MCAS: Them, Us, and Progress


Eddie sez:

Now that the official accident report on the crash of Lion Air 610 is out, the dividing lines have been set for why this Boeing 737 MAX 8 crashed on October 29, 2018. Those of us in the formerly “If it ain’t Boeing I ain’t going” crowd (and I do count myself as a member) may feel personally injured that the company that would forever grant control of the airplane to pilots (unlike the heathens at Brand X) has been caught giving some supremacy to the computers. Non-Boeing lovers will say the rest of us might as well throw in the towel and agree that if the electrons are to rule, go with a company that realized that early on. I think the former crowd is ignoring the trajectory of aerospace engineering and the latter crowd is forgetting the tremendous design advantage inherent in every Boeing product.

I have a more thorough analysis of the Lion Air 610 crash here: Case Study: Lion Air 610. What follows here are my opinions, for what they are worth. (Address all “you don’t know what you are talking about” letters to Eddie, contact information below.) Unlike legal jurisprudence, the effort in flight safety is not to assign blame, but to prevent recurrence. And that is my aim here; I hope to instill in pilots a healthy amount of skepticism towards safety claims and a desire to learn more about their aircraft and work on basic stick and rudder skills.

So here are the conclusions I’ve drawn from Lion Air 610: Boeing mishandled the design, the FAA mishandled the certification, and the pilots mishandled the airplane. Just as far too many non-pilots are ready to condemn the company, far too many pilots are quick to excuse the pilots. No matter where you stand in this blame game, it is critical to put a historical and practical perspective on aviation progress. (Hint: the electrons are here to stay.) But my main purpose is to provide pilots with the tools needed to avoid these kinds of accidents. To that end I’ll provide three predictions to match those three conclusions: Boeing will learn from their mistakes, the FAA will not, and the pilot pool will have those that learn from the mistakes of others and those that do not.

Everything here is from the references shown below, with a few comments in an alternate color.


Photo: Boeing 737 MAX 8 Stabilizer control, KNKT.18.10.35.04, figure 12.

Last revision: 20191110

Cover Story: 20191113

MCAS

Conclusion: Boeing Mishandled the Design


Photo: Boeing 737 MAX 8 Overview, KNKT.18.10.35.04, figure 13.

The Boeing 737 might be the company’s most successful design ever, at least based on the number of aircraft built and continued longevity. From its beginning in 1967, over 10,000 have been built. The idea was to have an airplane that could fly 50 to 60 passengers economically from 50 to 1,000 nautical miles. The Boeing 737-100 was a success from day one. Fast forward to today and you have 737s that can carry over 200 passengers nearly 4,000 nautical miles.

By far the largest contributor to the airplane’s increased performance and efficiency is engine technology. More thrust means more payload and efficiency, but it comes at the cost of increased cowl diameter which puts the engine closer to the ground. This, in turn, means more Foreign Object Damage (FOD) to the engine as well as an increased likelihood of contacting the runway during crosswind landings. The early response to this was moving engine accessories from the bottom to the side of the engine and the non-circular look of later model engine cowls. The latest answer, as implemented in the 737 MAX, was to move the engine forward and up, providing added ground clearance.

The unintended consequence of moving the engine forward is something veterans of Boeing’s 4-engine swept wing jets are familiar with: pitch coupling with thrust changes. In the Boeing 747, for example, you can move the pitch up by adding power only to the inboard engines, which are mounted forward of the outboards. In the case of the two-engine 737 MAX, high power settings will have the tendency to push the pitch up. This can be disastrous at low speeds, where pilots can be tempted to firewall those engines.

Boeing’s answer to this was the Speed Trim System (STS) which would control the horizontal stabilizer during low gross weight, aft center of gravity, and high thrust situations when the autopilot was not engaged. I suppose the idea was to make this 737 feel like older model 737s when hand flying in those situations. The Maneuvering Characteristics Augmentation System (MCAS) is a subset of the STS designed to apply double-speed impulses of nose-down trim during high Angle of Attack (AOA) situations with the flaps up. I thought Boeing believed this system was similar enough to conventional stall barrier systems (such as a stick pusher) that the company did not need to document its existence in the airplane’s flight manuals. But I’ve since read that they thought the chances of pilots getting into this part of the flight envelope were so remote that pilots didn’t need to know about it. Either way, the system went undocumented in pilot materials.

MCAS was necessary to get the MAX to fly like a conventional 737 and convince the FAA to certify the airplane under the existing Boeing 737 type certificate. STS and MCAS appear at first glance to be the Flight Control Computer (FCC) architecture found on fly-by-wire airplanes for many years now; in fact, the system on the 737 MAX is called just that: a Flight Control Computer. But it really is little more than a digital autopilot. This may seem like splitting hairs but there is more to it than that. A true fly-by-wire system is run by FCCs that are constantly checking each other, ruling out bad information, and providing pilots with news about any unresolved issues. The 737 MAX has two FCCs that simply take turns controlling the airplane’s pitch. While one FCC has access to the other’s information, it wasn’t allowed to use it. In the case of Lion Air 610, the left seat MCAS could only use the faulty AOA from its on-side probe.

Conventional aircraft for years have been using stall barrier systems that sense the airplane’s angle of attack and give the nose a push when the AOA indicates the aircraft has been stalled. Most systems rely on two AOA sensors, each with a vote. If the two sensors disagree, the stall barrier system is no longer allowed to push and will simply inform the pilot there is a disagreement. That has been true of many aircraft for many years. The 737 MCAS, in stark contrast, only needed its onside AOA and at that point, was allowed several repeated pitch impulses.
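The difference between the two designs can be shown in a few lines. This is an added example, not code from the accident report or from any aircraft's software; the thresholds, the sensor bias, and the sample readings are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical values chosen for illustration; not taken from any aircraft.
ACTIVATE_AOA_DEG = 14.0  # assumed AOA above which a nose-down command is issued
DISAGREE_DEG = 5.5       # assumed maximum allowed difference between the two vanes


@dataclass
class Decision:
    command_nose_down: bool
    alert: Optional[str] = None


def single_sensor_policy(onside_aoa, offside_aoa):
    """Acts on the on-side vane only; the off-side value is available but ignored."""
    return Decision(command_nose_down=onside_aoa > ACTIVATE_AOA_DEG)


def cross_checked_policy(onside_aoa, offside_aoa):
    """Both vanes vote: a disagreement inhibits the command and raises an alert."""
    if abs(onside_aoa - offside_aoa) > DISAGREE_DEG:
        return Decision(command_nose_down=False, alert="AOA DISAGREE")
    # Sensors agree, so require both readings to be above the threshold.
    return Decision(command_nose_down=min(onside_aoa, offside_aoa) > ACTIVATE_AOA_DEG)


def run(policy, trace):
    """Return (count of nose-down commands, distinct alerts) for (onside, offside) pairs."""
    commands, alerts = 0, []
    for onside, offside in trace:
        decision = policy(onside, offside)
        commands += int(decision.command_nose_down)
        if decision.alert and decision.alert not in alerts:
            alerts.append(decision.alert)
    return commands, alerts


# Constructed trace 1: an ordinary climb, but the on-side vane reads high by a fixed bias.
TRUE_AOA_NORMAL = [3.0, 4.5, 5.0, 4.0, 3.5, 5.5]
CONSTRUCTED_BIAS_DEG = 18.0
FAULTY_TRACE = [(aoa + CONSTRUCTED_BIAS_DEG, aoa) for aoa in TRUE_AOA_NORMAL]

# Constructed trace 2: a genuine high-AOA excursion that both vanes report consistently.
GENUINE_TRACE = [(aoa, aoa + 0.4) for aoa in [10.0, 13.0, 15.0, 16.5, 12.0]]

if __name__ == "__main__":
    for name, trace in [("faulty vane", FAULTY_TRACE), ("genuine high AOA", GENUINE_TRACE)]:
        for policy in (single_sensor_policy, cross_checked_policy):
            commands, alerts = run(policy, trace)
            print(f"{name:18} {policy.__name__:22} commands={commands} alerts={alerts}")
```

With the faulty vane, the single-sensor policy commands nose-down on every sample while the cross-checked policy commands none and reports the disagreement; in the genuine case both policies respond the same way.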

Conclusion: The FAA Mishandled the Certification


Photo: FAA Headquarters, Matthew Bisanz

It seems Boeing supplied the FAA with an update to its decades old type design (time tested and proven), with a successful new engine (proven on other aircraft), and a new Flight Control Computer. These FCCs have been around for years, so what could go wrong?

At first glance, it would seem certifying the 737 MAX would be just a matter of continuing the long legacy of successful airplanes with proven upgrades in technology. What is not apparent at first glance, however, is that the 737 MAX may be the first in that line to be inherently unstable. Aerodynamic stability, in a nutshell, simply means that when you take your hands off the controls the airplane “wants” to maintain pitch, roll, and yaw as well as airspeed. The airplane naturally gravitates to a safe condition. Let’s say you are in straight and level, trimmed flight and decide to firewall the engines. The airplane’s pitch should increase as the airplane seeks to maintain the trimmed speed and then settle in on a climb. In the case of the 737 MAX, without the MCAS the airplane’s pitch could become too high and the control feel presented to the pilot could inhibit recovery. Not good.

It could very well be that the right answer is that there comes a point the engine is just too big for the airframe or that the way the airplane was designed is no longer inherently safe. But the FAA never examined the airplane with this thought process objectively because they effectively surrendered their oversight duties to the manufacturer. The Designated Engineering Representative (DER) and Organizational Delegating Authority (ODA) programs acknowledge that nobody in the FAA is up to the task of certifying these complex airplanes as airworthy and cede that responsibility to the manufacturers themselves. While we out in the field know that giving pitch control to a system relying on a single AOA probe is nuts, Boeing talked themselves into allowing it and, one step removed, into certifying it as safe.

The airplane isn’t as safe as it could be, we now know with the benefit of history. But were the pilots doomed to crash? I don’t think so.

Conclusion: The Pilots Mishandled the Airplane


Photo: Lion Air 610 Flight Track, FlightRadar24

Much has been made about the faulty AOA sensor and the fact the 737 MAX does not have two Control Column Cutout (CCC) switches, so that if the trim is pushing forward either pilot’s pull aft will cut out the pitch trim. Instead the MAX has the CCC on only the captain’s yoke. In the case of Lion Air 610, for example, the first officer was in control in the airplane’s final moments. The CCC looks to be a very nice feature, one that I did not have in my first two Boeings and have never had on a Gulfstream. But this also ignores the fact that the pilots on Lion Air 610 reacted correctly by trimming in the opposite direction several times and that should have reinforced with them that they were dealing with trim inputs that were not their own.

In my opinion, we as pilots are responsible for monitoring the performance (attitude and thrust) of the aircraft and adjusting that performance when it is not as we desire. If you want the airplane to be in a hands-off nose up pitch climbing, and it does something other than that, it is up to you to take control. In the case of Lion Air 610, the pilots realized the trim was moving opposite their intent and they should have turned the trim system off.

Why didn’t the pilots know instinctively what to do in this situation? Author William Langewiesche was told that in Indonesian simulators, “there are sometimes seven in there: two pilots flying, one instructing and four others standing up and logging the time.” If the lesson plan said every pilot had to be trained to deal with a runaway pitch incident, they logged the event whether they flew it or not. In a culture such as this, it is easy to realize that not all pilots are trained to the same standard.

I believe a properly trained set of pilots could have survived what started as a poorly designed airplane saddled with an improperly repaired AOA sensor. Many of us who grew up in Boeings with the thought that the pilot must always have ultimate control will, sooner or later, have to realize we long ago gave up total control and that trend is going to continue.

Predicate: The Inevitable Push of Progress

Perhaps the larger engines should not have been allowed and an airplane with “fly by cables” should not be allowed to become a hybrid with part mechanics, part electronics. Perhaps all airplanes should be designed so that the least capable pilot can fly it in the least likely scenario. But the purpose of an airplane is not to guarantee safety to the maximum extent possible, but to the maximum extent feasible. An airplane designed to the former standard will be economically prohibitive. As we used to say in the Air Force safety business: the only way to guarantee flight safety is to not fly at all.

Consider, as an elementary example, the flying tail. Not too long ago a conventional airplane was one with a fixed horizontal stabilizer with an elevator mounted behind it. Primary pitch control was achieved with the elevator only and, perhaps, another tab on the end to trim off control pressures. The stabilizer gained its own movement to account for larger ranges in speed and center of gravity. In some airplanes, stabilizer movement was tied to flap position and in others it became the pitch trim mechanism. (In some fly-by-wire airplanes the stabilizer is tied to the elevator to automatically streamline both surfaces to minimize drag.) In any step in this evolution it would have been easy to complain that progress had made the pilot’s task more complicated than should be allowed.

Many years ago, I flew with pilots who routinely disabled the stick shaker and pusher, reasoning that was taking control from them and they were pilots of such a caliber they would never get the airplane into that flight regime. But years of experience tells us that flying airplanes with fewer and fewer “seat of the pants” cues can leave pilots in these flight regimes “cue-less” rather easily. I don’t know of anyone these days who believes a stick shaker or pusher should be disabled.

Of course, a line needs to be drawn somewhere. Why install an engine so large it makes the airplane unstable in a small part of its envelope? Why take that chance? A friend of mine told me he was cruising along the other day in his Gulfstream GVII at Flight Level 470, ISA +3, 8 passengers, four hours of fuel on board, Mach 0.87, burning only 2,200 lbs. of fuel per hour. My first Gulfstream burned more fuel than that idling on the ground. The GVII is fly-by-wire and places two flight control computers (each with two separate channels) between the pilot and the flight controls. Without these computers these kinds of efficiencies would be impossible. This is progress and aviation is headed this way. Now the question is how are we (all of us in aviation) going to react?

Prediction: Boeing Will Learn From Their Mistakes

I think Boeing must realize that trying to stretch a 50-year-old design one more time and pushing the certification process has the potential of killing the company. If the company survives, they will need a cultural change to the way they build airplanes. I think that is going to happen, but that is me the longtime Boeing supporter.

Prediction: The FAA Will Not Learn

The FAA will take a few very big hits along the way too because they are certainly culpable in the hundreds of deaths that resulted. Unlike Boeing, no one at the FAA will lose their jobs and I suspect their bonuses will be in full force. In fact, I believe there are some very big promotions in store for many of the guilty. So there will be some ceremonial shifting of the deck chairs and the process of aircraft certification will appear to change in the near term. But that won’t last long. When you work for the world’s largest nonprofit organization, very little can happen to change the trajectory.

Prediction: The Pilot Pool Will be Divided Into Those Who Can Adapt and Those Who Will Not

Of course, I am no expert on aircraft manufacturing or government bureaucracy. I come at this from the perspective of a pilot trying to best defend myself from the mistakes of others as well as my own. I do this by being skeptical, learning as much as I can about my aircraft and environment, and by constantly playing the “what if” game about my chosen profession. Allow me an example from the past and one that could happen in the future.

My first Gulfstream was an Air Force C-20B flying for the 89th Airlift Wing at Andrews Air Force Base, Maryland, just outside of Washington, D.C. The aircraft were brand new and the crews were highly qualified but a bit “full of themselves.” Our squadron did not allow us to wear our oxygen masks as required by Air Force regulations, which were written similarly to rules you will find in the commercial CFR 121 or 135 worlds. It was determined that the airplane would never depressurize and wearing the masks would only upset our passengers. My last job at Andrews was as the wing’s chief of safety and I had working for me a flight safety officer in each aircraft type except the C-20, since I represented that airplane. I tasked everyone with writing a few paragraphs predicting the next mishap in each airplane and published the results as a thought piece for our hundreds of pilots. For the C-20 I predicted the next mishap would be a rapid depressurization where both pilots had trays of food on their laps and stacks of charts over the oxygen mask boxes. The rest of our Gulfstream pilots said I was way off, since there had never been a pressure loss in any Gulfstream. How did they know that? Two weeks later we had a door seal blow out and a rapid depressurization on one of our C-20s. The pilots got their masks on and nobody was hurt. I have insisted on following oxygen rules in every flight department I have managed ever since. If you are of the “it never happens” belief, I urge you to subscribe to the Curt Lewis & Associates, LLC online publication Flight Safety Information, a daily newsletter covering worldwide aviation on a daily basis. In the last few years hardly a week has gone by without one or two cabin pressurization losses requiring an emergency descent. Subscribe here: www.fsinfo.org.

My new airplane is a Gulfstream GVII-G500 with a fly-by-wire flight control system with no manual backup: there is nothing between the control stick/rudder pedals and the flight controls but electrons. Scary? There are two full time flight control computers and each one has two channels. One channel monitors the other and each of these four channels has a vote. If all that fails, a backup flight control computer lies in wait. Gulfstream says the chances of ending up on the backup is one in one billion flight hours. Reassuring? At the beginning of the space shuttle program, NASA’s own pre-launch estimates were that there was a 1 in 100,000 chance of shuttle failure for any given launch. The historical result was 2 in 135. Question: how can such smart scientists and engineers be so wrong? Answer: they are not statisticians.

So let’s do some elementary statistics using a statistician’s basic demonstration tool, a two-sided coin. The odds of heads on a single coin flip are one in two or 0.50, as we all know. Now what are the odds of getting heads two times in a row? The possible results are HH, HT, TH, and TT; so only one of those is right and the answer is one in four or 0.25. The statistician tells you that the formula for the probability is p(A and B) = p(A) * p(B), where events A and B are independent, so (0.50)(0.50) = 0.25, agreeing with the word picture.

Now what about the odds of getting heads on either toss? Once again we could toss HH, HT, TH, or TT. Three of those four possible outcomes contain a heads, so 0.75. The statistician tells you the formula in this situation is p(A or B) = p(A) + p(B) – p(A and B), where A and B are independent, so (0.5) + (0.5) – 0.25 = 0.75.

I think this is where many engineers get it wrong. Let’s say you have an airplane that has flown for many years and has logged 1,000,000 flight hours. And in our example let’s say there have been one hundred examples of a left system hydraulic failure, or 100/1,000,000 = 0.0001. Now let’s say that in that same period of time you have only had 50 right system failures, or 50/1,000,000 = 0.00005. Now what are the odds you lose both systems? It is p(A and B) = p(A) * p(B): (0.0001)(0.00005) = 0.000000005 or once in 200 million flight hours. Pretty good odds! But what are the odds you lose either system? The answer is p(A or B) = p(A) + p(B) – p(A and B): (0.0001) + (0.00005) - 0.000000005 = 0.000149995 or once every 7,000 flight hours. That’s a different story altogether. I think a sales engineer wanting to promote the product can get the math wrong here.

So I look at the Gulfstream “one in one billion flight hours” with the same jaundiced eye that NASA engineers should have looked at their prelaunch predictions. I am sure that in both cases the intent was to instill confidence in the system but that could also serve to lure pilots into a sense of false confidence and complacency. We pilots should instead realize there is more to each aircraft system than we will ever know, indeed more than the designers will ever know. It is up to us to prepare as best we can.

And that, in a very long and drawn-out way, leads to my prediction about us pilots. I’ve noticed that most pilots are willing to take the flight manual at face value and I’ve even heard a few say that if it isn’t taught in school it doesn’t need to be learned. These are the pilots who believe the one in a billion lie. Other pilots, not as many as I would like, realize that having basic stick and rudder skills is important even when the electrons are doing most of the flying. If you’ve never flown a real airplane upside-down and safely recovered, you need to schedule yourself for some aerobatics with a competent instructor. At the very least, you need to examine every airplane system at your disposal and ask the question, “what if?”


Aircraft Accident Investigation Report, PT. Lion Mentari Airlines, Boeing 737-8 (MAX); PK-LQP, Tanjung Karawang, West Java, Republic of Indonesia, 29 October 2018, Komite Nasional Keselamatan Transportasi (KNKT.18.10.35.04), Republic of Indonesia.

Langewiesche, William, What Really Brought Down the Boeing 737 Max?, The New York Times Magazine, Sept 18, 2019.