“Tecce did not fault the FAA for taking a wait-and-see approach. “A lot of people throwing a lot of rocks at the FAA. Since 2010 we’ve had one aviation fatality” in the United States. “Our safety record is astonishing,” he said. “I don’t think there’s anything wrong with the airplane. If you talk to the pilots who fly them, they’ll tell you it’s not the airplane so much as whether or not the manual properly describes what’s going on.””
Seems more and more consensus is forming around this idea, that the MCAS system generally did what it was supposed to do, _and_ has an appropriate safety cutoff for the pilot if needed, but that Boeing did not focus a lot of attention on this new system in their training/documentation when in fact they needed to.
Computers should never overrule manual controls. If the autopilot is on and the pilot makes an manual adjustment to the yoke, the autopilot shuts off.
They should have designed the MCAS system to recognize when the pilot was fighting it and to disable itself.
It's like the runaway Prius problem. Turning off the car might be considered an appropriate safety cutoff, but not everyone thinks of that in an emergent crisis.
The aoa system was put in place specifically to keep pilots from stalling planes. By design, it has to override manual controls. This is like saying ABS shouldn't override the brakes on a car.
Well "fighting" sort of begs the question, but the MCAS system was by design supposed to only activate in tandem with a pilot's actions, so it can't really work like an autopilot. It supplied stabilizer trim while the pilot was controlling the plane in order to make the ascent feel the same as the older 737's, since the different engine position on the Max 8 would otherwise make it behave differently.
You should probably avoid Airbuses in that case, since (the opposite of) that is a central design principle.
And Airbus has arguably won the design wars, since Boeing is adopting their approach, just in a half-arsed and potentially dangerous way.
I disagree. I've got all kinds of examples were on conventional cable/hydraulic control to control surface aircraft a pilot can overstress the airframe, break it, and crash. If a computer were to exactly know the normal flight envelope, and always proscribe inputs that lead to certain death? I'm all for that. And what does manual control even mean with fly-by-wire airplanes?
>If the autopilot is on and the pilot makes an manual adjustment to the yoke, the autopilot shuts off.
That isn't how it works since the simplest roll only autopilots appeared. It seems a reasonable argument that a single pilot should be able to overpower the autopilot long enough to disable it.
>They should have designed the MCAS system to recognize when the pilot was fighting it and to disable itself.
Unproven. Could be true or false.
Boeing has a different design philosophy than Airbus whereby they include the pilot as integrated into system design, as the primary means of determining system failures. I have no inside information, however I can imagine that MCAS is intentionally designed to only accept one sensor input for two reasons: it's simpler, and you get a fast fail in the form of what appears to be runaway trim for which there is already a procedure to follow.
I have two concerns with this though:
a. The reported optional pay for (?) "aoa disagree" feature which does no decoupling of MCAS, but informs pilots when the alpha vanes disagree. I think that should be standard, not optional.
b. MCAS silently disabling itself is potentially very dangerous even if the 737 MAX required a separate type rating, but it's possibly a great deal worse given that it does not require a separate type rating. MCAS is the thing that inhibits the natural stall behavior of the MAX, a natural stall behavior the pilots aren't trained to recognize or mitigate or recover from because they aren't supposed to get anywhere near this portion of the flight envelope - it's why MCAS exists. Take away MCAS and now its an open question whether the pilots are properly certified for that aircraft or whether the plane is not airworthy, suddenly while in-flight.
I think the justification for an AoA override is there; the system was created as a result of a history of pilot error. And having to disable a switch isn't overly burdensome.
The issue seems to be transparency, letting the pilots know what the system is doing so they can make a judgement to disable it.
For the sake of further speculation: what are the chances that in-fact there would be some other contributing factor or indeed a root cause (where MCAS no doubt maybe plays part) that was missed by Lion air incident analysis. Assuming of course that both incidents would have same / similar root cause.
Let me say again this is only speculation as far as I have seen.
There should be a design intention to communicate information to the pilot as clearly as possible, for automatic systems or otherwise. Relying on training alone for pilots to interpret this failure hasn't worked.
It's too much of a blackbox if pilots can't quickly learn how the system is operating, e.g. how it operates when autopilot is on or off.
Doesn't sound like it's fine to me. In the case of the Lion Air crash, the AoA sensors were JUST REPLACED due to previous flight problems. Sounds to me like the system is fundamentally broken in some way.
The quote you've used also is interestingly phrased: "If you talk to the pilots who fly them", because it seems he might not be one of them. Instead, he's described as a "commercial aviation expert" who is defending the FAA.
Possibly (un)related, he used to be a federal prosecutor.
That doesn't sound right to me at all.
- In 2014, 2 people were killed when a helicopter crashed in downtown Seattle. According to [1], that wasn't even the only news aircraft fatality in the USA in the past 5 years.
- UPS Airlines Flight 1354 (2013) killed 2 people, so we've had more than one commercial airplane fatality this decade, too.
