Lion Air Crash and the 737 MAX

November 15, 2018

LAST WEEK, Boeing sent a formal safety directive to all operators of the 737 MAX series, warning that the popular new twin-jet could enter an uncommanded dive. The directive follows the October 29th crash of Lion Air flight JT610, in which 189 people were killed when the plane plummeted into the ocean shortly after takeoff from Jakarta, Indonesia.

Radar data shows the airplane plummeting into the sea at several thousand feet per minute. An immaculate, ultra-modern aircraft, calm weather, an experienced crew… what on earth went wrong?

The problem, Boeing says, occurs when faulty data is generated by the plane’s angle of attack indicator. The indicator is a small, wedge-shaped sensor near the plane’s nose that helps warn pilots of an encroaching aerodynamic stall — i.e., a dangerous loss of lift that results from flying too slowly or too steeply. The faulty data triggers the plane’s stabilizer trim — stabilizers are the wing-like horizontal surfaces beneath the tail — to force the nose down.

This nose-down command can last upwards of ten seconds, Boeing says, and can repeat at five-second intervals, whether in manual flight or with the autopilot engaged. If and when this happens, the stabilizer trim itself gives no indication that it’s moving. All the crew knows is that the plane is nosing over.

The good news is that whether its movement is commanded by the pilots or uncommanded through a technical glitch like this one, stabilizer movement can easily be shut off through a cockpit switch. The Boeing directive tells pilots exactly how to disconnect the system and prevent a descent. (And you can take additional comfort in knowing that the malfunction cannot occur when close to the ground. Deployment of the jet’s flaps inhibits any automatic stabilizer trim movement, and a 737, like most passenger jets, will always take off and land with flaps deployed.)

Though it appears there’s a design flaw that Boeing will need to fix as soon as possible, passengers can take comfort in knowing that every MAX pilot is now acutely aware of this potential problem, and is prepared deal with it. I’ve never been much of a fan of the 737 family, but certainly the MAX is safe to fly.

Unfortunately, the crew of Lion Air flight 610 didn’t have this information. It’s possible — if in fact this is what caused the disaster — they became overwhelmed, unable to figure out in time what the plane was doing and how to correct it.

Their confusion may have been exacerbated by not realizing that a stall-avoidance system was installed in the first place. If it’s working right, and a jet really is on the verge of a stall, an anti-stall system like the one on the MAX can help stave off disaster. If it’s not working right and forcing the plane to do something it shouldn’t be doing, it’s crucial that the crew recognize the malfunction and know immediately how to respond. According to reports out this week, Boeing never told airlines or their pilots about the details of this particular pusher system. This would have made it even tougher for the Lion Air pilots to realize what was happening.

But how tough? Just the same, is too much being made about the technological aspects of this accident? It seems to me that something might be missing. That is, questions as to why the pilots reacted — or failed to react — as they did. If a jet’s pitch trim appears to be going haywire, then why not simply disconnect it and see what happens? Is there not some basic, seat-of-the-pants airmanship skills that the pilots could have, or should have, fallen back on?

Of course, that’s easy to ask when sitting safely in front of a keyboard, days later. The truth is, we can’t fully grasp what they were dealing with — the sights, the sounds, the alarms and sensations — in that cockpit as it was all going to hell. “Pilot error” sounds so easy and clear cut, but it can be a complicated, sometimes misleading diagnosis.

And what of cockpit automation and the degraded hands-on skills of the modern airline pilot? We hear so much of this these days, and we’re hearing it now, in the aftermath of Lion Air. Sure, that’s a conversation of some importance. Just maybe not right now. I don’t feel, based on what’s known at this point, that this had anything to do with automation. The alleged dark side of automation is becoming a sort of catch-all these days each time there’s an accident. Yet — not to sound like a broken record on this topic — few people understand what cockpit automation actually does (and what it doesn’t do); how pilots interact with it; or have a grasp of how it did or didn’t play a role in whichever incident. The fate of flight 610 may have had something to do with modern jetliners being so complex and, to an extent, over-engineered, but not with automation in the sense that people are implying. Sure, the stall pusher system is “automatic,” but these systems have been on planes for decades. As I see it, the pilots’ inability to recognize and solve the issue speaks to something else.



 

New Plane Blues

The 737 MAX is the latest and most sophisticated variant of the venerable 737 — a model that dates to the 1960s.

New aircraft are often beset by technical issues in their early days of service. Normally these problems are minor, if expensive, nuisances (engine problems that plagued the first 747s, for example), but they can sometimes be catastrophic.

