has the Overton window shifted so much that the idea of a somehow successful company that produces 0 positive value by selling a completely fake product is legitimately humorous or an appropriate subject for levity?

Perhaps my sense of humor is broken but I find the fact that jest was even made quite alarming. I'm used to playing word games, and taking refuge in audacity...but damn.


I wish there was a law to nationalize a company that was found guilty of gross negligence, to subsequently pay damages and re-sell them in the market. Make shareholders accountable, instead of sending a couple of middle managers to jail and keeping the same incentives that caused the first tragedy in place.


> instead of sending a couple of middle managers to jail

So you want to turn the company over to the same governmental body that lets companies get off by firing a few middle managers? The same body that possibly allowed this lapse in safety to get through regulations in the first place?


Temporarily, yes. It doesn't have to be the same government agency, and the aim would be to divest as fast as possible, so hopefully less short-sighted and more responsible shareholders would control it in the end.


Paywalled, anyone have a workaround?


Not a workaround, but I think all important info is here: https://www.cnbc.com/2019/03/29/ethiopian-crash-boeing-737-m...


Simply search for the title on Google, and they’ll let you in based on that.

https://www.google.com/search?q=Investigators+Believe+Boeing...


The little "web" link under the title of every HN post does that for you :-)


Oh didn't know that one - thanks!


It does the search for you, but WSJ is paywalled even in private browser sessions. But, there are other sources for this particular topic, as it's covered extensively by the MSM.


This didn’t work for me (neither did the “web” link under op title). Wonder if it was because I’d already visited?


Not working for me either, not even in an incognito window.


Not sure if the text is the same, but should be the same general content... https://www.marketwatch.com/story/investigators-says-boeing-...




