Boeing How Safe is the Boeing 737 Max's MCAS System?

[cyboman]

Thinking of the system as "engaging" is misleading. The MCAS system is always adjusting the trim in manual flight to compensate for the pitch up moment of the engines. Its purpose is not "spot some particular condition we don't want and adjust to get out of it". Its purpose is "change the way the plane feels to the pilot to make it like previous 737s". If the system were only active part of the time in manual flight mode, the "feel" of the plane would change from one flight regime to another. That would not be good.

Right, to clarify, when I say engage, what I mean is the when the MCAS activates erroneously. Such that as we see in the Lionair case, it repeatably tries to pitch down and the pilot fights it trying to climb. My point is that when this system is in error, say during take-off, there very likely is not time to bypass it before the system has pitched the aircraft into an irrecoverable dive. I sounds to me that the MCAS is basically a sub system of the fly-by-wire system, since as you said under manual control it is always active. If that's the case then it looks like we're moving too far from "direct law" with sub systems that make the plane "easier" to fly or more like previous aircraft. It seems that was a very expensive mistake and training for the different flight characteristics would of been a way better direction, regardless of cost or convenience. I also find it hard to believe that with all the reports we see (including those that didn't result in crashes) it's always a faulty sensor causing MCAS to fail. I think the code should take into account pilot input and altitude. If it detects the pilot is constantly pitching up and the altitude is falling to a dangerously low level, it should automatically shut down without the need for the pilot to deliberately bypass.

I agree this would be a good idea. I don't know what information Boeing's cockpit communicates currently, but I know that in several previous Airbus incidents, one of the findings of the investigation was that the cockpit information system was not communicating information well to the pilots.

It almost sounds like a good fit for an AI. A CGI human face that is reporting to the pilot what the computer is doing at the time. Almost like another member of the flight crew. I was watching some coverage and they said in the one of the reports of the problem the computer was saying "Don't Sink, Don't Sink". If that's true that seems like a pretty ridiculous verbal feedback to a pilot. But maybe I'm wrong and that's following best practices? I mean I would expect that sort of verbiage in a videogame sim. An actual airliner I would expect to say something more specific like, Stall risk, or MCAS pitching down, push to deactivate...etc...

No, it isn't. If a total sensor failure happens, the odds of all three sensors agreeing with each other to within the required tolerance are too remote to worry about. The system I've described would see a total sensor failure as all three sensors disagreeing, and would stop believing any of them and light up a big red light in the cockpit that says "automatic systems disabled because of bad sensors", and the pilot would take over.

Right, I'm still not convinced with all the reports it's always a sensor failure. It could be in the code itself and how it's interpreting that input. Also, "too remote to worry about" sounds like something an engineer might regret stating, but I get your point.

It's not a matter of "use cases" not being known; they are known. Remember we're not talking about aerobatics or military flying or recreation; we're talking about commercial airliners flying between known airports on known routes with known flight profiles. That's a much narrower requirement than "be able to deal with anything that could ever be done with an airplane, better than a human does". But the algorithms do require accurate sensor data, so making sure all sensor data is checked for accuracy before acting on it seems like an obvious design requirement.

I see your point. I do still think you're underestimating the variables and complexity of landing and take-off, weather, unsecured cargo load, possible mechanical failure all with aerodynamically unstable vehicles that need MCAS like systems.

 

[cyboman]

Note: Here I am talking about the incidents I've described where we know what happened, and where MCAS issues were observed, or where uncommanded pitch down events happened in autopilot. We don't know enough yet about the Ethiopian Airlines incident to know what caused it. With Lion Air I think we know more, but I'm not sure MCAS has been definitely fingered as the only root cause--but we know from the flight profile that "the plane stalled and the automatic system prevented the pilot from recovering properly" is not what happened; the plane wasn't stalled at any point.

Right, I'm getting confused with how the MCAS is trying to prevent a stall and what's actually happening is that there is no risk of stall and instead there's basically a battle between the MCAS input and the pilot input, where unfortunately the MCAS prevailed.