We remember the Comet, the world’s first commercial jet, and the three stress-crack disasters that led to its grounding and redesign. The McDonnell Douglas DC-10 was plagued by troubles from the start, including a poorly designed cargo door that killed 346 people in the horrific Turkish Airlines crash in 1974. (Later, in 1979, all DC-10s in the United States were grounded by the FAA after crash of American Airlines flight 191 at O’Hare — to this day, the deadliest crash ever on U.S. soil.) In 2010, an uncontained engine failure involving a Qantas Airbus A380 raised important questions about some the plane’s systems redundancies. And more recently, the 787’s debut was marred by a series of battery fires.

Scary stuff, but we live in an age when airline disasters have become vanishingly rare; and when they do occur, we’ve gotten pretty good at ciphering out the causes and preventing repeats. A 737 MAX is not the Comet; that was another era, another age — one of entirely different expectations when it comes to safety and reliability. That’s little solace for the 189 people who perished in Indonesia, but it should mean something for the millions who will fly aboard these planes in the years ahead.

Back to the Ask the Pilot Home Page Visit the Blog Archive Back to Top!

Leave a Comment

Maximum 1500 characters. Watch your spelling and grammar. Poorly written posts will be deleted!

26 Responses to “Lion Air Crash and the 737 MAX”
You are viewing newest comments first. Click to reverse order
  1. Andrea G says:

    This incident got me thinking more about why the US lifted the ban on Indonesian airlines in 2016 and the EU earlier this year? Every article I’ve been able to find says the ban was lifted because Indonesia showed improvement in safety standards but I can’t find anything that says how they came to that conclusion? What information did they cite and what methods did they use to quantify this improvement? Looking at just the incident stats the numbers haven’t decreased over the last 10 years.

  2. Anand Kelkar says:

    Thanks Patrick for detailed article. Really sad situation. Here is a link to an article https://www.seattletimes.com/business/boeing-aerospace/black-box-data-reveals-lion-air-pilots-struggle-against-boeings-737-max-flight-control-system/

    What is interesting to me that the use of stabilators as a solution here. Even more confusing is the fact that a single sensor caused a catastrophic failure in the system. As a designer for these systems I find it really troubling. There are several rotorcraft platforms where the stabilizer is used to pitch the nose down. In those cases there are two stabilator controls that act independently so a single sensor failure cannot cause aircraft to go into nose dive. If one side is stuck then the other side saturates the opposite way. Quite scary to see the pilots according to the charts try repeatedly to bring the nose up. I am assuming they could have used flaps to get out of the mode as well.

    One thing I was wondering Patrick if you feel that over the years the response time to emergencies is affected by amount of automation? I am thinking under stressful conditions if there are several possible decision trees you need to traverse how fast can someone narrow down the solution. So it’s not that automation is bad but if it adds time that someone may not have in an emergency.

    Regards,
    Anand

  3. Mike says:

    Looks like this $400 iFly aviation GPS unit could have helped in many of the “fly by wire” crashes we have seen. And we ain’t seen nothing yet, unfortunately. See at 1:03 a backup instrument panel.

    Like they said in that SNL skit: “You can’t put too much water into a nuclear reactor.”

    iFly video:

    https://www.youtube.com/watch?v=tJ4KYSybCfo

  4. J. L. Turriff says:

    This sounds to me like a documentation problem, not a technical problem. If this recovery system was deployed by Boeing but its existence was not pushed out to the pilots, it’s hard to conclude ‘pilot error,’ even if, as you say, recovery from the anomalous state is ‘easy,’ given, as you also say, the likely confusion that the crew was experiencing. As a veteran of many years in the world of computers, I know that more often than not, documentation is one of the first casualties of ‘get it out the door first’ mentality.

  5. mitch says:

    [continued]
    The pusher was rarely-used. It was for airplanes with marginal stall characteristics, like pitching up when stalling, making recovery more difficult, sometimes impossible. Mostly those with T-tails such as the BAC 111 and the Trident. When 727s were first registered in the UK in the mid 1970’s, the UKCAA required a stick pusher.

    The 737MAX’s MCAS system drives the stabilizer. It does not push the control column I’ll leave the explanation of that choice to Boeing’s flight control experts, but using the jackscrew-driven stabilizer seems counter-intuitive: it responds to a rapid-onset event – a stall – using a slow-moving secondary flight control – the stabilizer – instead of rapidly-movable primary flight controls – the elevators.

    As for stall recovery, since the elevators can move faster than the stabilizer, recovery to normal flight should be quicker.

