The 737MAX crashes. Did the pilots do everything?..

Recently I read an article on the BBC.com named "What went wrong inside Boeing's cockpit?" After reading the very first phrase: "There was nothing more the pilots could have done " I couldn't force myself to read it further. Yes, they did everything… they could. But did they do exactly what was needed?

You will not find anywhere what I'm going to tell you in this article.

There are tons of articles and videos about these terrible 737MAX accidents. Almost every kid nowadays knows that this brand new model has got new engines, which are quite big, wide and shifted forward so that at some higher angle of attack they start producing a lift  force which suddenly starts to increase the airplane pitch and this can lead to a stall – as the airplane rapidly gets closer to the critical angle of attack.

To prevent this from happening Boeing implemented a software, an MCAS – a Maneuver Characteristics Augmented System, which counteracts this pitching momentum by trimming the horizontal stabilizer to nose down. This system works only when the autopilot is not engaged and only when flaps are fully up. The problem was that the MCAS was using the single source of angle of attack data to sense the requirement to start its work. I am saying "was" because nowadays when the MAX fleet is grounded all over the world they are working hard to change to logic.

But before this change if this single source of AOA produced wrong data, the MCAS would have used it anyway and this actually happened in both accidents – immediately after airborne the left angle of attack sensor for some reason provided incorrect information, which caused different weird things to start happening in the flight deck at the same time – left yoke shaking, disagreement between airspeed and altitude information. And after the pilots retracted the flaps, the MCAS activated and moved the stabilizer almost full to nose down.

This is how things happened in Indonesia and Ethiopia in short.

Surprisingly, while it has been said a lot about a shitty design of the MCAS, almost no media source has published anything about what was done badly by the pilots.

Look. We are pilots. We are there to help save the airplane and the souls if something goes wrong. Our failure to do needed things is one of the links of the chain which makes accidents possible to happen. The same link as a blind MCAS design and a weird airplane certification process. In my opinion the question of pilot training is even more important than others as we are the last wall of defense in all cases. If we can do something to survive, we must do it. At least we must do the standard actions for those common non-normal situations which are provided in our manuals.

Before I continue,

let me loudly define my point. Being an airline pilot, I really want to believe that airplane designers are ideally sinless, and their airplanes are ideal due to the perfect certification procedures. Sadly, this is utopia. In real life designers can make a mistake – they are humans, by the way, and certification procedures can leave them unnoticed. That’s why pilots are still there in airplanes – to compensate for mistakes and errors, such as: weather "errors", ATC errors, own pilots errors… Errors of Boeing engineers. Errors of the certification.

I believe, we must talk openly about obvious pilot errors even if the investigation is still ongoing as a lot of aircraft are flying during that time. Open information can help other pilots save a lot of souls, by the way. Even though all 737MAX are grounded a lot of other aircraft are flying and the problems discovered already can be also applicable to them.

For years I've been highly interested in how to train pilots to be ready to safely deal with the variety of non-standard and abnormal situations. I mean those situations, which pilots have not been trained specifically for, but which nevertheless are manageable if the pilots timely make correct decisions and take proper actions. I think, that is not only me who believes that competency is not the same as "qualification", competency – which in this context is an ability of pilots to recognize and to adapt to this or that complex non-standard situation, - is mainly based on training which pilots are going through – I mean, initial training, recurrent training, day-to-day training.

And training itself greatly depends on the environment in which pilots are being put: the airline traditions, the mentality, the input and influence of the state aviation authorities and so on.

The true is that exactly that 737MAX which crashed in Indonesia was safely landed a day before, after a different crew managed to survive in absolutely same situation. One day after, the first accident happened. In six months another 737MAX crashed in exactly the same situation.

This shows an obvious problem which exists in aviation training nowadays – one crew combination of pilots the same airline can deal with a situation, another cannot.

Of course, passengers would like to always fly with pilots, whose performance is better. But all pilots are similarly qualified and thus, approved for flying. Could anyone say that these pilots will survive and those will not?

By the way, the first crew who has safely survived after a faulty activation of the MCAS then did a thing which I cannot understand. After landing they didn’t fully describe what they had faced with in the flight– I mean uncommanded stabilizer nose down movement and the stick shaker activation. 

They just put two entries in the tech log regarding a light activation and airspeed and altitude disagree alerts. The technicians didn't have a full picture of what had happened in the flight; thus they did a different troubleshooting which didn't find anything wrong. The aircraft was released to service and crashed in the next flight. 

