Can Boeing trust pilots?

The media uproar created by two fatal accidents in new Boeing 737 MAX airline jets makes me wonder if Boeing, or any transport jet maker, can continue to trust pilots to be a critical part of aircraft systems. Let me explain.

Because the new MAX version of the 737 has heavier engines and other changes, Boeing added a system that under certain conditions of airspeed, CG location and weight, automatically moves the pitch trim to modify stick force. The pilot who is hand flying feels this as though he is pulling on the yoke and would naturally reduce pull force to lower the nose and angle of attack (AOA).

In the non-aviation media, this system is being called everything from new, to radical, to untested. In reality, nearly all airplanes larger than a basic four-seat piston single use some sort of device to alter the forces a pilot feels while maneuvering the airplane.

Boeing 737 MAX
The 737 MAX is based on a design from the 1960s, but the technology is new.

Stick force—the load we pilots feel as we pull or push the airplane nose away from its stable trimmed airspeed—is critical for safety. If an airplane had no force feedback on the stick as the nose dropped, or worse, rose, it would be very difficult to fly. And almost impossible to fly for long periods, or in the clouds. That’s why maneuvering stick force is a strict certification requirement.

In light airplanes, the certification rules require that the stick force be positive. In other words, it must always take a pull force to slow the airplane from its stable airspeed no matter the location of the CG, the airspeed, or the configuration of the airplane.

In transport airplanes like the 737, the rules require a linear stick force gradient. And the rules also specify minimum stick forces in pounds of pull or push to maneuver the airplane away from its trimmed condition. Achieving positive stick force under all conditions is hard, but creating a linear force that builds steadily with each increment of airspeed change is really hard. And that’s what Boeing must do to certify its jets.

In general aviation airplanes, designers frequently put a spring in the elevator control cable system that pulls the elevator down. The spring pull is what we feel as positive stick force in addition to the natural air loads on the elevator. If the natural aerodynamic forces aren’t always positive, the spring delivers the certification requirement.

If you don’t believe me, sit in a Bonanza A36 or Cessna 210, or just about any other high-performance piston airplane, and pull the wheel back while sitting still on the ramp. That force you feel is mostly a spring, not the weight of the elevator, which, by the way, is statically balanced.

Often a spring isn’t enough to create positive stick force under all maneuvering conditions so designers add a bob weight to the pitch control system. The bob weight is a weight mounted somewhere in the pitch control circuit so that any G load acts on the weight pulling the control wheel forward. The higher the G load, the greater the force of the weight.

Most artificial pitch force feel devices are aimed at increasing nose-down stick force because that’s the most difficult to achieve when maneuvering. And pitching up is much more critical than down because the uncontrolled pitch up will eventually lead to a stall.

What the much ballyhooed system in the 737 MAX does is sense an increasing AOA when the pilot is hand flying the airplane. When the AOA reaches a point without enough stall margin, the system adds some nose-down pitch trim. That pitches the nose down and gives the pilot the stick force to know that he is pulling too close to the stall margin.

This concept of adding artificial feel using the pitch trim has been around for years. It has been used to add stick force at high speed cruise where Mach effects can alter stick force as well as at higher AOA where stall margins must be maintained.

What’s critical to the current, mostly uninformed discussion is that the 737 MAX system is not triply redundant. In other words, it can be expected to fail more frequently than one in a billion flights, which is the certification standard for flight critical systems and structures.

What Boeing is doing is using the age-old concept of using the human pilots as a critical element of the system. Before fly-by-wire (FBW) came along, nearly all critical systems in all sizes of airplanes counted on the pilot to be a crucial part of the system operation.

The certification concept for relying on the human involves identification of a failure, and a reaction time. The way it works is that the pilot must be able to recognize the failure, then take three seconds to analyze what is wrong, and then take corrective action before the airplane flies into a critical condition.

If you fly an airplane with an electric pitch trim system, you are flying under this certification concept. A pitch trim system running away can obviously fly the airplane into a dangerous condition, particularly when the autopilot is engaged which masks the trim runaway for some time.

Circuit breakers
The proper reaction to a trim or autopilot problem is the same in a 737 or a 210 – push the button and pull a breaker.

The manufacturer seeking certification of the trim system and the FAA agree on what it will take to allow the pilot to identify a trim failure. It could be the airplane deviating from the desired flight path. Or a trim monitoring system with enough redundancy. Or, in years past, simply seeing the trim wheel moving on its own could have been enough.

Experimental test pilots introduce the trim failure, wait for the agreed identification condition, and then wait three more seconds before taking the prescribed recovery actions. In all airplanes I know of, the recovery is—including the 737 MAX—to shut off the system using buttons on the control wheel then a switch, or sometimes circuit breaker to make a positive disconnect.

Though the pitch system in the MAX is somewhat new, the pilot actions after a failure are exactly the same as would be for a runaway trim in any 737 built since the 1960s. As pilots we really don’t need to know why the trim is running away, but we must know, and practice, how to disable it.