 

[cyboman]

Q. Is anyone else a little uneasy that electronic flight systems have a more powerful control surface (AMT) under their command than the human pilot (Elevator)? I'm sure aircraft designers will say there are systems in place to ensure pilots have full control at all times - but it just feels wrong.

To confirm, are you saying there is a mechanical device, AMT, that controls pitch which the pilot has no control over?

 

[cyboman]

Crew factors have been a focus for research since the dawn of aviation, indeed one of the founding reasons for NACA, now NASA. Airline flight crews have shrunk over time. For instance Flight Engineers have been replaced by automation and advanced engine designs. Navigators, almost always trained pilots, have been mostly if not entirely replaced on commercial flights by enhanced navigation and communication. Relief pilots and Training pilots ("third seaters") are specific to regulations and airlines but have proved vital in alleviating problems with advice, also available if a pilot becomes incapacitated.

No matter what the cause of the accident, consider the composition of the Ethiopian Airlines crew. Airliner.net reports a 29 year old captain supervising a first officer with ~200 hours flight experience. While a common on-the-job training (OJT) scenario, what happens if the captain is unable to perform?

Managing crew costs are a major economic factor for successful airlines. While analogies with ground transportation are common, even long-haul trucks only have one driver. Transportation unions fight for reasonable hours and relief operators. Autonomous ground vehicles soon followed by surface vessels are rapidly becoming reality. Transport crew sizes have reduced while information to pilots and drivers has increased. As airliner automation improves, two trained pilots may seem economically redundant. Triple redundancy, an important engineering principle, may not have an economical counterpart.

Very interesting. I for one would pay more for a ticket from an airline that embraces human redundancy and a little over-engineering in the name of robustness and safety.

 

[anorlunda]

In this thread alone there seems to be different opinions about failures of AOA sensors in the Lion Air Crash.

Had anybody seen claims of sensor failure on Lion Air that are based on the FDR data rather than speculation by journalists?

 

[cyboman]

In this thread alone there seems to be different opinions about failures of AOA sensors in the Lion Air Crash.

Had anybody seen claims of sensor failure on Lion Air that are based on the FDR data rather than speculation by journalists?

I have not seen the data but on a press conference a ministry of transportation safety or something stated that in the Lion Air case, the MCAS was in error due to a faulty AOA sensor. As I understand the investigation may still be ongoing however.

 

[cyboman]

In this thread alone there seems to be different opinions about failures of AOA sensors in the Lion Air Crash.

Had anybody seen claims of sensor failure on Lion Air that are based on the FDR data rather than speculation by journalists?

Even if the AOA sensor was the cause in the Lion air case, it seems hard to believe that all reported problems with the MCAS is due to sensor failure. For example like the article referenced earlier:

https://www.nytimes.com/2019/03/13/world/africa/boeing-ethiopian-airlines-plane-crash.html

See heading: Pilots on U.S. routes had reported concerns about the Max 8

 

[PeterDonis]

The more I read about these reports the more I'm less inclined to believe it's always a faulty sensor. I think there is a much deeper flaw in the design of the MCAS system.

You have to be careful to distinguish MCAS issues from autopilot issues. The reports referenced in the NY Times article were about uncommanded pitch down events with autopilot engaged. That's not an MCAS issue. Based on the similarity with the Airbus incidents of uncommanded pitch down, I suspect those autopilot incidents were due to faulty AoA sensor data not being spotted as faulty. But it's true that, since those pilot reports have not been investigated to pin down a root cause, we don't know that for sure. It's possible that your suspicions about other flaws somewhere in the automated systems are correct.

 

[PeterDonis]

I'm getting confused with how the MCAS is trying to prevent a stall

It's not. Again, there are different automated functions involved that it's important to keep distinguished. We've talked about three of them in this thread:

(1) Autopilot, which basically means getting the plane to a desired altitude, airspeed, and heading and keeping it there. This includes climb to cruise altitude, cruise, and descend to landing.

(2) Automatic stall prevention, which means detecting when the angle of attack is too high and automatically pitching the nose down.

(3) MCAS, which is a manual system designed to constantly input some amount of nose down trim to make the 737 MAX feel to the pilot like previous 737 models.

