 Notice. New forum software under development. It's going to miss a few functions and look a bit ugly for a while, but I'm working on it full time now as the old forum was too unstable. Couple days, all good. If you notice any issues, please contact me. |
Forum Index : Microcontroller and PC projects : 737 MAX AoA and MCAS issue...
Page 1 of 2   |
|||||
| Author | Message | ||||
Grogster Guru  Joined: 31/12/2012 Location: New ZealandPosts: 7148 |
This video is a good doco about the 737 MAX issue with the AoA(Angle-of-Attack) sensor and the MCAS(Maneuvering Characteristics Augmentation System). Rogue Boeing 737 MAX documentary. I post this in this forum, as it is computer-related being avionics. Basically, the problem with the MAX series of aircraft has been traced to faulty AoA's feeding data to the MCAS, which then thinks the aircraft is in a steep nose-up attitude - when it isn't - and so it commands a steep nose-down to compensate - when it doesn't need to. The big issue is that it OVERRIDES the pilots to do that, so the pilots make changes to compensate for this error, bring the aircraft back to wings-level, then the MCAS does the same thing again. And again, and again, and again....until you run out of altitude. Sometimes automation is a wonderful thing, and sometimes - such as in this case - not so much. From an avionics point of view, this is very interesting stuff, and a perfect example of how bad system design within aviation can easily kill lots of people. Here is a tear-down of an AoA sensor, the same kind used on the MAX series of aircraft. He also explains the situation in very hard terms. AoA sensor video. WARNING! This video contains offensive language! Smoke makes things work. When the smoke gets out, it stops! |
||||
TassyJim Guru Joined: 07/08/2011 Location: AustraliaPosts: 3305 |
Thanks for the reminder Grogster, I was just checking my baggage allowance for a 737 flight in 2 weeks time. I will be on the model before the MAX, hopefully one where the pilots look out the window to see which way is up. So far, Norwegian Air are handling the grounding of their MAX planes without stuffing up the schedules but if I disappear, never to be seen again, I will blame you... Jim It all started with the ZX81.... VK7JH http://www.c-com.com.au/MMedit.htm |
||||
Gizmo Admin Group  Joined: 05/06/2004 Location: AustraliaPosts: 4795 |
I often though these aircraft rely to heavily on one or two sensors. As a big fan of the TV show "Air Crash Investigations", and as a result someone who now refuses to fly, I've noticed too many aircraft crash because of one faulty sensor. A aircraft carrying that many people should have multiple redundant sensors, 4 or more for each crucial measurement. Then a average is taken, high and low ignored, average of the center two used. I also think pilots need eyeballs on the interior and exterior of the plane, a camera system to let them look into the passenger cabin, the luggage hold, and on both wings and tail. A CTV system is cheap, and means they are not guessing an engine or something in the hold is on fire, or a wing is damaged or there is a hole in the side of the passenger cabin. Glenn "Treat the earth well, it was not given to you by your parents, it was lent to you by your children" JAQ Software |
||||
| Grogster Guru Joined: 31/12/2012 Location: New ZealandPosts: 7148 |
It really is odd. After decades of air crash investigations, and everything that the industry has learnt from those incidents to make flying safer(and that is a whole HEAP of things that help safety), that something like this could actually be possible.... ONE AoA sensor?!?!!!!  One sensor is not triple-redundant, which I thought was supposed to be the minimum standard for any flight-critical system in modern aircraft. You would perhaps have thought that Boeing would have at least had a simple off switch so that the pilots could disable the MCAS, so at least then they could re-trim the aircraft manually and then it is still flyable and safe enough if MCAS starts to go nuts, but to have MCAS permanently engaged because the computer always knows best..... Amazing. Yes, I would never want to board a MAX series 737 after this. No matter how much software they change, you still only have the one physical AoA, and you would think that the ABSOLUTE minimum would be two, so MCAS can compare one with the other so they agree - plus redundant ones, naturally. But the reason why this WASN'T done, is all in the documentary, and it is extremely sobering stuff. One documentary I have(Air Crash Investigation, flight United 811, S1E1) they are interviewing a lawyer who was on that flight, and he summed it up thus: "You know: one airplane every ten years, one airplane every five years, two-three hundred people - cost of doing business. Cost of doing business."  Smoke makes things work. When the smoke gets out, it stops! |