The problem for Boeing, and maybe eventually all airplane designers, is that FBW avoids these issues. FBW removes the pilot as a critical part of the system and relies on multiple computers to handle failures.

Boeing is now faced with the difficult task of explaining to the media why pilots must know how to intervene after a system failure. And also to explain that airplanes have been built and certified this way for many decades. Pilots have been the last line of defense when things go wrong.

What makes that such a tall order is that FBW airplanes – which include all the recent Airbus fleet, and the 777 and 787 from Boeing – don’t rely on the pilots to handle flight control system failures. FBW uses at least a triple redundant computer control system to interpret the inputs of the cockpit controls by pilots into movement of the airplane flight controls, including the trim. If part of the FBW system fails, the computer identifies the faulty elements and flies on without the human pilots needing to know how to disable the failed system.

I know, I know, you’re yelling, “What about the Air France Airbus over the Atlantic?”  It was determined that all three pitot tubes on the airplane froze robbing the FBW system, and the human pilots, of airspeed and other air data at night and in an area of thunderstorms. The pitot tubes were thought to have enough heat to prevent that, but those extreme conditions were outside the certification envelope. And certification theory also thought the engines on the Airbus Sully and Skiles were flying were far enough apart that large birds wouldn’t take out both. Was that one in a billion? Probably.

I have been fortunate enough to fly several FBW airplanes and I find the simplicity and excellent flying qualities, weight savings, and potential efficiency gain, to be an important advance. But, as a pilot, I also want to believe that being part of the redundant requirements for critical systems is still acceptable.

But airline accidents have become so rare I’m not sure what is still acceptable to the flying public. When Boeing says truthfully and accurately that pilots need only do what they have been trained to do for decades when a system fails, is that enough to satisfy the flying public and the media frenzy?

I’m not sure. But I am sure the future belongs to FBW and that saying pilots need more training and better skills is no longer enough. The flying public wants to get home safely no matter who is allowed to be at the controls.


  • That was an excellent run down on the certification process.

    I’ll leave discussion about the pilot/automation interface to more knowledgeable commenters. But I would note that Boeing has been expanding and evolving the 737 for five decades.

    I will wait for the report(s) to see if they give any indication that the Max rendition has shadowed the limits of the basic 737 design.

  • Great insight and I learned a few things here. Please do a follow up when we learn more from the FDR analysis. Thank you Mac.

  • Excellant explanation in general, Mac, and a very concise statement regarding the MCAS (Maneuvering Characteristics Augmentation System): “That pitches the nose down and gives the pilot the stick force to know that he is pulling too close to the stall margin.” Exactly.

    This is precisely what the pilots of AF447 did not have. Having been unceremoniously dumped into alternate law 2B, they had no positive longitudinal static stability, and no stick force or feel to indicate where they were in the envelope. THAT is exactly what Boeing does not want a pilot to experience.

    It’s a good idea but it is hamstrung by a couple of technical limits: there are only two AoA vanes, so the system has to trigger when either one indicates a stall, whether that is a valid condition or not. A third vane would have allowed for a voting algorithm with rejection of a spurious indication. Second, for obvious reasons, the control column cutout switches do not disable MCAS, which is different from a runaway stabilizer. In that case, simply opposing the control column force kills the trim motor. There wouldn’t be much point in having the MCAS if the control column switches could disable it.

    It is also worth noting that the 737, from day one, has never been particularly speed stable. Therefore it comes equipped with a speed trim system, which automatically tweaks the pitch trim to increase static stability; as the nose wanders off toward the horizon, the STS rolls in a bit of trim to remind the airplane what the trimmed speed is supposed to be. This means that the trim wheel is moving constantly in manual flight. That may be part of why the Lion Air crew did not perceive a trim system malfunction.

    Boeing contends that the standard runaway stabilizer trim procedure is valid; this is not entirely true, since the first step in that procedure is to firmly oppose the control column forces, using the column cutout switches to disable the runaway. However, all of us flying the bird know exactly where the master trim cutout switches are, and I guarantee that at the first indication of an MCAS malfunction, those switches will be shut off in a nanosecond.

    • All of you flying the 737 Max in the United States and the rest of the advanced Western world know exactly where the master trim cutout switches are and can shut them off, if not in a nanosecond at least in a couple of seconds. There are reports of U.S. pilots saying they have had to override the MCAS on a 737 Max. They recognized an issue, took care of it, continued the flight, and squawked the event for maintenance, no big deal. The problem lies in selling these very advanced and complex airplanes to third world airlines that may not have the training budgets or the intense safety culture that we take for granted in the West.

      I’ve had the opportunity to fly 777 sims, and was amazed how easy that huge beast is to hand fly, even through engine failures at V1 on takeoff and single-engine circling approaches. But that is with all the computers quietly doing their magic. When stuff goes wrong — and stuff will ALWAYS go wrong — the pilot(s) must be good enough, and well trained enough, to respond appropriately, and not sit there, frozen, wondering, “What’s it doing?” As a passenger, I have absolute confidence that my U.S. or Western European airline crew will meet the test. On a third world airline? Maybe not.