And what Boeing did after that was not a good thing

Surprisingly, nobody pays attention on what I'm going to tell now. Myself, I consider this to be very important and maybe, this was one of the contributing factors and caused the second 737MAX crash.

Shortly after the first accident the Boeing issued a safety bulletin. Let's have a look on them. At a first glance it looks pretty well written. It provides pilot with a brief but full information about what can happen if one of the AOA sensors has failed, it covers what pilots will get in this case. Also, it describes the MCAS activation logic:

1. autopilot off,
2. flaps up; and
3. flying at a certain higher angle of attack

All together it will cause the MCAS to start trimming the aircraft to nose down. But first, the pilots will see a lot of "special effects" in the flight deck – some or all of the following:

The bulletin also provides instructions what pilots must do if the stabilizer starts moving together with having that weird effects in the flight deck.

But!

In the most important section of the Bulletin, in Operating instructions the Boeing write the following:

So, at the very beginning of the instructions they say that if pilots get those special effects in the cockpit and the stabilizer is moving down, they first must do the old Runaway Stabilizer memory items checklist. Which says:

I would like to say a few words about what could probably confuse pilots. In a standard Runaway Stabilizer case in which the stabilizer moves uncommanded because of an electric fault for example, there is a protection – if a pilot make an input by the yoke opposite to the stabilizer movement, the movement will stop and will not continue until the pilot releases the yoke again. But if the stabilizer is actually commanded by the MCAS, the opposite yoke movement has no effect. As the pilots didn't know about the MCAS until the first crash this could be really confusing, but anyway, any unwanted motion of the stabilizer which impose problems to the controllability of the airplane must be treated as a Runaway Stabilizer. It is not written anywhere in black and white; this is a common airmanship and a good judgment.

Anyway, doing this Runaway Stabilizer checklist takes time, and while time is going, the stabilizer is still moving to nose down! The MCAS moves the stabilizer at a rate of 0.27 degrees per second and every cycle lasts for 10 seconds. As the stabilizer moves nose down, the force that the pilot needs to apply on the yoke to keep the airplane at the altitude are constantly and significantly increasing!

Moreover, in this particular situation the force on the yoke can be even doubled, as another module – Elevator Feel Shaft, or EFS – is doing its own job, thinking that the airplane is approaching to a stall. The EFS uses the angle of attack data, too! And it provides a protection against further moving the yoke backwards by doubling the force needed to apply to the yoke.

All right, in the instructions firstly they say that pilots must switch off the electric motor of the stabilizer by moving both STAB TRIM CUTOUT switches to CUTOUT and then trim the aircraft by the manual control wheels. Later I will come back to the issues which can be caused by doing this.

Ok. The instruction says that you have to disconnect the motor and only after that there is a Note – just a Note. Not a Caution, not a Warning – just a note, which contains information of an utmost importance! It says that initially, higher control forces may be needed to overcome any stabilizer nose down trim already applied. Electric stabilizer trim can be used to neutralize control forces BEFORE moving the STAB TRIM CUTOUT switches to CUTOUT.

Do you understand what Boeing guys have actually done? First, they say that pilots must switch off the motor. And then they put just a note saying that forces can be already very high… Exactly! They can be very-very high! If so, pilots have to trim the aircraft nose up, to move the stabilizer back to get a chance to fly the aircraft by the yoke. And they must trim it BEFORE they switch off the electric motor! With the MCAS activated, the yoke trim switches work normally, and pilots can easily return the aircraft to a safe state and then switch off the electric motor.

How the MCAS logic works? The yoke trim switches have a priority over the MCAS – if any pilot uses his trim switch, the MCAS will be immediately disconnected and will only start working again if five seconds have elapsed after the yoke switch is released and if conditions for the MCAS activation still exist.

So, the pilots can easily return the stabilizer back by just pressing the switches as they are expected to do in their normal flights if they feel too much load on the yoke. This is a basic rule of manual flying – to trim the aircraft!

But how they can do this if they have already switched off the electric motor???

We are humans. Our design is not perfect also. A pilot can quickly go through the Operating Instructions issued by the Boeing, through the major part – I mean, the first sentences. And they may not pay too much attention to the Note as it is just a Note. So, what will be saved in a pilot's memory is that he must switch off the stab trim switches.

But the most critical information is in the Note. If only pilots knew that normal trim from the yokes is still available, they could have flown the aircraft with a faulty MCAS for hours even without disconnecting the motor.