||||
| isochronic Guru Joined: 21/01/2012 Location: AustraliaPosts: 689 |
Yes its pretty amazing sometimes ! I saw one episode, which was about a very similar situation. It had a side story, whereby a plane was about to land at Mascot, and the autopilot tried to correct for a incorrect sensor reading. The Qantas pilot simply switched off the autopilot and landed the plane as normal - no drama - which is what the pilots are there for, and paid to do, right ?! Seriously the airliners are so safe these days you are more likely to have a problem sitting in a taxi on the way to the airport. ed - of course, you could always revert to, say, a Sopwith Camel !!! Go get em Snoopy !!!  edit2 - I used to live near a fairly small airport...it was eye opening watching Air Crash Investigations many years later, which detailed a cargo jet that almost failed to take off, ripping out a bank of landing lights on the way. Human error had input the wrong take off weight...no one reported that to the locals at the time though !!! Another time an indonesian jumbo mistook it for the international airport in another locale and pulled out of the landing just in time... somehow I think the smallish runway wasn't going to work that well... |
||||
| Paul_L Guru Joined: 03/03/2016 Location: United StatesPosts: 580 |
OK guys, you asked for it! In any aircraft the center of lift moves outward, away from the fuselage, on each half of the wing as the aircraft speeds up. That makes them more stable at higher speed. In a swept wing aircraft when the aircraft speeds up the center of lift moves outward on the wing half, which means that the composite center of lift for both wing halves moves aft along the fuselage. That makes the aircraft pitch nose down as it speeds up. Then, as the fuel in the center tank burns off, the longitudinal center of gravity moves aft along the fuselage which makes the aircraft pitch nose up. Later in the flight fuel is burned from the wing tanks which moves the longitudinal center of gravity forward again making the aircraft pitch nose down. The pitch control of the aircraft must be continually adjusted in small increments during any flight. Primary pitch control is provided by the entire horizontal stabilizer. In a 737 the nose of the stabilizer is pushed up and down about 5 feet by a jackscrew. This jackscrew is moved by muscle power through a loop of aircraft control cables which run to a coffee grinder winch in the cockpit. When the aircraft speeds up and the fuel burns off you have to crank the nose of the stabilizer up and down to keep the aircraft flying level. If you are lazy you can run the coffee grinder winch with a motor from switches on the yoke. Boeing designed an automatic trim system using a three phase synchro angle of attack sensor back in 1954 for the KC135 tanker which had severe pitch problems due to the radical change in the longitudinal center of gravity as up to 180,000 pounds (22,500 gallons) of jet fuel was pumped into a B52 in flight in less than 3 minutes. The output of the angle of attack synchro was subtracted vectorially from the pitch synchro of a vertical gyro and the resultant was used to control the horizontal stabilizer position automatically. This made it possible for the pilots to maintain level flight easily while a B52 was hooked up. Vectorial math is extremely easy with differential synchros. https://www.allaboutcircuits.com/textbook/alternating-current/chpt-13/selsyn-synchro-motors/ The 707 is directly descended from the KC135 with a larger diameter ovalized fuselage cross section. The 727 and 737 used modified 707 fuselage sections. All of them share the same pitch stability variation with airspeed and fuel load and all of them use a direct descendent of the automatic stabilizer trim system introduced in 1954 for the KC135. If it ain't broke don't fix it. Stab trim is always on, even when the aircraft is sitting on the ground. There are two breakers on the overhead breaker panel which can turn it off but they were never pulled in flight in the third of a century while I was in Pan Am Engineering. The latest variant of the 737 MAX 8 has a pitch trim system with a lot more smarts. Boeing now calls it MCAS. It seems that it has too many smarts for its own good. They tried to make it smart enough so that all of the present variants of the 737 all feel the same to pilots which eliminates separate pilot lists for small differences in 737 fuselage lengths. I think they made it too smart!!! In the first video Grogs posted the vintage 1954 stab trim coffee grinder wheels can be seen rotating at about 2:05 as the MCAS computer trims the nose down. It should be possible for the pilots to shut down MCAS for a runaway stabilizer by pulling breakers and then use manual control of the stab trim, but they have to be aware that a runaway can happen and they should practice shutting it down in a static simulator. Remember HAL in 2001 and always keep the power plug for any computer accessible!!!! Paul in NY |
