Lion Air B737 MAX 8 (Wikimedia Commons)
On October 29 of this year, Lion Air Flight 610 crashed into the Java Sea 11 minutes after departing Jakarta for Pangkal Pinang with the loss of all 189 souls on board. What first called special attention to this accident was that the mishap aircraft was a brand new MAX 8 version of the venerable Boeing 737, and had been delivered to the airline less than a year earlier.
Also of note has been the revelation in the wake of the ongoing accident investigation that a new safety system designed to prevent stalls had been installed on the aircraft, but had been neither publicized nor documented in the flight manuals used by flight crews. The flight data recorder (FDR) from the mishap aircraft has been recovered, and data from that recorder shows that an errant sensor on the aircraft may have provided bad data to this new system, possibly implicating it in the accident.
The investigation is ongoing and it is inappropriate to assign blame to any system or persons until the completion of the accident review, but as there is much misunderstanding concerning what information is already known, we can take a closer look at the circumstances surrounding this tragedy.
An Undocumented System
The new safety system installed on the MAX version of the 737, known as the Maneuvering Characteristics Augmentation System or MCAS, was designed to provide a nose-down trim input during manual flight as the aircraft approached a stall. What this means in simple terms is that if a pilot is flying the aircraft without the autopilot, and is for whatever reason flying the aircraft well below a safe speed, the aircraft will automatically run the stabilizer trim forward, which will have the effect of making the controls heavier to hold.
In addition, once full power is eventually applied to recover from the stall, the forward trim assists the pilot in keeping the more powerful engines on the MAX from overpowering the recovery by exceeding elevator authority. The nose tends to want to rise during a stall recovery and forward trim lessens that effect.
Here is an excerpt from the multi-user message sent by Boeing on November 10 to all 737 MAX operators:
A pitch augmentation system function called 'Maneuvering Characteristics Augmentation System' (MCAS) is implemented on the 737-8, -9 (MAX) to enhance pitch characteristics with flaps UP and at elevated angles of attack. The MCAS function commands nose down stabilizer to enhance pitch characteristics during steep turns with elevated load factors and during flaps up flight at airspeeds approaching stall. MCAS is activated without pilot input and only operates in manual, flaps up flight. The system is designed to allow the flight crew to use column trim switch or stabilizer aisle stand cutout switches to override MCAS input. The function is commanded by the Flight Control computer using input data from sensors and other airplane systems.
It is also important to note that any pilot finding him or herself in this position has real problems and has already disregarded the "stick shaker" stall warning system which vibrates the control column well before reaching stall speed. The reason the system was installed on the newest MAX 8 versions of the 737 and not earlier models is apparently the discovery during flight testing of some unfavorable stall characteristics on the new aircraft that did not exist on earlier models.
Angle of Attack
Ok, so far so good. A new safety system was installed. Who can argue with a safety system? The problem that the Lion Air flight encountered, however, was some sort of malfunction in information coming from a sensor being fed to the new system. This sensor is known as the "angle of attack" or AOA sensor. The angle of attack of a wing is the angle between the chord line of a wing and the relative wind moving across that wing. A chord line is an imaginary line which runs from the leading edge to the trailing edge of a cross section of a wing.
A wing which exceeds the critical angle of attack stalls, which is where boundary layer separation occurs and the wing stops producing lift. If you've ever stuck your hand out the window of a moving car and made a wing with it, you've experienced how changing the angle of attack changes lift. For more on AOA, see here.
The angle of attack sensor is essentially a very small wing on a hinge mounted on the fuselage which measures the direction of the relative wind passing the aircraft. You can see them installed near the pitot tubes on most airliners, and there are usually at least two installed for redundancy. AOA data is used by a number of systems on an airliner, but happened to be one of the primary inputs to the MCAS system on the MAX 8 aircraft. It is here where problems occurred.
Faulty Input Means Faulty Output (GIGO)
Analysis of the flight data recorder from the Lion Air flight revealed that the data from the two AOA sensors installed on the aircraft did not match. The left AOA sensor was recorded as giving erroneous information during the entire flight. An erroneous AOA information feed or some other malfunction is suspected to have caused the activation of the MCAS system resulting in the system trimming the aircraft in a nose down direction. During the entire flight the pilots trimmed in a nose up direction to keep the aircraft flyable, but at some point stopped trimming and allowed the MCAS system to trim the aircraft nose down to an unflyable condition.