    Another question for Boeing: My decades-old flight test engineering experience is that stall speeds and stall characteristics are thoroughly explored during pre-certification flying. Once they are measured and found acceptable, an FAA pilot will repeat the testing. Any issues that do not meet FAA requirements must be rectified before certification.

    Was MCAS installed as a result of early wind-tunnel tests, or pre-certification flights (before the FAA flew the 737MAX), or was it a requirement imposed by the FAA during 737MAX certification flight testing?

  6. mitch says:

    An aerodynamic stall is when airspeed drops so low that the wing cannot provide enough lift to support the airplane. Wing and airplane design criteria require that a stall results in the nose pitching down with wings level to allow the airplane to self-recover by accelerating. Pitching nose-up or rolling to one side is not acceptable

    Question: Why did Boeing select the stabilizer as their method of 737MAX stall prevention?
    – All airliners have a stick shaker to warn of an approaching stall. The stick shaker works by vibrating the control column plus an aural warning. My information is that airline pilots are trained in a simulator and in the air to initiate recovery at stick shaker; they do not do a full stall and then recover.

    Patrick, can you confirm your 767 stall recovery training? Does your airline’s simulator or flight training include a full stall: slow down below stick shaker, through pre-stall buffeting, let the nose drop, and then recover.

    – If it is installed, a pusher activates below stick-shaker to preempt stalling. When first used, it was an analog device that pulled the control column forward, thus deflecting the elevators to force the airplane’s nose down. It did not move the stabilizer

    Patrick, your statement that “pusher anti-stall systems like the one on the MAX are common on commercial planes” is not correct. Non-FBW Boeing airliners – the 707 through the 767 – do not have a stick pusher. [to de continued]

  7. Oliver Wiest says:

    (Edited)
    The aircraft systems generated inaccurate data readings for two days before the crash, according to a story in The New York Times. The story details Lion Air’s inattention to safety and training, reports that dual logbooks were kept to hide overworked pilots and questionable maintenance procedures, including ransferring faulty equipment from one plane to another.
    https://www.nytimes.com/2018/11/22/world/asia/lion-air-crash-safety-failures.html

  8. Olver Wiest says:

    The aircraft generated inaccurate data readings for two days before the crash, according to a story in The New York Times. The story details Lion Air’s inattention to safety and training, reports that dual logbooks were kept to hide overwroked pilots and lax maintenance procedures, including ransferring faulty equipment from one plane to another.
    https://www.nytimes.com/2018/11/22/world/asia/lion-air-crash-safety-failures.html

  9. Andrea G says:

    I know its too early to speculate but my guess is this accident will be attributed to pilot error due to improper training (runaway stabilizer trim & how to remediate existed in models prior to MAX) with improper maintenance as a contributing factor. After recurring AOA sensor issues maintenance replaced the sensor, it appears without confirming the sensor itself was causing the issue. I believe the presence of an engineer in the cockpit during the accident flight is telling. Maybe they were unable to recreate the issue on the ground so the engineer wanted to witness the issue live.

  10. Speed says:

    From Aviation Week …

    The United Airlines Master Executive Council (MEC) has taken a different stance, telling the carrier’s pilots that while MCAS may be new, its function is not. As a result, pilots already knew how to manage a MCAS-linked problem.

    “Despite the omission of the MCAS description in the initial 737 MAX differences training, United pilots are properly trained in handling an MCAS malfunction,” MEC safety committee chairman Bob Sisk wrote to members. “[W]hen working properly, the system helps us avoid stalls. If it faults or activates due to a related system fault (like an AOA sensor), it presents itself to pilots as runaway stabilizer trim … something we can recover from using existing [checklist] procedures with the flip of the cutout switches.”

    https://bit.ly/2ztM2iH

    This is not the attitude expressed by others in the article and in the news generally.

  11. Molly says:

    Thank you so much for writing this article. I found you through an interview you did with Freakonomics and I was impressed with your candour. That you have a blog that answers so many questions and concerns, is marvelous. I am due to fly on a Max8 next Thursday to Ireland and I have been all over the internet looking for reassurance that I’ll be ok. After reading this article, I feel lighter, relieved and calm. Thank you so much, I can finally relax.

  12. Caio Zink says:

    The flight Crew Operations Manual Bulletin TBC-19 reads:

    The Indonesian National Transportation Safety Committee has indicated that Lion Air flight 610 experienced erroneous AOA data. Boeing would like to call attention to an AOA failure condition that can occur during manual flight only.