      • Although there is a significant difference between Western World and Third World in this case they have a common factor called Boeing ( to no difference with Airbus ). Cutting cost mantra has brought down training to getting to know buttons, modes and Company SOP, whereas flying skills are “cosmetically “ mentioned and sometimes practiced, never insisting on! B777 Engine failure procedure at cruise level by
        Boeing TM is FMC VNAV page, ENG OUT select, execute and stay in VNAV…where has Aviation postulate: FLY, NAVIGATE, COMMUNICATE, disappeared??? When I teach Pilots that Pitch + Thrust + Situation Awareness is called Flying, most of them are looking at me as an old grumpy fart…
        It is not quite fair to Ethiopian Crew ( I flew for them on 777/787 ) as they were not skillful enough just as they were from Third World. Consider few factors:
        Company in huge expansion
        Pilots not protected by Sindicate ( Third World ) so they fly more then 1000 hours per year, they have only two choices take it or leave it
        Young Captain, just over a year of experience
        Freshly promoted FO
        They have reached not more then 1500 feet AGL, so very little time to react properly considering abbreviated training patronized by Boeing ( Modes, Buttons and SOP )…

        In Serbia we have a saying, the clay pot floats on the stream until it cracks…

        Aviation has urgently to go back to its postulate: FLY, NAVIGATE, COMMUNICATE

        Ivan Makevic B777/787 TRI

  • Steve, I wholeheartedly agree with you about our airlines’ pilots being loaded and locked toward system disconnect at the slightest indication of problems with the stabilizer. They would not hesitate to take action – if still humanly possible. Nevertheless, the question remains: What’s causing the initial problem, and could it quickly lead to an over-stress situation (excessive Gs), which would render the pilots incapable of physically controlling the machine? At this point you have to ask yourself: “Would I be willing to put my family on a MAX and watch them taxi away toward the runway..?” If I knew you were at the controls I would feel more confident – because I know you and your history. But that’s about as far as it goes with me and mine with the MAX right now.

  • As your analysis mentions, the certification concept for relying on the human involves identification of a failure. And that requires that the aircraft give some indication to the pilots that a failure has occurred, preferably with an additional indication of which system failed. It seems to me the common denominator between the Air France 447 crash and the Lion Air crash, and possibly this new crash, is the pilots did not correctly identify the failure. Whether or not they could, or should, have been able to is debatable. But it seems clear that the aircraft did not communicate the failure clearly enough so they could take the correct action. My understanding is one of Boeing’s responses to the Lion Air crash is to make a software change to more clearly indicate when the AOA system is not working. If we want to make the pilots a critical element in these systems, then the pilots need a clear, easily understood signal when there is a failure.

  • Grounding an airplane is easy for regulators. Several significant countries have already done that with the 737 MAX. The hard part is how to unground the airplane.
    Let’s say investigators determine that the suspect automatic pitch trim system failed in both fatal accidents. Then the cause of the accident was the crew failure to correctly handle the failure. The system is not like fly by wire. It doesn’t have the necessary redundancy to be the final authority so pilots must be able to intercede.
    The people now howling about the safety of the airplane won’t be satisfied with a simple pilot error finding. Or the need for more training. They want the airplane to take care of itself even when the pilots fumble. Even though that requires a change in certification theory and practice.
    So to unground the MAX for those countries it will take an entirely new system, one that meets fly by wire standards. And that will be a very big deal.

  • Of course the public is howling. The public references air accidents from their armchairs. Probably from a coach seat.
    All we can do is picture ourselves on the most recent 737Max fatal crash and ask ourself why did this happen again? You are wrong. We would be very satisfied with pilot error if that’s what the NTSB declares. We would be satisfied with a software error too. What is not satisfying? Watching our airline/ aircraft industry fall behind the curve investigating the Lion Air accident, too late to prevent the Indonesia accident. What is causing “the media uproar ” is concerned family and friends of pilots, passengers and employees of airlines that a second similar accident had to occur. The public trusts and admires the aviation industry. We are in awe of the technology, equipment and the safety record airlines and manufacturers have shown the world. So please spare us the ignorant public insinuation and media bashing. Mistakes were made. The industry will learn from them. That’s how we are getting closer to the goal of zero crashes.
    Lastly. The public is very well aware of computers. To suggest we would trust a pilot less than a computer? Nonsense.
    That’s like saying we wouldn’t trust the NTSB, Boeing and the airlines to reach a decision as to the cause of these crashes.
    We always readily accept these findings as law.
    The public understands we are not in a position to second guess the industry.
    That’s why millions of people fly every day.
    Because we trust and admire the industry.
    Accidents happen. We know that. However the trust can be broken. That’s what we are worried about.

  • This is a very interesting article, but it raises a question. Some previous incidents involving Airbus aircraft (I’m thinking of Quantas Flight 71 and 72 in particular) involved uncommanded pitch down events while in autopilot, which were caused by one of the three angle of attack sensors giving faulty data, and the faulty data being allowed to trigger the event. You say that triple redundancy is required for flight critical systems; having three AoA sensors would meet that, but wouldn’t it also be required to have a voting algorithm (as referred to by another poster) that prevented a single sensor fault from triggering an erroneous uncommanded event? It doesn’t appear that the Airbus algorithm has that.