All three of these functions rely on accurate AoA sensor data, but the functions themselves are separate and are there for different purposes.

 

[cyboman]

It's not. Again, there are different automated functions involved that it's important to keep distinguished. We've talked about three of them in this thread:

(1) Autopilot, which basically means getting the plane to a desired altitude, airspeed, and heading and keeping it there. This includes climb to cruise altitude, cruise, and descend to landing.

(2) Automatic stall prevention, which means detecting when the angle of attack is too high and automatically pitching the nose down.

(3) MCAS, which is a manual system designed to constantly input some amount of nose down trim to make the 737 MAX feel to the pilot like previous 737 models.

All three of these functions rely on accurate AoA sensor data, but the functions themselves are separate and are there for different purposes.

Right, that helps. Thank you for that clarification. I was conflating 2 and 3.

It does seem that MCAS pulls the nose down if the AOA is too high, thereby preventing a stall. So doesn't MCAS overlap with stall prevention in that way?

 

[PeterDonis]

Regarding earlier posts about cockpit indications, it looks like Southwest took steps after the Lion Air crash to add an optional avionics package to their 737 MAX aircraft that includes an AoA display in the cockpit to help pilots identify possible AoA sensor errors:

https://theaircurrent.com/aviation-...le-of-attack-indicators-to-its-737-max-fleet/

 

[PeterDonis]

It does seem that MCAS pulls the nose down if the AOA is too high, thereby preventing a stall.

Not really. What the MCAS does is add nose down trim to compensate for the pitch up moment due to the new engines. No compensation is needed at low AoA; it's only needed at higher AoA. But adding nose down trim is not the same as pulling the nose down; the pilot can still push the nose up with the yoke, he just has to push harder if the MCAS is adding nose down trim. So, for example, if the pilot really wanted to stall the aircraft, he could keep pulling harder on the yoke to push the nose up, despite MCAS--and then, if automatic stall prevention were active, it would eventually kick in and force the nose down regardless of the pilot's input. Which is something different from what the MCAS was doing. (All this assumes accurate AoA sensor data.)

 

[cyboman]

Regarding earlier posts about cockpit indications, it looks like Southwest took steps after the Lion Air crash to add an optional avionics package to their 737 MAX aircraft that includes an AoA display in the cockpit to help pilots identify possible AoA sensor errors:

https://theaircurrent.com/aviation-...le-of-attack-indicators-to-its-737-max-fleet/

That seems like a good implementation to the GUI. Sort of surprised it's not there by default.

 

[cyboman]

Not really. What the MCAS does is add nose down trim to compensate for the pitch up moment due to the new engines. No compensation is needed at low AoA; it's only needed at higher AoA. But adding nose down trim is not the same as pulling the nose down; the pilot can still push the nose up with the yoke, he just has to push harder if the MCAS is adding nose down trim. So, for example, if the pilot really wanted to stall the aircraft, he could keep pushing harder on the yoke, despite MCAS--and then, if automatic stall prevention were active, it would eventually kick in and force the nose down regardless of the pilot's input. Which is something different from what the MCAS was doing. (All this assumes accurate AoA sensor data.)

Again, thanks for clarifying.

 

[PeterDonis]

Sort of surprised it's not there by default.

Yes, this would seem to be exactly the sort of thing that should have been in the base aircraft, not an optional package.

 

[cyboman]

Yes, this would seem to be exactly the sort of thing that should have been in the base aircraft, not an optional package.

I guess that's why "Boeing did not immediately respond to a request for comment."

 

[CWatters]

To confirm, are you saying there is a mechanical device, AMT, that controls pitch which the pilot has no control over?

Not quite.

On a typical light aircraft, glider or model aircraft you have a fixed horizontal tail plane with hinged movable elevators behind.

On a supersonic jet fighter you don't have separate tail and elevators, instead its all one surface called an All Moving Tail.

On many passenger jets you have a combination of both. There is a tail plane and separate elevators but both can move. I might be wrong but as I understand it typically the pilot controls the elevators and the electronic flight systems control the angle of the tail plane. The pilot can also control the tail plane via the manual trim wheel.