- I assume they're ignoring the Q400 incident (really in no way the FAA's fault), and my first guess was that they mean "no passenger fatalities on a commercial jet in the US", which could then be referring to Southwest Airlines Flight 1380 (2018) -- but Asiana Airlines Flight 214 (2013) had 3 fatalities.
So I'm really not sure what they mean by this claim. Any way I slice it, there's definitely been more than one.
[1]: https://en.wikipedia.org/wiki/List_of_news_aircraft_accident...
How much effort goes into updates to manuals and training between new versions of aircraft? Does the regulator mandate particular updates, or retraining?
just that they exists doesn't mean they work. doesn't mean they don't either so the safest bet is to wait for the investigations.
One thing to note is the mention of a "Runaway Trim Checklist". When piloting an airliner, there is a checklist for almost everything. Sometimes there are multiple checklists with branching paths. Most emergency/malfunction checklists involve what are called "memory items". These are checklist steps that the pilot must remember in order to react quickly to any possible problem. After the memory items are completed, the pilots will break out the checklist binder and follow the checklist procedure that comes after the memory items.
Every procedure the pilots undergo has passenger safety as it's #1 concern. Pilots are free to make whatever decision they deem necessary to ensure the safety of their passengers, even at the detriment of the airline's bottom line. They are free to make these decisions without question, even if the problem seems small.
I believe it's important to note the above information whenever we look at these horrible accidents and try to reason about them. Often, pilots are the first line of defense against failures. Most aircraft have 2-3 redundant systems for almost every control and feature. Pilots need to understand and know how to work with and around these systems in order to react to emergency situations. That's why I think the MCAS isn't really to blame here as much as Boeing is to blame for not properly documenting it's operation in their manuals.
The pilots may not have recognized (in time) that it was a runaway trim issue. Many such issues involve trim being continuously applied. The trim wheel spins wildly.
MCAS will trim in increments of 10s. So it will trim, pause, trim some more, pause. This may have confused the pilots. And they don't have much time to begin with – MCAS engages with autopilot off and flaps retracted. Most takeoffs have at least minimum flaps, so the plane will fly fine and then start misbehaving while still relatively close to the ground.
> Most aircraft have 2-3 redundant systems for almost every control and feature.
Yes. MAX 8 has two AOA sensors. Only one needs to misbehave for this issue to happen. But even with two, it is difficult to know which one is fault (for a machine). With three, it would be possible to tell.
In any case, all of this is still speculation.
No, not quite. By itself MCAS will only trim once, I believe.
But if it's interrupted by a pilot manually trimming, then it will stop, wait 5 seconds, and then try to do its 10 second trim again.
The characteristic up-down pattern from the Lion Air flight I think was from the latter scenario of MCAS starting to trim, the pilot manually trimming back (disabling MCAS for 5 seconds) and then it activating again.
> Yes. MAX 8 has two AOA sensors.
But I think the MCAS system only gets its input from one! (And it switches each flight.) If true, that's just appallingly bad.
Fascinating. That sure seems to line up with the 20 second period found in the vertical profiles of both LionAir and this crash.
https://www.nytimes.com/interactive/2019/03/13/world/boeing-...
I pretty sure the Ethiopian pilots would have been aware of the Lion Air crash and MCAS issues. The fact they still crashed suggests there's more to it.
No point speculating when hard data is just around the corner. With the planes being grounded, there shouldn't be any safety issues if we wait.
The 737 MAX only uses one AoA vane when deciding whether to lower the nose, so this just isn't true in the situation we're talking about.
There is a problem with the "working around" some systems. While there are definitely some situations where a pilot should bypass something, one must also look at the situations where that would be a mistake. Some systems cannot be bypassed because the chance of a pilot bypassing them in error is far greater than he or she actually needing to.
For instance, asymmetric flaps. One can contrive a situation where the ability to alter flap setting asymmetrically might save an otherwise doomed aircraft (multiple control surface failures) but the risk of misusing that ability far outweighs the benefit.
This anti-stall system may well have crashed these aircraft, but are there any situations where is saved an aircraft? Perhaps someone calculated that the risk of allowing pilots to bypass it outweighed the risk of it malfunctioning. Perhaps that judgement call was incorrect in this case, but I wouldn't say that pilots should always be in a position to bypass every system.
There were a number of incidents in the 1970s where pilots got so distracted solving a problem that they let the plane crash (by running out of fuel, or by gradually descending into the ground, or several other things), so training tries to explicitly account for this problem by ensuring the pilots are very clear about who is responsible for flying and who is solving the problem, and that they clearly communicate the steps they are taking to each other.
https://en.wikipedia.org/wiki/Eastern_Air_Lines_Flight_401
https://en.wikipedia.org/wiki/United_Airlines_Flight_173
One example of CRM success:
Most are focusing on the flaws of the plane (which I'm not discounting) but pilot training is also a big part in recovering from unexpected situations, overriding MCAS or automation in general when things go south, and hand-flying the airplane.