  • Thanks for the detailed explanation. However I disagree with the statement “saying pilots need more training and better skills is no longer enough”. If there’s a new equipment (hardware + software) and gap with previous experience then pilots need to be given enough opportunity to develop genuine intuition on them.

    Also, excuse my understanding but title sounds like putting the blame on the pilots of the crashed aircraft.

  • Funny how transport pilots WANT to be trusted, and wail that they are not “bus drivers” but an integral part of the safety system. I’m good with that (though I fly only little planes), but when they (the pilots) fail, why do we blame the airplane? (Or gun, or Tesla …)

  • Now I understand what’s going on. Why can’t the mainstream media make it this simple? Probably because they profit from inducing hysteria.

    Boeing is absolutely responsible hundreds of deaths for not having trained 737 pilots on this change. And it looks like their engineering is suspect as well. But the technology itself is nothing to be frightened of.

    Is that really too much of a nuanced message for the mainstream press?

    • “But the technology itself is nothing to be frightened of.”

      The core issue is not the technology itself. The core issue is trusting technology which you don’t really know and are not in control of, such as an airplane, which most people, including journalists, only know as a passenger (if they know it at all).

      That’s not just related to aviation. I work in technical customer support (where I help people using computer and network related stuff), development (where I try to develop things people can use, and write user manuals which people hopefully can understand), and up to my PhD I did research on interaction between human and technology.

      From all these perspectives I know one fact: Most people have no idea how complex technology works, and most of them don’t want to know — they just want to use it. And this is okay, because industry tells them that they CAN just use it and that they don’t need to know much about it.

      But the ‘currency’ for being able to “just use” technology is trust:

      – trust in the technology itself
      – trust in the experts who developed it
      – trust in the salesperson who sold it
      – or trust in the experts who “directly” use it (if you are just a passenger, for example, and the direct user is a pilot).

      To a certain degree, trust can serve as a replacement of knowledge. You use something without needing to know what’s going on in the background, or you enter an airplane and let the plane and pilot do their job.

      However, the complex relations of various layers of trust can be easily shattered, because it has a strong emotional component. Then it’s natural to speculate, to share rumours, half-knowledge, etc. It’s actually a communicative means of evaluating if you can continue to trust (“Can I still enter this airplane?”) or if distrust is safer at the moment (“Well, I try to avoid flying with plane during my upcoming vacation”). Just asking some expert if it’s still safe is not enough (partly because you can’t really know if you can trust this expert’s opinion); you need to work it out among your peers. Mainstream media are both place and trace of these processes.

  • What bothered me is that there is little/no redundancy in the AOA sensors. There are only two primary sensors, and Boeing reportedly just decided to use one of them at a time. So at least in the Lion air crash, was a single faulty sensor was effectively flying the plane?

    What might be desirable is an independent AOA system using multiple simpler sensors that could show when a primary sensor was faulty, and act as a backup.

    • You, sir, have hit the nail on the head! I cannot believe the readers seem to be slopping this bullshit up and gleefully swallowing it!

      What needs to happen is to remove all of the “magic” from these airplanes and melt it into ingots for recycling. Hire PILOTS, not computer nerds to watch the airplane fly itself from point A hopefully to destination.

      And remember what Captain Max Power says: STAY OFF THE BUS!

      • Yeah, sure wish we could go back to the “good old days,” back when “real pilots” flew “real airplanes.” The only problem with that is that airline accidents were 4-5 TIMES HIGHER back in the 60s and 70s. Maybe part of the problem is accidents are so rare these days that everyone gets to dissect them.

  • You need to be more specific when you say “is that the 737 MAX system is not triply redundant.” Are you saying the FCS is not triply redundant or, the MCAS system is not, or is the AOA not triply redundant. I would have a hard time believing the first and last are not. Your article doesn’t address the “derived AOA” which would seem to be the real issue here.

    Secondly, your assertion that “If part of the FBW system fails, the computer identifies the faulty elements and flies on without the human pilots needing to know how to disable the failed system.” is totally off track. These are lower level hardware failures where the system is designed to deal with them and provide the pilot with the required indication. The issue with the MAX is a case where the system design must be faulty and/or is not providing any indication of failure. The Boeing flight advisory addressed an AOA failure scenario.

    The issue is not FBW – the issue is a combination of any or all of the following design issues: 1) improper system response to a failure, 2) improper design redundancy, 3) improper indication of system failure to the pilot.

  • “Artificial feel” trim has been present in 737s since ages. MCAS is a new, additional module not for stick feel, but to add envelope protection at low speed and high AOA. It was required due to the aerodynamic instability caused by the larger, more forward engine nacelles.

    • Isn’t this equivalent to saying that MCAS is adjusting the “artificial feel” trim to compensate for the effect of the new engine nacelles? As I understand it, Boeing’s stated purpose for doing this was to make the plane feel like previous 737s, to avoid having to retrain pilots.