I have difficulty articulating my concern about this. The AMT part of a passenger aircraft has to have quite a large movement to cope with the wide speed range of modern aircraft. Likewise the range of movement of the elevator has to vary depending on speed and configuration so as to provide enough control at low speed but not too much at higher speeds. There are quite complicated laws/equations that determines how much elevator travel is produced for any given input by the pilot. It's no longer a simple relationship.

A heck of a lot of engineering goes into these systems and I'm sure engineers will say they have thought of all the failure modes and have written procedures for pilots to follow, but when accidents happen we scratch our heads and wonder why the pilots didn't do x or y. Perhaps things are just too complicated?

 

[Nik_2213]

All 737 Max grounded !

Looks like something nasty has shown up in the flight data...

Truly, advances in safety are too-often bought in blood...

 

[PeterDonis]

A very interesting article by a pilot giving good details on not just the 737 MAX MCAS system but the more general subject of automated trim adjustments, how a plane feels to the pilot, certification requirements for systems, and the impact of fly-by-wire systems on all this:

https://airfactsjournal.com/2019/03/can-boeing-trust-pilots/

Note: AFAIK the 737 series as a whole does not have fly-by-wire (FBW). However, MCAS on the 737 MAX introduces some of the issues of FBW by automating the trim adjustment, which makes what is said about FBW in this article relevant to the MCAS discussion.

 

[berkeman]

On many passenger jets you have a combination of both. There is a tail plane and separate elevators but both can move.

You can see the AMT feature and separate elevators in this photo from Google Images...

https://upload.wikimedia.org/wikipedia/commons/3/3a/Qantas_Boeing_737-800_Registration_on_tail.jpg

 

[cyboman]

A heck of a lot of engineering goes into these systems and I'm sure engineers will say they have thought of all the failure modes and have written procedures for pilots to follow, but when accidents happen we scratch our heads and wonder why the pilots didn't do x or y. Perhaps things are just too complicated?

I think this alludes to the somewhat fuzzy line between these control systems which are computer aided, due to forces required / hydraulics and in turn for force feedback compared to pure fly-by-wire systems. I would suggest the more complex the computer intermediary in the control systems, the closer it is becoming fly-by-wire. Add an autopilot and more complex systems like MCAS (that in this case pilots are not even aware of) and the line is quite blurry indeed.

 

[cyboman]

A very interesting article by a pilot giving good details on not just the 737 MAX MCAS system but the more general subject of automated trim adjustments, how a plane feels to the pilot, certification requirements for systems, and the impact of fly-by-wire systems on all this:

https://airfactsjournal.com/2019/03/can-boeing-trust-pilots/

Note: AFAIK the 737 series as a whole does not have fly-by-wire (FBW). However, MCAS on the 737 MAX introduces some of the issues of FBW by automating the trim adjustment, which makes what is said about FBW in this article relevant to the MCAS discussion.

This was a fascinating article. A pilot in the comment section notes that the articles concise description of MCAS is good: "That pitches the nose down and gives the pilot the stick force to know that he is pulling too close to the stall margin." So it does seem MCAS is closely related to protecting the plane from entering a stall scenario.

The pilot goes on with an interesting comment: "Boeing contends that the standard runaway stabilizer trim procedure is valid; this is not entirely true, since the first step in that procedure is to firmly oppose the control column forces, using the column cutout switches to disable the runaway. However, all of us flying the bird know exactly where the master trim cutout switches are, and I guarantee that at the first indication of an MCAS malfunction, those switches will be shut off in a nanosecond."

It seems here that there is no clear way to clear way to disable the MCAS in the event of a failure. Am I reading this right?

 

[cyboman]

You can see the AMT feature and separate elevators in this photo from Google Images...

https://upload.wikimedia.org/wikipedia/commons/3/3a/Qantas_Boeing_737-800_Registration_on_tail.jpg

View attachment 240254

Is the AMT what looks like flaps on the elevators?

 

[anorlunda]

I think this is a very important debate regarding human machine interaction. But I hate conducting it while the actual causes of these accidents are speculative.