  13. Caio Zink says:

    This nose-down command can last upwards of ten seconds, Boeing says, and can repeat at five-second intervals, whether in manual flight or with the autopilot engaged. If and when this happens, the stabilizer trim itself gives no indication that it’s moving.

    Apparentelly not true !!
    1. occurs ONLY in manual flight
    2. are you saying the manual trim wheel DOES NOT turn while the stabilazir is being trimmed nose down ?? Hard to beleive !!

  14. Lee says:

    As a video director and cameraman, I will sometimes throw my camera in “Auto” if I need to record IMMEDIATELY, and if it’s just a quick shot and I don’t want to think about exposure levels, “Auto” is used. If I am shooting in Auto and the resulting footage is overexposed, as I can clearly see in the viewfinder, and I can’t quickly figure out what is wrong, the FIRST thing I do is to set the camera into full manual control. That way, no automatic system can be making decisions for me. If you’re flying an airplane and the plane suddenly misbehaves, isn’t the FIRST thing you do is to shut off ALL auto-pilot systems and just fly manually, and by the seat of ones pants? (we don’t need no stinkin’ computers)

    Remember the 777 that crash landed into San Francisco a few years ago? Cockpit computers contributed to that accident and the pilots just kind of let it happen. They realized too late that automated systems were helping to crash the plane.

    Computers make mistakes and they do so fairly often. Robot and computer controllers are not our overlords. If in doubt, turn ’em off.

  15. re: “Lion Air Crash and the 737 MAX. New aircraft are often beset by technical issues in their early days of service.”

    There also were problems with the Lockheed Electra; they resulted in the permanent reduction of the cruising speed of an otherwise marvelous aircraft. On the roof of my Beacon Hill apartment, I loved watching them take off from Logan and climb, as someone said, “like a frightened Mallard”.

  16. Jeff Guinn says:

    There’s something seemingly obvious and easy to deal with this sort of thing. That it doesn’t exist can only mean I’m confused, but I just don’t know where.

    In flight, at any moment, the aircraft’s state is a function of pitch and roll attitude, airspeed, weight, air density, center of gravity, thrust, coefficient of lift, horizontal stab position, vertical and horizontal accelerations, pitch and roll rates, and angle of attack. All are measurable, and any one of them can be calculated if the measured values for the rest are known. This can be looked at as a system of 15 simultaneous equations, every one of which can solve for a different parameter, given the measured values for the rest.

    For that 737, if it was in level unaccelerated flight at 6000 feet and 250 knots, (plus all the other parameters), then the calculated AoA should have been about three degrees. Had this calculation been done, then it would be possible to compare it to the measured AoA and find a discrepancy. Further, had the measured AoA been used in the other simultaneous equations to determine calculate the other parameters, it would be quickly clear the measured AoA was wrong — for example, given those parameters and solving for vertical acceleration, high AoA would produce vertical acceleration so high as to rip the wings off if the AoA really was at stall.

    That would allow determining which measured value was wrong, throw a warning, and either replace it with the calculated value, or disable that parameter. Off hand, I can think of at least a dozen mishaps that could have been prevented by what amounts to a continuous, automated, sanity check. That it doesn’t exist must mean it is a lot harder to do than I think it is. Sure can’t fathom why, though.

    • Chris says:

      That seems to make perfect sense to me, but like you said there must be a reason why it’s not that straightforward.

      Remember the Air France accident due to bad air speed readings from the pitot tubes? Same thing….one bad input caused an accident? wouldn’t a $50 GPS unit confirm the actual speed? Again, I’m sure there’s a reason it’s not so simple. Like GPS speed isn’t the same as air speed or something…

      • Jeff Guinn says:

        “… one bad input caused an accident? wouldn’t a $50 GPS unit confirm the actual speed?”

        That’s the astonishing bit. All modern airliners have both GPS and ring-laser gyro inertial reference systems.

        When the airspeed went to zero, the airplane knew groundspeed, wind vector and acceleration. It *should* have been able to detect the airspeed failure, and degraded to a calculated airspeed/Mach based upon GPS and inertial inputs. Yes, that solution would get increasingly inaccurate over time, but not quickly. Modern IRU’s have very little drift, less than 5NM/hour, even after the end of a long flight.

        Similarly, the Buffalo mishap, caused by severe clear icing. Had a data analysis unit been on the airplane, it would have noted an increasing divergence between what AoA was, and what it should have been, for the airspeed, altitude, and wing configuration (and for confirmation, the difference between the fuselage reference line and the flight vector).

        Which is exactly what a sufficiently observant pilot would have noticed.