By the way, the pilots of the first crashed aircraft were playing with the stabilizer for 6 minutes! For 6 minutes they periodically returned the stabilizer back to normal and for 6 minutes the MCAS continued its weird job once the yoke switch was released. For six minutes they were having an uncommanded nose down stabilizer motion which is actually a condition for doing a Stabilizer Runaway Checklist, which, by the way is a memory items checklist and has existed in the book since first 737 Jurassic appeared in the sky!

Sadly, they didn't recognize it and the MCAS won in this battle.

Coming back to this ugly written operating instructions what I would like to see in this bulletin is the following:

I would have moved the critical information up and labeled it as a WARNING. No way a Note! No way a Caution as it is extremely critical!

Anyway, after the first crash the bulletin was sent to every airline and all pilots were supposed to read it and to know how the MCAS works, how to recognize the situation and what to do after all.

What have the Ethiopian pilots done?

Sorry for saying this, but controversially to what the BBC.com says, the pilots did nothing correctly after the MCAS had activated. They almost didn't even try to trim the aircraft nose up by using the yoke switches. – yes, they did press them a couple of times and this did have a positive effect… I can't understand why they didn't continue to use the trim! I really cannot understand this. The only idea is a stress which pilots have been feeling.

Thus, they let the MCAS move the stabilizer nose down, almost full… By the way, it took several dozens of seconds! During this time, they continued to fly having the takeoff thrust set and this led the aircraft to constantly accelerate. And then they switched off the electric motor.

Yes! This stopped the movement of the stabilizer, which was already close to its forward limit, but this also killed a possibility to move it back by the yoke trim switches!

Now, consider that the stabilizer has gone nose down significantly, and that the speed was dangerously high and continued to increase as the pilots had not done some important things which I will talk about a little bit later.

At higher speed the efficiency of the stabilizer increases greatly. Just imagine: the pilots were desperately pulling the yoke back, deflecting the elevators up. The thrust was still set at maximum…

All right, I will give a description of this process to let you understand how critical the situation was! Once the electric motor has been switched off, the only tool for moving the stabilizer back was a manual trim wheel. Two trim wheels are located on the both sides of the throttle quadrant. They are connected to the stabilizer by cables, mechanically. So, the pilots must rotate any wheel using their muscles only to trim the aircraft. But when the stabilizer is already significantly deflected out of the trimmed position for the existing speed, the aerodynamic forces can be extremely high! And approximately 15 rotations are needed to move the stabilizer for a single degree! And what if you need to move it for at least 4 or 5 degrees to obtain safe control of the aircraft, I mean, to reduce forces you need to apply to the yoke to keep the altitude???

At the same time, while the yoke is pulled back, the elevators – surfaces at the aft of the stabilizer deflects up, creating a force which works opposite to the stabilizer if pilots are trying to turn it to trim the nose of the aircraft up. If we look at the aircraft from the left we see that the pilot needs to rotate the stabilizer counter-clockwise to make the airplane fly nose up. But the aerodynamic force applied to elevators, rotates the stabilizer oppositely. In some unlucky cases it is absolutely impossible to move the stabilizer! This is not an another Boeing secret – the FCTM contains this information.

You have to do something to return the aircraft closer to a trimmed state – by accelerating or decelerating towards the in-trim speed. Also, you need to unload the stabilizer, in this case – you need to lower the elevator, to push down the yoke. But doing this will make the aircraft fly towards the ground.

The ground was too close. The speed was over the limits, the wheels were aerodynamically stuck, the pilots were desperately pulling the yoke trying to get out of the terrain… The forces on the yoke were extremely high. No human could prevent the aircraft from flying down…

But, even in this extreme situation they had a 100% effective chance to survive by just switching on the electric motor again and applying nose up trim from any yoke. Moreover, the FDR shows there was a momentary input from a yoke trim which moved the stabilizer up! But nobody knows the answer why they didn't continue doing this – the FDR doesn't show any touching of any yoke trim switch anymore…

The 737 yoke trim switches and trim wheels (in the lower center). The 737MAX is the same

So, how it could have happened that the crew let the situation become critical? How did they let the MCAS start working if the BBC says that they have done everything, complying with all Boeing instructions?

Did they comply with them really?

All right, let's say it loudly – even this shitty bulletin was not done correctly by the crew. Maybe, this happened because Boeing presented it in a bad way.

Let's go back to the beginning – to the moment of the takeoff!