Think how foolish all this talk will sound if the final report cites a cause that has nothing to do with MCAS or trim or handling or FBW or autopilot. It reminds me of TWA 800.

 

[cyboman]

I was researching a bit about AI and commercial flight, thinking about the lack of a good interface / verbal / visual feedback to the pilot from MCAS or other systems.
There is an interesting article I came across by wired here: https://www.wired.com/2017/03/ai-wields-power-make-flying-safer-maybe-even-pleasant/

Autopilots ace basic piloting tasks in non-emergency conditions, but outside the straight and level stuff, they suffer.

It seems existing autopilots are fairly limited in the scenarios they can deal with and engineers are looking to AI to build better more robust systems.

My interest however as I alluded to earlier in the thread, is less in making a better autopilot or smarter automated systems, which of course is a necessary development. But instead in AI taking a role in communicating to the pilot the current status of the vehicle, both in a emergency and non-emergency scenarios. This would help ease the information overload burden on the pilot, especially as more and more complex systems are added to the airplane like MCAS. The article seems to suggest this somewhat:

Baomar wants to build an AI-based autopilot that can respond reliably and correctly to whatever's happening, while ensuring the human in the cockpit knows what’s going on.

It closes on this point, which seems relevant to our thread:

Assuming these systems someday clear those regulatory hurdles and roll out to commercial airlines, they could provide a stepping stone between the eras of human pilots and what comes next. The days of stick-and-rudder piloting are rapidly fading as cockpit automation ramps up, and the benefits of flying absent the threat of human fallibility might prove too appealing to resist.

But getting there is half the battle, and the in-between period, with some automation going on and some manual control, will need to be deftly controlled to ensure that pilots can still manage their aircraft well. AI could prove invaluable to plugging that gap.

 

[cyboman]

I think this is a very important debate regarding human machine interaction. But I hate conducting it while the actual causes of these accidents are speculative.

Think how foolish all this talk will sound if the final report cites a cause that has nothing to do with MCAS or trim or handling or FBW or autopilot. It reminds me of TWA 800.

I think no matter how both investigations come out, the discussions we are having in this thread will still be very relevant. The overwhelming thesis of this thread is the dynamic between the automated systems and how those are communicated to the pilot, both during flight in feedback and made aware to the pilot via training or accurate bulletins before flight. Further, the ability for the pilot to circumvent these systems easily and whether or not that is continuing to be feasible as these aircraft become more and more dependent on autonomous or fly-by-wire systems. I think those issues are very relevant even if MCAS wasn't at fault.

 

[berkeman]

Is the AMT what looks like flaps on the elevators?

No. The AMT is the whole horizontal tail airfoil. There is an axle that runs down the middle of the airfoil from the plane fuselage to the tip of the tail airfoil, and if you look at the leading edge of the tail airfoil there is a slot in the fuselage for the moving front support. You can see marks painted on the fuselage at the leading edge showing three AMT angles (probably nominal, max up and max down).

 

[anorlunda]

I think those issues are very relevant even if MCAS wasn't at fault.

I agree with that. I just prefer to see them in a thread that is not linked to a recent accident.

 

[berkeman]

The AMT is the whole horizontal tail airfoil.

Check out this video. You can see the AMT on these F-14 fighter aircraft during takeoff and landings and other maneuvers. See the land-based takeoff at the beginning of the video, and the carrier launches at 3:00, and the carrier landing at 0:55. Feel free to enjoy the rest of the video as well...

 

[cyboman]

Check out this video. You can see the AMT on these F-14 fighter aircraft during takeoff and landings and other maneuvers. See the land-based takeoff at the beginning of the video, and the carrier launches at 3:00, and the carrier landing at 0:55. Feel free to enjoy the rest of the video as well...

Weird, I just watched this movie for the first time a few days ago. A little cheesy and definitely a Navy recruitment video in some ways, but it has some really amazing flight and carrier footage and a neat sci-fi premise.

I see the AMT fluctuating at 0.55. Is that under computer control or is that the pilot or a mixture?