The reason for this is unknown and may be determined when the cockpit voice recorder (CVR) is recovered. Also unknown is why the pilots never used the two stabilizer cutout switches located on the center stand just behind the throttles. These switches remove all electric power from the stabilizer trim motor and would thereby deactivate the MCAS trim inputs.
In fact, on the previous flight of the mishap aircraft, a failure of a similar nature also resulted in uncommanded nose down trim inputs and required the pilots of that flight to use the cutout switches to deactivate the electric trim system. The 737 has a large manual trim control wheel mounted on the center stand that can be turned to adjust the stabilizer trim. It is normally not touched but spins as the electric trim motor is engaged. The pilots on that previous flight used the manual trim wheel to adjust the trim to safely land.
The aircraft did have maintenance performed on various airspeed, AOA and other systems in the days leading up to the mishap flight in response to several defects being written up on previous flights. The exact nature of the malfunctions and degraded systems on the mishap aircraft has yet to be determined as the investigation proceeds, but an AOA sensor had been replaced in response to writeups on the previous flight. A closer look at the flight data from both the mishap flight and the previous flight can be found here.
Protecting Pilots From Themselves
There is an ongoing debate in the aviation community about the benefits and liabilities of cockpit automation. This debate has centered on the tendency of highly automated cockpits to make pilots rusty in their "stick and rudder" or basic flying skills. Make no mistake, automation has been a boon to both aviation economics and safety, but it is now being realized that it is not an unmitigated benefit.
At question is the design philosophy incorporated into automation. Years ago, the two main commercial airframe manufacturers, Boeing and Airbus, diverged in their approach to flight control automation. While Boeing aircraft have always incorporated the ability to disconnect all automation, Airbus on the other hand was a pioneer in designing "fly by wire" flight controls into their aircraft. This meant that pilot inputs were sent to a computer and the computer controlled the aircraft. There was no ability to completely bypass the computer and control the aircraft directly.
The revelation that a safety system designed to prevent an inattentive pilot from stalling the aircraft was surreptitiously installed will raise questions as to whether Boeing has decided to follow Airbus down the road of incorporating behind the scenes automation to prevent pilots from doing stupid things. Remember, the original anti-stall device was always the pilot. Warning systems could signal that the airplane was getting slow, but the pilot was always the backstop. The fact that the MCAS system can be disabled by the trim cutout switches makes the above scenario less likely.
The alternate explanation for the installation of the MCAS system is that it is simply designed for the mitigation of unfavorable stall characteristics as mentioned above. This raises the question, though, of why the system would not be documented in the aircraft flight manual. Surely pilots would want to know of these unfavorable characteristics and also of the existence of a system designed to compensate for those effects. Since the system was undocumented, the pilots of the mishap flight likely had no idea why their trim kept running forward, nor were they expecting such behavior.
What's It Doing Now?
It is imperative, then, that pilots are well versed in not only the normal operation of their aircraft, but also in any possible failure mode and are ready and able to assume complete command at any time that the automation is not performing as expected.
Several high profile accidents such as Air France 447 and Asiana 214 serve to highlight the potential pitfalls of flying highly automated aircraft. Part of the problem confronting pilots of these aircraft is the danger of becoming confused about what the aircraft automation is doing. In what is known as "mode confusion", pilots can make the mistake of assuming that the automation will perform in a certain manner and become confused if it doesn't.
This was one of the findings in the accident review of Asiana 214 which crashed into the seawall at San Francisco. The pilots realized too late that the mode that had been selected would not do what they were expecting. They were then unable to prevent the aircraft from crashing short of the runway.
Now extrapolate mode confusion to a malfunctioning system which the pilots were unaware was even installed, and you can see the difficult situation they faced.
In Conclusion
The cause(s) for the crash of Lion Air 610 are currently unknown and will remain so until the investigation is complete. In the interim, new knowledge of the existence of an undocumented safety system installed on the 737 MAX should serve to further the debate on the appropriate role of cockpit automation.