
They did just that, but they approached the problem badly.

The article suggests that the pilot didn't know about the new system nor how to disable it. In case of a faulty sensor (Boeing can't be stupid enough not to have a quorum of sensors, can it?) the crew should be able to disable a possibly deadly autopilot.

1. YES - for automation

2. YES - for sensible and safe handling of sensor failure

3. YES - for allowing a human to override the auto-pilot



Rookie pilot here. Large airplanes have drive by wire systems where the plane pretty much flies itself. But when certain instruments like the Pitot tube don't work then the control is handed over to pilots and they operate in alternate law, where they are responsible for the actions.

If instruments cannot measure key environmental indicators such as velocity, temperature etc - no amount of automation will save the plane.

Instrument meteorological conditions (IMC) / Instrument Flight Rating (IFR) flights are when the plane is flying through darkness, or through conditions that do not allow for a judgement of the visual elements and therefore pilots can easily make incorrect judgement calls on the position of the plane, leading to a crash.

The pitot tube is a primitive piece of equipment to measure wind velocity and can easily be jammed by ice, insects etc. I think it was the Pitot tube malfunction in this plane that caused the incident.


What's being called into question here is the alpha vane (which measures the angle of attack) and AoA disagree warning -- of which the 737 has two and none respectively. This means that there's no quorum (need 3+ vanes for that) and no way for the pilots to know if there's a problem with the AoA data being fed into the computers.

I believe the issue is that this hidden system (MCAS) relies on AoA data which can, per the above, not be validated by the pilots or the computers. Thus the fear is that the plane will go full nose down for no obvious reason. Granted the emergency AD indicates some secondary indicators that your AoA vanes have gone wonky.

Per the AA email:

> The MCAS function becomes active when the airplane Angle of Attack exceeds a threshold based on airspeed and altitude. Stabilizer incremental commands are limited to 2.5 degrees and are provided at a rate of 0.27 degrees per second. The magnitude of the stabilizer input is lower at high Mach number and greater at low Mach numbers. The function is reset once angle of attack falls below the Angle of Attack threshold or if manual stabilizer commands are provided by the flight crew. If the original elevated AOA condition persists, the MCAS function commands another incremental stabilizer nose down command according to current aircraft Mach number at actuation.

IOW hey the plane might try to kill you and while you're busy trying not to die at 5,000 ft please disable the electronic aids and grab the trim wheels by hand. Noting, of course, that it takes the computer ~30 seconds to move the stabilizer from one end of its travel to the other. It'll take a person longer if you're cranking it by hand. This is, of course, all after the pilots have realized what the problem actually is. All of this at five thousand feet where you might not have 30 seconds to respond. I'd suggest that if this scenario is at all close to what transpired those pilots didn't have a chance.


> no way for the pilots to know if there's a problem with the AoA data

Just to clarify, with two AoA sensors, you can know that there is a problem (if they disagree), but you don't know which one is erroneous.

What I find surprising about this crash is that even if there's an indication of unreliable readings, the automation proceeds to actively do stuff - I thought Boeing philosophy was to hand everything to the pilots in such a case.

> I'd suggest that if this scenario is at all close to what transpired those pilots didn't have a chance.

Yeah, absolutely devastating. In the time they had, how were they supposed to diagnose that error condition (automatic down trim), given that a) it sneakily recurs every now and then, and b) it was not prepared/trained for?


> Just to clarify, with two AoA sensors, you can know that there is a problem (if they disagree), but you don't know which one is erroneous.

The AoA disagree alert is an optional feature on the 737[1]. My understanding is that the AoA display is optional as well[2] but does not break down the info per vane. I don't know if the gauge and alert are bundled together or available separately. So maybe you can know, maybe not.

1: https://ad.easa.europa.eu/blob/2018-23-51_Emergency.pdf/EAD_...

2: https://cimg2.ibsrv.net/gimg/pprune.org-vbulletin/432x481/e7...


That a feature that notifies you that two flight critical sensors are disagreeing is optional is mind blowing to me. It’s like discovering that brakes are optional on the new Mercedes C Class.


Interesting. What I meant to say is that even if the pilots had no way of knowing, the computer should notice and drop into a failure mode (that does not involve trimming down again and again, until the pilot sticks an umbrella in the trim wheel).


I'd be surprised if this was the case. Typically redundancy like this is handled by having A and B systems on commercial aircraft. In the case of flight instruments this is usually divided by pilot and co-pilot systems. They have a separate AHRS (Attitude and Heading system) and their flight instruments show data from each system independently.

If you watch a cockpit video of an airliner taking off you will usually hear the co-pilot announce "80 knots" and the pilot reply "cross-checked". What they are doing is checking that their air-sensor data agrees (within a reasonable margin) for the most critical information at that stage of flight (since takeoff speed is very important with the modern wing shape on an airliner).