        FedEx slammed the tail of an MD-11 into the pavement at DEN because the entered gross weight was 100,000 pounds shy of what it should have been. A DAU© would have noted that pitch attitude, AoA, thrust, and fuel flow did not correspond with the gross weight.

        Again, what a sufficiently observant pilot should have noticed.

        I still don’t get why what seems so obvious is non-existent.

    • Speed says:

      Jeff Guinn wrote, “For that 737, if it was in level unaccelerated flight at 6000 feet and 250 knots, (plus all the other parameters), then the calculated AoA should have been about three degrees. Had this calculation been done, then it would be possible to compare it to the measured AoA and find a discrepancy.”

      Sadly, or fortunately, that’s what the pilots are there for — to monitor the aircraft and instruments.

      From 1974 …
      “The airplane’s climb rate soon exceeded 6500 fpm and an overspeed warning horn sounded at 23,000 feet, with airspeed at 405 knots. Shortly afterward, the stall warning stick shaker was recorded intermittently and, five seconds later, vertical acceleration reduced to 0.88 G.”

      http://www.aviationsafetymagazine.com/issues/36_12/features/Pitot-Static-System-Failures_11274-1.html

      If the instruments disagree or if the pilot’s “seat-of-the-pants” sensor is giving him/her information different from what he/she sees on the panel, his/her job is to intervene and fly the airplane.

      • Jeff Guinn says:

        “If the instruments disagree or if the pilot’s “seat-of-the-pants” sensor is giving him/her information different from what he/she sees on the panel, his/her job is to intervene and fly the airplane.”

        Absolutely — no disagreement there.

        However, in this particular case, it may be the lack of a data integrity check made the task of flying the airplane far harder than it had to be.

        And in other cases, like the Buffalo crash, while the pilots *should* have noticed their angle of attack was too high for their speed and configuration, it seems only good sense to help the pilots notice something is out of whack.

        • Thomas Daddato says:

          As far as I know, angle-of-attack (AOA) sensors on airplanes are a pretty new feature.
          I have never heard of airplanes doing a data-integrity-check (and I read the full, detailed reports about airline accidents for ‘entertainment’). A data integrity check would make a lot of sense. On current Airbus planes, I believe it would be possible. They are controlled via computers. Even when pilots are hand-flying, they are giving commands to a computer, which controls the airplane.
          With Boeing it’s a different story. A data integrity check may not be feasible. The 737 has been around since the 1960s. Basic flight controls are mechanical, hydraulic or whatever. The system that may automatically push the nose down, based on AOA sensor data, is a stand-alone add-on. It acts on the existing rudder trim controls. It is not connected to any other systems or sensors.
          There is a big hype nowadays, about AI – Artificial Intelligence. Actually a lot of this so-called “intelligence” is no more intelligent than a sieve. A sieve can distinguish between bigger objects and smaller objects. So it must be intelligent, right? If all these AI systems would do a data integrity check, they might be more intelligent.
          Coming back to the subject of airplanes: as of today the only kind of intelligence involved in the control of airplanes, is the kind you find between the ears of a live human being.

          • Speed says:

            Thomas Daddato wrote, “It acts on the existing rudder trim controls.”

            Perhaps you meant “elevator trim controls.”

          • Patrick says:

            Or stabilizer trim. Jets don’t have elevator trim, normally. Instead, the whole stabilizer moves.

          • Jeff Guinn says:

            “As far as I know, angle-of-attack (AOA) sensors on airplanes are a pretty new feature.”

            I can’t claim to have encyclopedic knowledge about airliners, but AoA sensors are on all the jet aircraft I know of. I flew the DC-9, which came into the service in the mid-60s.

            Because AoA is a direct reading of how much work the wing is doing relative to the amount it can do, it is the most fundamental air data sensor. In fighter aircraft, AoA is used directly, and is sometimes more primary than the airspeed indicator.

            Why airliners have never displayed AoA directly is a complete mystery to me.

  17. Michael Lloyd says:

    I know this system was not (to our knowledge) installed on previous versions of the 737. But the procedures for a runaway pitch trim have been in the training syllabus for some time. It’s time time delay responding after a WTF moment that gets us into trouble.

    https://www.nytimes.com/interactive/2018/11/16/world/asia/lion-air-crash-cockpit.html?action=click&module=Top%20Stories&pgtype=Homepage

  18. Chris says:

    As automation increases we will need to come to terms with these types of accidents. Rationally we know that if automation means less accidents overall, it’s a good thing, but it’s really really difficult to accept that humans die from non-human error accidents. This is just a preview of what’s coming with cars.