Monday, October 28, 2019

Flawed Assumptions Pave a Path to Disaster

When MCAS (Maneuvering Characteristics Augmentation System) was implicated after Lion Air JT610 plunged into the sea, tragically taking 189 lives, the spotlights converged on the malfunction of a single Angle of Attack (AoA) vane. My first thoughts were that Boeing had somehow overlooked this scenario or viewed it as inconsequential, based on blind faith that no matter what, the pilot would remain vigilant, taking correct and timely action as the safety backstop. I could not wrap my head around how repeated applications of MCAS did not create unlimited authority in malfunction, which would create a HAZARDOUS hazard.

Boeing had declared MCAS malfunction a MAJOR hazard.

JT610 Final Report
Why wasn't an MCAS malfunction treated as HAZARDOUS, which would have mandated a dual-channel, fail-safe design?

The answer lies in a number of buckets, which overflow beyond just MCAS:
  • a desire to justify design rather than direct safety
  • over-use of a convenient test condition restriction
  • blind reliance on unproven pilot response
  • misunderstanding the ramifications from removing an under-appreciated safety interlock
  • ignoring escalation from the combination of persistent hazards
  • incorrectly applying a convenient probabilistic factor to dodge the obvious conclusion
  • overlooking the ramifications from extending Speed Trim to provide Stall Identification

Friday, September 27, 2019

AEEC Ku/Ka Satcom Subcommittee - Sep 2019 Meeting Report

The SAE-ITC AEEC Ku/Ka Satcom Subcommittee met at the Boeing Integrated Aircraft Systems Lab (IASL) for three days of deliberations revolving around aeronautical satellite communications.

Topics discussed included:
  • Smaller form-factor antenna
  • Thermal management of solid-state antennas
  • Replaceable/Multiple Modems
  • Standard Ka/Ku-band Antenna
  • Enhanced Terminal Security
  • Enhanced Network Security
  • IF/RF over Fiber (modem to antenna)
  • Baseband over Fiber (modem to antenna)
  • Additional radios under the radome

Tuesday, September 24, 2019

737 AoA and Redundancy

The undetected failure of one Angle of Attack (AoA) sensor can spawn a host of flight deck effects on the Boeing 737. AoA malfunction is the root stimulus that triggered the events that unfolded on Lion Air JT610 and Ethiopian ET302. The challenge is to decrease the likelihood of undetected malfunction while retaining acceptable loss of function. The simplest and most effective strategy is to boost the ability to recognize a failed AoA sensor without reference to any other AoA sensor. The most complex solution would be to install or to derive additional AoA readings, which can still result in malfunction.

Monday, September 2, 2019

Postcards from Destination Moon: The Apollo 11 Mission

The Museum of Flight hosting of the Smithsonian Apollo 11 Exhibition, along with many notable additions, is drawing to a close. With the fifty-year anniversary to celebrate, I visited the show along with my wife and youngest son. My wife and I were both eleven when Apollo 11 flew its historic mission. I was living in Fort Lauderdale, looking longingly (and without reward) to the north whenever a rocket was launched. The mission was certainly an inspiration to me then, but frankly, I am more and more impressed as time goes by. The dedication and willingness to take great risks, the methodical engineering coupled with pushing scientific breakthroughs as required, the clean sheet approach to the unknown number of challenges; truly a great example of what a society can accomplish if it chooses to. And we chose to!

Wednesday, August 21, 2019

Connecting the Dots: From Command to Action

The 737 stabilizer trim system evolved from its 707 roots with the introduction of the NG, when separate Main and Autopilot Actuators were combined into a single stabilizer actuator, retaining two electrical interfaces. The basic tenets were:
  1. Manual trim (by trim wheel) has highest priority
  2. Electric trim has second priority
  3. Autopilot trim has lowest priority
  4. Significant column aft movement shall inhibit airplane nose down trim commands
  5. Significant column fwd movement shall inhibit electric airplane nose up trim commands
  6. Two cutout switches are used together to remove both Electric and Autopilot trim commands
  7. Stabilizer travel shall be limited to the same point during airplane nose up motion
  8. Stabilizer travel shall be limited to an intermediate point while flaps up, using electric trim
    1. to limit the nose down runaway mistrim
  9. Stabilizer travel shall be limited using autopilot airplane trim nose down to the flaps down limit
    1. autopilot "in command" stab trim objective is to maximize elevator authority
      1. Stab Trim fail indicator provided if trim ineffective
    2. NG FCC speed trim schedule was extended to stall speeds, to facilitate stall recovery
      1. Speed Trim fail indicator if command does not match monitor command
  10. Fast Electric trim speed is selected when flaps-not-up
  11. FCC fast trim speed is commanded by FCC based on flaps down
The 737 MAX revised the pitch trim system to accommodate MCAS. MCAS intruded upon the long-held stabilizer control logic because it was designed to command nose down stab trim even while the column is significantly pulled back (aft column cutout). The MCAS design includes an override feature to allow FCC airplane nose down stab trim to continue in the presence of opposing column movement (tenet 4, above). MCAS also tripled the trim rate, increasing the mistrim in any runaway scenario.

Monday, July 29, 2019

Movable Stabilizer

Swept-wing airplanes inevitably suffer from pitch-up near stall, due to the tendency for their wing tips to stall before the wing root. This same effect is compounded by compressibility effects when nearing stall at high altitude (which brings high Mach number into play).

The fuselage itself can contribute to pitch-up at high angles of attack. An example of that can be related to the 737MAX engine nacelles (or pods).

Gen. Chuck Yeager credited the trimmable stabilizer as the key technology for dealing with Mach Tuck, or shifting the lift aft with supersonic speeds causing a pitch down. While Mach Tuck is managed separately, the principal objective with a trimmable stabilizer is to minimize drag along with maximizing elevator authority for whatever flight condition or center of gravity.

The following discussion is based largely on the writing of D. P. Davies, Handling the Big Jets, third edition. I have copied in some of his figures in the discussion. Anyone interested in these matters is highly encouraged to obtain and read his book; it is amazing.

Various regulatory factors are listed at the end.

Saturday, May 18, 2019

737 Pitch Trim Incidents

Pitch trim is an abstract term to represent the ability to reduce column forces by moving the stabilizer and elevator. This post will dwell on reported stabilizer trim difficulties.

All airplanes provide at least two means to trim the stabilizer, mostly using two separate actuator motors. Starting with the NG, the Boeing 737 relies on only one electric trim actuator, with manual wheel trim as the backup. There is no documented 737 accident as a result of stabilizer/pitch trim malfunction or failure (prior to JT610 and ET302).

With sparse reporting to draw from, it can be surmised that a stabilizer runaway or failure occurs about once a month, with a jam about once a year (world-wide). Just plugging this into a spreadsheet yields the failure rate for runaway, loss of function and jam. I am just assuming about 5,000 737s during the time frame for the failures accounted for, and looking ahead with a larger fleet size.

Ethiopian ET302 encountered high opposing forces due to the mistrim; it has been assumed that the ET302 actuator was not jammed, and there has been no concern raised that the ET302 clutch would have oppressively opposed trimming manually, on top of the aero loads.

Thursday, May 16, 2019

The Beat Goes On

On Wed, May 15, the House Transportation and Infrastructure Committee, Aviation Subcommittee convened a Hearing with the NTSB and FAA regarding 737 MAX airworthiness. Information was provided that was new, still confusing, important, repeated, wrong, left out, and offensive.

Sunday, April 7, 2019

What happened on ET302?

The preliminary report for ET302 reveals many details, but not enough to know each and every aspect exactly. The following is a look at what can be learned.

Tuesday, April 2, 2019

Trim Cutout with Severe Out-of-Trim Stabilizer can be difficult to recover

The Wall Street Journal reports that the crew on ET302 used the stabilizer trim cutout switches in response to MCAS commands, but appeared to be unable to raise the nose. They then released the cutout switches to use electric trim, but encountered MCAS commands again without recovering.

One possible explanation is that the loads on the jackscrew due to the severe stabilizer nose down out-of-trim situation were too great for the pilot to overcome using the trim wheel with folding handle. The pilots restored electric trim as a means to trim.

Boeing published a technique in the past that discussed this issue and the need to release the column briefly in a series of "roller coaster" or "yo yo" maneuvers, by cranking in stabilizer trim alternately with large column commands.

This is in a 737NG Flight Crew Ops Manual

This is in the 737NG training manual:
Manual Stabilizer Trim
If manual stabilizer trim is necessary, ensure both stabilizer trim cutout switches are in CUTOUT prior to extending the manual trim wheel handles.
Excessive airloads on the stabilizer may require effort by both pilots to correct the mis-trim. In extreme cases it may be necessary to aerodynamically relieve the airloads to allow manual trimming. Accelerate or decelerate towards the in-trim speed while attempting to trim manually.
Anticipate the trim changes required for the approach. Configure the airplane early in the approach. When reaching the landing configuration, maintain as constant a trim setting as possible. If a go-around is required, anticipate the trim changes as airspeed increases.
This is in a 737 QRH (Ref 9.15)
This is from the Airworthiness Directive. It seems quite pertinent to emphasize using the electric trim to get the stabilizer near to an in-trim condition before hitting the cutout switch.
REVISED 11:40pm 3 Apr - Added discussion at end regarding cutout switch change
REVISED 7:43pm 4 April - Adjusted the Stab Nose Down trim representation to be zero lift
REVISED 9:20am 5 Apr - Added Stab Nose Down trim at Autopilot travel limit

Thursday, March 28, 2019

AoA Vane must have Failed, the Boeing Fix is In, Senate Grills FAA

New information confirms that the MAX is similar to the NG, in that the AoA analog interface is connected to two different computers: the Stall Management Yaw Damper (SMYD) and the Air Data Inertial Reference Unit (ADIRU), which supplies the Flight Control Computer (FCC). The SMYD uses AoA for Stall Warning, which is evidenced by activation of the Stick Shaker. The FCC hosts MCAS, and if AoA from the ADIRU is too high it can trigger MCAS. The significance is that both the SMYD and the FCC responded to the large AoA bias on JT043/JT610, and therefore the AoA sensor must have been producing that erroneous output. The AoA sensor is what failed.

Boeing has confirmed that AoA disagree Alert will become basic, that AoA disagree will inhibit MCAS from triggering, and that MCAS cannot issue more than one trim command without AoA recovery. 

The Senate grilled FAA acting Administrator Dan Elwell over excessive delegations and allowing Boeing to sell "safety critical items". Elwell stumbled on some key points, notably describing the 737 MAX as Fly-By-Wire and that the aft column cutout switch can stop MCAS trim commands.

Both Boeing and the FAA continue to insist that MCAS "runaway" is easy to detect and simple to respond to, but neither of these claims aligns with observations.

Wednesday, March 27, 2019

How Did MCAS Get Here and What Hurdles Remain?

The Seattle Times reported that the development of MCAS was limited to features that would not jeopardize differences training, including any new warning light.
"A single point of failure is an absolute no-no," said one former Boeing engineer who worked on the MAX.
"Rick Ludtke, a former Boeing engineer who worked on designing the interfaces on the MAX’s flight deck, said managers mandated that any differences from the previous 737 had to be small enough that they wouldn’t trigger the need for pilots to undergo new simulator training."
"He said that if the group had built the MCAS in a way that would depend on two sensors, and would shut the system off if one fails, he thinks the company would have needed to install an alert in the cockpit to make the pilots aware that the safety system was off. And if that happens, Ludtke said, the pilots would potentially need training on the new alert and the underlying system. That could mean simulator time, which was off the table."
"Matt Menza, a former Boeing pilot who worked on the MAX, said that during flight testing of planes ready for delivery, he wasn’t aware of any events that indicated a problem with the stall warning or the MCAS system. But he said an ideal system would have been built on two angle-of-attack probes, so that a single bad value wouldn’t cause problems. Menza and two other pilots who have worked on the MAX said they were unaware that the system used only one AOA probe."
REVISED 27 March 10am - ADDED AC120-53B FSB discussion

Sunday, March 24, 2019

Taking the Next Steps while Awaiting on the Preliminary Report from ET302

Little new information has been released offering any specific detail on the events regarding ET302, except vague statements of similarities to JT610. It has been reported that a flight observer on JT043 identified the stabilizer cutout as a corrective measure. Further, it has been reported that the crew on JT610 were calm and methodical in trying to identify the source of their difficulty, and that control was lost shortly after the First Officer took over. This last point confirmed my thoughts from examining the flight data back in November, where it looked like the column forces had been transferred just prior to the final MCAS trim commands.

Tuesday, March 19, 2019

Ethiopian ET302 similarities to Lion Air JT610

Reports from Ethiopian investigators have implicated the same Angle of Attack (AoA) sensor malfunction that was observed on Lion Air. The Lion Air captain's AoA sensor read about 22 degrees higher than the First Officer's AoA sensor (a large bias error). Initial assessment of Lion Air AoA failure modes did not reveal any obvious electrical malfunction that could create the bias. The simplest explanation was that the AoA vane had been bent, causing a gross aerodynamic offset in the readings. If ET302 encountered the exact same offset, then, since it is not conceivable that a vane would be bent in exactly the same way, some other factor must be in play. For example, the ARINC 429 representation of AoA uses two's complement fractional binary notation (BNR). It is interesting to note that bit 26 represents 22.5 degrees, which would be the bit "flipping" between the Captain and F/O AoA values (all other bits would match). Is it possible that the ARINC 429 word is getting corrupted (software defect)? If the ET302 offset was something like 20 or 24, this theory falls apart.

With this in mind, what are the issues left to restore 737 MAX airworthiness?
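
The ARINC 429 bit-26 observation above can be worked through in code; this is an added example, not from the original post. It assumes the ±180 degree BNR scaling implied by "bit 26 represents 22.5 degrees", a full 18-bit data field, and a placeholder label value, and it also shows that the odd parity bit catches a flip on the wire but not one made before the word is assembled.

```python
"""ARINC 429 BNR angle word: effect of one flipped data bit (added example)."""

FULL_SCALE_DEG = 180.0                # assumption: bit 28 = 90 deg, bit 26 = 22.5 deg
DATA_LSB, SIGN_BIT = 11, 29           # bits 11-28 magnitude, bit 29 sign
FIELD_BITS = SIGN_BIT - DATA_LSB + 1  # 19-bit two's complement field
LABEL = 0o221                         # placeholder label field, not from the page
SSM_NORMAL = 0b11                     # BNR sign/status matrix: normal operation


def bit_weight_deg(bit):
    """Degrees represented by data bit `bit` (11..28, bits numbered from 1)."""
    return FULL_SCALE_DEG / (1 << (SIGN_BIT - bit))


def with_parity(word):
    """Set bit 32 so the 32-bit word carries an odd number of ones."""
    word &= 0x7FFFFFFF
    return word | (1 << 31) if bin(word).count("1") % 2 == 0 else word


def parity_ok(word):
    """Receiver-side check: odd parity over all 32 bits."""
    return bin(word & 0xFFFFFFFF).count("1") % 2 == 1


def encode_aoa(deg):
    """Build a word: label in bits 1-8, angle in bits 11-29, SSM in bits 30-31."""
    raw = round(deg / bit_weight_deg(DATA_LSB)) & ((1 << FIELD_BITS) - 1)
    return with_parity(LABEL | (raw << (DATA_LSB - 1)) | (SSM_NORMAL << 29))


def decode_aoa(word):
    """Recover the angle in degrees, sign-extending the two's complement field."""
    raw = (word >> (DATA_LSB - 1)) & ((1 << FIELD_BITS) - 1)
    if raw & (1 << (FIELD_BITS - 1)):
        raw -= 1 << FIELD_BITS
    return raw * bit_weight_deg(DATA_LSB)


def flip_bit(word, bit):
    """Invert one bit of the word (bits numbered from 1)."""
    return word ^ (1 << (bit - 1))


if __name__ == "__main__":
    good = encode_aoa(5.0)                 # constructed sample value
    on_wire = flip_bit(good, 26)           # corrupted after parity was set
    upstream = with_parity(on_wire)        # corrupted before the word was built
    for name, w in (("good", good), ("wire flip", on_wire), ("upstream flip", upstream)):
        print(f"{name:14s} {w:#010x} aoa={decode_aoa(w):8.3f} parity_ok={parity_ok(w)}")
```

A receiver that only checks parity accepts the upstream-corrupted word as valid, which is why a cross-channel comparison is needed to catch that case.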

Friday, March 15, 2019

What have we learned this week?

The crash of Ethiopian ET302 brought a tragic beginning to what must be one of the worst weeks in aviation, ending with the grounding of the Boeing 737 MAX. What do Lion Air JT043 and JT610 teach us? Did we, as an industry, do everything we should after JT610? Accusations of impropriety leveled at Boeing and the FAA seemingly are always at the ready. Adding to the week was an update on Atlas 5Y3591 which at first seemed to be one thing, but with a slight wording change thankfully seems to be another altogether.

Thursday, March 14, 2019

Comparing Ethiopian ET302 to Lion Air JT043, JT610

Did Ethiopian ET302 succumb to the same situation as Lion Air JT610? The FDR and CVR data is being processed as I write this, with a public release in some form expected by Monday March 18. Aviation authorities have grounded the Boeing 737 Max before receiving a report from this recorder data. The only information to the public is from commercial ADS-B data brokers, notably, whose recording is incomplete. Aireon has shared space-based ADS-B data with several parties, but not to the public. Canada and the US make reference to the Aireon data as a factor in their assessment, with the claim that there were sufficient similarities to be concerned.

Tuesday, March 12, 2019

Atlas Air 5Y3591 Dove because of Nose-Down Elevator Command

The NTSB has revealed that Atlas Air 767 Freighter flight 5Y3591 dove based on nose-down elevator command. The nose was pushed over 49 degrees nose down. The engines were brought up to full thrust. There was no stall warning preceding these actions. The dive reached 430 knots before impacting. Pitch attitude rose from -49 deg. to -20 deg. in the dive.

Saturday, March 9, 2019

Exploring Rain Fade in an Extreme Rain Fall Zone

Rain Fade is a factor with Ku-band and Ka-band satellite communications.  Rainfall rate is measured in mm/hour. The occurrence of significant Rain Fade events is scaled by the rainfall rate and its duration. Generally these events are transient as the rain cloud moves through. The path of interest is only the line from the satcom terminal to the servicing satellite. Only while the rain cloud is in the way do problems occur.

Panama is in a very severe rainfall rate region, which will create frequent issues with Ka-band service operating below about 15,000 feet. Ku should operate through these scenarios with less disruption. It is prominent in the region along with the Brazilian rain forests and significant as a hub airport.

Friday, March 8, 2019

5Y3591 Stabilizer Trim Actuator appears to be Nose Down

When KHOU took a video tour of the collected wreckage, they included a frame of the stabilizer trim actuator (the jackscrew).

Thursday, March 7, 2019

Limiting RF exposure to Humans in Close Proximity to Satellite Transmitters

Satellite radios produce powerful Radio Frequency (RF) emissions. A method is provided for limiting the RF exposure to humans that are in close proximity to satellite transmitter antennas by establishing radial keep-out zones.

Wednesday, February 27, 2019

More Questions Raised for Atlas 5Y3591 Loss of Control

Atlas 767 flight 5Y3591 was descending for 3,000 feet when it appears to have briefly leveled off at 6,200 feet, before nosing over and plunging to the ground.

Sunday, February 24, 2019

NTSB Brief Atlas 5Y3591 Sun 4pm CST

NTSB chairman Sumwalt has seen video of the last five seconds to the impact of Atlas 5Y3591 and confirms it was in a steep, wings-level dive and made no visible attempt to pull up. The debris field is approximately 200 yards long by 100 yards wide in a NW orientation, consistent with the aircraft's steep trajectory and high speed. The steep descent began with light to heavy rain in the area, from about 6,000 feet at 240 knots airspeed. There was no communication from the flight crew after their routine approach. They were descending from 18,000 feet for 3,000 feet when the event occurred.

Saturday, February 23, 2019

Atlas Air 767 Flight 5Y3591 Plunges from 6,000 Feet

Three Atlas Air crew members tragically perished when their 26-year-old Boeing 767 plunged from about 6,000 feet in about 10 seconds. The freighter had departed from Miami and was on approach to Houston (IAH). The crew made no radio call, and there was no warning or indication of difficulty prior to the pitch over.