Similarly they have A and B autopilot systems which are driven independently by two AHRS units (except in special cases like during auto-land where both systems are operational).

Which is all to say that I think they likely have two separate AoA sensors. Although, perhaps being an optional element the failure of one doesn't automatically trigger an AHRS disagree message.


> Which is all to say that I think they likely have two separate AoA sensors.

Correct, the 737 NG has two separate alpha vanes[1] and I believe the MAX does as well. However the "alpha vanes disagree" alert is a paid option per the emergency AD. Likewise the AoA indicator is a paid option. There is redundancy, but the plane may be configured such that the pilot cannot determine if there is a failure.

Failure of one or both alpha vanes on an NG isn't a good thing, but failure of an alpha vane on a MAX could cause MCAS to essentially try to kill you and without that AoA disagree alert you may not know why because you've never been informed about this system, and at low altitude you likely wouldn't have time to figure out what's going on.

Edit: if that all sounds fucking insane, it is. That's why American and Southwest pilot unions are livid[2].

1: https://www.faa.gov/air_traffic/separation_standards/ase/201...

2: https://www.seattletimes.com/business/boeing-aerospace/u-s-p...


Okay, so Boeing added an electronic safety feature (with a deadly failure mode) necessitated by physical changes and regulation. They didn't mention it for marketing reasons. They made an indicator of the deadly failure mode of the feature a paid option. Got it.


Reading a little between the lines this is probably related to the pitch - power coupling present on all modern airliners. This is due to the thrust line being below the centre of lift meaning that increasing power causes a pitch up moment.

In the 737 Max this probably got exacerbated to the point that it was possible to fly the plane into a stall by sharply increasing power in a high AoA situation (typically in a go-around). This was probably different enough to the 737NG that they felt it necessary to add the MCAS system to prevent having to do, what they considered, excessive differences training in that phase of flight.


Could well be; I read somewhere that it was related to the ever bigger engines (for more efficient (higher) bypass ratio), which presumably have a lower centre of thrust.


They lengthened the nose gear 20cm to fit the new engines with the same ground clearance. Must have dropped the thrust centre line nearly half of that.


Well the Seattle Times quoted an ex-Boeing employee thusly:

> A former Boeing executive, speaking on condition of anonymity because discussion of accident investigations is supposed to be closely held, said that Boeing engineers didn’t introduce the change to the flight-control system arbitrarily.

> He said it was done primarily because the much bigger engines on the MAX changed the aerodynamics of the jet and shifted the conditions under which a stall could happen. That required further stall protection be implemented to certify the jet as safe.


It is too bloody bad these people aren't being charged. They should go to jail, preferably in Indonesia.


> That's why American and Southwest pilot unions are livid[2]

Wow, the information in that Seattle Times article is really damning! Differences training from the 737 NG to the MAX consisted of a one hour iPad session (plus crosswind training because the permissible roll is reduced due to vertical wing tips). Livid indeed.


That’s actually incredibly common in the airline world. The issue isn’t so much the delivery method but more that information was withheld entirely. A brief description of this system allowing enough operational knowledge to be safe would only add a few minutes to the same iPad training.


I can't believe that the AoA disagree warning is a PAID option. And I've worked in aerospace.


There's actually some precedent for this happening: AA flight 191, a DC-10 that crashed in 1979, wasn't equipped with two stick shakers (a stall warning device) - a paid option at the time.

The series of events that caused the accident are a long story, but power was knocked out to the pilot's controls (where the one stick shaker was installed), but not the copilot's controls (which didn't have a stick shaker due to the selected options). TBH, it's doubtful that the pilots could have recovered in that specific situation, but the chances of success dropped to basically zero when they didn't have a device capable of communicating what was happening to them in time.

Of course, this is obviously different than having no warning system for the type of failure whatsoever (as appears to be the case on the MAX), but it was still a little surprising for me.


Good info thanks. But yeah, with a stick shaker there are many other ways for the pilots to get the same info, so I can sort of understand that as being optional for the copilot. Obviously not ideal, but at the end of the day engineering is nothing but compromise management :)


A minor correction as it pertains to US readers:

> Instrument meteorological conditions (IMC) / Instrument Flight Rating (IFR) flights are when the plane is flying through darkness

In the US flight in darkness is not flight in IMC. Neither does darkness impose instrument flight rules. Recall that IMC is governed by ceiling, proximity to visible moisture, and visibility: Fail one of those criteria and you're in IMC, governed by IFR.

A pilot lacking an instrument rating may fly in pitch black, no moon, (high) overcast over an ocean and still be VFR compliant. Whether it's wise or not is a different issue...