  • As I understand it, the aerodynamic instability is worse than just a stick force feel problem. When pulling to high pitch angles, one could freeze the elevator there. However, the lift created now by the far forward engine nacelles will pitch her further up, like a positive feedback loop. She has a built-in auto pitch-up behavior.
    You could call it a “self-stalling” aerodynamics instability. This is exactly the opposite of what an airplane should do: it should have an auto-pitch down tendency in high AOA situations.

  • +I am reminded of an accident back in the early 1960’s where a similar accident happened.
    A Lockheed Lodestar being operated as a corporate executive aircraft and flown by very experienced crew crashed because of a stuck in the down position trim switch.
    As I recall, test pilots in its twin identical aircraft could not override the trim forces.

  • Great write up Mac. The hardest integration is riding the fence (i.e. partially automating a function and partially relying on human intervention). If we look at FADEC as an example of good automation integration, it becomes more clear: modern FADEC always controls the engine the same way, it doesn’t fail back to cable controls requiring the pilot to remain current on separate control regimes and to also recognize and mentally transition to a different control response when failures are occurring and we begin the mental process of troubleshooting and doubting what we’re seeing. The fence is a tough place to be. I look forward to being on the totally on the other side.

  • My jaw literally dropped when I read that the 737 MAX problem was caused by the failure of a single sensor. As a software developer, I can say definitively that is just plain irresponsible. Even if Boeing did not add additional AOA sensors, the AOA input can be sanity checked against other sensors such as airspeed, thrust and deck angle. FBW needs to be 100% foolproof. There is something seriously wrong if code like this can make it into production aircraft.

  • This article seems to be BS to me. The information so far, which seems to be what the article assumes, is that a software problem caused the problem. The required reaction would be for the pilots to have disabled the software in order to stop the trim from running forward. But it appears the pilots were not properly informed of the software system’s operation. So now you ask whether pilots can be trusted? It appears that only the pilots could have saved the planes, if they had known how the software was trying to kill them. Personally I trust the pilots, rather than trusting software that has failed to recognize how to quit doing something that no pilot would ever do.

  • I thought MCAS was “stall PREVENTION” not merely “stall warning”. There are lots of cases with pilots ignoring stall warning horns, stick shakers, etc and holding an airplane in a stall till it hits the ground. As stall PREVENTION, MCAS is not (easily, at least) disconnected or overridden. It takes specific pilot actions over and above what are normally done.

    Mac also ignores another fact – we pilots, especially instrument-trained pilots, are strongly trained to ignore our senses and rely on what the instruments say. Stick force is not the only clue as to whether you should push or pull – in fact it is not even the primary clue. Aircraft attitude, whether determined by looking at the real or artificial horizon, is the PRIMARY clue, followed by airspeed. If the nose is down more than it should be, or the airspeed is higher than it should be, you pull (or push) to the correct attitude/airspeed, then trim away stick force.

    MCAS seems poorly designed – if it is intended to be stall PREVENTION or other envelope protection, it shouldn’t be relying on a single sensor, as the information following the Lion Air crash indicates it is. Beyond that, Boeing seems to have promoted the 737 MAX as “just another 737, no need for a separate type rating” when actually there are apparently significant differences in emergency procedures. FAA had a chance to fix this after Lion Air – an AD requiring additional pilot training on identifying MCAS failures and emergency procedures following MCAS failure. Instead, they apparently just hoped that pilots worldwide would read news reports and figure it out.

  • There’s a couple of things to add here. First, just to be clear: the only thing on the 737 Max that is FBW are the spoilers.

    Second, nothing on the airplane is triply redundant. There are two AoA vanes, two pitot-static systems (a third for the standby instruments), two autopilots, etc.

    When we are discussing probabilities and redundencies, bear in mind the definitions of failures found in AC 25.1309-1A:

    Minor: Failure conditions which would not significantly reduce airplane safety, and which involve crew actions that are well within their capabilities. Minor failure conditions may include, for example, a slight reduction in safety margins or functional capabilities, a slight increase in crew workload, such as routine flight plan changes, or some inconvenience to occupants.

    Major: Failure conditions which would reduce the capability of the airplane or the ability of the crew to cope with adverse operating conditions to the extent that there would be, for example,-¬
    (i) A significant reduction in safety margins or functional capabilities, a significant increase in crew workload or in conditions impairing crew efficiency, or some discomfort to occupants; or
    (ii) In more severe cases, a large reduction in safety margins or functional capabilities, higher workload or physical distress such that the crew could not be relied on to perform its tasks accurately or completely, or adverse effects on occupants.

    A major failure is associated with the word improbable, which is defined thus:
    Improbable failure conditions are those not anticipated to occur during the entire operational life of a single random airplane. However, they may occur occasionally during the entire operational life of all airplanes of one type. Quantitatively, this is expressed as between 1 x 10-5 and 1 x 10-9.

    Catastrophic: Failure conditions which would prevent continued safe flight and landing.