||||
| isochronic Guru Joined: 21/01/2012 Location: AustraliaPosts: 689 |
Why don't civilian planes refuel in-flight ? Is it a safety issue or do the economics not stack up? |
||||
| Gizmo Admin Group Joined: 05/06/2004 Location: AustraliaPosts: 4795 |
Both probably. From what I've seen refueling does come with some risk, for both planes. And getting a full air tanker up to the aircraft needing fuel would not be cheap. I can see a military need for it, but not civilian. Longest trip I went on was 13 hours from Dallas to Tokyo. It was hell, I would rather more, shorter trips. "Treat the earth well, it was not given to you by your parents, it was lent to you by your children" JAQ Software |
||||
CaptainBoing Guru Joined: 07/09/2016 Location: United KingdomPosts: 1199 |
I agree with most of what is posted here... who of us (even) would design/build a critical system that didn't have redundancy? Speaking as someone who recognizes that he walks among giant on this forum and has little knowledge about this... my 2p It is difficult to resolve the element of "permanently enabled". We live in odd times with the phenomenon of rogue pilots that decide to go out with a bang and take everyone with them... Think MH370... <deleted personal theory> There really should be a telemetry pod independent of other systems to which no-one but ground engineers have access. I could do it with a micromite, GPS module and iridium comms module - I am being flippant here but it proves my point that if I can do it in my shed... So with flight systems that intervene... you have to choose your battles and it is a difficult subject, but if you think back to that German co-pilot who flew his plane into a mountain with everyone on-board while the remaining crew battled (and failed) to get through the armoured cockpit door... the pilot outside would have been able to hear the systems on the flight deck warning "terrain... terrain" (flightdeck voice recorder did) - the plane's systems telling the pilot there was ground directly in the flight path... should the systems take over? It is clear the scope exists... full throttle and nose-up alone would likely have saved all those souls and I am being overly simplistic. How much can we design for? if it saves a plane - it'll be a hero but would you trust it? It is not a dis-similar situation MCAS was supposed to resolve. But for god's sake... a single sensor on such systems? multiple redundancy is required with rock-solid arbitration software. |
||||
| Boppa Guru Joined: 08/11/2016 Location: AustraliaPosts: 807 |
There's several threads (some VERY long) about the 737MAX (the only variant this affects- the NG is fine) and the multitude of sins involved with the MAX over at PPrune... MCAS was introduced because the 737MAX uses a new engine design, but it is so big, they didn't fit under the wings anymore... so they mounted them forward and up of the original location Worst the new larger engine cowlings introduce lift at high AOA (angles of attack) which led to some undesirable handling characteristics at these angles, an ever lightening 'feel' to the controls and a possibility of rolling when turning at high AOA This led to the handling characteristics being outside of those allowed by the 737 series certifications... (which are 50 years old!- yup, the 737 has been around THAT long) Add that Boeing would have to pay some really, really big penalties to airlines (in the hundreds of millions of dollars in penalties)if pilots needed 'retraining' to fly them ie sim time etc and they decided to introduce the MCAS... It was always supposed to be an 'invisible ghost in the machine' that made everything better, but probably due to a rushed production schedule at Boeing, a rather toxic safety enviroment where costs had become more important than other factors, they released it with it using only one AOA sensor (there are two fitted but for some reason, possibly programming speed limitations) which was alternated from flight to flight- so the left was used on one flight, the right on the next flight... Add in a hidden change to the controls where the previous models had two control switches, one disabled all electric trim functions, the other disabled all AP(autopilot) inputs, but