Boeing 737 MAX 8 crash, clear tech details

“What the Lion Air Pilots May Have Needed to Do to Avoid a Crash” (nytimes) contains a lot of good cockpit photos and illustrations explaining the combination of manual and automatic flight controls that likely played a role in the recent Boeing 787 MAX 8 crash (see https://philip.greenspun.com/blog/2018/11/11/boeing-737-crash-is-first-mass-killing-by-software/ ).

If it sensed a stall, the system would have automatically pushed up the forward edge of the stabilizers, the larger of the horizontal surfaces on the plane’s tail section, in order to put downward pressure on the nose.

To counter the nose-down movement, the pilot’s natural reaction would probably have been to use his yoke, which moves the other, smaller surfaces on the plane’s tail, the elevators. But trying that maneuver might well have wasted precious time without solving the problem because the downward force on the nose exerted by the stabilizer is greater than the opposite force the pilot would be trying to exert through the elevator, said Pat Anderson, a professor of aerospace engineering at Embry Riddle.

“After a period of time, the elevator is going to lose, and the stabilizer is going to win,” he said.

(The same guy gave an interesting lecture this summer; see “Transitioning to electric flight (lectures at Oshkosh)”.)

The pictures show a mix of 1950s (the big trim wheel), 1980s (the switch-controlled trim and trim interrupt), and 1990s (the MCAS layered on top that puts in heavy trim silently).

My comment on the NYT piece:

I sometimes fly the Pilatus PC-12, a simple 11-seat turboprop. Its stall-protection system was designed in the early 1990s. There are two angle-of-attack (AOA) sensors, one on each wing. There are two computers, each one of which is connected to a single AOA sensor. Only if both AOA sensors show a stalling angle of attack (“nose too high”) AND both computers agree THEN there will be a “stick push”. Thus there could never be a nose-down push due to a single bad AOA sensor. In the unlikely event that both sensors and/or computers went haywire at the same time, there is a “pusher interrupt” switch right on the yoke (“stick”). So the pilot need not hunt for an out-of-sight and never-previously-used switch.

It sounds as though Boeing engineered something that relies on just one sensor.

Plainly the Pilatus-style system would not have interfered with these 189 souls making their way safely to the destination. I wonder if a simple voice annunicator on top of the Boeing system would have also saved the passengers and crew. If it had said “trimming down, trimming down” into the headsets, the pilots would have known to direct their attention to the trim and trim interrupt switches.

21 thoughts on “Boeing 737 MAX 8 crash, clear tech details

  1. Phil, I know nothing of aviation but your question regarding the voice system is especially poignant given that my $300 Bose headphones have this capability and are constantly informing me of their state: “battery 40%”, “Pixel 2 disconnected”, etc. I realize these are apples and oranges, but it makes me sad for the folks whose lives might have been saved by such a (presumably simple?) system.

  2. What happened to the rule that if you move a switch and something bad happens, put it back? Not so much for the flaps, but the other one is do not move a switch with dust on it. Maybe Boeing was thinking like Airbus; the computer knows more than the pilots so it will not let them fly the airplane.

    They also could have engaged the autopilot to disable the system.

  3. I am amazed that the failing NY times wrote such an accurate aviation piece, even if it did take 4 journalists to do it!

  4. Right now there is a 737 Max systems programmer sitting in his cubicle saying, “oh, I never thought that odd combination of events would happen”. The passengers were unwitting beta testers,

  5. Didn’t know the trim wheels pulled cables to move the stabilizer. Mentour Pilot always called them more a visual aid than functional & busses have no trim wheels. We’re just told busses have an alternative method of overriding the autopilot.

    Who knew the trim cutoff switches were that prominent. Such a large control surface shouldn’t be fast enough to trip up the humans, but the media has never shown exactly how fast it is.

  6. 1. Wouldn’t the stick shaker shaking put you on notice that the anti-stall system was going to trim you down?

    2. Those STAB TRIM switches seem pretty prominent to me. The are right at the FO’s left hand. They are not hidden in some big bank of switches.

    Boeing definitely made some mistakes here as you have pointed out – probably the anti-stall should not have activated unless both angle of attack sensor agreed. The pilots should have been trained on what to do in case of unwanted activation of the anti-stall system. But I remain convinced that better pilots could have figured it out in the course of 8 minutes. 5,000 feet was also too low given what was going on. They should have climbed way up to give themselves more leeway. It looks to me like they had the ability to climb but chose to level off at around 5,000 ft.

    Although the pilots were not trained in this scenario, improper trim is a common scenario and they should have figured out that their stabilizer was, for whatever reason, being angled up and needed to be brought down and they they need to take manual control of the stabilizer. The Times makes this seem like an obscure procedure but I don’t think it is. The electric stabilizer switch, the STAB TRIM cutout and the stabilizer wheels are all very prominent flight controls – they are not at all obscure. I have complete faith that if Phil had been flying he would have figured this out.

  7. toucan sam: I agree with you on the nytimes! When they lay off their Trump-hatred it seems that they are capable of gathering some relevant facts and presenting them. Imagine all of the lost learning among the NYT readers since the paper decided that its main mission was to label non-Democrats as haters, sexists, racists, and morons!

    Jack: That’s a good point on the stick shaker. The flight data recorder that they’ve recovered should, I think, tell us whether the shaker was activated the whole time.

    Thanks for your vote of confidence. I have certainly handled runaway trim competently about 25 times… in simulators where I knew in advance that horrible things were going to happen (and where I knew that nothing could be injured except my pride)! But that’s not the same as real life.

    https://www.aopa.org/news-and-media/all-news/2017/july/pilot/turbine-pitch-trim-runaway

    talks about a relatively recent (2007) bizjet crash attributed to runaway trim. Those pilots had done well in the sim, presumably.

