Plato90s

I would note that the Ethiopian pilots performed one of the steps which you noted is standard - shut down electrical trim motor which prevented MCAS from taking further action but did NOT shut down MCAS.

When they were unable to manually trim fast enough, the pilot thought he had no choice but to re-enable the trim motor. That allowed MCAS to start over-riding the pilot AGAIN. Knowledge of MCAS would be critical in that scenario because if the pilot had known that a silent malware was still continuously issuing commands - he would have chosen different action.

The overall result is that Boeing created software which actively worked against the operator and did so secretly. The decision to skip training and instead go for the secret malware is driven by time-to-market concerns, and thus Boeing has blood on their hands.Or you can just set up the test aircraft with a software module that triggers MCAS with false data and then try to recover.

That's what WSJ's travel columnist did with a 737 pilot in simulator and they came away with the conclusion that it was possible that not every pilot would have the physical ability to trim the aircraft fast enough, manually, to prevent a crash.

https://www.barrons.com/articles/boe...th-51560973022

That, of course, validates the position that many pilots could have saved the plane. But the standard should be that every qualified pilot should be able to do it, and the 737 Max fails to meet that standard. Therefore it is fundamentally unsafe.

And as Sullenberg noted - the surprise factor of dealing with unexpected software contributes to the crash.

https://www.npr.org/2019/06/19/73424...-been-approved

chrisl137

Yeah, that's reasonable once it's identified as a risk - I'd imagine even the simple cutout or disagree is done very carefully with a way to restore immediately a

That's another software module and interaction to validate. A piece of hardware in the loop that fakes inputs is a closer verification of the actual system behavior.

Plato90s

The problem is that you wouldn't be able to disable the "bad hardware" easily the way you can with a software module. If the test gets into trouble because pilot is having problem fighting off MCAS, a software module means the test can be aborted.

Deliberately bad hardware means you're locked into the test until the plane lands.

Remember that the revised MCAS is set up now to use dual-input using both AoA sensors. That means you can no longer test it by using 1 bad and 1 good sensor and switching the active flight-computer.

chrisl137

As pointed out by jrl767 - the fake hardware input values would be done on the simulator, while a regular sensor loss/disagree might be done in flight, and there would be some flight validation tests of the MCAS response to the sensor.

But you're not locked into a bad sensor if you do it in hardare. If you wanted to test in flight you would put a physical switch to go back and forth between fake sensor and real sensor and have greater certainty that you can cut the fake sensor than with software.

LarryJ

The nose doesn't "start pointing down". I've posted this quite a few times already, in several threads, so apologize to those who are reading essentially the same material yet again.

When you are hand-flying an airplane it will frequently become nose-heavy or nose-light. You hold the pitch attitude at the desired location (the nose doesn't move) but holding those control forces for extended periods of time is tiresome. It's like driving a truck or minivan down a freeway with a strong crosswind requiring you to hold pressure on the steering wheel to stay in your lane. These out-of-trim conditions occur constantly while flying, particularly when climbing, descending, accelerating, descellerating, changing power settings, or changing configuration (flaps/slats/spoilers/gear). This is completely normal and occurs many dozens of times during each departure and arrival. When the airplane becomes out of trim, the pilot flying uses the thumb switches on his control wheel (primary electric trim) to trim out the control forces and return the airplane to an in-trim state.

In the case of an unschedule MCAS activation, the pilot-flying (PF) would notice the airplane becoming nose-heavy and would use the primary electric trim to trim the nose back up to an in-trim state. This action stops the MCAS activation. Five seconds after the pilot stops trimming, MCAS would activate again. As the PF notices the airplane becoming nose-heavy he would use the primary electric trim to trim the nose back up to an in-trim state. Five seconds after the pilot stops trimming, MCAS would activate again. As the PF notices the airplane becoming nose-heavy he would use the primary electric trim to trim the nose back up to an in-trim state. Five seconds after the pilot stops trimming, MCAS would activate again. As the PF notices the airplane becoming nose-heavy he would use the primary electric trim to trim the nose back up to an in-trim state. Five seconds after the pilot stops trimming, MCAS would activate again. As the PF notices the airplane becoming nose-heavy he would use the primary electric trim to trim the nose back up to an in-trim state. This cycle could repeat indefinitely with the pilot keeping the airplane in-trim the whole time.

Eventually, the PF should notice that the airplane is repeatedly and persistently trimming nose-down. This is a stabilizer runaway and the stabilizer runaway procedure should be accomplished.

At this point, the airplane is in-trim. The airspeed is appropriate for the phase of flight (210 - 250 Knots). The aircraft pitch attitude is normal (~10deg aircraft nose-up). The aircraft's flight path is normal (climbing).

The FP calls for the stabilizer runaway immediate action items. 1. Grasp the control wheel firmly. (He already is). 2. Autopilot disconnect (it's already off). 3. Autothrottles disconnect. If the trimming continues (it will), 4. Stab trim switches to Cutoff.

This stops the runaway stabilizer. The airplane is still at an appropriate speed, at or near in-trim, and completely controllable.

The manual trim backup system consists of two, large trim wheels on either side of the center console. Each wheel has a fold-out handle and those two handles are positioned 90 degrees of rotation apart to ensure that at least one pilot will have his handle in a position providing good leverage at every point in the wheels' rotation.

When the airplane is at, or near, an in-trim state, the PF can easily make routine trim adjustments with his fold-out handle in one hand while continuing to fly the airplane with the other (this is how many smaller airplane are normally flown). If larger trim changes are needed then the PF would call for trim and the pilot-monitoring (PM) would do it. i.e. "Trim down" ... "Stop trim". If the trim is allowed to progress to an excessively out-of-trim condition then the system is designed so that both pilots can work together to turn the trim wheels with the Captain using his right hand and the F/O using his left. In extreme conditions the pilots work together along with unloading the stabilizer for brief periods of trimming. This is the same manual backup system that was used on the B707, B727, and all generations of the B737.