left the yoke trim switches available to control the electric trimming- the MAX now had BOTH switches in series, and both now disabled ALL electric trim options, leaving only manual hand trimming- and those trim wheels were physically smaller than in previous versions due to the 'glass cockpit' needing more space ie less leverage (these are literally wheels that pull on cables and move the control surfaces entirely by hand, and are over a hundred turns from one stop to the other....) Boeing, needing to comply with its contract 'no extra training needed' obligations, got around this by simply relabelling the switches, and not telling anyone (including the pilots) that their functionality had changed..... Now we get to the FAA- surely they must have checked this??? Well, no.... See, a few years ago, they started allowing Boeing to 'self certify' less critical systems, ie they just took Boeings word for it that it was all OK... So Boeing originally gave MCAS only (from memory) about 6 degrees of command authority in their submission for MAX certification... But during testing they found this was insufficient so extended it- to OVER double the original specs, and didn't bother to tell the FAA... Because it was all done by Boeing engineers (some who did actually complain, and were then shuffled off the MAX project  ) and they could 'self certify', these changes went into production- with pilots only 'training' a 1 hour Ipad 'tutorial' on the changes made....There's a lot more but this post has become a novel as it is, sad to say there were many more issues, but I might leave them to another post if anyone's interested... |
||||
| Grogster Guru Joined: 31/12/2012 Location: New ZealandPosts: 7148 |
Very interesting points. I have the ACI(Air Crash Investigation) episode on this one, and you do make good points. But out of ALL of the pilots in the world, how many are really wanting to fly their planes into the side of a mountain? Most would not. I would speculate that it would be less then 1%. I don't have a problem with automation - so long as it works!  The MCAS system could be GREAT, so long as it can get consistant data from AoA's(more then one!). AirBus has also had issues with its fly-by-wire systems too, so....Smoke makes things work. When the smoke gets out, it stops! |
||||
GoodToGo! Senior Member  Joined: 23/04/2017 Location: AustraliaPosts: 183 |
Grogs, 737's have 2 AOA sensors, one on each side. But for some reason they only let the MCAS software use the data from the Capt's sensor. (??!?!??!?) A320's have 3 AOA's. I'm not trained on the MAX, and it's been many, many years since I worked on a 737 Classic so my knowledge is pretty rusty. For a runaway stab trim, the 727 used to have a mechanical brake to physically stop the hori-stab from moving. (Keep in mind, as Paul said, the 707/727/737 share similar systems architecture) You could operate the electric trim one way, then push/pull the control column the opposite direction and there would be a massive *BANG* as the brake slammed on. From memory they did away with the brake mechanism on the 737 Classic and installed a couple of column cutout switches instead. These switches disabled both the normal electric motor (high speed) as well as the dedicated autopilot motor (low speed) that was mounted to the Hori Stab jackscrew. (Again from memory, I'd have to find my course notes to double-check) Anti-stall mechanisms have been around for a very long time. Indeed a lot of 'T'-tail aircraft had 'stick pushers' to prevent the aircraft going into an unrecoverable 'Deep Stall' (Google it) The stick pusher was a last resort that would literally force the control column full forward in an effort to nose the aircraft over and prevent a stall. Important to note is that the stick pushers worked the elevators, not the hori-stab. This meant that pilots still had full authority with the elevators. If the stick pusher operated erroneously, the pilots could generally override it. I am surprised that Boeing apparently engineered the MCAS software to manipulate the Hori-stab instead of the elevators. If you move a hori-stab too far either way, the elevator authority is significantly reduced, and sometimes to the extent that an aircraft can become uncontrollable in pitch. Modern Airbus products have a function called "Alpha Floor". (Google it) Basically, **in normal mode**, the computers won't let you stall the aircraft. If an AOA vane is in error, the computers decide which one is in error and vote it out. However MCAS is a band-aid solution to a problem that was physically designed into the aircraft 50 years ago:- The 737 was never designed to have such massive engines installed. Due to