    This is associated with the term extremely improbable, which is defined this way:
    Extremely Improbable failure conditions are those so unlikely that they are not anticipated to occur during the entire operational life of all airplanes of one type. Quantitatively, this is expressed as less than or equal to 1 x 10-9…one in a billion flight hours.

    With respect to positive longitudinal stability and stall protection, ALL 737 NG models (700, 800 and 900 as well as all 3 Max version) use a shift in elevator feel to increase pitch force approaching the stall, as well as inducing the speed trim system to trim aircraft nose down when approaching the stall. This is driven by two stall management and yaw damping computers.

    MCAS is intended to operate only in flaps-retracted manual flight, at high bank angle, with the AoA approaching stall.

    Bear in mind also that the Lion Air airplane had multiple airspeed and altitude comparison anomalies on several flights, including flights before the angle of attack vane was changed. There is a lot more going on here than just a deficient design. All of which leads to the open question: did several failures that might be individually considered minor and/or major manage to line up and create a catastrophic event?

  • Does the yoke on the MAX series have a trim/autopilot disconnect button? From what I’ve read elsewhere,the required drill would have been to overcome the downward trim runaway with an 80 Kg. pull [!!!] on the yoke, and simultaneously disconnect two switches on the central console and then manually roll back the trim manually to eliminate the out of trim condition. No mention of a disconnect button on the yoke, which has been present on every plane I’ve flown with an autopilot. If true it seems to be an impossible task for a single pilot, and a very hard one for two in the midst of the confusion of trying to figure what is happening.
    In my opinion every aircraft needs to be capable of instantly reverting to being a purely mechanical device moving through space under the total control of the pilot. If in visual conditions he/she can maintain orientation by looking out the window, if in instrument conditions by looking at a backup attitude indicator that does not rely on outside sensors, (like the one on my cell phone!) And pilots need to be well versed in hand flying whatever aircraft they command in any and all conditions.

  • My question is: How can a (reportedly) 29 y/o become a Captain? I started driving trucks when I was 24 y/o, and did not know near enough about all the systems on board when I was 29. And that was in a truck, not an airliner.
    Or was there a reporting error?

  • How difficult would the addition of a 3 R system be? The public should be okay with that fix. Boeing might have some ‘splaining to do (in court).

  • A little knowledge is a dangerous thing when commenting on any aviation accident. Please leave it to the experts rather than offering opinions based on 90% opinion and 10% percent facts.

  • Folks, I appreciate Mac’s article and all your learned views. But shouldn’t there be a big yellow button beside the gear handle for turn all this crap off? I suppose they would call it EMR – Emergency Manual Reversion . Push this button to turn this thing back into an airplane! That way the guys up front have a fighting chance against an airplane, not a room full of software engineers.

  • Everyone needs to remember 2001: A Space Odyssey, and your soft talking HAL 9000 computer that ran it all.

    Sophomoric analogy? Yes…to the more arrogant egotistical pilots that have wives with leg time in the air longer than they have air time………..

    These programs are created by geeks and nerds and those that somehow relish the creation of zero’s and one’s in a program that controls an object so far from their capability of control – – of anything – – that I believe there’s some “experimentation” going on that has somehow shown itself as a sign to its creator that “Hey…..I’m here……I work……we crashed………sorry.” They install back door sub-programs. NO ! ! REALLY ! ! DAMN ANGLE….YOU’RE A WHACKED OUT CONSPIRACY THEORIST ! ! !

    Far fetched? Have you really gotten to know a geek/nerd? They are the furthest from a sociable human as a person can get. They are brilliant (depending on their field of work) in what they do……and it’s the end result of their work……not what happens in the completion of it….that they’re interested in. Most geeks/nerds I’ve had to deal with are severe sociopaths…but because they have broken no laws…they are out and about programming your data into programs that “control” aircraft. Gee…sucks to be you 1st seater ! As you’re auguring in at over 500 MPH…”it’s not the crash that kills you>>>complete this statement……….”

  • The Miracle on the Hudson happened because the PIC knew his aircraft and could fly it by looking outside. We all learned that in our C152’s. I believe complacency played a large part in these accidents. Letting the aircraft fly itself as a routine can cause a lot of atrophy in the pilot’s risk management and hand flying skills. In viewing the flight profiles from these accident flights it appeared that they had the altitude and working engines to get stabilized. Knowledge and training could have saved these lives.

  • Thanks Mac for starting this article with great insight.
    There have been comments regarding the mcas system only working with the autopilot off. Or in other words these accidents wouldn’t have happened ( uncommanded pitch down, or commanded pitch down erroneously or not erroneously by the mcas) if the autopilot was flying.
    Well, I read some ASAP reports regarding the 737 max. There was at least one instance where an US carrier airline crew got a elevator pitch down AFTER turning on the autopilot immediately after takeoff The pilot disconnected it and flew out of it.
    So the system is definitely not protecting the aircraft from the pilot.
    Someone also mentioned no AD from the FAA
    There was an emergency AD put out by the FAA on November 7th.
    Spelling out in detail procedures to change in the AFM
    Not sure if non us carriers are bound by this AD though.