The key is to address the situation BEFORE it drives the trim to the full nose-down limit.

Neither accident crew correctly or completely applied the stabilizer runaway procedure.

I don't know what you mean by "prevented MCAS from taking further action but did NOT shut down MCAS". Those are the same thing. When the stab trim switches are in cutoff, the electric trim will not activate. MCAS may be calling for trim but nothing will happen. That is how it is supposed to work.

They were unable to manually trim the airplane because they failed to accomplish the correct procedures, or ANY corrective actions, until the trim was at, or very near, the full nose-down limit.

The Lion Air Captain kept the airplane in-trim through 21 MCAS activations by using the primary electric trim as I described above. He failed, however, to recognize the runaway stabilizer situation and never applied the runaway stabilizer immediate action items. He then transferred control to the F/O who failed to correct the out-of-trim condition through five additional MCAS activations after which the stabilizer was at the full nose-down limit. There is no evidence to suggest that they even tried using manual trim.

The Ethiopian Captain engaged the A autopilot below the minimum autopilot engagement altitude (800') even though he knew, from the stick shaker and IAS DISAGREE, that the input data to the A autopilot was invalid. This produced unstable autopilot pitch inputs (chasing bad data) and eventually led to the autopilot disconnecting itself after 30 seconds later. As I said above, disengaging the autopilot is the second item on the stabilizer runway checklist and the first item on the IAS DISAGREE checklist. He never disengaged the autothrottle (3rd step in stabilizer runaway and 2nd step in IAS DISAGREE) which maintained full climb power throughout the flight and resulted in the airplane accelerating to 390 Knots (indicated airspeed; likely over 460 Knots true airspeed at that altitude). The maximum indicated airspeed limitation (Vmo) is 340 Knots. The Ethiopian crew did not re-trim the airplane after each MCAS activation to maintain a near-in-trim state as had the Lion Air crew. Neither crewmember recognized the stabilizer runaway until the stab trim was approaching the nose-down limit. At that point, they disabled all electric trim inputs with the stab trim switches but they still didn't accomplish the rest of the steps on either the runaway stabilizer or IAS DISAGREE checklists. The combination of the excessively high airspeed, and stab trim near the nose-down limit, would have required high forces to move the trim wheels manually.

The Captain told the F/O to try manual trim but it is unclear if he tried turning the trim wheel at all. The DFDR shows that he tried using the primary trim switches which, of course, were disabled by the stab trim switches. Nothing he said (CVR) indicated that he unfolded the handle and tried turning the trim wheel. Even if he did, they never attempted to work together to turn the trim wheel (as I described above) which certainly would have been required at that airspeed and trim position.

No, it would not. The key to managing these events was to maintain aircraft control (pitch and power), confirm the emergency (runaway stabilizer), and to apply to applicable checklist. Neither accident crew did this.

That's what happens when you allow the airspeed to increase 150 knots above where it should be and don't take any corrective action for nearly two minutes while the runaway stabilizer condition progressively drives the trim farther and farther toward the nose-down limit.

Make enough mistakes and you'll eventually find yourself in an unrecoverable situation. That doesn't mean that you started in an unrecoverable situation.

Plato90s

That's how it was programmed to work.

It's not how it's supposed to work because Boeing's software architecture is dangerously incompetent.

When the autopilot is disengaged - it's turned off. It doesn't mean that it's running in the background - still issuing commands. MCAS, by design, can't be turned off. And that's a massive failure of design when it comes to software.



Boeing's official position, which you mirror faithfully, is that the pilots had the ability to save both flights. That's technically true, but it doesn't change the other truth - the poor design of the 737 Max made it so hazardous that 2 sets of pilots were unable to save the 300+ passengers.

That means the 737-Max is unsafe to operate.True, but when Boeing's bad choices create the circumstances for a cascade of failure - Boeing's executives/employees have blood on their hand for releasing a dangerous and unsafe aircraft.

edgewood49

I think that we have expressed our opinions and thoughts on this thing to death, at the end of the day it should not have happened especially from Boeing. It will be an interesting read the final incident safety report. It also appears some airlines are scheduling the Max back in service later on this year, interesting.

At the end of the day Boeing has inflicted great harm on themselves, the airline manufacture industry as a whole and to the US economy. Sad and all the executives are still drawing salaries.

serfty

New flaw discovered on Boeing 737 Max, sources say | CNN

GetSetJetSet

Boeing needs to junk this pile of crap and go back to the drawing board.

JamesKidd

This is turning into a nightmare for Boeing. Time to hire a new PR & branding agency

Maestro Ramen

here are a few rebranding suggestions

737 MAX DANGER
737 MIN
737 STAB
737 V5
797 Skycruiser
Boeing A321

edgewood49

Rumor has it December before the "mighty Max" is back on the line. However who is going to fly it?

JamesKidd

And that's why they need to consider re-branding. I wouldn't be surprised if they completely drop the 737 moniker and go with something completely new. The words 737, 800 & Max need to go along with a huge PR about how excellent the "new" planes are.

EmailKid

There are hundreds and hundreds of Boeing 737-800 flying every single day on every single continent*




*Technically Antarctica is a continent, but for al intents and purposes uninhabited so no one flies there.

JamesKidd

Definitely not an easy job, never is going to be. They've got to weigh it against how detrimental 737 to their overall image.