The situation in the skies of Ethiopia has being developing in exactly the same way as it happened in two last flights of the first 737MAX crashed airplane. Just after they lifted off the left angle of attack sensor started to produce wrong data. Immediately, a lot of things started to happen in the cockpit as the airplane systems, which were using this data, assumed the aircraft was in a stall. The Captaiin's yoke started to shake… by the way, if only one yoke is shaking – this sometimes happens and these were not the first cases in history when one of the sensors was faulty – this normally is a sign that this is just a fault of a single sensor, if the airplane flies at correct attitude and is normally controllable.

Besides this, the speed and altitude on the primary flight displays became different, highlighting the messages IAS DISAGREE and ALT DISAGREE on both PFDs.

If a 737 pilot gets an IAS DISAGREE, he must immediately start doing a special memory items checklist – an AIRSPEED UNRELIABLE checklist of the QRH. Both crews of the first 737MAX somehow did this checklist, but the Ethiopian crew – did not.

So, even having all the things, described in the bulletin, the crew obviously was unprepared to act. Note, the MCAS was not working at that moment – because the flaps were down. All what they had to do was to continue takeoff and correctly do the needed actions from the AIRSPEED UNRELIABLE checklist to climb out safely and somewhere later do other needed things.

Ok, what the pilots had to do when they got an IAS DISAGREE alert?

1. Disconnect the autopilot – it was off as they just took off, and disconnect the autothrottle.
2. Switch of the flight directors.
3. Set the certain pitch and thrust for flying with gear up. In this case these were 10 degrees and 80%

Then the NNC contains steps to recognize which airspeed indications are correct. In their case the First Officer's PFD and standby airspeed were correct.

They didn't do this checklist at all! The FDR doesn't show any attempt to do it! They left the thrust at maximum which very soon contributed greatly in impossibility of dealing with the situation!

And here we come to a critical key point of the story.

Retraction of the flaps is NOT recommended during the initial phase of AIRSPEED UNRELIABLE checklist (FCTM). Only after the correct indication has been identified (or not identified) they can be retracted IF NEEDED. Or they may be left down if the crew decides to land at the airport of departure or, for example, if the crew doesn't want the MCAS to activate as he has read the instructions and knows how it works.

It is important!

The MCAS can be activated only in a manual flight and only if flaps are up!

Anyway, even if pilots didn't know about the MCAS, like it was before the first accident, it was a good idea – to land the aircraft at the departure aerodrome and thus, to leave the flaps down.

Moreover! The QRH says that if pilots identify a correct airspeed indication on one of the PFDs they can switch the AUTOPILON on that side. In both cases the FOs PFD showed correct airspeed thus, if pilots have done the QRH checklist correctly they could switch on the autopilot B.

It is important!

The MCAS can be activated only in a manual flight and only if flaps are up.

So, if only they switched on the autopilot, the MCAS would not be activated. If only the haven't set the flaps UP the MCAS would not be activated.

Thus, if only all that three crews would have worked accordingly to that QRH scenario template, there was a chance that the world wouldn't know about the MCAS, stupidity of engineers and gaps in the certification process. Why? As you see, certain things were needed to be done to let the MCAS activate. In all three cases they were done – the flaps were retracted, the autopilot was not connected.

Yes, this isn't a must to fly with flaps up and to switch the autopilot. But this is something like good actions of the crew in an Airspeed Unreliable event.

I will highlight again – in the last fatal MCAS faulty activation case the crew didn't do anything from the checklist. Anything at all. Though after the first crash only a very lazy 737 pilot didn't chat about this topic with other guys. Being a 737MAX pilot, I stress, that we did have a lot of talks about the MCAS, how it works and what to do if the same shit happens during takeoff with us.

And once the bulletin has been issued, it looked that it should have been thoroughly investigated by the MAX pilots all over the world as all of them wanted to be alive. That's why I would like to ask: what was done in airlines to ensure pilots got a needed understanding of the problem after the first crash. What did they do to ensure all pilots knew what to do?

The last barrier

Pilots – are a product of the aviation system, we are trees' branches or even just leaves. If leaves get sick, you shouldn't start looking to them to find a core problem. Maybe you start investigating the state of the trunk or the tree's roots. Or maybe in the surrounding environment.

The CEO of Boeing, when he was answering to the stakeholders' questions, very accurately took the responsibility, saying they yes, they had made a mistake when they were designing the aircraft. What was the mistake? In the aviation industry pilots are considered as a part of the system. Thus, they were considered to compensate for the MCAS failure using old non-normal procedures, which every 737 pilot has being trained for.

In theory this looked really smoothly. The crew was supposed to heroically save the souls by just using the old procedures. But in reality, they failed.

Why?