  • The media goes ape on any aviation fatality because there are so few, including general aviation. Where was the media coverage of the fact that in 2017 there were more than 37,000 deaths in the US attributable to highway-roadway accidents according to NTSB?.
    The back to back occurrences really put the media into hysteria mode, yet they pay no attention to the thousands of deaths each year caused by tobacco in all of its uses.
    Tragedy reports sell newspapers and draw TV viewers, but anything short of a busload killed or injured on a highway is seldom covered unless a celebrity is involved, and then only gets local coverage.
    The almost unbelievable safety record of the airlines in recent years is not worthy of media coverage because there is no money to be made in that area. Guess the old adage of “follow the money” applies here.

  • Great article Mac. I always enjoy your writing. I am a 767 Line Check Airman for a major U S airline, which does not fly the Max 8. However, a friend who is a Max 8 Captain for another U S airline told me he never even heard the term “MCAS” until after the Lion Air mishap. Thus, training pilots on ALL aircraft systems is paramount to keeping the pilot a part of the refundancy you mention. During my 30 year airline career, I have seen many training “efficiencies” implemented. Unfortunately, pilots learn much less about systems without an indepth ground school. Maybe I am old school, but I miss those days.

    • Andy,

      I’m with you. Totally agree that occasionally training is lacking and it the MAX case it’s sorely lacking.

      I’m not for automation to the extend that the MAX goes and spent my airline career flying the less automated planes by choice, where the crew had the option of totally controlling the plane without the computer taking it from them. I was glad I passed on being a Bus Driver, and disappointed that Boeing is leaning toward this “let the computer fly the plane without the pilot’s knowledge”.

      Also, not a fan of bandaid fixes to a problem that could have been fixed with better design. And this is not limited to the MAX. There’s tons of planes out there with this issue, and a lot of folks are dead because of it.

      There’s been a TON of “automated” caused accidents.

      What happened to good stick and rudder skills being trained and let the pilot fly the plane. Planes did not get safer because computers took over. They got safer by providing the pilots with better information.

      • I agree with the ” bandaid fixes to a problem that could have been fixed with better design” statement. It appears that Boeing decided it was too expensive to design a new plane for it’s new market. So they added on and added on to the original model until the last add on made it unstable. Oops. Now what do we do. Oh! We will put on a band aid, aka: additional computer code, and hope it doesn’t come off. I guess the FAA thought this made perfectly good sense.

  • I remember reading that we won the US/Soviet space race because our astronauts could fly, if needed, the space capsules & their cosmonauts couldn’t & sat there like passengers during failures. If it boils down to “stick feel”, & there is a “command hierarchy of power assistance”, shouldn’t the pilot be at the top? Also, with the engines so far forward, is the weight & balance chart no longer valid?

    Rusted rusty pilot

  • Nice discussion, but the pilot does not have much time to fool around trying to find two circuit breakers to disconnect the AOA control when he is close to the ground and porpoising.

    • Manarii,


      First, he should be trained for that.

      Second, the switches for a system that can cause such a critical outcome, should be very accessible. And they are.

  • I’m struggling to understand how the author who is a very experienced pilot can have such a basic notion of the trim system – it is much more than stick force!
    It is critical to aerodynamic longitudinal stability and phugoid oscillation behaviour of the aircraft – but the MCAS system on the 737 max tries to provide envelope protection and ‘fly’ against pilot inputs – but it is a bodge of a system, and not certified to ARP4754 DAL A as it should have been.
    MCAS needs to be disabled!

  • Can we have a return to the basics here?

    The 737 was never apparently all that stable in pitch.

    In order to add bigger engines without redesigning the undercarriage, which would have also required structural wing re-design, the engines were moved forward and the fuselage extended to the rear.

    The effect of both of these was to drastically increase the moment of inertia about the centre of lift – wings.

    The AoA vane in almost all airliners is mounted on a disk which like all mechanical devices has both a delay and a fundamental frequency.

    It is the basis for further instability and a control system failure. A larger tail plane might have been a more sensible measure. A fundamental difference between almost all passenger aircraft and say fighter jets, is the former are designed to be or should be designed to be stable.

    There are of course AoA systems which don’t rely on mechanical vanes, which are far simpler.

  • Boeing has in the past always kept the pilot in the loop, and now for something completely different as Monty Python would say.

  • In response to, “Can Boeing Trust Pilots”
    I wonder if pilots can trust Boeing.

    Is it not true that the changes to the artificial feel of the flight control system in the 737 MAX were unknown to those flying the airplane? Is it also not true that such software modifications were never included in the Flight Crew Operations Manual of any of the user airlines? Otherwise the tragedies that befell Lion Air in Indonesia and Ethiopia Airways in Addis Ababa might not have occurred and 346 lives would not have been lost.

    That last point involves the certification process and the FAA. How could the FAA have permitted the 737 MAX and its variants to be certificated without divulging ACTIVE automatic pitch trim at high angles of attack in any phase of flight especially take off when close to the ground? In other words, why would the pitch trim wheels in the cockpit be spinning away during the takeoff phase and then cause the airplane’s nose to pitch downward abruptly? Further, why wasn’t there an emergency procedure or at least an abnormal procedure in the FCOM included to deal with such an exigency?

