Why an MCAS failure does not present as "runaway trim."
Comment on this (at bottom of page)
Comments



After the Lion Air crash, the FAA and Boeing believed (or so they said) that all that was needed was a) To make pilots aware of the existence of MCAS in the first place and b) To make them understand that an MCAS failure was simply a form of “runaway trim,” for which they had always trained. And that they should treat an MCAS failure the same way they would treat a runaway trim situation (i.e. by cutting power to the electric trim motor).

Now it is first important to understand what “runaway trim” is. Runaway trim is a situation in which the electric trim motor operates without being commanded to operate by either the pilots, using their yoke-mounted trim switches, or the autopilot (when the autopilot is operating correctly).

Incorrect operation of the trim by the autopilot is kind of frequent. It has happened a few times to me, in my Cessna. The important thing is that pilots, in a kind of “there it goes again” thinking, are used to it.

There are a number of standard safety features that are built in, and that pilots are used to, that make the danger from incorrect trim movement by the autopilot a non-event.

The autopilot is designed to disengage whenever:

a) The pilots operate the manual electric trim switches on the pilot’s yoke,
b) The pilots give contrary commands through the control column/yoke — i.e. if the autopilot is trimming nose-up and the pilots push the nose down, the autopilot will disengage and stop trimming.
c) The airplane’s attitude exceeds limits (i.e. it is rolling or pitching too much, as in a severe storm)

So “runaway trim” from the autopilot is a kind of non-event and it is handled by entirely routine (i.e. non-emergency) action by the pilots. I would call it “runaway trim lite.”

A real runaway trim, in which the electric trim starts operating and does not stop is extremely rare. It is almost always caused by some kind of an electric short in the wiring somewhere. Even then, there are several ways in which the industry has designed the system to minimize even this possibility. Of which the biggest is the certification requirement that it take two switches to turn on manual pilot control of the electric trim. That way a short in any one switch is not enough to start the trim moving.

Stacks Image 7
Above is a picture of the yoke-mounted trim switch (the black ribbed things) on my Cessna. As you can see there are actually two switches, both of which must be moved in order for the trim to activate. The setup and configuration on the 737 yoke is identical. Note also the big red autopilot disconnect push button. Pushing that button or activating the trim with the two switches will cause the autopilot to disconnect immediately and allow manual flying.

As a reference, here is the control yoke in a 737:
Stacks Image 11
Note the dual manual/electric trim switches on the left hand side. Same as a Cessna. Also note the button below the trim switches. That is the autopilot disconnect on the 737 — same as the red button on my yoke, above.

What I am trying to say here is that when “runaway trim” happens in real flying, it is almost always because the autopilot got confused. Pilots are used to it and simply either push the yoke, hit the manual trim switches on the yoke or push the autopilot disconnect switch. That always ends the runaway trim event.

Pilots are not used to a runaway trim caused by an electrical short, because it almost never happens in real flying. However, if they did it would look like this:

Note how the trim wheel moves continuously (the trim wheel on the 737 moves much more rapidly than it does in my Cessna, FYI). That’s what happens when there’s a short. It just runs and runs. Now when MCAS moves the trim, two things are true:

  1. The autopilot is not on. Because the autopilot is not on, the pilots are not expecting the autopilot to command any trim movements. When I engage the autopilot in my plane, something in the back of my head is always saying “…any second now…”. When I have not engaged it, I’m not thinking about the trim moving on its own.
  2. The trim does not move continuously. MCAS fires the trim motor intermittently. This is how MCAS activation would look, were my Cessna to be so equipped (perish the thought):
It was NEVER realistic to think that pilots would have dealt with MCAS as a runaway trim failure when they didn’t know that MCAS existed (Lion Air). It is doubtful that they would even after, although the pilots of the Ethiopian Air flight apparently did, unsuccessfully.

I want to end this with a few pictures. This one is of the autopilot “user interface” in my Cessna, called the “mode control panel.”
Stacks Image 22

This is a picture of the autopilot “user interface” in the 737 MAX. Boeing also calls this the “mode control panel.”

Stacks Image 26

You will see that there are stark similarities, including the vertical speed command wheel, altitude select knob, heading select knob and the various buttons to select which horizontal and vertical modes. The biggest difference is that the displays for the user interface are on the mode control panel on the 737 (the windows with the LED displays for course/heading/altitude/etc.

On my Cessna those displays are moved to the center of the control panel:
Stacks Image 30
Stacks Image 32

Note that those two units, above, in my Cessna are not only the autopilot displays but they are the autopilot computers themselves. The architecture in my Cessna is to have two independent autopilot computers, just like in the 737. However in the 737 only one autopilot computer is active at a time. In mine both are active at a time and both are constantly checking the output of the other to make sure that one of them has not faulted or is not making bad decisions.

All of the external sensors on my Cessna (airspeed, air temperature, static pressure, etc.) are available to both computers all the time. Again, this is different from the 737 architecture where each autopilot can only see the sensors that belong to it (this is the “root cause,” if you will, of the crashes).

If it’s not obvious, I use my Cessna as an example of how these things should be architect-ed. Both to inoculate against charges that I can’t know what I’m talking about because a Cessna is not a Boeing (it is) and to show how these systems should be architect-ed to ensure maximum reliability and safety. I don’t have to tell you that there is no excuse for what Boeing did and what the FAA approved.

I think the FAA must be held accountable for not grounding the MAX much earlier and certainly before it started being grounded by other nations.