Wednesday, August 21, 2019

Connecting the Dots: From Command to Action

The 737 stabilizer trim system evolved from its 707 roots with the introduction of the NG, when separate Main and Autopilot Actuators were combined into a single stabilizer actuator, retaining two electrical interfaces. The basic tenets were:
  1. Manual trim (by trim wheel) has highest priority
  2. Electric trim has second priority
  3. Autopilot trim has lowest priority
  4. Significant column aft movement shall inhibit airplane nose down trim commands
  5. Significant column fwd movement shall inhibit electric airplane nose up trim commands
  6. Two cutout switches are used together to remove both Electric and Autopilot trim commands
  7. Stabilizer travel shall be limited to the same point during airplane nose up motion
  8. Stabilizer travel shall be limited to an intermediate point while flaps up, using electric trim
    1. to limit the nose down runaway mistrim
  9. Stabilizer travel shall be limited using autopilot airplane trim nose down to the flaps down limit
    1. autopilot "in command" stab trim objective is to maximize elevator authority
      1. Stab Trim fail indicator provided if trim ineffective
    2. NG FCC speed trim schedule was extended to stall speeds, to facilitate stall recovery
      1. Speed Trim fail indicator if command does not match monitor command
  10. Fast Electric trim speed is selected when flaps-not-up
  11. FCC fast trim speed is commanded by FCC based on flaps down
The 737 MAX revised the pitch trim system to accommodate MCAS. MCAS intruded upon the long-held stabilizer control logic because it was designed to command nose down stab trim even while the column is significantly pulled back (aft column cutout). MCAS design includes an override feature to allow FCC airplane nose down stab trim to continue in the presence of opposing column movement (tenet 4, above). MCAS also tripled the trim rate, increasing the mistrim in any runaway scenario.

The FCC sends a speed trim warning signal to the flight control module if it finds a failure in the speed trim function. The speed trim warning circuit supplies a warning signal if any of these conditions are not present:
* Air/ground sensors valid
* Stabilizer moves in 10 seconds when commanded
* Engine N1s valid
* Stab trim position sensors valid
* Data from the air data inertial reference unit (ADIRU) valid
* Clutch valid and trim valid signals present.
The air/ground sensors are valid if these conditions are present:
* Engine N1s are more than 18%
* Computed airspeed (CAS) is less than 80 knots
* Angle of attack (AOA) less than 15 degrees
* The squat switch shows the airplane is on the ground.
The speed trim warning circuit also supplies a warning if the FCC commands a trim up and trim down signal at the same time.
Speed Trim Fail Warning Light
If the function fails in only one FCC, the light does not come on. However, if you push either master caution recall switch when there is one failure, the speed trim fail light comes on. If you push the master caution reset switch, the light goes off.
The FCC sends a stab out of trim signal to the stab out of trim warning light if a stabilizer mistrim condition occurs. The stab out of trim warning circuit looks at these conditions and if any occur, the warning may be set:
* Stabilizer does not move in 10 seconds when commanded
* Too much A/P actuator movement for 10 seconds
* Too much elevator command for 10 seconds. 
Too much actuator movement means the difference between the elevator A/P actuator position and the elevator position sensor is greater than 3 degrees. If in single channel operation, the difference between the elevator A/P actuator position and the neutral shift sensor position must be less than 0.5 degrees to reset the warning. 
Too much elevator command occurs when the difference between the elevator A/P actuator position and the neutral shift sensor position plus a bias is more than 5 degrees. The bias is zero unless these conditions are present and then the bias is 3 degrees nose up:
* Flare is armed
* Radio altitude is less than 400 feet
* A/P is engaged
* A/P G/S is engaged. 
These conditions cause the stab out of trim annunciator to come on:
* Warning ready to set
* A/P engaged
* Radio altitude more than 50 feet or G/S not engaged or stab out of trim warning already set.
MCAS was designed to rapidly command airplane nose down (AND) trim to counter a pitch up tendency at high angle of attack (AoA). The FCC MCAS override also switched the trim rate normally used for flaps up to the much faster flaps down rate. The flaps up trim rate was originally designed with runaway criteria in mind (three seconds of uninterrupted movement).

Because of the design changes brought on by MCAS override, and for other reasons that are not apparent to me, Boeing redesigned the cutout switches. The legacy design had one cutout switch for the Main Electric trim and another for Autopilot trim, when each had its own actuator. The interface was retained with the single actuator redesign during the NG development.  The Primary and Backup Cutout switches no longer allow an option to isolate malfunctioning Autopilot trim commands while retaining the use of Main Electric trim. While there has been no procedure to date relating to switching Autopilot off, it would have been a better option compared to falling back on the manual trim wheel.

Augmentation systems should have an off switch. For MCAS, the stabilizer runaway procedure cutout was the off switch, which renders Main Electric trim inoperative. Timely pilot response to MCAS malfunction is necessary by either seizing the trim wheel, opposing trim using Main Electric trim (which has priority), or throwing the stab trim cutout switches. The intentional removal of the aft column cutout results in some pilots taking longer to respond to MCAS malfunction, which worsens the runaway scenario.

I presume that the repeated triggering of MCAS was not anticipated in the failure analysis, rather only one command step was expected in malfunction. A legitimate runaway (continuous movement) would also have been more severe, because of the higher trim rate as already mentioned.

The unanticipated re-trigger of MCAS occurred while in the presence of significant opposing column motion. The repeated MCAS commands ultimately overwhelmed both JT610 and ET302 elevator command authority.

From the bits of information I have available to me, I have explored each of the basic tenets from the list above. The differences from NG to MAX include:
  1. no change
  2. no change
  3. no change
  4. Modified to override aft column cutout while MCAS active
  5. no change
  6. no change in procedure, but the new cutout configuration removed any option to isolate autopilot commands from electric commands; any malfunction relies on reversion to manual wheel trim
  7. no change
  8. no change
  9. MCAS repeated commands did not ensure sufficient elevator authority was available - in fact it overwhelmed the elevator
  10. no change
  11. MCAS switches trim speed to flaps down (faster) rate which results in more trim movement while the pilot reacts to any malfunction
Boeing has proposed the following new MCAS features:
  1. Trigger MCAS only if both AOA-L and AOA-R do not differ by more than a threshold amount.
  2. Enable MCAS after a single command trigger "only after AOA has recovered" (gone below the trigger angle).
  3. Limit MCAS command to preserve sufficient elevator authority.
The first feature addresses the single failure of an AOA sensor, encountered in both Lion Air JT043/JT610 and Ethiopian ET302. In both cases, the differences were well beyond the threshold proposed - the failed AOA sensor would not have triggered MCAS in either case with this logic.

The second and third features address the issue that MCAS overstepped its boundaries when it retriggered, and also when it triggered at high speed. 
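The three proposed features can be read as a gate placed in front of the MCAS command. The sketch below is an added example, not Boeing's logic and not taken from any schematic: the trigger angle, disagree threshold, step size and authority limit are constructed numbers, the legacy behaviour is assumed to be "one command per evaluation cycle while the single selected vane reads high", and the cumulative limit is assumed never to reset.

```python
from dataclasses import dataclass

# Constructed numbers for illustration; none of them come from the page.
TRIGGER_AOA_DEG = 12.0     # AOA above which MCAS wants nose down trim
DISAGREE_LIMIT_DEG = 5.0   # feature 1: largest accepted |AOA-L - AOA-R|
STEP_UNITS = 2.5           # stabilizer movement per MCAS command
AUTHORITY_UNITS = 4.0      # feature 3: total MCAS trim allowed to accumulate


@dataclass
class LegacyGate:
    """Assumed legacy behaviour: one sensor, one command per cycle while it reads high."""
    total_units: float = 0.0

    def evaluate(self, aoa_left: float, aoa_right: float) -> float:
        if aoa_left <= TRIGGER_AOA_DEG:   # AOA-R is never consulted
            return 0.0
        self.total_units += STEP_UNITS
        return STEP_UNITS


@dataclass
class ProposedGate:
    """The three proposed features placed in front of the same command."""
    total_units: float = 0.0
    armed: bool = True

    def evaluate(self, aoa_left: float, aoa_right: float) -> float:
        # Feature 1: a large L/R difference means one vane is not believable.
        if abs(aoa_left - aoa_right) > DISAGREE_LIMIT_DEG:
            return 0.0
        # Assumption: both vanes must be above the trigger angle.
        if min(aoa_left, aoa_right) <= TRIGGER_AOA_DEG:
            self.armed = True             # feature 2: AOA has recovered, re-arm
            return 0.0
        if not self.armed:                # feature 2: already fired for this excursion
            return 0.0
        self.armed = False
        # Feature 3: never exceed the cumulative limit (it does not reset here).
        step = max(0.0, min(STEP_UNITS, AUTHORITY_UNITS - self.total_units))
        self.total_units += step
        return step


def run(gate, trace):
    """Feed (AOA-L, AOA-R) samples, one per evaluation cycle; return each command."""
    return [gate.evaluate(left, right) for left, right in trace]


# Constructed traces, one sample per evaluation cycle.
FAILED_LEFT_VANE = [(40.0, 5.0)] * 6            # AOA-L stuck high, AOA-R normal
GENUINE_HIGH_AOA = [(14.0, 13.5), (14.0, 13.5), (8.0, 8.0),
                    (15.0, 14.5), (15.0, 14.5), (9.0, 9.0), (16.0, 15.0)]

if __name__ == "__main__":
    for name, trace in [("failed left vane", FAILED_LEFT_VANE),
                        ("genuine high AOA", GENUINE_HIGH_AOA)]:
        print(name)
        print("  legacy  ", run(LegacyGate(), trace))
        print("  proposed", run(ProposedGate(), trace))
```

On the failed-vane trace the legacy gate commands on every cycle while the proposed gate never commands; on the genuine trace the proposed gate fires once per excursion and stops at the authority limit.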

The three features are "intended functions" for MCAS. Each will prevail when the software and hardware execute the logic and calculations flawlessly. 

A single thread computer relies on its memory and hardware to logically calculate commands and to turn them into electrical signals. Effectively, failures in the platform can cause memory or hardware to issue false commands in spite of any software intent - the faults are downstream of the logic.

The monitor for a single thread computer function is usually the pilot. The pilot must take action to address any failure mode, including runaway commands. The probability of failure is paced by the ability to detect and stop failures from turning into hazards.

Andrew Hodgson once told me that you cannot expect insane software to perform logically. Don't expect malfunctioning software to act rationally. 

MCAS is hosted in the Flight Control Computer (FCC). There are two FCCs on the airplane. Each FCC has both a command processor and a monitor processor. For Speed Trim Commands, the monitor processor compares calculations with the command processor and will trigger SPEED TRIM FAIL if they disagree. The monitor processor does not have the ability to stop a false Speed Trim Command, but the alert will aid in pilot awareness and response.

For MCAS, there is no pilot alert for the monitor to trigger. It is not clear if there is an MCAS monitor processor function at all. MCAS was designed single-thread, with a hot-spare; the off-side FCC can provide MCAS commands if the on-side FCC fails.

Solid State Devices are subject to failures due to many reasons. One example is related to atmospheric radiation. 
“Atmospheric radiation is a generic term which refers to all types of electromagnetic radiation which can penetrate the earth’s atmosphere. The main contributors to atmospheric radiation are solar and galactic radiation. Solar radiation is emitted from the sun and galactic radiation originates from outside our solar system. Both types of radiation can be affected (distorted or bent) by the earth’s magnetic field.
SEEs occur when atmospheric radiation, comprising high energy particles, collide with specific locations on semiconductor devices contained in aircraft systems. Memory devices, microprocessors and FPGAs are most sensitive to SEE.
Some examples of these types of effects are Single Event Upsets (SEU), Multiple Bit Upset (MBU), Single Event Gate Rupture (SEGR) and Single Event Burn-out (SEB). However, SEU and MBU are the two single effects that present the largest potential threat to aircraft systems. 
The rates of SEE are likely to be greater on aircraft flying at high altitudes and high geographic latitudes. This is due to the effects of atmospheric absorption and magnetic deflection of solar and galactic radiation. Although the intensity of atmospheric radiation varies with altitude and geographic latitude, the high energy particles are randomly distributed at any given location. Due to this, the predicted SEE rates can be derived based on the characteristics of the aircraft equipment (number of vulnerable elements) and operating conditions (altitude, latitude).”

It was reported that the FAA set up a test condition to trigger two discrete bits: MCAS engaged and FCC Nose Down Trim Command. MCAS engaged caused override of the aft column cutout and set the FCC trim command to the faster flaps down rate.

This was a very extreme selection of two bits to flip. The lack of the aft column cutout feature worsened the pilot response to the circumstance.

As has been described to me, Boeing will move MCAS (speed trim commands too?) to a dual architecture.

In a dual architecture, each FCC has a full set of dedicated sensors to draw from; therefore no single point failure on inputs. If both FCC commands must agree for trim commands to be valid, then malfunction of one FCC can be suppressed.

A dual architecture is fail-passive or fail-safe. Any single failure renders the false command benign - the pilot has no action to take other than to deal with the loss of the augmentation function.
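The reported two-bit test condition and the dual-architecture argument can be worked through as a small model. This is an added example, not Boeing's design or code: each FCC is reduced to the two output discretes named above, the fault is a bit flip applied after the logic has run, and `dual_vote`, `upset` and the other names are hypothetical. Flaps up is assumed throughout.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class FccOutputs:
    """The two FCC output discretes named in the reported test condition."""
    mcas_engage: bool = False   # drives the column cutout override and high trim rate
    and_cmd: bool = False       # FCC airplane nose down trim command


def intended_logic(aoa_high: bool) -> FccOutputs:
    """What flawless software would output: MCAS acts only at high AOA."""
    return FccOutputs(mcas_engage=aoa_high, and_cmd=aoa_high)


def upset(outputs: FccOutputs, *bits: str) -> FccOutputs:
    """Flip the named discretes downstream of the logic (memory or hardware fault)."""
    return replace(outputs, **{bit: not getattr(outputs, bit) for bit in bits})


def dual_vote(fcc_a: FccOutputs, fcc_b: FccOutputs) -> FccOutputs:
    """Dual architecture: a discrete is valid only when both FCCs assert it."""
    return FccOutputs(mcas_engage=fcc_a.mcas_engage and fcc_b.mcas_engage,
                      and_cmd=fcc_a.and_cmd and fcc_b.and_cmd)


def at_actuator(outputs: FccOutputs, aft_column_cutout: bool) -> dict:
    """Apply the column switching module as described for the MAX, flaps up."""
    # AFT column cutout blocks FCC AND unless MCAS ENGAGE overrides it.
    and_passes = outputs.and_cmd and (outputs.mcas_engage or not aft_column_cutout)
    # With flaps up, only MCAS ENGAGE selects the faster flaps down rate.
    return {"AND": and_passes, "high_rate": outputs.mcas_engage}


def two_bit_case(architecture: str) -> dict:
    """Normal AOA, pilot holding the column aft, one FCC takes both flips."""
    healthy = intended_logic(aoa_high=False)
    faulty = upset(healthy, "mcas_engage", "and_cmd")
    voted = faulty if architecture == "single" else dual_vote(faulty, healthy)
    return at_actuator(voted, aft_column_cutout=True)


def one_bit_case(aft_column_cutout: bool) -> dict:
    """Single thread, only the AND command bit flips."""
    faulty = upset(intended_logic(aoa_high=False), "and_cmd")
    return at_actuator(faulty, aft_column_cutout)


def dual_loss_of_function() -> dict:
    """Genuine high AOA, but one FCC drops its AND command: the vote yields nothing."""
    good = intended_logic(aoa_high=True)
    return at_actuator(dual_vote(good, upset(good, "and_cmd")), aft_column_cutout=False)


if __name__ == "__main__":
    print("two bits, single thread:", two_bit_case("single"))
    print("two bits, dual         :", two_bit_case("dual"))
    print("one bit, column aft    :", one_bit_case(True))
    print("one bit, column neutral:", one_bit_case(False))
    print("dual, one FCC silent   :", dual_loss_of_function())
```

With only the AND bit flipped, pulling the column aft still stops the command at the slow rate; it takes the second flip (MCAS engaged) to defeat the aft column cutout and select the fast rate, and the dual vote removes both.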

The remainder of this post collects my analysis of both the NG and MAX circuitry. In each scenario, I work progressively through the logic and command circuits using a highlighter to trace the routes.

I am basing the 737 NG analysis on some information revealed in the ch 22 and ch 27 maintenance manuals. I am basing the 737 MAX analysis on diagrams gathered from various internet web sites. It is quite possible that my baseline does not represent every configuration, that I may have overlooked significant aspects, that I may have misinterpreted features, or that my analysis has flaws.

737 NG Electric Trim Commands

Baseline Main Electric Trim schematic. Three phase power is delivered to the stab trim actuator through the R64 Stab Trim Cont relay. Captain controls are shown. The Capt Stab Trim SW is on the pilot's yoke. The switch commands go through the fwd/aft column cutout switches, the stab trim cutout switch, an interlock relay and travel limit relays. Each will be highlighted below.

Stab trim Arm is provided from a 28 VDC source. The column switch is made up of two switches. One switch passes the Arm voltage whether trim up or trim down is commanded.

If the column is not at the fwd or aft column switch limit, the Arm signal passes through.

The Arm signal proceeds through the cutout switch, if not thrown, and energizes the R64 Stab Trim Cont Relay.

If the Main Elec Cutout switch is thrown, the Arm signal to the R64 relay is grounded, isolating power from the actuator.

The Airplane Nose Up (ANU) command taps the same 28 VDC Stab Trim Control voltage source as the ARM signal. The ANU command must proceed through both yoke switches.

The ANU command proceeds through the column cutout switches (while not in either fwd or aft positions).

The ANU command routes through the Main Elec trim cutout switch.

The Arm signal that engages R64 (Main Elec Arm) also engages R850 Stab Trim Interlock Relay.

With the Arm signal engaged, the ANU signal proceeds through the R850 Stab Trim Interlock Relay and then through the S144 stab trim ANU travel limit relay and to the Stab trim actuator.

This is a composite showing both Arm and ANU signals in the normal case.

Forward Column cutout switch is tripped. The pilot is pushing the column significantly forward while at the same time the electric trim command is nose up. In this case, the column cutout switch breaks the stab trim cont relay (R64) taking power away from the stabilizer actuator, opens the electric trim ANU command signal, and the ANU command signal is further isolated by  R850 Main Trim relay release.

The Stab Trim OVERRIDE switch is provided for the case where the Column Cutout switch is tripped falsely. In this case, the OVERRIDE switch provides a bypass circuit for both the Electric Trim ARM and for the ANU command. 

The MAIN ELEC stab trim cutout switch isolates the ANU command directly, the Electric trim Arm through the R64 Stab Trim Control Relay (actuator power) and the R850 Stab Trim Interlock Relay, which further isolates the ANU command.

Main Elec trim rate is selected by the S245 flaps up switch, which is closed with flaps "not up" or flaps down. The MAIN ELEC cutout switch and the Stab Trim Interlock Relay both can cause the input to go to open circuit.

Airplane Nose Down (AND) Main Electric trim command is powered by the 28 VDC Stab Trim Control circuit.

AND command proceeds through the column cutout switches and the MAIN ELEC stab trim cutout switch.

AND command goes through S245 Flaps UP switch to direct the trim command to the correct travel limit. In this case, flaps up is shown, directing the AND command through the S844 limit switch and then proceeding to the stab trim actuator.

There is one travel limit ANU and two travel limits AND. Autopilot uses one AND limit. Main Electric uses one AND limit flaps up and another AND limit flaps not up (or down).

With Flaps "not up", the AND command is directed through the S145 flaps travel limit.

As with ANU commands, the column trim switch includes an ARM circuit, shown in red, which connects power to the actuator and enables the AND command to proceed through the R850 Interlock Relay.
Pulling the column aft can trigger the AFT column cutout switch, which isolates both Stab Trim ARM and AND command.

737 NG Autopilot Trim Commands

Each FCC (Autopilot) issues trim commands in a wire-or fashion (either FCC can seize control of the stab trim actuator interface).

For the NG, the FCC stab trim command was either from Speed Trim System (STS) (which is only when autopilot is not in command mode) or while autopilot is in command mode. 

STS operates to enhance speed stability by modifying stick forces under manual flight by trimming the stabilizer based on delta trim for delta speed. As speed decreases, the stabilizer is trimmed AND. As speed increases, the stabilizer is trimmed ANU. This is the opposite of trimming for level flight; instead, it can be thought of as offsetting the motion of a phugoid.

Stabilizer trim is used by the autopilot to maximize elevator authority. In effect, the autopilot moves the stabilizer to keep the elevator in the neutral position (trimmed).

The FCC stabilizer trim command is armed when STS is active (from one FCC) or when an FCC is in a command engaged mode. The FCC refers to this armed discrete as engaging the stabilizer clutch. 

Each FCC produces separate discretes for ANU and AND commands and a discrete to command high rate stab trim speed for flaps down operation.

The ANU and AND commands, as well as the ARM discrete, are processed through the forward and aft column limit switches, then through the AUTOPILOT cutout switch. The ANU command is processed through a STAB LIMIT SW UP travel limit; the AND command through STAB LIMIT SWITCH DOWN travel limit.

The stabilizer actuator is designed so that main electric trim commands have priority over Autopilot trim commands. Prior to the NG, the 737 used individual actuators. For the NG, there is a single actuator. It is not clear how the requirements for priority between conflicting main electric and autopilot trim commands are implemented in all malfunctions, except that the column switch module isolates the autopilot ARM signal for main electric AND or ANU command.

28 VDC Interlock power is wired through the AUTOPILOT cutout switch and then to each FCC.

The ARM (clutch valid) signal routes through the column switch module, the AUTOPILOT cutout switch and then to the stabilizer actuator.

A composition of both the Interlock power source and the ARM routing.

The ANU trim command is processed through the column switch module, the AUTOPILOT cutout switch, and the STAB LIMIT SWITCH DOWN (stabilizer leading edge down is ANU).

The AND trim command is processed through the column switch module, the AUTOPILOT cutout switch, and the STAB LIMIT SW UP (stabilizer leading edge up is AND).

The FCC ARM signal is interrupted by main electric trim ANU command. The FCC AND command (or ANU, for that matter) is left connected.

AFT column cutout is signaled to the FCC to suppress AND command.  In addition, the ARM circuit is redirected and isolated while FCC AND is commanded.

AFT column cutout does not stop FCC ANU command. FCC ARM signal is passed through with FCC ANU trim command in combination with AFT column cutout.

FCC AND trim command is isolated if travel limit is reached (STAB LIMIT SW UP).

The AUTOPILOT cutout switch directly isolates the FCC ARM signal. In addition, it triggers an internal relay that isolates FCC AND and FCC ANU trim commands. It also switches the cutout feedback discrete to the FCC to a ground state.

The FCC commands the autopilot trim rate using an output discrete directly connected to the actuator. The actuator provides a feedback discrete.

737 MAX Electric Trim Commands

The 737 MAX Electric Trim Commands are shown in a composite schematic that is a bit difficult to read. While I will use the full schematic to show the pathways, first let's take a look at the different components.

The stabilizer trim actuator is powered by 115V, 3-phase power.

The power is routed through R64 STAB TRIM CONT RELAY. Only when the relay is "not cutout" does the power pass through the relay.

28 VDC STAB TRIM CONT is routed through both PRIMARY and B/U cutout switches, in series. The additional contacts in the cutout are used for FCC trim control.

The traditional yoke-mounted trim switches are provided for both Capt and F/O.  Each yoke includes one switch to ARM the main electric stabilizer trim command, the other to indicate ANU or AND command.

The STAB TRIM SW is provided to override a stuck AFT or FWD column cutout switch.

The M1983 CAPT COLUMN SWITCHING MODULE and the M1201 F/O COLUMN SWITCHING MODULE each independently switch their respective yoke AND and ANU commands so that the AND command is isolated with AFT travel and the ANU command with FWD travel. The columns are coupled mechanically so that normally if one column reaches an AFT or FWD limit, the other will as well.

Two relays and three switches are in the next grouping. The three switches provide travel limits for the stabilizer trim - a common limit ANU, a flaps up AND limit and a flaps not down AND limit.

R1192 MAIN TRIM FLAPS RELAY is switched between flaps up and flaps not up. One contact switches the main trim speed at the actuator, the other selects between the two AND travel limits.

R1193 MAIN TRIM ARM RELAY is directed to engage the actuator during main trim command.

The R1193 MAIN TRIM ARM RELAY also is used to signal the FCC to suppress any FCC trim command whenever a main electric trim command is active.

The stabilizer actuator has two electrical interfaces: Main and FCC.  The main electric interfaces are Trim Rate, ANU, AND, and ARM.  The actuator controller arbitrates between main and FCC commands. Power is provided while neither cutout switch is thrown.

The DFDAU interface (digital flight data acquisition unit) is directed towards flight data recording. It is apparent that signals recorded include the raw yoke switch AND and ANU commands.

Actuator power is routed through the R64 STAB TRIM CONT RELAY which is switched on by 28 VDC power routed through both PRIMARY and B/U cutout switches.

28 VDC is routed through both PRIMARY and B/U cutout switches to each yoke switch. The ARM signal is issued if either AND or ANU trim is commanded. The ARM signal switches on the R1193 MAIN TRIM ARM RELAY which routes the ARM signal itself to the actuator.

The R1193 coil return path is not shown on this same schematic, but is shown on another (as displayed below). The return path is just tied to ground; there is no other logical function. There is no FCC signal that can stop the main electric ARM signal from getting to the actuator.

An ANU command is shown below while neither the FWD column limit is reached nor the stab travel limit is reached.

An AND command is shown below while neither the AFT column limit is reached nor the flaps-up stab travel limit is reached.

An AND command is shown below while neither the AFT column limit is reached nor the flaps-not-up stab travel limit is reached.

28 VDC is routed through both the PRIMARY and B/U cutout switches and then through the R1192 MAIN TRIM FLAPS RELAY, shown in the flaps-not-up position (commanding high trim rate).

Baseline normal ANU command scenario. The actuator is powered, armed, and commanded ANU.

PRIMARY cutout switch is thrown. This takes 28 VDC away from R64 STAB TRIM CONT RELAY, in turn taking power away from the actuator. There is also no power for the R1193 MAIN TRIM ARM RELAY, nor to send both the ARM and the ANU command signals.

The B/U cutout switch performs exactly the same function as the PRIMARY cutout switch: Power is removed from the actuator, the ARM and ANU command signals are not powered.

The FWD column cutout switch isolates the ANU command. The same logic follows AND and AFT column switch.

The OVERRIDE switch provides ANU command if the FWD column switch is stuck. The same logic follows AND and AFT column switch.

The ANU command is stopped when the stabilizer reaches a travel limit. The same logic follows AND, except the travel limit is different flaps-up and flaps-not-up.

737 MAX Autopilot Trim Commands

Putting together bits and pieces to make connections.  Please understand I may have made mistakes.

A glossary of the dots:

A: FCC trim ANU command
B: FCC trim AND command
C: FCC Flaps Down output discrete (commands high trim rate)
E: Trim Rate feedback from actuator to FCC
F: Stab trim cutout feedback Input discrete
G: FWD Column Cutout
H: AFT Column Cutout
J:  Main trim ARM
K: Stab Trim Cutout feedback Output discrete
L: Main Trim Interlock feedback Input discrete
M: Main Trim Interlock feedback Output discrete
N: ANU command into the actuator
P: AND command into the actuator
T: FCC trim rate command at the actuator
W: Ground path for Main ARM relay coil.
?:  Not Known

Comparing the gauntlet facing FCC ARM (stab clutch) between NG and MAX.

The ARM signal is isolated by the runaway column cutout switch activations in the NG only.

Both NG and MAX isolate the FCC Interlock by one cutout switch.

With the context set, this figure will serve to illustrate the various scenarios.

FCC ANU command while not FWD cutout and while not travel limit.

FCC AND command while not AFT cutout, while not travel limit, and while not in column cutout override mode (MCAS engage).

FCC ANU command is interrupted by FWD column cutout. The column switch module feeds back a discrete to alert the FCC of the cutout.

FCC AND command is interrupted by AFT column cutout and while not in column cutout override mode (MCAS engage). The column switch module feeds back a discrete to alert the FCC of the cutout.

FCC FLAPS DN discrete is routed to the actuator. The actuator uses the discrete to both command high rate and to activate an internal relay to feedback a discrete (E) to the FCC of the selected trim rate.

FCC ANU command is interrupted by the travel limit.

FCC AND command is interrupted by the travel limit.

737 MAX Autopilot MCAS Trim Commands

MCAS ENGAGE is an FCC output discrete entirely unique to the MAX. It drives the COLUMN CUTOUT OVERRIDE relay in the column switch module. The relay serves two functions: to command high trim rate and to allow for AND command in the presence of AFT column cutout. 

The MCAS ENGAGE discrete is routed to the actuator instead of FLAPS DN discrete to force high trim rate.

The AND trim command bypasses the AFT column cutout switch.

Peter Lemme

Follow me on twitter: @Satcom_Guru
Copyright 2019 All Rights Reserved

Peter Lemme has been a leader in avionics engineering for 38 years. He offers independent consulting services largely focused on avionics and L, Ku, and Ka band satellite communications to aircraft. Peter chaired the SAE-ITC AEEC Ku/Ka-band satcom subcommittee for more than ten years, developing ARINC 791 and 792 characteristics, and continues as a member. He contributes to the Network Infrastructure and Interfaces (NIS) subcommittee developing Project Paper 848, standard for Media Independent Secure Offboard Network.

Peter was Boeing avionics supervisor for 767 and 747-400 data link recording, data link reporting, and satellite communications. He was an FAA designated engineering representative (DER) for ACARS, satellite communications, DFDAU, DFDR, ACMS and printers. Peter was lead engineer for Thrust Management System (757, 767, 747-400), also supervisor for satellite communications for 777, and was manager of terminal-area projects (GLS, MLS, enhanced vision).

An instrument-rated private pilot, single engine land and sea, Peter has enjoyed perspectives from both operating and designing airplanes. Hundreds of hours of flight test analysis and thousands of hours in simulators have given him an appreciation for the many aspects that drive aviation; whether tandem complexity, policy, human, or technical; and the difficulties and challenges to achieving success. 


  1. Is it possible that the reason for rewiring the cutoff switches in serial is that "they" felt they needed redundancy on the switch with the heavy MCAS authority? Admittedly it seems unlikely with two low probability failures, but I do not know how the analysis works.

    They had to have some good reason for that change which looks to really impair the recovery capability.

    Thanks for the pretty colored lines by the way. I was trying to draw it out in my head and would forget half the early lines before I got to the end.

  2. I suspect - repeat, suspect - it was simply to meet the cert requirements and avoid explanations re MCAS.