next-to-no ground clearance, these engines had to be installed a fair way ahead and slightly above the wing. This means when you pour the power on, the aircraft tends to pitch up. Software in modern fly-by-wire aircraft generally take this into account and automatically introduce a slight pitch down command on the elevators to counter any pitch up moment. The 737 is not a pure fly-by-wire aircraft. (Although the spoilers from the 737NG onwards are) It's an archaic design that has been tarted up, re-winged and re-engined to stay competitive in today's market. Of course, it will still make Boeing a lot of money once these MCAS issues have been addressed. It will be a reliable aircraft again, once the teething issues are sorted out. As much as I enjoy Boeing's products, I hated working on the 737 Classic. Nothing was easy to fix on it. They literally took a 727, shrunk it down and then stuffed twice as much as crap into it. Luckily, it hardly broke down, but when it did, oh man it was a headache. I think they should've taken the old horse out in the paddock and shot it. Then started again with a clean sheet of paper. Same goes with the 747. (Although the airlines have forced Boeing to make that decision) Nostalgia aside, it's time to move forward. Sorry for the long winded reply. Cheers, GTG! ...... Don't worry mate, it'll be GoodToGo! |
||||
| Grogster Guru Joined: 31/12/2012 Location: New ZealandPosts: 7148 |
@ Boppa - Wow.........  Smoke makes things work. When the smoke gets out, it stops! |
||||
| Grogster Guru Joined: 31/12/2012 Location: New ZealandPosts: 7148 |
|
||||
| GoodToGo! Senior Member Joined: 23/04/2017 Location: AustraliaPosts: 183 |
That's the million dollar question. I reckon there is a software engineer having *a lot* of trouble sleeping at night...... Cheers, GTG! ...... Don't worry mate, it'll be GoodToGo! |
||||
| Grogster Guru Joined: 31/12/2012 Location: New ZealandPosts: 7148 |
Well, based on the doco link I posted on page one, it would seem that the engineers really had little choice. They probably knew more then the executives did, that this would turn bad, but they were INSTRUCTED to do it. Visions of Alaska 261......something I never thought we would ever see again. For those that don't follow this kind of thing: Alaska flight 261 Smoke makes things work. When the smoke gets out, it stops! |
||||
| Boppa Guru Joined: 08/11/2016 Location: AustraliaPosts: 807 |
I found the differences (I don't have a copy of the 737NG circuit diagram, but this flow chart shows it clearly enough, and the MAX series switches are clearly evident- a major change (the MCAS system was reactivated several minutes after the first alarm indicators went off, but didn't dial in the fatal excess trim on the elevators until a bit later after they were struggling to wind back the trim by hand- I suspect (as do many pilots and such over at PPrune) that they were attempting to get the NG 'configuration' of electric trim yoke buttons to work with autopilot off, instead they got the MCAS back... and boy was HAL P.O.'d at being turned off, so he drove them into the ground....  MAX  NG |
||||
| Boppa Guru Joined: 08/11/2016 Location: AustraliaPosts: 807 |
Another pointer they never stood a chance from here Note that they did 'recover' but started at 10000ft, and got as low as 2000ft However the EA302 flight was only at 9000ft at it's highest- which would put them nearly at sea level... EXCEPT.... HAAB (Bole Airport) is at 7625ft.... they were only just over 1000ft off the ground... So unless they had a drill mounted on the nose, they were 6000ft short of getting it back under control in time.... ETA gif of sim cockpit, too big to load here, but worthy of watching, shows the struggles of the pilot trying to hand wind off the eqvilent of the MCAS trim in a sim... Hand trim... and remember- he has to wind off between 50-100 turns.... |
||||
| Boppa Guru Joined: 08/11/2016 Location: AustraliaPosts: 807 |
You wouldn't like the other solution that 'may' have gotten them out alive then One possible solution brought up was to invert the plane (at less than 1000ft above ground level, with a full load of pax!!!) which would allow them to unload the elevators enough to retrim by hand.... So should you see the ground up and the sky down on your flight- you know you are in a MAX with a AOA failure... Feel better now?  Can't understand why they didn't think of this as a possible solution.. /baffled...  (remember that statistically, you are safer in the air than the drive to the airport though) |
||||
| CaptainBoing Guru Joined: 07/09/2016 Location: United KingdomPosts: 1199 |
after this thread I am not so sure |
||||
| Page 1 of 2 |
|||||
 Print this page |