    • From the same article:

      Regardless of the cause, it was the crew’s response to the abnormality that doomed the flight. Performance studies on a similar Citation II showed that the airplane “would have been controllable if the captain had not allowed the airspeed and resulting control forces to increase while he tried to troubleshoot the problem.” Noting that the captain had relatively little difficulty controlling the airplane at low airspeed, the NTSB cited the crew’s “haphazard and poorly coordinated troubleshooting efforts” as having “allowed an abnormal situation to escalate to an emergency” and concluded that “if the pilots had simply maintained a reduced airspeed … the aerodynamic forces on the airplane would not have increased significantly” and “the pilots should have been able to maintain control of the airplane.”

      It also noted that “The first officer provided little or no support to the captain…and was arguably a distraction because the captain had to monitor the first officer’s actions as well as perform flying pilot duties”—a caution that weak knowledge can become a serious liability during an abnormal situation.

      Hardware malfunctions can get you in trouble but the job of the pilot (the one for which he earns “the big bucks” – haha) is to get you (and himself) out of it. It’s easy to 2nd guess pilot error while sitting safely in your armchair but the fact remains that some pilots are better than others at working under pressure and figuring out the right thing to do when things start to go sideways. On certain days even the best pilot’s skill are no match for the seriousness of the hardware failure but this was not one of those situations – better piloting could have saved lives.

  8. I did not realize until I read this article and did a little more research that the entire horizontal surface could pitch up or down. Now it makes more sense when they said that this entire surface moving could override the elevators.

  9. RE software, I have to agree with Anon’s comment about a programmer somewhere “saying, ‘oh, I never thought that odd combination of events would happen’. The passengers were unwitting beta testers”

    Someone observed, “A good programmer is someone who looks both ways before crossing a one-way street.” Anytime you’ve got a system that lasts for decades and/or has millions of users, it’s best to assume strange & unlikely things will happen 😐

  10. …RE hardware, I remember back in the early days of the Shuttle program, a lot of folks were concerned about the computers that flew the Orbiter failing. That turned out to not be a major issue, but sensors were more problematic.

    I still remember what an avionics test engineer at JSC told me once, which I’ve always found to be good advice: “I have a lot of faith in computers, but I DON’T have a lot of faith in sensors.”

  11. As a longtime software designer, it is clear to me that commercial aircraft auto pilot software is far more primitive than it should be. Auto recovery from all identifiable sensor and other equipment failures should be a standard feature. Controlled flight into terrain should be impossible. Virtually every commercial airplane crash in the past 10 years would have been avoidable if software features had kept up with the improvements in computer processors and memory.

    • I suspect the issue is that certification is a long process that guarantees that today’s plane fly with software developed quite a while ago. Phil will correct me if I’m wrong here.

    • As it is, commercial airliner crashes (at least in the US and Europe) have become extremely rare.
      Anything that goes in an airplane has to go thru a very rigorous approval process so technology that you might have in your car appears a decade later on airplanes and costs 10x as much, or 100x as much if it is going on a commercial air transport. As we see from this crash, devices that are intended to increase safety can backfire and themselves cause accidents. If your cutting edge phone “crashes” it is no big deal but it is a very big deal when a plane crashes due to defective software

  12. I had a much milder version of this in a small four seat piston airplane: had autopilot on during solo cross-country flight when I was student pilot, and had to descend urgently because clouds ahead were unexpectedly lower (flying into clouds for a student pilot would usually not end well, besides being against regulations). When I tried to push the nose down the autopilot applied huge nose up trim because it was trying to maintain altitude.

    I wondered for a fraction of a second why it was taking nearly all my strength push the stick down, but immediately disconnected the autopilot (red switch on yoke), and, at the same time noticed the trim wheel moving and was able to adjust it immediately afterward. In this case there was no malfunction, altitude sensors were fine and the autopilot was doing what it was supposed to do, but being able to turn it off quickly was extremely helpful.

    So, same as what philg said about PC-12, there should always be a red switch right on the wheel to stop the computer if it can make such sudden significant changes, and pilots should be trained to use that switch and take control back immediately if nothing else seems wrong.

    • Low-G or temporary weightless conditions are harmless fun in a fixed wing aircraft. But helicopters are designed so that the rotor is always supposed to be loaded – the helicopter is supposed to be hanging from the rotor. When the rotor is not loaded bad things happen – it starts to flap around and hit things it is not supposed to hit and the helicopter starts to tilt to the left, driven by the tail rotor. Low-g conditions are caused mostly by pilot error and there are things that you are supposed to do and NOT do when you find yourself in a low-G condition. So an inexperienced pilot (and Robinson pilots often have fewer hours) may make a mistake (or maybe try something daredevil) and unload the rotor and then make ANOTHER mistake by applying right cyclic (instead of aft which re-loads the rotor) when the helicopter starts to tilt left and that’s how you get fatal accidents. This is a well known characteristic of all 2 bladed helicopters and is disclosed in all of the Robinson manuals and training so if a pilot bumps the mast it is indeed his fault and not Robinson’s. Helicopters, even more than fixed wing aircraft, are unforgiving creatures – if you make a mistake you many not get a 2nd chance.

  13. I remember about someone once complaining that they came out onto the tarmac and found a ground personell cleaning the windshield by standing on the AOA vane.

  14. Today’s LATIMES has an article about the ‘deadly’ R22 and R44 copters. Nothing really new except apparently that Robinsons can suffer from something called rotor chugging and Robinson tried their damndest to bury the report.

Comments are closed.