Takeoff is a very quick phase of flight where the firm ground is so close. Suddenly having too much things in the flight deck at the same time – a stick shaker, increased yoke forces, different alerts coming up – this can cause a tremendous stress to humans. The pilots were just not ready to save the aircraft under this conditions event though they have passed all needed training successfully – I mean these old Runaway Stabilizer and Airspeed Unreliable cases, otherwise they couldn't have got the approval to operate the 737.

I strongly believe that in the 21^st century, the aviation manufactures should better think a little bit ahead when designing the logic of their systems, than to rely on our outstanding abilities to back up their mistakes. Even having pilot procedures as a backup, systems which operate controls of the airplane, such as MCAS must not rely on a single source of data. This must never happen again!

At the same time the way, how pilots are being trained nowadays must be thoroughly analyzed and relooked.

Yes, thanks to the engineers, we got used that 99.99% of time we never face with something which is quite specific, just routine issues which are not difficult to deal with. And thus we, pilots, tend to rely on reliability of the modern aircraft more then we actually have to. We are lazy to fresh up our skills a bit – doing a manual descent and a raw data approach for example. We better use the automation and maybe disconnect the autopilot at 1000 feet or even lower. We are trying to use ILS whenever it is possible instead of performing a non-precision or a visual approach – just for practice, even if the weather is excellent and skies are empty we are doing an ILS approach. Sometimes we even use an autoland if the weather becomes just a little bit cloudy and/or windy. Many 737 pilots are rarely if ever performing takeoffs with flaps greater than 5 and landings with flaps 40 because they never tried this in the past and they are afraid to do an error – to exceed a flap speed limit, for instance and then be called to the office. Thus, when the situation dictates to use higher flaps setting, they are getting stressed. Do you know, that stress is cumulative? A lot of things beyond flying causes the stress also. What if something happens when the stress is already too high?

We are scared to demonstrate our basic skills in day-to-day flying as the Big Brother is always looking at us and punishment can be quite painful if we do a mistake. Airlines want to see very good flight data records. They don't want to see deviations, even too small to cause a real danger. And this is being motivated by the authorities, of course. In my home country there is an airline which prohibits manual landings if an autoland is possible! By doing this they want to reduce the number of hard landings which they considered as a landing with more than 1.8 g even though this causes nothing bad to the airframe. They also prohibit first officers to perform landings!

Come on, if pilots are not doing landings routinely, what will happen if one day they face with a need to demonstrate their skills – in a bad weather, for example? You will probably get a hard landing or even a worse thing…

If we are not polishing our basic skills in real flights and if a shit happens once… You understand what I mean.

I call this "a closed cycle of accidents".

Is there anything that could be done?

Our readiness to deal with problems is checked only twice per year – on flight simulators with a certain number of problems only. The training program have a duration for three years – during this cycle we are supposed to cover all major things.

In most of the world airlines an old approach to training still exists – I mean, to train pilots as robots for some single problems, like an engine failure or depressurization. Our grandfathers were trained like this and we are trained the same nowadays, even though a rare pilot faces with an engine failure on a modern aircraft, but at the same time there is a bigger probability that he will experience a situation in which he will need to demonstrate his knowledge, skills, abilities – I mean his CRM.

Traditional way of training provides so called "qualified pilots". The qualification means that the pilot must demonstrate his abilities to perform a certain task in a certain acceptable manner. Let's say, he must show that he can fly with a single engine, then correctly do an emergency descent, then perform a windshear escape maneuver and so on. One by one. Satisfying the examiner by doing these exercises the pilot confirms his qualification, the CAA is happy.

But what if the pilot faces with something he has not been directly trained for? I mean a complicated situation in a real flight which will definitely rise a stress to a much higher level when during a simulator session?

Do you remember a recent case with a 737NG in the USA when a female-captain together with a gray-haired first officer got the following all of a sudden?

1. Left engine severe damage and a quick loss of thrust on it.
2. Decompression – due to a fan blade crashed a window in the passenger cabin.
3.  A sudden deep bank to the left – an upset situation.

It was not an easy walk, but they managed to survive even though they had not been trained for such complex situations.

There is a modern approach to training, which is intended to rise pilot competencies instead of checking their qualification only. Competent pilot means that he is being specifically trained to deal with unforeseen situations, by using his competencies together with his colleague who has been trained in the same manner, the chances to survive are supposed to significantly increase.

The implementation of EBT – the Evidence Based Training, this is what I'm talking – about is still on the move. There is no airline in the world which can state that they have fully implemented the EBT.

And there are much more airlines in which the EBT implementation has not started yet.

FLY SAFE!