The two crashes happened in developing countries, Indonesia and Ethiopia, with local crew. While I don't know the specifics here, often times local airline pilots in developing countries (i.e. no pool of experienced general aviation or military pilots to recruit from) are trained ab initio to have a high reliance on automation, not so much hand-flying the jet. That's how you get, e.g. a first officer with 200 hours.
I do believe that the US civil and military pilot training pipelines, flawed as they are, teach hand-flying and build up experience, and these crashes would be very unlikely to happen with a US carrier and crew.
Also, these same airline pilots in developing countries have managed to fly the older 737 models just fine, for decades...
https://en.wikipedia.org/wiki/Lion_Air#Incidents_and_acciden...
I would not be surprised if the cause ends up being more complicated than the currently suggested causes. There's definitely a lot to suggest that the cause of the Ethiopian and Lion Air crashes is the same, but the current explanation seems overly simplistic.
The failure modes in the leading theory for the Lion Air crash were a broken AOA sensor causing the MCAS to kick in erroneously, combined with the pilots not reacting properly to a runaway trim situation. From what I understand, while MCAS is new, the process for reacting to runaway trim is not new to the 737 Max. This is probably also why the FAA and airlines like Southwest were confident their pilots would handle this situation correctly.
For the cause of the Ethiopian crash to be the same, the pilots would also need to be unfamiliar with the runaway trim process. This seems unlikely though after the Lion Air crash since it put so much attention on that scenario. That suggests to me there might at least be other contributing factors to both these crashes. I think we just need to wait and see what the investigations of both these crashes find.
It's interesting to note that American Airlines released a statement that they have not observed any MCAS related malfunctions in any of their fleet data.
In particular, there is only one account of (alleged) MCAS malfunction (possibly due to a faulty AoA sensor, which was subsequently replaced... hmmm.... new part still didn't fix it?) where the plane wasn't destroyed. And that account notes several drops in altitude before being able to stabilize.
So, you better hope MCAS malfunctions at 8k feet about ground instead of 800.
“When Boeing built the MAX, in order to increase fuel efficiency, they went with a different engine, explained Fred Tecce, a commercial aviation expert. “Because the 737 sits pretty low on its landing gear, [Boeing] had to move the engines up a little bit and move them forward a little bit” on the MAX versions. “In order to compensate, they extended the nose gear by eight to 12 inches" and repositioned the engines which "affected the airplane’s pitch characteristics and center of gravity.”
Tecce concurred that control inputs and the resulting pitch changes were challenges that had to be overcome in the latest version of the world’s best-selling aircraft.
“In order to compensate for what the engineers perceived to be an issue with respect to pitch, they added this MCAS system that operates when the autopilot is off and the angle of attack exceeds certain limitations and when the airplane is banked pretty steeply.” He said the technology runs the stabilizer pitch down for several seconds and it “reassesses and will start again until it believes the airplane has reached a safe angle of attack, and it operates without the pilots knowing [about it].”
Tecce noted that in the case of the Lion Air Boeing 737 MAX crash, “now the airplane is pitching down and actually moving the control wheel will not stop that system. If the pilot uses the trim system on the yoke, the [MCAS] system will stop" but "if the airplane isn’t in the proper attitude it will reactivate,” Tecce said, further forcing the aircraft downward if pilots fail to recognize the situation and take proper corrective action.
A pilot familiar with the system pointed out that recognizing this scenario was crucial to determine if there was a problem that warranted activating the trim cutoff switches. Additionally, if the autopilot is engaged, activating a yoke trim switch disconnects the autopilot and gives full control back to the pilot immediately.
Tecce did not fault the FAA for taking a wait-and-see approach. “A lot of people throwing a lot of rocks at the FAA. Since 2010 we’ve had one aviation fatality” in the United States. “Our safety record is astonishing,” he said. “I don’t think there’s anything wrong with the airplane. If you talk to the pilots who fly them, they’ll tell you it’s not the airplane so much as whether or not the manual properly describes what’s going on.”
With the LionAir crash, they thought there was an a problem with the AoA sensor and replaced it but problems continued. On the flight before the fatal one and "Passengers in the cabin reported heavy shaking and a smell of burnt rubber inside the cabin." (wikipedia) " The plane floor is hot. During the flight, it's never been like that" (https://news.detik.com/berita/d-4278530/kesaksian-penumpang-...) also "erroneous airspeed indications were still present"
Then with the Ethiopian flight several witnesses reported smoke and a weird sound from the plane. Also the pilots were aware of the Lionair crash and MCAS issues.
I guess they'll figure it eventually.
We don't know, but will eventually find out, whether either plane was flying during the final descent to crash. By that I mean, was the wing producing any lift (dive to crash), or was the wing stalled (stall to crash) or some combination of both and in which order? And the stall behavior very well may become highly relevant.
It's a whole lot of ifs, a lot of questions, and not many answers.