    1. If in auto flight to disconnect the autopilot

    2. If in manual control oppose the pitch down with column force.
    (This would also disconnect the autopilot if in auto flight.)

    3. If runaway stabilizer trim is suspected:
    Turn off the stab trim cutout switches

    One or more of the above were utilized the day before on the same Ethiopian Airways 737 MAX 8 because the pilot was experiencing similar problems. But he solved his dilemma and continued the flight.

    Just before submitting my comments to AFJ I read no less than three articles in the Wall Street Journal, The South China Morning Post and New York Magazine probing the FAA’s certification of the 737 MAX jetliner and safety approvals. In fact a subpoena was issued to one person involved in the development of the 737 MAX seeking correspondences to be handed over to a grand jury later this month.

    I extracted the following from New York Magazine: “However, the system “failed to account” for how it could “reset itself each time a pilot responded.” On the Lion Air flight, black box data suggests that each time the captain pulled the plane’s nose up, the “MCAS kicked in … to push the nose down again,” causing the plane to crash into the Java Sea 12 minutes after takeoff.”

    Also I have heard very harsh comments from an erstwhile and well-known airline hero about the pilots on Ethiopian Airways Flight 302 that they crashed due to “pilot error”. If there wasn’t any information in the FCOM, no emergency or abnormal procedure that they could rely upon and they had never trained or practiced in the simulator, then who was at fault?

    Another question is: Why should the Maneuvering Characteristics Augmentation System hang its hat on just one sensor? The USAF lost a lot of F-16s and pilots relying on three “voting” Flight Control Computers until they installed a fourth FCC. The MCAS relies on one, single AOA probe.

    And Mac can talk about Air France 447 but the F/O in the right seat wasn’t thinking very clearly. His reaction to seeing an erroneous airspeed increase was to pull back on his side stick. Never mind that engine parameters and altitude were all stable and where they should have been and where they had been for a considerable period. His reaction was to violate his altitude assignment and climb resulting in airspeed decay and eventual stall and loss of control. No consideration for having a midair collision at all.

    The fault with the Airbus design is that nobody knew he was holding his sidestick full aft because nobody could see what he was doing. Not so with the Boeing FBW yoke-in-the-floor design where everyone would be able to see a dope holding the yoke in his lap.

    The bottom line is that any manufacturer must inform its operators of all flight control intricacies and details. Pilots deserve to know and are smart enough to understand a lot more than any of your engineers think we do.

    Joe Crecca
    ATP: 727/757/767/MD-11/EMB-120
    NAMPOW 1966-1973

  • Mac, great article on the 737 MAX accidents. I am just an ordinary single engine pilot (private with instrument) so flying airliners is way above my pay grade. The number one rule is fly the airplane and of course the feedback (i.e. control force) on a single engine aircraft is not going to be “filtered” by anything fancy other than possible trim inputs by hand or from an autopilot.
    So this raises the question: Can a “modern” airliner truly be flown by hand? By that I mean reference to the basic equivalent of the six pack instruments. For example, in the PBS Nova documentary on the Air France Flight 447, an experienced pilot stated that for a jet powered airliner there is a throttle power setting (I believe he stated 80 percent) in which the airplane will maintain stable level flight. You don’t need to know airspeed, and you just use your pitch indication from the artificial horizon or its glass equivalent to get the plane in level flight. In other words set power and fly the plane. I assume that since this was a Nova documentary, that the pilot making this suggestion knew what he was talking about and by adopting this power setting the aircraft could be put in a stable configuration buying time to figure out what was wrong.
    Concerning FBW, it works well in the cases like Miracle on the Hudson where the computer system is not compromised. However, it is a totally different story when you have a situation where an inflight mechanical malfunction (e.g. engine throws a disk) has serious damaged critical systems such as hydraulics and electrical connections. This was the case for Qantas Flight 32, an Airbus 380. For anyone wanting a thorough description of just how FBW can be your friend and enemy, I suggest the book QF32, by Richard Crespigny, the captain who saved the flight. It is an excellent read.
    Basically it all boils down to pilot experience and training. It used to be that many airline pilots flying for US carriers had military flying experience. As these pilots retire, they may be replaced by younger pilots with good eye hand coordination from playing video games but not much if any experience and time flying real hardware in trying conditions and no military flight training.
    Simulators seem to work very well for emergency training, but apparently they can’t cover all the bases. So as airplane safety and reliability improve, it seems that pilot experience and skills are are not keeping pace.

    PS. I attempted to use the NASA ASRS to search for 737 MCAS and 737 MAX and got no hits. I changed the search to “all 737s” AND “loss of aircraft control” and got several hits. Virtually every one was an incident where the 737 encountered wake turbulence from another airliner. No mention of the problems similar to the 737 MAX incidents.

Leave a Reply

Your email address will not be published. Required fields are marked *