“Controlled flight into terrain” is an aviation term for the crash of a normally functioning aircraft because the pilots were distracted or disoriented. It is a nightmare. By my reckoning, even worse is an automated flight into terrain, when the aircraft's control system forces it to dive into the ground despite the crew's desperate attempts to save the situation. This is the alleged cause of the two recent crashes of the Boeing 737 MAX 8. I tried to figure out how these incidents could happen.
Note: The investigation of the MAX 8 disasters is at an early stage, so much of this article is based on data from indirect sources, in other words leaks and rumors, as well as the arguments of people who may or may not know what they are talking about. Keep this in mind if you decide to continue reading.
Accidents
Early in the morning of October 29, 2018, Lion Air flight 610 took off from Jakarta (Indonesia) with 189 people on board. It was a new 737 MAX 8, in service for only four months - the latest model in a Boeing line created in the 1960s. Takeoff and the climb to about 1,600 feet (480 meters) were normal, after which the pilots retracted the flaps (wing elements that increase lift at low speeds). At this point the aircraft suddenly dropped to 900 feet (270 meters). In radio communications with air traffic controllers, the pilots reported a “problem with the control system” and asked for their altitude and speed as displayed on the controllers' radar screens.
The cockpit instruments gave inconsistent readings. The pilots extended the flaps and climbed to 5,000 feet (1,500 meters), but after the flaps were retracted the nose dropped and the aircraft again began to lose altitude. Over the next six to seven minutes the pilots struggled with their own aircraft: they tried to keep the nose level, but the flight control system kept pushing it down. In the end, the machine won. The plane crashed into the water at high speed, and everyone on board died.
The second disaster occurred on March 8, when Ethiopian Airlines flight 302 crashed six minutes after taking off from Addis Ababa, killing 157 people. The aircraft was another MAX 8, in service for only two months. The pilots reported control problems, and satellite tracking showed sharp fluctuations in altitude. Because of the similarity to the Lion Air accident, an alarm was raised: if both incidents had the same cause, a malfunction or a design flaw, there could be more accidents. For several days, the 737 MAX fleet around the world was suspended from flying. Data recovered after the crash of flight 302 strengthened the suspicion that the two cases are closely related.
The sad fate of Lion Air flight 610 can be traced in the data extracted from the “black box”. (The chart was published in November as part of the preliminary report of the National Transport Safety Committee of Indonesia.)
A general idea of the story is given by the altitude curve at the bottom of the chart. The initial climb is interrupted by a sharp descent; a further climb is followed by a long, erratic roller-coaster ride. At the end comes a dive: in a little more than 10 seconds, the aircraft descends 5,000 feet (1,500 meters). (Why are there two altitude curves on the chart, separated by several hundred feet? I'll return to this question at the end of this long article.)

All these ups and downs were caused by movements of the horizontal stabilizer - a small, wing-like surface at the rear of the fuselage. The stabilizer controls the pitch angle of the aircraft, i.e. where the nose points. On the 737 it does this in two ways. The trim mechanism tilts the entire stabilizer, while movement of the pilot's control column (pulling it toward you or pushing it away) moves the elevator - a movable control surface at the rear of the stabilizer. In both cases, moving the rear of the surface upward raises the nose, and vice versa. Here we are mainly interested in changes of trim, not in the movement of the elevator.
The commands given to the stabilizer trim system and their effect on the aircraft are shown by three curves from the flight data, which for convenience I will repeat here:
The line marked “trim manual” (blue) reflects the actions of the pilots, “trim automatic” (orange) shows commands from the aircraft's electronic systems, and “pitch trim position” (blue) shows the stabilizer tilt; a higher position on the graph indicates a command to raise the nose. It is here that the struggle between man and machine is evident. In the second half of the flight, the automatic trim system repeatedly sent commands to lower the nose at intervals of about 10 seconds. Between these automated commands, the pilots used the buttons on the control column to trim the nose back up. In response to these conflicting commands, the position of the horizontal stabilizer oscillated with a period of 15-20 seconds. The sawtooth movement continued for about 20 cycles, but towards the end the inexorable automated nose-down commands overpowered the pilots' shorter nose-up commands. In the end, the stabilizer moved to its maximum nose-down deflection and remained there until the plane crashed into the water.
Angle of attack
What should be blamed for the misbehavior of the automatic pitch trim system? Suspicion falls on MCAS - a system new to the 737 MAX series. MCAS stands for Maneuvering Characteristics Augmentation System - a remarkably elaborate name that gives no idea of what the system does. As I understand it, MCAS is not a hardware device; you will not find a box labeled MCAS in the aircraft's electronic equipment bays. MCAS consists entirely of software. It is a program running on a computer.
MCAS has only one function. It is designed to prevent an aerodynamic stall - a situation in which the nose of the aircraft is raised so high relative to the surrounding airflow that the wings can no longer keep it in the air. A stall is a bit like what happens when a cyclist climbs a hill that gets steeper and steeper: sooner or later the rider runs out of strength, the bicycle becomes unstable, and then it rolls back down. Pilots are trained to recover from a stall, but they do not practice this skill on airplanes full of passengers. In commercial aviation, the emphasis is on avoiding stalls, that is, on preventing them. Airliners have mechanisms for recognizing an impending stall, and they report it to the pilot with lights and sounds, as well as a stick shaker. On flight 610, the captain's control column vibrated almost from the very beginning of the flight to the end.
Some aircraft go beyond simple warnings when a stall threatens. If the nose continues to rise, an automated system intervenes and lowers it, overriding the pilot's manual control if necessary. MCAS is designed for exactly this. It is armed and ready to act when two conditions are met: the flaps are retracted (they are extended only during takeoff and landing) and the aircraft is under manual control (not autopilot). Under these conditions, the system is triggered when an aerodynamic quantity called the angle of attack (AoA) rises into a range of dangerous values.
The angle of attack is a rather subtle concept, so I will draw a diagram:
The diagram is adapted from “Review of Research on Angle-of-Attack Indicator Effectiveness” by Lisa R. Le Vie.
The angles shown in the figure are rotations of the airframe about the pitch axis - a line parallel to the wings, perpendicular to the fuselage and passing through the center of gravity of the aircraft. If you are sitting in an exit row, there is a chance that the pitch axis passes under your seat. Rotation about the pitch axis raises and lowers the nose.
The pitch angle (pitch attitude) is defined as the angle of the fuselage relative to the horizontal plane.
The flight-path angle is measured between the horizontal plane and the velocity vector of the aircraft, that is, it shows how steeply the aircraft is climbing or descending.
The angle of attack is the difference between the pitch angle and the flight-path angle. This is the angle at which the aircraft moves through the surrounding air (assuming that the air itself is stationary, that is, there is no wind).
AoA affects both lift (the upward force that opposes gravity) and drag (the dissipative force that opposes forward motion and engine thrust). Increasing AoA above zero increases lift, because air strikes the underside of the wings and fuselage. But for the same reason, drag increases too. With a further increase in the angle of attack, the flow of air over the wings becomes turbulent; beyond this point lift decreases, but drag continues to increase. This is where the stall begins. The critical angle for a stall depends on speed, weight and other factors, but usually it is no more than 15 degrees.
The Lion Air and Ethiopian flights were not at risk of stalling, so if MCAS was activated, it must have happened by mistake. According to the working hypothesis mentioned in many press reports, the system received erroneous data from a failed AoA sensor and acted on its readings.
Conceptually, the sensor that measures the angle of attack is simple. It is essentially a weather vane sticking out into the airflow. In the photo below, the angle of attack sensor is the small black protrusion located directly in front of the 737 MAX inscription. Pivoting at the front, the vane rotates to align with the local airflow and generates an electrical signal describing the angle of the vane relative to the axis of the fuselage. The 737 MAX has two angle of attack sensors, one on each side of the nose. (The devices above the AoA sensor are Pitot tubes, used to measure airspeed. Another device under the word MAX is most likely a temperature sensor.)
The angle of attack was not displayed on the instruments of the Lion Air 737's pilots, but the flight recorder captured the signals from the two AoA sensors:

And something is terribly wrong here. The left sensor shows an angle of attack about 20 degrees steeper than the right sensor. This is a huge discrepancy. There is no realistic way these two separate readings could both reflect the true motion of the aircraft through the air: the left side of the nose indicated that it was pointed toward the sky, and the right side indicated that it was approximately level. One of the measurements must be erroneous, and the higher one is the suspect. If the true angle of attack had reached 20 degrees, the plane would already have been in a deep stall. Unfortunately, on flight 610 MCAS read data only from the left AoA sensor. It interpreted these meaningless measurements as a true indication of the aircraft's attitude and tirelessly tried to correct it, right up to the moment the aircraft hit the water.
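The single-sensor failure described above can be made concrete with a small simulation. This is an added example, not code from the article or from Boeing: the 2.5-degree step and the roughly 5-degree travel limit are the article's figures, while the trigger threshold, the disagreement limit, the cross-check policy (modelled on the two-sensor comparison the article reports as the planned fix) and the sample flight are assumptions constructed for illustration.

```python
"""Toy model of the MCAS trigger logic described in the article (not Boeing's code)."""
from dataclasses import dataclass

# Figures quoted in the article
MCAS_STEP_DEG = 2.5        # nose-down stabilizer travel per activation
STAB_LIMIT_DEG = 5.0       # approximate mechanical limit of travel

# Assumptions made for this example only (not from the article)
AOA_TRIGGER_DEG = 14.0     # hypothetical "dangerous AoA" threshold
DISAGREE_LIMIT_DEG = 5.0   # hypothetical maximum tolerated left/right difference


@dataclass
class Sample:
    """One control cycle (roughly one 10-second activation window)."""
    flaps_up: bool
    autopilot: bool
    aoa_left: float     # degrees, left vane
    aoa_right: float    # degrees, right vane
    pilot_trim: float   # nose-up trim the crew applies in this cycle, degrees


def armed(s):
    # Article: MCAS is armed only with flaps retracted and under manual control.
    return s.flaps_up and not s.autopilot


def single_sensor_policy(s):
    """As described for flight 610: trust the left vane alone."""
    return armed(s) and s.aoa_left > AOA_TRIGGER_DEG


def cross_checked_policy(s):
    """Stand down when the two vanes disagree by more than the limit."""
    if not armed(s):
        return False
    if abs(s.aoa_left - s.aoa_right) > DISAGREE_LIMIT_DEG:
        return False  # the vanes cannot both be right, so refuse to act
    # Design choice for this example: both vanes must exceed the threshold.
    return min(s.aoa_left, s.aoa_right) > AOA_TRIGGER_DEG


def simulate(samples, policy):
    """Return (activation count, nose-down deflection after each cycle)."""
    nose_down = 0.0
    activations = 0
    history = []
    for s in samples:
        if policy(s):
            activations += 1
            nose_down = min(STAB_LIMIT_DEG, nose_down + MCAS_STEP_DEG)
        # The crew trims nose-up between activations.
        nose_down = max(0.0, nose_down - s.pilot_trim)
        history.append(round(nose_down, 2))
    return activations, history


# Constructed trace: left vane reads about 20 degrees above the right one.
FAULTY_FLIGHT = (
    [Sample(False, False, 22.0, 2.0, 0.0)] * 2    # flaps extended: not armed
    + [Sample(True, False, 22.0, 2.0, 2.5)] * 4   # crew fully counters each step
    + [Sample(True, False, 22.0, 2.0, 1.0)] * 3   # crew inputs become shorter
    + [Sample(True, False, 22.0, 2.0, 0.0)] * 2   # no counter-trim at the end
)

# Constructed trace: both vanes agree that the angle of attack is high.
GENUINE_HIGH_AOA = [Sample(True, False, 16.0, 15.5, 0.0)]

if __name__ == "__main__":
    for name, policy in (("single sensor", single_sensor_policy),
                         ("cross-checked", cross_checked_policy)):
        acts, hist = simulate(FAULTY_FLIGHT, policy)
        print(f"{name:14s} activations={acts} nose-down history={hist}")
```

On the constructed trace, the single-sensor policy fires on every armed cycle and ends at the travel limit once the crew's counter-trim weakens; the cross-checked policy never fires on the faulty vane but still acts when both vanes agree on a high angle.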
Cockpit automation
The tragedies in Jakarta and Addis Ababa have become a cautionary tale of the dangers of excessive automation, in which computers usurp the power of the pilots.
The Washington Post stated:
The second fatal crash involving the Boeing 737 MAX 8 may be a consequence of the struggle of man and machine. This failure shows that regulators should carefully examine systems that take control of people when safety is at stake.
Belgian journalist Tom Djuser, who often writes articles about aviation and computing, offers the following opinion:
It cannot be denied that the Boeing flight JT610 had serious computer problems. And in the high-tech computerized world of aircraft manufacturers, in which the role of the pilot is often reduced to pushing buttons and passive observation, such incidents may well become more frequent in the future.
The button-pushing pilots themselves are especially furious. Pilot and software developer Gregory Travis summed up his feelings in a brief comment:
"Raise your nose, HAL."
“Sorry, Dave, I'm afraid I can't do this.”
Even Donald Trump wrote a tweet on this topic:
Airplanes are becoming too complex to fly. They now need not pilots, but computer scientists from MIT. I see such a picture with many products. There is always a desire to take another optional step forward, although often older and simpler solutions are much better. Decisions need to be made in a fraction of a second, and complexity creates a threat. All this requires a huge price, but gives very little. I don’t know about you, but I wouldn’t want Albert Einstein to be my pilot. I need excellent professionals who have the ability to quickly and easily take control of the aircraft!
There is considerable irony in complaints about over-automation of the 737; in many respects this aircraft is in fact surprisingly old-fashioned. The basic design was created more than 50 years ago, and even the latest MAX models retain quite a lot of 1960s technology. The primary controls are hydraulic: a network of high-pressure lines runs directly from the control columns in the cockpit to the ailerons, elevator and rudder. If the hydraulic systems fail, a fully mechanical backup system of cables and pulleys remains to operate the various control surfaces. The main actuator of the stabilizer trim is an electric motor, but it has a mechanical backup: a handwheel pulling cables that run all the way to the tail.
Other aircraft depend far more on computers and electronics. The main competitor of the 737, the Airbus A320, is a machine in which the fly-by-wire principle is implemented throughout. The pilot controls the computer, and the computer controls the plane. The pilot chooses where to go - up, down, left or right - but the computer decides how to achieve this: which control surfaces to deflect and by how much. More modern Boeing models, the 777 and 787, also use digital control. In fact, the latest models of both companies have taken another step, from “fly-by-wire” to “fly-by-network”. Most of the data traffic from sensors to computers, and then to control surfaces, consists of digital packets sent over a version of Ethernet. The airplane is a computer peripheral.
So if you want to complain about the dangers and indignities inflicted on pilots by aircraft automation, the 737 is not the most obvious target. And a Luddite campaign to rip out all avionics and return power to the pilots would be a dangerously mistaken response to the current situation. There is no doubt that the 737 MAX has a critical problem. It is a matter of life and death for those who will fly on it, and possibly for Boeing as a company. But the problem did not start with MCAS. It began with the earlier decisions that made MCAS necessary. Moreover, the problem may not be solved by the remedy Boeing proposes - a software update that limits the authority of MCAS and leaves the pilots with more control.
Squeezing the maximum out of the 737
The 737 began carrying passengers in 1968. It was (and still is) the smallest jet airliner in the Boeing family, as well as the most popular. More than 10,000 have been sold, and Boeing has orders for another 4,600. Of course, the aircraft has changed over the years, in particular its engines and instruments. The updated 1980s model became known as the 737 Classic, and the 1997 model is called the 737 NG (“next generation”). (Now, after the release of the MAX, the NG has turned into the previous generation.) But despite all these modifications, the basic structure of the airframe has not changed much.
Ten years ago, it seemed that the 737 had finally reached the end of its life. Boeing announced that it would begin developing a completely new replacement, with a body made not of aluminum but of light composite materials. However, competition made its own adjustments. Airbus had an advantage in the form of the A320neo, an updated model for the same market segment with more efficient engines. The modified Airbus was due to be released around 2015, while developing a Boeing design from scratch would have taken a dozen years. There was a threat of losing customers. In particular, Boeing's long-time loyal partner, American Airlines, was negotiating a large A320neo order.
In 2011, Boeing abandoned the plan for a completely new design and decided to do the same as Airbus: attach new engines to the old airframe. This would make it possible to skip most of the preliminary design work, as well as the need to build tooling and production facilities. Review and certification by the FAA (the US Federal Aviation Administration) would also go faster, and the first deliveries could begin in five to six years, not too far behind Airbus.
The 737-800 (the model produced before the MAX) burns about 800 gallons of jet fuel (3 thousand liters) per hour of flight. That is, the cost is approximately $2,000 per hour at a price of $2.50 per gallon. If the plane flies 10 hours a day, it spends 7.3 million dollars annually. Fourteen percent of this amount is more than $1 million.
It was promised that the new 737 engines would improve fuel efficiency by 14 percent, which would allow an airline to save a million dollars in operating costs per year. Greater fuel economy would also increase the range of the aircraft. And to sweeten the deal, Boeing offered to leave enough of the airframe unchanged that the new model could be operated under the same “type certificate” as the old one. A pilot qualified to fly the 737 NG could take the controls of a MAX without lengthy retraining.
The first 737 model of the 1960s had two cigar-shaped engines, long and narrow, located under the wings (in the photo above, on the left). Since then, jet engines have become fat and short. They get most of their thrust not from the jet exhaust leaving the tailpipe but from the bypass airflow driven by a large-diameter fan. Mounted under the 737's wings, such engines would scrape the ground; therefore they are mounted on pylons that extend forward from the leading edge of the wing. The engines on the MAX models (pictured above, on the right) are the fattest yet, and their fan has a diameter of 69 inches (175 cm). Compared to the NG series, the MAX engines are moved forward a few inches and hang a few inches lower.
In the New York Times article written by David Gelles, Natalie Kitroeff, Jack Nicas and Rebecca R. Ruiz, the development of this aircraft is described as hasty and chaotic.
Being late from Airbus for months, Boeing was forced to make up for lost time. According to former and current employees who communicated with The New York Times, the pace of work on 737 Max was insane ... Former employees say that engineers were forced to accept technical drawings and designs about twice as fast as usual.
The Times article also notes: “Although the project was chaotic, current and former employees say they completed it, being confident in the safety of the aircraft.”
Pitch Instability
At some stage in the development of the MAX series, Boeing ran into an unpleasant surprise. Under certain flight conditions, the new engines caused an undesirable increase in the pitch angle. When I first read about this issue shortly after the crash of the Lion Air flight, I found the following explanation in an article by Sean Broderick and Guy Norris in Aviation Week and Space Technology (Nov. 26 – Dec. 9, 2018, pp. 56–57):
As with all turbofan airliners, in which the engine thrust lines are below the center of gravity, any changes in thrust 737 will lead to changes in the inclination angle of the flight path caused by the vertical thrust component.
In other words, low-hanging engines not only push the aircraft forward but also tend to rotate it about the pitch axis. It is like a bicycle doing a wheelie. Since the MAX engines are mounted even lower and further ahead of the center of gravity, they act on a longer lever arm and cause much stronger pitch-up motions.
I found a more detailed description of this effect in an earlier Aviation Week article, a 2017 pilot report by Fred George describing his first flight at the controls of the new MAX 8.
The aircraft has sufficient natural speed stability in most flight modes. But with as much as 58,000 pounds of thrust provided by engines located far below the center of gravity, there is a clear link between thrust and pitch at low speeds, especially with rear centering and low overall weight. Boeing equips the plane with the function of increasing the stability of speed, which makes it possible to compensate the connection by automatically deflecting the horizontal stabilizer in accordance with the speed indicators, the position of the engine control lever and the center of gravity. However, pilots should be aware of the effect of a change in thrust at the moment of pitch and resist it with the help of the steering wheel and the elevator trimmer.
The mention of a stability-augmentation function that performs “automatic deflection of a horizontal stabilizer” sounds awfully familiar, but it turns out that this is not MCAS. The system that compensates for the coupling of thrust and pitch is called speed-trim. Like MCAS, it works behind the pilot's back, moving control surfaces without direct commands. There is another such system, called mach-trim, which silently corrects another pitch anomaly that occurs when the airflow approaches near-sonic speeds, at about Mach 0.6. Neither of these systems was new to the MAX series; they have been part of the control algorithm since at least the 1997 release of the NG series. MCAS runs on the same computer as speed-trim and mach-trim and is part of the same software system, but it is a separate function. And according to what I have read in the past few weeks, it is meant to solve a different problem, one that seems much more sinister.
Most aircraft have a convenient property called static stability. When the plane is properly trimmed for level flight, you can let go of the control column - at least temporarily - and it will continue along a stable path. Moreover, if you pull the column toward you to lift the nose and then release it again, the pitch angle will return to neutral. The arrangement of the aircraft's various aerodynamic surfaces is designed to produce this behavior. When the nose rises, the tail drops, pushing the underside of the horizontal stabilizer into the airstream. The air pressure on this tail surface creates a restoring force that brings the tail back up and the nose back down. (That is why it is called a stabilizer!) This negative feedback loop is built into the design of the aircraft, so any deviation from equilibrium creates a force that opposes it.
However, the tail surface with its useful stabilizing property is not the only structure that affects the balance of aerodynamic forces. Jet engines are not designed to give the aircraft lift, but at high angles of attack they can create it, because the airflow strikes the underside of each engine's outer shell (the nacelle). When the engines are well ahead of the center of gravity, this lift creates a turning moment that increases the pitch. If this moment exceeds the balancing force from the tail, the plane becomes unstable. A nose-up attitude creates a force that raises the nose even more, and positive feedback wins.
Is the 737 MAX subject to such increases in pitch angle? This possibility was not obvious to me until I read the commentary on MCAS on the Boeing 737 Technical Site, a web publication by former 737 pilot and instructor pilot Chris Brady. He writes:
MCAS — . , MAX , NG; , LEAP-1B AoA. LEAP , NG CFM56-7, . AoA ; , (.. ), , . / FAR §25.173 «Static longitudinal stability» .
(FAR stands for Federal Air Regulations. Part 25 sets out airworthiness standards for transport-category airplanes.) Therefore, MCAS was created to provide stabilizer commands for lowering the nose during sharp bends with increased load factors (high AoA) and during flights with closed flaps at speeds close to the occurrence of a stall.
Brady does not cite any sources for his claims, and as far as I know Boeing has neither confirmed nor denied them. But the above-mentioned Aviation Week, which I cited when explaining the link between thrust and pitch, supported the hypothesis of lift instability caused by the nacelles in a more recent issue (March 20):
MAX CFM Leap 1 AOA , NG CFM56-7. MCAS - , MAX NG.
If we assume that Brady's account is correct, an interesting question arises: when exactly did Boeing notice the instability? Were the designers aware of this danger from the very beginning of the project? Did it show up in computer simulations, or in wind-tunnel tests of scale models? A story by Dominic Gates in the Seattle Times hints that Boeing may not have realized the seriousness of the problem until flight tests of the first aircraft, which began in 2015.
According to Gates, the safety analysis submitted to the FAA stated that MCAS would be able to move the horizontal stabilizer by no more than 0.6 degrees. In the aircraft released to the market, MCAS can deflect it by as much as 2.5 degrees and can act repeatedly until it reaches the mechanical limit of travel of about 5 degrees. Gates writes: , , , .
, - .
It seems that the instability of the MAX at high AoA is a property of the aerodynamic shape of the entire aircraft, and the direct way to suppress it would be to change that shape. For example, to restore static stability one could enlarge the tail surface. But such modifications of the airframe would have delayed the release of the aircraft, especially since the need for them was discovered after the first prototypes had flown. In addition, structural changes could have jeopardized the possibility of flying the new model on the old type rating. A software change, rather than a modification of the aluminum structure, must have seemed an attractive alternative. Perhaps someday we will know how this decision was made.
By the way, according to Gates, the safety analysis document submitted to the FAA, which contains the 0.6-degree limit, is to be revised to reflect the true range of possible MCAS commands.
Flight in conditions of instability
Instability is not necessarily a black mark against an aircraft. There have been at least a few successful unstable designs, beginning with the 1903 Wright Flyer. The Wright brothers deliberately placed the horizontal stabilizer in front of the wing rather than behind it, because their earlier experiments with kites and gliders had shown that what we call stability can also be called sluggishness. The Flyer's forward control surfaces (called a canard) amplified any slight upward or downward movement of the nose. Maintaining a steady pitch demanded intense concentration from the pilot, but it also allowed the aircraft to respond faster when the pilot wanted to increase or decrease the pitch. (The pros and cons of this design are discussed in a 1984 article by Fred E. C. Culick and Henry R. Jex.)
Orville at the controls, Wilbur running alongside, Kitty Hawk, December 17, 1903. In this picture we see the plane from behind. The canard - the pair of adjustable horizontal surfaces at the front - appears to be commanding nose-up. (Photo: WikiMedia.)
Another seriously unstable aircraft was the Grumman X-29, a research platform designed in the 1980s. The wings of the X-29 were set toward the back; moreover, the main pitch-control surfaces were placed ahead of the wings, as on the Wright Flyer. The goal of this strange project was to investigate designs of extreme agility, sacrificing static stability for faster maneuvering. No unaided pilot could cope with such a twitchy vehicle. It required a digital electronic control system that sampled the state of the aircraft and adjusted the control surfaces up to 80 times per second. The controller was successful, perhaps even too successful. It allowed the plane to fly safely, but by taming the instability it left the plane with rather limited handling characteristics.
I personally had some connection with the X-29 project. In the 1980s, I briefly worked as an editor with a group at Honeywell that developed and built the X-29 control system. I helped prepare publications according to the rules of management, and also contributed to their implementation in hardware and software. This experience gave me enough information to understand that there is something strange about MCAS: it is too slow to suppress the aerodynamic instability of a jet aircraft. While the X-29 controller had a reaction time of 25 milliseconds, MCAS took 10 seconds to move the 737's stabilizer by 2.5 degrees. At such a pace, the system probably could not cope with forces lifting the nose in a positive feedback loop.
There is a simple explanation. MCAS is not meant to fly an unstable aircraft. Its job is to keep the aircraft from entering the regime in which it becomes unstable. The same strategy is used by other stall prevention mechanisms - they intervene before the angle of attack reaches the critical point. However, if Brady is right about the 737 MAX instability, this task becomes more urgent for MCAS. Instability implies a sharp and dangerous descent. MCAS is a guardrail that brings you back onto the road when you are about to drive off a cliff.
Which leads us to the announced plan for fixing the MCAS problem. Reportedly, the modified system will not activate itself so persistently and will automatically turn off if it detects a large difference between the readings of the two AoA sensors. These changes should prevent a recurrence of the recent accidents. But do they provide adequate protection against the problem that MCAS was supposed to deal with in the first place? When MCAS is turned off, whether manually or automatically, nothing will stop a careless or misled pilot from straying into the part of the flight envelope in which the MAX becomes unstable.
Without additional information from Boeing, one cannot say how serious the instability can be, if it really exists. Brady's article on the Boeing 737 Technical Site states that the problem was partly caused by the pilots. Normally, to keep raising the nose, the pilot has to pull the control column harder and harder. However, in the region of instability the resistance to the pull suddenly drops, so the pilot may inadvertently pull the column to a more extreme position.
Is human input a necessary part of the instability, or is it just an aggravating factor? In other words, if you remove the pilot from the feedback loop, will the positive feedback still cause an uncontrollable rise of the nose? So far I have not found the answer.
Another question: if the root of the problem is a deceptive change in the force that resists nose-up movements of the control column, then why not solve this problem directly?
The elevator boot mechanism transmits “fake” forces to the pilot’s steering wheel. The figure is taken from the presentation of the B737 NG 's author’s theory of flight controls . The presentation was created for the 737 NG series, not the MAX; perhaps the architecture has changed.
In the 737 (and most other large aircraft) the force “felt” by the pilot through the control yoke is not a simple reflection of the aerodynamic forces acting on the elevator and other control surfaces. The feedback forces are mostly synthesized: they are generated by the loading mechanism of the elevator feel and centering unit, a device that monitors the state of the aircraft and generates corresponding hydraulic pressures that push the yoke in one direction or the other. These systems could be given the additional task of maintaining or increasing the pulling force on the yoke when the angle of attack approaches the region of instability. Artificially increased resistance is already part of the stall prevention system. Why not extend it to MCAS? (Perhaps there is a reasonable answer to this, but I do not know it.)
Where is the shutdown button?
Even after MCAS switched on spuriously on Lion Air 610, the crash and the casualties could have been avoided if the pilots had simply turned the thing off. But why didn't they? It seems that they had never heard of MCAS, did not know that it was installed on the plane they were flying, and had not received any instructions on how to turn it off. There are no switches or buttons marked “MCAS ON / OFF” in the cockpit. The system is not mentioned in the flight manual (except in the list of abbreviations), and there were no training programs for pilots who switched from the 737 NG to the MAX. The training consisted of one or two hours (accounts differ) of working with an iPad application.
Boeing's explanation of these omissions is given in a Wall Street Journal story:
“One of the high-ranking officials of Boeing reported that the company decided not to disclose details to the crews because of concerns about overloading ordinary pilots with too much information and much more technical data than they could assimilate.”
To call this statement “hypocritical” is an understatement. It is simply absurd. Boeing did not merely withhold “details”; it never mentioned the very existence of MCAS. And the “too much information” argument is simply silly. I do not have a MAX flight manual, but the NG edition runs to more than 1,300 pages, plus another 800 pages of quick reference manual. A few paragraphs about MCAS would not overload a pilot who had already mastered the manual. Moreover, the manual describes in detail the speed-trim and mach-trim systems, which most likely fall into the same category as MCAS: they operate autonomously and give the pilot no direct interface for monitoring and adjustment.
After the Lion Air accident, Boeing stated that the procedure for disabling MCAS was spelled out in the manual, although MCAS itself is not mentioned there. This procedure is given in the checklist for the “stabilizer trimmer out of control” problem. It is not very complicated: hold the control yoke firmly and disengage the autopilot and autothrottle, if they are engaged; then, if the problem persists, turn the two switches labeled “STAB TRIM” to the “CUTOUT” position. In the event of an MCAS malfunction, only the last step really mattered.
This checklist is a “memory action”; pilots should be able to perform these steps without looking at the manual. The Lion Air crew surely knew it. But could they have recognized that this particular checklist applied on a plane whose behavior did not resemble anything they had seen in training or when flying the previous 737 model? According to the manual, the condition that called for the stabilizer trimmer troubleshooting checklist was “constant spontaneous movement of the stabilizer trimmer”.
The MCAS commands were not constant but repetitive, so diagnosing the problem required a leap in reasoning.
By the time of the Ethiopian crash, 737 pilots around the world knew about MCAS and the procedure for shutting it down. A preliminary report released at the beginning of the month by Ethiopian Airlines showed that after a few minutes of struggling with the control yoke, the pilots of flight 302 did use the checklist procedure and turned the STAB TRIM switches to the CUTOUT position. After that, the stabilizer stopped responding to MCAS nose-down commands, but the pilots failed to regain control of the aircraft.
It is not yet entirely clear why they failed and what happened in the cockpit in the last few minutes. One possible factor is that the Cutout switch disables not only the automatic movements of the pitch trim, but also the manual ones, which are controlled by buttons on the control yoke. The switch cuts off all power to the motor that moves the stabilizer. In this situation, the only way to move the trim is to turn the handwheels located next to the pilots' knees. During the crisis on flight 302, this mechanism could have been too slow to adjust the angle in time, or the pilots were so focused on pulling the yoke back with maximum force that they did not try to use the handwheel. It is also possible that they turned the switches back to the NORMAL position, restoring power to the stabilizer motor. Such a possibility is not mentioned in the report, but it is hinted at by a chart from the flight recorder (see below).
Component leading to the failure of the entire system
One can argue about whether MCAS is a good idea when it works correctly, but when it switches on erroneously and steers the plane into the sea, no one dares to defend it. Apparently, the uncontrolled behavior in the Lion Air and Ethiopian disasters was caused by a malfunction of a single sensor. In aviation, this should not happen. It is impossible to explain why an aircraft manufacturer would deliberately build an aircraft in which the failure of a single component leads to a fatal accident.
Protection against single failures is provided by redundancy, and in the design of the 737 this principle is so fully embodied that the airplane can practically be considered two planes in one airframe.
The cockpit has room for two pilots looking at two separate sets of instruments and using separate sets of controls. The left and right instrument panels receive signals from different sets of sensors, and those signals are processed by different computers. Each side of the cockpit has its own inertial control system, its own navigation computer, its own autopilot. The plane has two power supplies and two hydraulic systems, plus mechanical backup systems in case of a double hydraulic failure. The two control yokes normally move in unison (they are connected under the floor), but if one yoke gets stuck, this connection can be broken, which allows the other pilot to continue controlling the aircraft.
There is one exception in this list of duplicated systems: the device called the flight control computer (FCC) seems to have received special treatment. There are two FCCs on board, but according to the Boeing 737 technical site, only one of them is active on any given flight. All other duplicated components work in parallel: they receive independent inputs, perform independent calculations, and issue independent commands. But on every flight, only one FCC does all the work, and the second is idle. The scheme for selecting the active computer looks oddly arbitrary. Every day, when the aircraft is powered up, the left FCC gets control on the first flight, then the right one takes control on the second flight of the day, and so the two sides alternate until the power is turned off. After the next power-up, the alternation starts again with the left FCC.
Many aspects of this scheme surprise me. I do not understand why the duplicated FCC devices are treated differently from other components. If one FCC fails, will the second automatically take over? Can pilots switch between them in flight? If so, would this be an effective way to deal with an MCAS malfunction?
I tried to find answers in the manuals, but I do not trust my interpretation of what I read.
In addition, I had great difficulty finding information about the FCC itself. I do not know who makes it, what it looks like or how it is programmed. On the Closet Wonderfuls website, an item called the “737 flight control computer” is sold for $43.82 with free shipping. The Airframer website lists many suppliers of parts and materials for the 737, but has no information about the flight control computer. The device has a Honeywell nameplate. I was tempted to buy the device from the Closet Wonderfuls site, but I’m pretty sure that the latest MAX models do not have such a device installed. I learned that the FCC was formerly called the FCE (flight control electronics), which suggests that the device was analog and performed integration and differentiation with capacitors and resistors. I am sure that today's FCC has caught up with the digital era, but it may be specialized, custom-made hardware. Or a standard Intel processor in an unusual package, perhaps even running Linux or Windows. I just do not know.
In the context of the MAX disasters, the flight control computer is important for two reasons. First, it hosts MCAS; this is the computer that runs the MCAS software. Second, the curious procedure of alternating the FCCs from flight to flight also determined which AoA sensor supplied input to MCAS. The left and right sensors are connected to the corresponding FCCs.
If the two FCCs are used alternately, this raises an interesting question about the history of the plane that crashed in Indonesia. The preliminary report on the accident describes problems with various instruments and controls on five flights over a period of four days (including the flight that ended in the accident).
All the problems arose on the left side of the airliner or were caused by disagreement between the left and right sides.
The flight in the second row (Manado → Denpasar) is not mentioned in the preliminary report, but the plane had to fly from Manado to Denpasar in order to make the next day's flight.
Date | Route | Problem reports | Maintenance |
---|---|---|---|
October 26 | Tianjin → Manado | left side: no airspeed and altitude readings | check the left stall management computer and stabilize the yaw angle; done |
? | Manado → Denpasar | ? | ? |
October 27 | Denpasar → Manado | left side: no readings of airspeed and height; speed-trim and mach-trim warning indicators | ; ; ; ; ; |
27 | Manado → Denpasar | : ; speed-trim mach-trim; | ; ; ; AoA |
October 28 | Denpasar → Jakarta | : [ MCAS] | ; |
29 | Jakarta → Pangkal Pinang | [ MCAS] | |
On which of the five flights was the left FCC the active computer? The last two, when MCAS was activated, were the first flights of the day, so they were presumably controlled by the left FCC. It is hard to say about the rest, especially because the maintenance operations could have been followed by complete power-downs of the aircraft, after which the alternation of computers must start over.
It is reported that the upgraded MCAS software will take into account the signals from both AoA sensors. What will it do with the additional information? So far, only one detail has been published: if the readings differ by more than 5.5 degrees, then MCAS will turn off. What if the readings differ by 4 or 5 degrees?
How will MCAS choose which sensor to trust? Conservative (or pessimistic) engineering practice would give preference to the higher reading in order to provide better protection against instability and stalling. But this choice also increases the risk of dangerous “patches” caused by a faulty sensor.
The current MCAS system, with alternating left and right sensors, has a 50 percent chance of a crash in the event that one random failure causes an AoA sensor to transmit erroneously high data. With the same random failure on one side, the updated MCAS will have a 100 percent chance of ignoring the pilot's attempts to move into the stall region. Is this an improvement?
Broken sensor
Although a faulty sensor should not lead to an airplane crash, I would still like to know what happened to the AoA vane.
No one is surprised that AoA sensors can fail. These are mechanical devices operating in harsh environments: winds exceeding 500 miles per hour and temperatures below –40 degrees Celsius.
A common type of malfunction is a stuck sensor, which is often caused by icing (despite the built-in anti-icing heater). But a stuck vane would transmit constant data that does not depend on the actual angle of attack, and different symptoms were observed on flight 610. The flight recorder shows small fluctuations in the signals of the left and right instruments. Moreover, the oscillations of the two curves are closely aligned, which tells us that both were tracking the same movements of the aircraft. In other words, it appears that the left sensor was working; it simply transmitted measurements that were shifted by a constant amount, approximately equal to 20 degrees.
Is there any other type of failure capable of creating the observed offset? Of course: it is enough just to bend the vane by 20 degrees. Perhaps it was hit by a passing truck or a ladder. Another guess: the sensor could have been installed incorrectly, with the entire device rotated by 20 degrees. Several authors on the Professional Pilots Rumour Network website explored this possibility, but they finally concluded that it was not possible. The manufacturer, who no doubt knew about such a danger, placed the mounting screws and centering pins asymmetrically, so the device can be installed in its housing in only one orientation.
The same effect could result from an assembly error during sensor production. The vane could be attached incorrectly to the shaft, or the internal transducer that converts the angular position into an electrical signal could be attached incorrectly. Did the designers make such errors impossible?
I do not know; I did not manage to find drawings or photographs of the sensor internals.
Studying other possible causes of failure, I briefly reviewed the FAA airworthiness standards used in servicing or replacing AoA sensors. I found that there are several dozen of them, and some of them describe the same sensor that is installed on the 737 MAX (Rosemount 0861). But none of the reports I read described a fault that could cause a constant error of 20 degrees.
For a while, I thought that the failure might have occurred not in the sensor itself, but somewhere further along the data path. It could be something simple, such as a faulty cable or contact. The signals from the AoA sensor are transmitted to an air data inertial reference unit (ADIRU), in which the sine and cosine components are combined and digitized to obtain a number representing the measured angle of attack. The ADIRU also receives input from other sensors, including Pitot tubes, which measure the speed of the air flow, and static pressure receivers, which measure air pressure. In addition, the device contains the gyroscopes and accelerometers of an inertial control system that can track the movement of the aircraft without relying on external data. (There is a separate ADIRU for each side of the aircraft.) The problem might have occurred in the digitizer: an error in the bits, not in the vane.
But information received later demolished this idea. To begin with, the AoA sensor removed by the Lion Air maintenance team on October 27 is now in the hands of the investigators. According to news reports, it was “recognized as defective”, but I have not yet heard any mention of specific defects. In addition, it turns out that one element of the control system, the Stall Management and Yaw Damper (SMYD) computer, receives the analog sine and cosine voltages directly from the sensor, rather than the digitized angle calculated by the ADIRU.
It is the SMYD that controls the stick-shaker (control yoke vibration) warning. On both the Lion Air flight and the Ethiopian flight, the shaker was active almost continuously, so these analog sine and cosine voltages must have indicated a high angle of attack. In other words, the error already existed before the signal reached the ADIRU.
I'm still puzzled by the constant angular offset in the Lion Air flight data, but now this question seems a little less important. From the preliminary report on Ethiopian flight 302, it follows that the left AoA sensor on that plane also failed badly, but in a completely different way. Here are the corresponding graphs from the flight recorder:
The AoA sensor readings are at the top; the red line is the left sensor, the blue line is the right one. In the left part of the graph, they differ slightly when the plane must have just started to move, but as the plane picked up speed along the runway, their readings began to almost coincide. However, during takeoff a significant discrepancy appeared: the left vane began to show a completely impossible nose-up angle of 75 degrees. Later, it decreases by several degrees, but otherwise shows no sign of the fluctuations that would suggest a reaction to the air flow. At the very end of the flight there are other unexpected deviations.
By the way, the blue chart of the automatic trim commands gives another hint of what could have happened in the last moments of Flight 302. Around the middle of the chart, the STAB TRIM switches were thrown, so the automatic nose-down command had no effect on the stabilizer position. But at the far right, another automatic nose-down command did affect the trim position chart, and this suggests that the Cutout switches had been turned back on.
Other puzzles
But there is still much that I do not understand.
Riddle number 1. If the Lion Air and Ethiopian crashes were caused by faulty AoA sensors, this means that a completely new aircraft had three parts with similar defects (including the spare sensor installed on the Lion Air aircraft on October 27). Recent news revealed that the spare part was not new, but refurbished in a Florida workshop called XTRA Aerospace. This fact gives us another possible culprit, but the two sensors installed by Boeing were supposedly not refurbished, so you can't blame XTRA for all of them.
Currently, about 400 MAX aircraft are in operation, with 800 AoA sensors installed on them. Is a 3/800 failure rate unusual or unacceptable? Does this judgment depend on whether the defect was the same in all three cases?
Riddle number 2. Let's take a look at the graphs of pitch trim and angle of attack in the Lion Air 610 data. The conflict between manual and automatic commands attracted everyone’s attention, but what happens in the first few minutes is also puzzling.
While the plane was moving along the runway, the pitch trim was set at almost the maximum nose-up position (blue line). Immediately after takeoff, the automatic trim system began issuing commands for further nose-up movement, and the stabilizer probably reached its mechanical limit. At this point, the pilots manually moved it toward a lower pitch angle, and the automatic system responded with a quick sequence of commands to increase the pitch angle. In other words, the tug-of-war between the pilots and the automation had already begun, but the pilots and the automation were pulling in directions opposite to the ones they would choose later. All this happened while the flaps were still extended, that is, MCAS could not have been active. Some other element of the control system must have been issuing these nose-up commands.
Adding to the mystery, the left AoA sensor was already sending its erroneously high readings to the left flight control computer. If the FCC was acting on this data, then it should not have sent commands to increase the pitch.
Riddle number 3. The AoA readings are not the most interesting data in the Lion Air preliminary report. Here are the graphs of altitude and speed:
The altitude reading on the left side (red line) is off by only a few hundred feet. It seems that the error is multiplicative rather than additive, probably 10 percent. The left and right airspeed readings are also inconsistent, but the graph is too compressed to quantify the difference. It was these discrepancies that initially troubled the pilots of flight 610; they could see them on their instruments. (There were no angle-of-attack indicators in the cockpit, so those conflicts remained invisible to them.)
Altitude, airspeed and angle of attack are all measured by different sensors. Could they all fail at the same time? Or is there some common point of failure that can explain all this strange behavior? In particular, could a single unreliable AoA sensor cause all this chaos? I guess so. The angle of attack affects the altitude, airspeed, and even temperature sensors. The measured speed and pressure are therefore corrected for this confounding variable using the AoA sensor output. That output was erroneous, so the corrections allowed a single stream of erroneous data to infect all the air-data measurements.
Man or machine
Six months ago, I wrote about another catastrophe caused by a control system out of control. In that case, the problem was natural gas distribution in Massachusetts, where an improperly configured pressure regulation setting caused fires and explosions in more than 100 buildings, as well as the death of one person and serious injuries to twenty. At the time I lamented that the special pathos of technological tragedies lies in the fact that the agents of our destruction are machines that we design and build ourselves.
In a world where defective automatic controls blow up houses and make airplanes fall from the sky, it’s hard to argue for more automation, for adding new layers of complexity to control systems, for giving machines greater autonomy. Society is leaning in the opposite direction. Like President Trump, most of us trust pilots more than scientists. We do not want MCAS on board. We want to see Chesley Sullenberger, the hero of USAir flight 1549, who guided his crippled A320 to a landing on the Hudson River and saved 155 passengers. No level of cockpit automation will allow such a trick to be performed.
However, a cold, analytical look at the statistics suggests a different reaction. Human involvement does not always save the situation. On the contrary, pilot error is responsible for the largest number of fatal accidents. In one study, pilot errors are named as the primary cause of 40 percent of catastrophes, and equipment failure of only 23 percent. Nobody (for the time being) is in favor of an unmanned cockpit, but at the current stage of development of aviation technology this is a much nearer prospect than a cockpit without computers.
The 737 MAX MCAS system is a particularly awkward compromise between fully manual and fully automatic control. Programs are given a large share of responsibility for flight safety, and they are even given the ability to override the pilot’s decision.
However, in the event of a system malfunction, responsibility for working out the cause and correcting it falls entirely on the pilot, and the situation must be rectified quickly, otherwise MCAS will send the plane into the ground.
Two destroyed aircraft and 346 deaths are convincing evidence that such a design is a bad idea. But what can we do about it? Boeing plans to move away from automatic control, returning more responsibility and power to the pilots:
- The flight control system will now compare incoming signals from both AOA sensors. If the sensors diverge by 5.5 degrees or more with the flaps retracted, MCAS will not activate. A cockpit indicator will warn pilots of this.
- If MCAS is activated under abnormal conditions, it will provide only one input for each event of increased AOA. There are no known or suspected failure conditions under which MCAS will send multiple inputs.
- MCAS will never be able to command more stabilizer input than the crew can counteract with the control column. Pilots will still always have the option of turning off MCAS and controlling the aircraft manually.
A statement from Boeing CEO Dennis Muilenburg says that the software update "guarantees that the accidents of flight 610 Lion Air and flight 302 Ethiopian Airlines cannot be repeated." I hope this is true, but what about the incidents that MCAS is supposed to prevent? I also hope that we will not have to read about the stall and crash of a 737 MAX that happened because the pilots assumed MCAS was faulty and kept pulling the control yokes toward themselves.
If Boeing had chosen the opposite approach, not restricting MCAS but improving it with new algorithms working with the control system, such a plan would have been met with indignation and ridicule. It really does seem like a terrible idea. MCAS was installed to prevent pilots from entering a dangerous region. The new supervisory system would monitor MCAS, stepping in when it behaves suspiciously. But wouldn't we then need another watcher to watch the watcher, and so on ad infinitum? Moreover, with each new layer of complexity we get new side effects, unintended consequences and opportunities for breakdowns. The system becomes harder to test, and its correctness becomes impossible to prove.
These are serious objections, but the problem under consideration is also serious.
Suppose that the 737 MAX had no MCAS, but there was an angle-of-attack indicator in the cockpit. On the Lion Air flight, the captain would have felt the stick shaker warning him of an impending stall and seen a dangerously high angle of attack on the instrument panel. His training would have prompted him to do what MCAS did: lower the nose to make the wings work again. Would he have continued to lower it until the plane hit the water? Of course not.
He would have looked out the window, rechecked the instrument readings on the other side of the cockpit, and after a few terrible moments would have realized that it was a false alarm. (In the dark or in low visibility, when the pilot cannot see the horizon, the result could be worse.)
I see two lessons in this hypothetical example. First, erroneous sensor data is dangerous no matter who is flying the plane: a computer or Chesley Sullenberger. An intelligently designed instrumentation and control system would take steps to detect (and ideally correct) such errors. At the moment, the only protection against such failures is the redundancy of systems, and in the unmodified version of MCAS even this protection was compromised. This is not enough.
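As an added illustration of detecting and attributing a bad AoA reading (this is not code from the article, from Boeing or from any avionics supplier), the sketch below compares both vanes with an estimate that uses no vane at all: pitch angle minus flight-path angle, which approximates the angle of attack in wings-level flight in still air. The 5.5-degree vane-to-vane limit is the figure quoted in the article; every other threshold, name and sample value is a constructed assumption.

```python
import math
from statistics import mean, pstdev

DISAGREE_LIMIT_DEG = 5.5  # vane-to-vane limit quoted in the article
REF_LIMIT_DEG = 3.0       # assumption: allowed mean error against the inertial estimate
OFFSET_SPREAD_DEG = 1.0   # assumption: error spread below this means a steady bias
STUCK_SPREAD_DEG = 0.1    # assumption: raw spread below this means a frozen vane
MOTION_SPREAD_DEG = 0.5   # assumption: reference spread showing the aircraft moved
MIN_AIRSPEED = 40.0       # m/s, assumption: below this the estimate is not used


def inertial_aoa(pitch_deg, vertical_speed, airspeed):
    """AoA estimate that uses no vane: pitch minus flight-path angle.
    Holds for wings-level flight in still air; returns None at low speed."""
    if airspeed < MIN_AIRSPEED:
        return None
    ratio = max(-1.0, min(1.0, vertical_speed / airspeed))
    return pitch_deg - math.degrees(math.asin(ratio))


def vanes_disagree(left, right):
    """Two-sensor comparison: detects a split but cannot say which vane is wrong."""
    return abs(left - right) >= DISAGREE_LIMIT_DEG


def diagnose(samples):
    """Attribute a fault to a side and classify it over a window of samples.
    Returns None when no independent reference is available, otherwise a
    list of (side, mode, mean_bias_deg) for every vane that is out of limits."""
    rows = []
    for s in samples:
        ref = inertial_aoa(s["pitch"], s["vs"], s["tas"])
        if ref is not None:
            rows.append((s["left"], s["right"], ref))
    if len(rows) < 3:
        return None
    refs = [r[2] for r in rows]
    findings = []
    for side, idx in (("left", 0), ("right", 1)):
        raw = [r[idx] for r in rows]
        errors = [value - ref for value, ref in zip(raw, refs)]
        bias = mean(errors)
        if abs(bias) <= REF_LIMIT_DEG:
            continue  # this vane agrees with the inertial estimate
        if pstdev(raw) < STUCK_SPREAD_DEG and pstdev(refs) > MOTION_SPREAD_DEG:
            mode = "stuck"            # frozen reading while the aircraft moved
        elif pstdev(errors) < OFFSET_SPREAD_DEG:
            mode = "constant_offset"  # tracks the aircraft, shifted by a bias
        else:
            mode = "erratic"
        findings.append((side, mode, round(bias, 1)))
    return findings


# Constructed sample window (not flight-recorder data): a steady climb at
# 100 m/s true airspeed and 10 m/s vertical speed with small pitch changes.
PITCH = [8.0, 9.0, 10.0, 9.0, 8.0, 9.0]
RIGHT = [2.4, 3.1, 4.3, 3.4, 2.2, 3.3]


def window(left_values):
    return [{"left": l, "right": r, "pitch": p, "vs": 10.0, "tas": 100.0}
            for l, r, p in zip(left_values, RIGHT, PITCH)]


HEALTHY = window(RIGHT)
OFFSET_20 = window([r + 20.0 for r in RIGHT])   # bias like the one described for flight 610
OFFSET_4_5 = window([r + 4.5 for r in RIGHT])   # below the 5.5-degree limit
STUCK = window([15.0] * 6)                      # frozen vane

if __name__ == "__main__":
    for name, w in [("healthy", HEALTHY), ("offset 20", OFFSET_20),
                    ("offset 4.5", OFFSET_4_5), ("stuck", STUCK)]:
        split = any(vanes_disagree(s["left"], s["right"]) for s in w)
        print(f"{name:10s} two-vane split={split!s:5s} diagnosis={diagnose(w)}")
```

In the 4.5-degree case the two-vane comparison stays silent while the reference-based check still attributes the bias to the left vane, and in all cases the check degrades to "no verdict" rather than a guess when the inertial estimate is unavailable.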
An important advantage of human pilots is that they are rational and sometimes skeptical about instrument readings. Such rationality is quite possible for automated systems as well. Many sources of information can be used. For example, a mismatch between AoA sensors, Pitot tubes, static pressure receivers and air temperature probes is not only an error signal, but also an opportunity to work out which of the sensors is faulty. The inertial reference system provides an independent check on the position of the aircraft; you can even use GPS signals. Admittedly, the main difficulty is making sense of all this data and drawing the correct conclusions from it.
Second, a feedback controller has another source of information: an implicit model of the controlled system. If you change the angle of the horizontal stabilizer, then you should expect the state of the aircraft to change in a known way: its angle of attack, pitch angle, airspeed, altitude and the rate of change of all these parameters. If the result of the control action does not match the model, then something is wrong. Persistently issuing the same commands when they do not produce the expected results is unreasonable behavior. The autopilot has rules for such situations; similar sanity checks can be implemented in the low-level control rules that operate when flying in manual mode.
I do not claim to have a solution to the MCAS problem. And I would not want to fly on an airplane that I designed myself. (And you wouldn't want to either.) But there is a general principle that I think must be accepted wholeheartedly: if autonomous systems make life-and-death decisions based on sensor data, then the correctness of this data must be checked.
Supplement dated April 11, 2019
Boeing continues to insist that MCAS “is not a stall protection function or a stall prevention function. This is a flight-qualities function. Opinions that this is something else are misleading.” This statement was made by Boeing's vice president of product development and future aircraft development, Mike Sinnett; it appeared in a Guy Norris article in Aviation Week, published April 9.
I don’t quite understand what “qualities” means in this context. The expression seems to me to describe something that has more influence on comfort, aesthetics or convenience than on safety. An airplane with different flight qualities may feel different to the pilot, but the pilot can still control it without the risk of serious accidents. Is Sinnett hinting at something with this statement? If so, that is, if MCAS is not critical for flight safety, then I’m surprised that Boeing doesn’t simply turn it off temporarily to get the aircraft back in the sky while the company works on a final solution.
Norris’s article also quotes Sinnett: “We are trying to avoid a situation where the pilot pulls the control yoke toward himself, suddenly it becomes easier to do, and he raises the nose too far.” This situation, in which the nose is higher than the pilot wanted, reminds me of the state that precedes a stall.
The story written by Jack Nicas, David Gelles and James Glanz in the New York Times presents a different point of view: it suggests that the “flying qualities” were the motivation for creating the first version of MCAS, but that the risk of stalling partly drove its later strengthening.
And finally, another article in Aviation Week by Guy Norris presents a convincing account of what happened to the angle-of-attack sensor of Ethiopian Airlines Flight 302. According to Norris's sources, the AoA vane was torn off seconds after takeoff, possibly as a result of a bird strike. This hypothesis is consistent with the graphs extracted from the flight recorder, including the strange-looking fluctuations at the very end of the flight. I wonder if there is any hope of finding the lost vane, which must have fallen not far from the end of the runway.