03/18/2019 at 09:05 • Filed to: None
The system would also pivot the stabilizer that much [2.5 degrees] repeatedly as long as data inputs indicated the aircraft was about to stall, regardless of the pilots’ strenuous efforts to overpower the system. In the October Lion Air crash, which killed 189 people, the flight data recorder counted the captain countering the system 21 times with the first officer taking over for [a] few tries before the captain’s final futile efforts to arrest a 500-MPH dive. The data indicated the nose-down yoke forces peaked at a little more than 100 pounds.
MCAS Certification Flawed: Report
Russ Niles
www.avweb.com
The Maneuvering Characteristics Augmentation (MCAS) system at the center of investigations into two fatal crashes of the Boeing 737 MAX 8 was misunderstood and mischaracterized in a flawed certification process as Boeing and the FAA rushed to bring the new jet to market, a Seattle Times investigation published Sunday alleges.
Citing named and unnamed sources, the Times’ Dominic Gates says the final certification of the system, which was intended to give pilots a control feel on the aerodynamically different MAX similar to that of previous iterations of the 737, not only gave “unlimited authority” to the stabilizer for nose-down trim, it literally fought the pilots’ attempts to correct the condition possibly to the point where they were physically unable to fight the stabilizer down force any longer.
“It had full authority to move the stabilizer the full amount,” Peter Lemme, former Boeing flight controls engineer, told the Times. “There was no need for that. Nobody should have agreed to giving it unlimited authority.”
The Times story said the profound ability of the system to take over a key flight control action should have resulted in close scrutiny in the certification process.
But the original specifications of the system called for MCAS to limit its ability to move the horizontal stabilizer .6 degrees at a time. By the time deliveries began, it could pitch the stabilizer 2.5 degrees, about half its total travel, in one movement, the result of flight testing tweaks aimed at finessing the flight control feel.
The system would also pivot the stabilizer that much repeatedly as long as data inputs indicated the aircraft was about to stall, regardless of the pilots’ strenuous efforts to overpower the system. In the October Lion Air crash, which killed 189 people, the flight data recorder counted the captain countering the system 21 times with the first officer taking over for a few tries before the captain’s final futile efforts to arrest a 500-MPH dive. The data indicated the nose-down yoke forces peaked at a little more than 100 pounds.
The newspaper’s investigation said that engineers involved in the safety assessment of MCAS were not aware the system could move the tail five times more than the original specs called for. The certification documents should have been amended to reflect the final configuration but they apparently were not, according to the Times report. If they had been, the seriousness of a potential failure of the system would have required it to receive data from at least two sources.
MCAS gets data from only one of two angle of attack indicators on the MAX and the flight data recorder on the Lion Air airplane showed the AOA feeding MCAS was malfunctioning. “A hazardous failure mode depending on a single sensor, I don’t think passes muster,” said Lemme.
The newspaper is reporting that Boeing’s software fix will wire MCAS to both AOAs and only allow the system to move the tail feathers once, instead of repeatedly battling manual control inputs. It will also require additional pilot training and operating manual changes, both of which were called for by pilots unions following the Lion Air crash.
Boeing’s position, endorsed by the FAA, has been that because MCAS is only supposed to trigger in extreme circumstances—high angles of attack and accelerated stalls—that additional pilot training was not necessary. The company has also said that it assumed that based on their existing training on earlier models pilots would recognize the erroneous nose-down commands and hit cutoff switches that would disable the system. This is a standard runaway trim scenario for all aircraft.
“The assumptions in here are incorrect. The human factors were not properly evaluated,” the Times quoted an unnamed FAA safety engineer as saying.
The story also suggests that due to budget cuts the FAA’s certification managers were under increasing pressure to delegate more and more of the safety assessments to Boeing itself. The unprecedented levels of self-certification in the MAX were compounded by the urgency to get the airplane into service because of competitive pressure from Airbus’s new A320neo series. “There wasn’t a complete and proper review of the documents,” the former FAA engineer is quoted as saying. “Review was rushed to reach certain certification dates.”
03/18/2019 at 09:12
I just read this article a bit ago, but now Avweb is down again. :(
Not good for Boeing or the FAA.
03/18/2019 at 09:17
Thanks for the excellent write-up/summary of the whole incident.
03/18/2019 at 09:20
When we become complacent with our dependence on technology, people die.
03/18/2019 at 09:28
Ouch, I used to do reliability analysis back in the day, along with testing software to do the same. There is so much wrong at Boeing if that article is accurate (and Dominic Gates is a guy with a lot of respect in Seattle and within Boeing so I have no reason to question it).
I just can’t believe you’d allow almost full trim with a single input. The first rule of software testing is to feed the code bad data and edge cases, then move closer to “real world” scenarios.
Then you do it all again. The idea in reliability engineering, especially if you are working in commercial aviation, is that there need to be sufficient redundancies for six 9's or better (99.9999% reliable systems).
So here’s a quick stab at the way the code should have worked:
AOA sensor 1 reads high
Check input from AOA sensor 2, take minimum AOA from both sides. If AOA sensor 2 and AOA sensor 1 provide similar inputs, engage MCAS.
If there’s a disagreement, flag system as in reduced capacity, start indicating to pilots that there’s an AOA sensor malfunction, and MCAS is operating in degraded condition, indicate thrust levels should be reduced as soon as safe (this achieves the same goals as MCAS, to prevent the odd CG and high power engines from causing problems).
Now potentially you have an opposite situation, where the AOA sensor 2 is reading low. So you need to cross check with other available data.
So, check climb rate of the aircraft. Given things like thrust lever positions, climb rate and elevator position, the true state of the airplane’s condition can be derived and the correct AOA input established, though the threshold for MCAS engagement should be raised and its authority to control pitch should be reduced in this scenario.
If the pilots make control corrections during MCAS operation, it should automatically disable and remain inactive until restarted by the flight crew. The fact that the system is disabled should be indicated to the crew.
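The cross-check logic sketched in the comment above, written out as an added Python example; it is not part of the original comment and is not Boeing's code. The thresholds, the `derived_aoa` input, and the class and alert names are assumptions made for illustration; only the 0.6-degree authority figure echoes the original spec quoted in the article.

```python
from dataclasses import dataclass, field

# Constructed limits for illustration only (not real flight-control values).
ENGAGE_AOA_DEG = 14.0            # normal engagement threshold (assumed)
DEGRADED_ENGAGE_AOA_DEG = 17.0   # raised threshold when sensors disagree (assumed)
DISAGREE_TOLERANCE_DEG = 5.0     # max difference still counted as "similar" (assumed)
NORMAL_AUTHORITY_DEG = 0.6       # per-activation trim, per the original spec in the article
DEGRADED_AUTHORITY_DEG = 0.3     # reduced authority in degraded mode (assumed)


@dataclass
class Decision:
    trim_nose_down_deg: float = 0.0
    alerts: list = field(default_factory=list)


class McasSketch:
    """Hypothetical controller following the steps in the comment."""

    def __init__(self):
        self.latched_off = False  # set by pilot override, cleared only by crew
        self.active = False       # True if trim was commanded on the last cycle

    def crew_restart(self):
        self.latched_off = False

    def step(self, aoa1, aoa2, pilot_opposing, derived_aoa=None):
        d = Decision()
        # Pilot correction during operation disables the system until restart,
        # and the disabled state is annunciated on every cycle.
        if self.active and pilot_opposing:
            self.latched_off = True
            self.active = False
        if self.latched_off:
            d.alerts.append("MCAS DISABLED")
            return d

        if abs(aoa1 - aoa2) <= DISAGREE_TOLERANCE_DEG:
            # Sensors agree: act on the lower reading at full (spec) authority.
            aoa = min(aoa1, aoa2)
            threshold, authority = ENGAGE_AOA_DEG, NORMAL_AUTHORITY_DEG
        else:
            # Sensors disagree: degrade, tell the crew, tighten the limits.
            d.alerts += ["AOA DISAGREE", "MCAS DEGRADED",
                         "REDUCE THRUST WHEN SAFE"]
            threshold, authority = DEGRADED_ENGAGE_AOA_DEG, DEGRADED_AUTHORITY_DEG
            if derived_aoa is None:
                aoa = min(aoa1, aoa2)  # no cross-check data: stay conservative
            else:
                # Trust the sensor closest to the estimate derived from other
                # data (climb rate, thrust, elevator); covers a sensor stuck low.
                aoa = min((aoa1, aoa2), key=lambda a: abs(a - derived_aoa))

        if aoa >= threshold:
            d.trim_nose_down_deg = authority
            self.active = True
        else:
            self.active = False
        return d


if __name__ == "__main__":
    mcas = McasSketch()
    # Constructed sample cycles: (aoa1, aoa2, pilot_opposing, derived_aoa)
    samples = [
        (16.0, 15.5, False, None),   # both sensors agree, high AOA
        (22.0, 4.0, False, None),    # one sensor failed high
        (18.5, 2.0, False, 18.0),    # one sensor failed low, real high AOA
        (18.5, 2.0, True, 18.0),     # pilot pulls back during operation
        (16.0, 15.5, False, None),   # still latched off
    ]
    for s in samples:
        print(s, mcas.step(*s))
```
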
03/18/2019 at 09:34
That’s why I pasted the copy from the article when I could access it for a moment.
This aeroplane literally and deliberately killed almost 400 people in two separate incidents. 100 pounds is more force than many typical people are able to exert.
03/18/2019 at 09:34
You bet. Many aviation professionals and fans on Oppo.
03/18/2019 at 09:35
People didn’t merely die; the technology killed them in dramatic fashion, by design.
03/18/2019 at 09:40
Yes. That makes perfect sense. And if you and I were seasoned pilots, we’d probably figure out quickly how to disengage things and hand-fly the airplane. I have not confirmed this yet, but I believe that in the case of the Lion Air crash, the first officer had 200 hours of experience in the type and was expected to keep his hands off the controls. So I expect to read at some point that there is a thick layer of human factors and lack of experience that will overlay the inherent deadly design of the MCAS hardware and software. This entire debacle makes me angry.
03/18/2019 at 09:41
100 lbs?
BRO DO YOU EVEN LIFT?
/sorry
03/18/2019 at 09:44
Yes. In sets of fewer than 21 reps and when 159 lives — including my own — are not in immediate peril.
/no joke
03/18/2019 at 09:47
A lot of engineers tend to forget human factors are much different in your cubicle than they are with a misbehaving airplane at 2000 ft. Plus they know what to expect - and how to fix it because that is their focus. They aren’t worried about flying 200 people from Cleveland to Phoenix, with all the other fine points that requires.
You want things to go wrong gradually and in such a way as instantaneous, correct reaction is not mandatory outside of normal reactions (i.e., if nose pushes down, pulling back should address the situation temporarily).
People’s instincts should allow them to manage the situation in the short-term to get the airplane to a safe condition, at which point they can start working through the process of disabling trim switches and checklists.
03/18/2019 at 09:47
Well, it’s not like 150 lbs was the magic number. There wasn’t one.
This whole thing irritates me because pitch stability when changing the power is a NORMAL thing. Granted, the MAX was going to be more dramatic than most jets because of the engine placement, but I still feel like training the pilots for this is preferable to having MCAS do the work.
Every time I fly (almost entirely 737s), I notice the pitch effect of power changes. If you pay attention, you will, too: Initial descent, the power drops and the nose immediately pitches down. Later, closer to final approach, changes in throttle always result in a pitch adjustment, which is almost always corrected immediately by the flight crew.
Now I suppose if you were on final approach and went from 30% throttle to 100%, it could be a drastic change without MCAS to intervene. Maybe.
But there are so many aerodynamic nuances these folks (should) train for, I still don’t see the need for MCAS. It’s like having radar cruise control in your car, then you HAVE to use it on every drive whether you need it or not. That would definitely mess with my head...and my habits.
03/18/2019 at 10:01
If it’s all true, then there was zero redundancy for the AoA sensor, which apparently isn’t that reliable even. Terrible system design.
I do wonder why, though, the pilots didn’t follow a runaway trim procedure and shut it off. Failure by Boeing, or perhaps the airline, or a crew failure? That’s an important part of this investigation also.
03/18/2019 at 10:35
MCAS gets data from only one of two angle of attack indicators on the MAX and the flight data recorder on the Lion Air airplane showed the AOA feeding MCAS was malfunctioning. “A hazardous failure mode depending on a single sensor, I don’t think passes muster,” said Lemme.
This is the thing that’s most insane to me. How on Earth were they not checking both instruments and issuing some sort of warning if they disagreed? Potentially crashing the plane if the pilots didn’t react quickly and calmly due to a single point of failure? Even relying on both of them together seems a little suspect, since it seems quite possible that icing conditions that would break one could break both, but it seems like there are a bunch of other inputs they could use to sanity check whether the wing really is about to stall. Or you know just sound the stall horn and let the pilots figure it out. I have high hopes for increased automation in aviation, but you can’t have these single point of failure scenarios.
03/18/2019 at 11:01
Boeing should be sued by every single family member. To design a system that only uses one sensor when two are available; to override pilots input constantly because it knows better; to change the design specifications and increase the aoa 4x over the original specs without telling anyone... unbelievable hubris.
03/18/2019 at 11:38
And in simpler situations. For example: I was driving my brother-in-law’s clapped-out Gen 2 Prius last year. The thing went through almost as much oil as it did gasoline. I was coming down an off ramp and as I neared the bottom, and applied the final measure of brake, the CEL flashed for a moment. There may have been an audible as well, but I don’t remember. I thought, I bet there was a momentary oil starvation. Turns out I was correct and the crankcase was something like 2.5 quarts low with a 4 qt capacity. Slightly less complex than operating a B737 MAX 8, I’ll grant you. But because I understood well the various systems involved, and knew of the idiosyncrasies of that particular vehicle, I understood what was going on.
Had my wife or my sister-in-law been driving, not so, though they are experienced drivers and licensed.
You have to understand how the systems work individually and in synchrony with each other. I suspect that the unfortunate pilots of these two MAX 8s did not. And evidence sounds like it points to Boeing — and their employers — not providing them with the information, anyhow.
Piloting does not suffer fools gladly.
03/18/2019 at 11:46
When I am dead, I want to be remembered as one of the greatest pilots who never flew. It’s very cool to know that you fly 737s. I always enjoy chatting up the pilots after a flight to ask them specifics about how they did their flying. It usually takes two or three back-and-forths for the pilot(s) to realize that I am not just some clueless pedestrian, but that I really did notice something and once they figure that out, they are usually quite happy to discuss their art.
I have a very good head for detail, a good feel for mechanical systems, and a knack for precise protocol. And good hands. I think I’d have made an excellent pilot, though at this point in my life, I don’t see it happening ever. I mean, if I came into some money, I might enjoy hiring an instructor and a fun airplane — like a Cessna 206 or even some turboprop single — and going for some rides, but that’s about as likely as me coming into some money.
Still, I’m a great fan and I think that what has happened with these MAXs is criminal. 9-11 angered me also, apart from the obvious reasons like carnage, I particularly resent that they’ve taken something that I love, namely commercial aviation, and weaponized it. The world is coming unhinged.
03/18/2019 at 11:50
I think that when they peel the onion, above the rotten and culpable core occupied by Boeing and the launch airlines, there will be a substantial layer of human factors, inexperience chief among them, that led to the crash. I’ve read and heard that in Lion Air at least, the first officer had only the barest minimum of experience. I cannot confirm this, but I have suspected it all along. When I fly Southwest, the captain is always (a man) in his mid- to late fifties. In other words, long in the tooth. I have assumed throughout this debacle that if the MCAS tried to kill one of those crews, the crew would carry the day and there’d be a hue and cry in the Ready Room after the flight.
03/18/2019 at 11:51
Criminal culpability on the part of Boeing and the FAA, I expect to see.
03/18/2019 at 11:52
Hubris? No. Criminal? I should think.
03/18/2019 at 11:54
Nope...not a pilot, sorry for being misleading... I meant as a passenger. I grew up in the front seat of small planes, so I’ve always been keenly aware of what’s going on during flight, and like you, always very interested in learning more.
In small planes, changes in power usually have a different effect — torque and p-factor.
Older jets with fuselage-mounted engines had more “centerline thrust” (727, MD-80, L-1011) and often didn’t have the same severity of pitch issues as the 737 MAX, but at the end of the day, having wing-mounted engines won the design battle because they’re so much easier to service (among other things). Still, if you look closely, fuselage-mounted engines are almost always pre-pitched slightly up or down depending on the plane and its weight/balance.
03/18/2019 at 13:14
I’ve been reading about this on a forum elsewhere and there is no shortage of gods of the flight deck who attribute all blame to the pilots who they think should have had the sense to turn the system off (it’s just a switch) and take over. Seemingly the previous crew on the Lion flight did just that and pilots are supposed to have been reminded of this since. Whether the average person is going to remember this in the heat of the moment is another matter and sadly it seems that they may not.
03/18/2019 at 13:29
In small planes, changes in power usually have a different effect — torque and p-factor.
Does p-factor account for the spinning air brake when you chop the power?
03/18/2019 at 13:32
Yeah. I’m just an armchair quarterback on this and I don’t want to be a blame-the-pilot person, but I expect it to come out in the wash that the pilots on both flights were not highly experienced pilots. Still, by the book, they were qualified to fly the aircraft and it sounds like the qualifications and qualifiers were a fail.
Strikes me that there would be criminal culpability here for one or more entities.
03/18/2019 at 13:34
It used to be that a lot of technical people at Boeing were pilots - they had a flying club and operated flight training programs. They got rid of those about 15 years ago, and I think this is one of the results, as a pilot (even of a Cessna) would have some of the general knowledge to know this was a dangerous situation.
Probably doesn’t help that in a town known for software, Boeing has a well-earned reputation for being cheap when it comes to salaries of its technical people.
03/18/2019 at 13:41
Given that there haven’t been any final reports, either from the Lion Air crash, or the Ethiopian crash nobody outside of the investigators privy to the preliminary details can say with any certainty what caused either crash. Based on the publicly available information it would appear that the MCAS has been implicated in both crashes, but that isn’t a definite thing.
To say that technology killed these people is a gross oversimplification of what happened, and does everyone a disservice. Based on preliminary news (not aviation safety authority) reports it would appear that MCAS played a significant role in both incidents. The caveat that applies here is that the news has shown a propensity for sensationalism and blaming that quite often goes spectacularly wrong.
Assuming the reporting implicating the MCAS system is correct, it would still be incorrect to lay the blame solely on the technology involved. There is a whole chain of failures that led to the eventual crashes. First it would appear there were awful choices made regarding the system architecture. A critical system should not have single sensor input without any redundancy built in. There should also be some type of error checking when that sensor gives inputs way outside of the expected readings. The single sensor input and apparent lack of error checking the input were human decisions.
The choice to allow the MCAS enough control authority to prevent the pilots from being able to maintain manual control of the airplane should not have happened. That choice shouldn’t have been made by the engineer/programmer who made it. That choice should have been caught by the person at Boeing who signed off on that decision. That choice should have been caught by the person at the FAA responsible for certifying the system. Those are at least three layers of human failure before the technology ever flew.
The pilots should have been trained on what to do in the event of a runaway MCAS. It would appear that they either weren’t trained at all, or that the training was ineffective. Part of the problem (from the perspective of someone who is in no way qualified to fly a 737) is that runaway trim and runaway MCAS appear to manifest in a similar way, yet require very different procedures to correct. In the case of runaway auto-trim, pilots would experience an uncommanded pitch change. From what I’ve read runaway trim is corrected by sharply pulling back on the yoke which disables the auto trim system. If MCAS fails the pilots experience an uncommanded pitch change. In the case of runaway MCAS sharply pulling back on the yoke does nothing, you need to disable the system by switching it off. In either case the failure mode presents as an uncommanded pitch change, yet the solutions are very different.
It would also appear that the instinctive response to the aircraft pitching down (pulling back the yoke) would result in the MCAS responding by trimming the stabilizer further nose down which results in less control authority for the pilots the next time they attempt to pull the nose up. Boeing essentially programmed in a positive feedback loop when the system fails. From an engineering perspective positive feedback is a very bad thing because it inevitably results in a complete system failure.
The crashes didn’t start and end with the technology or the pilots. The chain of failures that resulted in two planes crashing appears to have started with decisions Boeing made, continued through FAA certification procedures that in hindsight were woefully inadequate, continued through further Boeing & FAA decisions that pilots didn’t require training on MCAS as it would work “in the background”, included the failure of the airlines to demand proper documentation and training from Boeing, continued to the pilots who flew an aircraft they didn’t fully understand, and ended up with two aircraft going down. While what I’ve seen places a huge share of the responsibility on Boeing, that doesn’t absolve the pilots of their responsibility to fully understand the aircraft they fly, and its possible behavior when critical systems fail.
03/18/2019 at 13:46
I think that’s likely - question in my mind is where the biggest training failures were. If Boeing wasn’t telling anyone about this, and not re-iterating the need for training on runaway trim emergencies, then it’s pretty hard to fault the crew, even if they weren’t experienced.
The investigation will ultimately reveal all of that, though - and you can just about guarantee that this will be a landmark accident investigation, along with Tenerife, UA232, AA191 and others. I just wish we could have learned all of this without bloodshed - but that’s not usually how it works, sadly.
03/18/2019 at 13:53
No one with any common sense would lay all of the blame for this on the flight crew.
People often get worked up about the outcomes of these investigations, because they feel that the purpose of them is to ‘assign blame’. That is absolutely not the case - the reason why airline travel is so safe today is because these investigations are thorough, and don’t stop with finding one cause of an accident. They look at *all* of the opportunities that were missed to prevent the crash and try to improve all of them - so we get multiple layers of redundancy. And I feel pretty confident that there will be multiple recommendations that come out of this investigation - including flight training - but that in no way absolves MCAS, nor blames the crews.
03/18/2019 at 14:00
I don’t believe that MCAS was required because of the propensity for pitch to change with power changes. Like you said, most airplanes want to change pitch with power changes. Try adding full power on a Cessna 182 with the flaps extended (as you would in a go-around), and see what happens - the nose will pitch up enough to stall the airplane if the pilot doesn’t do anything.
What I did read somewhere was that the size/shape/location of the engine nacelles actually causes them to generate some lift at high angles of attack - which has a negative impact on pitch stability. IE, without MCAS, at high angles of attack, the aircraft may have a little less resistance to the nose going even higher - perhaps in the form of lighter stick forces. That, if true, is decidedly *not* normal or intuitive. That would be a logical reason why MCAS was required.
03/18/2019 at 14:27
It may not be a fair comparison, but I am thinking about the brain drain at NASA that was identified after the shuttle Challenger blew up.
It will be interesting to watch the degree to which the launch airlines and Boeing point fingers at each other. And the efficacy of the FAA under various administrations also to be gum-smacked over by the losers in the Congress.
This is a maddening situation.
03/18/2019 at 14:39
First, I posted the story I posted because AVWeb is a respected aviation news source. I am told by a Seattle Oppo that Dominic Gates, the writer of the column referenced by AVWeb, is respected by people inside Boeing. If I were an engineer, I could have stated as you have that a positive feedback loop is bad, and the airplane apparently became unflyable as a result, since the pilots did not, or could not, or did not know how to, disable the technology.
In the totality of what I have opined about this matter, I have tried hard to be clear. One of my posts makes an actual comparison to how AVWeb reports the nose trim jackscrew finding compared to LA Times’ reporting of it (“trim full nose down,” versus “set to dive.”) I’ve opined that Boeing and or the airlines might stand to become criminally culpable, certainly liable. I’ve opined that pilot experience level might prove to be a factor. So yes, the one-liner that you responded to here is an oversimplification, but in the main, I have stated everything you have, to a point short of being an engineer or a pilot myself, pretty much exactly as you have.
Thank you for helping to keep me honest. These mishaps are needless and stupid.
03/18/2019 at 15:36
... the technology killed them in dramatic fashion, by design.
The point that I attempted to make and seem to have failed at is that MCAS was not designed to kill people. Everyone involved was trying to make the airplane as safe as they could. Unfortunately it appears that the entire design and approval process failed to catch a problem that ultimately proved fatal.
03/18/2019 at 22:03
It's a semantic difference: the design killed them, but it wasn't designed to kill them. I take your point.